possible rootkit issue


34 replies to this topic

#1 sillymonkey (Members, 22 posts)

Posted 12 June 2013 - 06:06 AM

Hello there,

I have managed to pick up something really sticky. I get many instances of iexplore.exe multiplying in the background. I never use Internet Explorer, but it's pretty obvious when you come back and find over 100 instances of iexplore.exe running, each using about 100k of RAM, after about an hour. No significant CPU drain, but Ad-Aware is now finding lots of trojans and other issues on scheduled scans and can't clear the primary infection. I started looking through the various threads around here but couldn't find anything similar enough, or I just don't know enough to properly identify my problem. Following the lead of a similar thread I ran Boot_cleaner and it indicated a rootkit was involved; log below. So I figured it best to just start from scratch and follow the instructions of someone who really knows what they are doing. If someone could help me with this I would be extremely grateful.

Thanks in advance,


Bootkit Remover
© 2009 Esage Lab
www.esagelab.com
 
Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit
 
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`14900000
 
     Size  Device Name          MBR Status
 --------------------------------------------
   698 GB  \\.\PhysicalDrive0   Controlled by rootkit!
 
Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
 
 
Done;
Press any key to quit...
 

 





#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 June 2013 - 06:55 AM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (if not sure: Start --> Computer (right click) --> Properties).

  • Run FRST.
  • Don't change any of the checkboxes; just hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Please download GMER from here by clicking on the "Download EXE" button.

  • Double-click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button and wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area type in "ark.txt", or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



#3 sillymonkey (Topic Starter, Members, 22 posts)

Posted 12 June 2013 - 07:50 AM

Hiya Marius,

Thanks for offering your time to help those less capable. I will do my best to make it as smooth as possible for you to help me out.

I have run FRST 64-bit and GMER and attached the log files below.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2013 03

Ran by Radulosk (administrator) on 12-06-2013 22:23:49

Running from C:\Users\Radulosk\Desktop

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

 

==================== Processes (Whitelisted) =================

 

(Emsi Software GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe

(ASUSTeK Computer Inc.) C:\Windows\system32\FBAgent.exe

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

(ASUS) C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

() C:\Windows\System32\rpcnetp.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe

(ASUS) C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe

(ASUS) C:\Windows\AsScrPro.exe

(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe

(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe

(Astrill) C:\Program Files (x86)\Astrill\astrill.exe

(Astrill) C:\Program Files (x86)\Astrill\ASProxy.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Microsoft Corporation) C:\Windows\system32\mspaint.exe

(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [6330568 2013-03-21] (ESET)

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2661672 2012-02-20] (ELAN Microelectronics Corp.)

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)

HKCU\...\Run: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean [3713032 2012-11-13] (Safer-Networking Ltd.)

HKCU\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1641896 2013-06-07] (Valve Corporation)

HKCU\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5622512 2013-05-15] (SUPERAntiSpyware.com)

HKCU\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3672640 2013-03-14] (Disc Soft Ltd)

HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-02-07] (Intel Corporation)

HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-20] (CyberLink Corp.)

HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-20] (ASUS)

HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-01-21] (Microsoft Corporation)

HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [318080 2011-12-23] (ASUSTek Computer Inc.)

HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-25] (ASUS)

HKLM-x32\...\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [2984688 2011-07-18] (ASUSTek Computer Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\AsusVibeLauncher.lnk

ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (No File)

BootExecute: autocheck autochk * sdnclean64.exe

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com

HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

Winsock: Catalog9 01 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 02 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 03 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 04 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 16 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9-x64 01 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 02 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 03 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 04 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 16 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 192.168.2.2 111.209.253.2

 

FireFox:

========

FF ProfilePath: C:\Users\Radulosk\AppData\Roaming\Mozilla\Firefox\Profiles\5hvsaq47.default

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_149.dll ()

FF Plugin: @java.com/DTPlugin,version=10.13.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.13.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()

FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)

FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

FF Plugin-x32: @java.com/DTPlugin,version=10.13.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.13.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File

FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF Extension: No Name - C:\Users\Radulosk\AppData\Roaming\Mozilla\Firefox\Profiles\5hvsaq47.default\Extensions\addon@astrill.com

 

Chrome:

=======

CHR HomePage: hxxp://www.google.com/ig/redirectdomain?brand=ASUT&bmod=ASUT

CHR RestoreOnStartup: "hxxp://www.google.com.au/"

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\pdf.dll ()

CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

CHR Plugin: (Java™ Platform SE 7 U13) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File

CHR Plugin: (Zeon Plus) - C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll No File

CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File

CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)

CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()

CHR Plugin: (Java Deployment Toolkit 7.0.130.20) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

CHR Extension: (Google Docs) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0

CHR Extension: (Google Drive) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0

CHR Extension: (YouTube) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0

CHR Extension: (Google Search) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0

CHR Extension: (AdBlock) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.63_0

CHR Extension: (Gmail) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

 

==================== Services (Whitelisted) =================

 

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-24] (SUPERAntiSpyware.com)

R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [3045688 2011-10-03] (Emsi Software GmbH)

S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)

R3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1917864 2013-01-09] (Astrill)

R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [277120 2012-02-04] (ASUS)

R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1341664 2013-03-21] (ESET)

R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-17] ()

R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-17] (Intel Corporation)

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)

R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)

R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)

 

==================== Drivers (Whitelisted) ====================

 

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [85800 2011-02-20] (Emsi Software GmbH)

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [85800 2011-02-20] (Emsi Software GmbH)

R3 AiCharger; C:\Windows\SysWow64\DRIVERS\AiCharger.sys [17152 2012-01-31] (ASUSTek Computer Inc.)

R3 AsusVBus; C:\Windows\System32\DRIVERS\AsusVBus.sys [35968 2011-12-22] (Windows ® Win 7 DDK provider)

R3 AsusVTouch; C:\Windows\System32\DRIVERS\AsusVTouch.sys [16512 2011-11-08] (Windows ® Win 7 DDK provider)

R3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2013-06-12] (DT Soft Ltd)

R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [213416 2013-02-20] (ESET)

R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [150616 2013-01-10] (ESET)

R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [139768 2013-01-10] (ESET)

R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-06-12 22:15 - 2013-06-12 22:15 - 00377856 ____A C:\Users\Radulosk\Desktop\ex6el844.exe

2013-06-12 22:11 - 2013-06-12 22:11 - 00000000 ____D C:\FRST

2013-06-12 22:09 - 2013-06-12 22:09 - 01920250 ____A (Farbar) C:\Users\Radulosk\Desktop\FRST64.exe

2013-06-12 19:20 - 2011-09-21 18:11 - 00003641 ____A C:\readme_ru.txt

2013-06-12 19:20 - 2011-09-21 18:11 - 00003114 ____A C:\readme_en.txt

2013-06-12 19:20 - 2011-09-20 03:02 - 00083968 ____A (Esage Lab) C:\boot_cleaner.exe

2013-06-12 19:06 - 2013-06-12 19:06 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\11355026.sys

2013-06-12 18:59 - 2013-06-12 18:59 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Radulosk\Downloads\tdsskiller.exe

2013-06-12 18:59 - 2013-06-12 18:59 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\54378501.sys

2013-06-12 18:50 - 2011-09-21 18:11 - 00003641 ____A C:\Users\Radulosk\Desktop\readme_ru.txt

2013-06-12 18:50 - 2011-09-21 18:11 - 00003114 ____A C:\Users\Radulosk\Desktop\readme_en.txt

2013-06-12 18:50 - 2011-09-20 03:02 - 00083968 ____A (Esage Lab) C:\Users\Radulosk\Desktop\boot_cleaner.exe

2013-06-12 18:49 - 2013-06-12 18:49 - 00044607 ____A C:\Users\Radulosk\Downloads\bootkit_remover.zip

2013-06-12 18:48 - 2013-06-12 18:48 - 00001813 ____A C:\Users\Radulosk\Desktop\aswMBR.txt

2013-06-12 18:48 - 2013-06-12 18:48 - 00000512 ____A C:\Users\Radulosk\Desktop\MBR.dat

2013-06-12 16:49 - 2013-06-12 16:51 - 04745728 ____A (AVAST Software) C:\Users\Radulosk\Downloads\aswMBR.exe

2013-06-12 16:43 - 2013-06-12 16:44 - 00000000 ____D C:\Users\Radulosk\Desktop\word docs

2013-06-12 16:43 - 2013-05-31 15:54 - 00658624 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autoruns.exe

2013-06-12 16:43 - 2013-05-31 15:54 - 00577728 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autorunsc.exe

2013-06-12 16:43 - 2013-03-17 16:52 - 00049518 ____A C:\Users\Radulosk\Desktop\autoruns.chm

2013-06-12 16:43 - 2006-07-28 09:32 - 00007005 ____A C:\Users\Radulosk\Desktop\Eula.txt

2013-06-12 16:42 - 2013-06-12 16:42 - 00550867 ____A C:\Users\Radulosk\Downloads\Autoruns.zip

2013-06-12 12:36 - 2013-06-12 12:42 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\DAEMON Tools Lite

2013-06-12 12:36 - 2013-06-12 12:38 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys

2013-06-12 12:36 - 2013-06-12 12:36 - 00000000 ____D C:\Program Files (x86)\DAEMON Tools Lite

2013-06-12 12:35 - 2013-06-12 12:36 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite

2013-06-12 12:34 - 2013-06-12 12:35 - 13901152 ____A (Disc Soft Ltd) C:\Users\Radulosk\Downloads\DTLite4471-0333.exe

2013-06-05 21:12 - 2013-06-05 21:12 - 00004757 ____A C:\Users\Radulosk\Downloads\savedrecs (8).ciw

2013-06-02 16:26 - 2013-06-02 16:27 - 09233420 ____A C:\Users\Radulosk\Desktop\thesis 1 .xps

2013-05-31 21:34 - 2013-05-31 23:12 - 00000000 ____D C:\Users\Radulosk\Desktop\bioshock

2013-05-31 13:04 - 2013-06-12 19:08 - 00548864 ____A C:\Windows\WindowsUpdate.log

2013-05-31 13:02 - 2013-06-12 19:03 - 00000616 ____A C:\Windows\setupact.log

2013-05-31 13:02 - 2013-05-31 13:02 - 00000000 ____A C:\Windows\setuperr.log

2013-05-31 12:03 - 2013-06-12 20:03 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 3a09af33-5b5f-48d6-ad03-651b05b9d5d4.job

2013-05-31 12:03 - 2013-06-12 02:00 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 1cbbee14-3008-46f5-a99c-142b4a717909.job

2013-05-31 12:03 - 2013-05-31 12:03 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2013-05-31 12:02 - 2013-05-31 12:03 - 25934296 ____A (SUPERAntiSpyware.com) C:\Users\Radulosk\Downloads\SUPERAntiSpyware.exe

2013-05-31 11:43 - 2013-05-31 11:43 - 00001945 ____A C:\Windows\epplauncher.mif

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2013-05-31 11:42 - 2013-05-31 11:42 - 13475464 ____A (Microsoft Corporation) C:\Users\Radulosk\Downloads\mseinstall.exe

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-31 11:09 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-05-31 11:07 - 2013-05-31 11:07 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Radulosk\Downloads\mbam-setup-1.75.0.1300.exe

2013-05-31 10:59 - 2013-05-31 10:59 - 00850929 ____A C:\Users\Radulosk\AppData\Local\census.cache

2013-05-31 10:59 - 2013-05-31 10:59 - 00100799 ____A C:\Users\Radulosk\AppData\Local\ars.cache

2013-05-31 10:48 - 2013-05-31 10:48 - 02406064 ____A (Trend Micro Inc.) C:\Users\Radulosk\Downloads\HousecallLauncher64.exe

2013-05-31 10:48 - 2013-05-31 10:48 - 00000036 ____A C:\Users\Radulosk\AppData\Local\housecall.guid.cache

2013-05-31 08:09 - 2013-05-31 08:11 - 00000000 ____D C:\Users\Radulosk\Desktop\Audio Book - The Fabric of the Cosmos (Brian Greene)

2013-05-31 08:08 - 2013-05-31 08:09 - 00000000 ____D C:\Users\Radulosk\Desktop\Pale Blue Dot -- Audiobook and E-book by Carl Sagan, 10 hrs

2013-05-31 07:59 - 2013-05-31 08:01 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol3

2013-05-31 07:58 - 2013-05-31 07:58 - 00000000 ____D C:\Users\Radulosk\Desktop\Arthur C. Clarke - Childhood's End (ebook and audiobook)

2013-05-31 07:56 - 2013-05-31 07:58 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol4

2013-05-26 14:51 - 2013-05-26 14:51 - 09929981 ____A C:\Users\Radulosk\Desktop\qcm schematic.pptx

2013-05-24 16:40 - 2013-05-24 16:42 - 09879610 ____A C:\Users\Radulosk\Desktop\qcm for panels.tif

2013-05-24 16:27 - 2013-05-24 16:31 - 00011726 ____A C:\Users\Radulosk\Desktop\cistein.tif

2013-05-24 16:24 - 2013-05-24 16:24 - 04940690 ____A C:\Users\Radulosk\Desktop\qcm.tif

2013-05-22 18:32 - 2013-04-05 16:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-22 18:32 - 2013-04-05 16:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-22 18:32 - 2013-04-05 16:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-22 18:32 - 2013-04-05 16:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-22 18:32 - 2013-04-05 15:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-22 18:32 - 2013-04-05 15:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-22 18:32 - 2013-04-05 14:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-22 18:32 - 2013-04-05 14:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-22 18:32 - 2013-04-05 13:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-22 18:32 - 2013-04-05 13:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-22 18:31 - 2013-06-05 17:18 - 00000000 ____D C:\Users\Radulosk\Desktop\final chapters split

2013-05-18 11:10 - 2013-04-10 16:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-18 11:10 - 2013-04-10 16:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-18 11:10 - 2013-04-10 13:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-18 11:10 - 2013-02-27 16:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-18 11:10 - 2013-02-27 15:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-18 11:10 - 2013-02-27 15:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-18 11:10 - 2013-02-27 15:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-18 11:10 - 2013-02-27 15:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-18 11:10 - 2013-02-27 14:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-18 11:10 - 2013-02-27 14:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-18 11:10 - 2013-02-27 14:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-18 11:10 - 2011-02-03 21:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

 

==================== One Month Modified Files and Folders =======

 

2013-06-12 22:15 - 2013-06-12 22:15 - 00377856 ____A C:\Users\Radulosk\Desktop\ex6el844.exe

2013-06-12 22:14 - 2009-07-14 14:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-12 22:14 - 2009-07-14 14:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-12 22:11 - 2013-06-12 22:11 - 00000000 ____D C:\FRST

2013-06-12 22:09 - 2013-06-12 22:09 - 01920250 ____A (Farbar) C:\Users\Radulosk\Desktop\FRST64.exe

2013-06-12 21:29 - 2013-02-11 14:38 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-12 20:03 - 2013-05-31 12:03 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 3a09af33-5b5f-48d6-ad03-651b05b9d5d4.job

2013-06-12 19:23 - 2013-02-24 15:42 - 00003582 ____A C:\Windows\SysWOW64\ASProxy.ini

2013-06-12 19:23 - 2013-02-24 15:42 - 00001976 ____A C:\Windows\SysWOW64\ASProxyOff.ini

2013-06-12 19:23 - 2013-02-24 15:42 - 00001976 ____A C:\Windows\System32\ASProxyOff.ini

2013-06-12 19:19 - 2013-02-11 14:39 - 00000000 ____D C:\Program Files (x86)\Steam

2013-06-12 19:11 - 2009-07-14 15:13 - 00741696 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-12 19:08 - 2013-05-31 13:04 - 00548864 ____A C:\Windows\WindowsUpdate.log

2013-06-12 19:06 - 2013-06-12 19:06 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\11355026.sys

2013-06-12 19:05 - 2012-09-13 05:59 - 00002032 ____A C:\Windows\System32\AutoRunFilter.ini

2013-06-12 19:04 - 2012-09-13 05:52 - 00000828 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

2013-06-12 19:03 - 2013-05-31 13:02 - 00000616 ____A C:\Windows\setupact.log

2013-06-12 19:03 - 2011-07-18 09:10 - 00017920 ____A C:\Windows\SysWOW64\rpcnetp.dll

2013-06-12 19:03 - 2011-07-18 09:09 - 00017920 ____A C:\Windows\SysWOW64\rpcnetp.exe

2013-06-12 19:03 - 2011-07-18 09:09 - 00017920 ____A C:\Windows\System32\rpcnetp.exe

2013-06-12 19:03 - 2009-07-14 15:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-12 18:59 - 2013-06-12 18:59 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Radulosk\Downloads\tdsskiller.exe

2013-06-12 18:59 - 2013-06-12 18:59 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\54378501.sys

2013-06-12 18:49 - 2013-06-12 18:49 - 00044607 ____A C:\Users\Radulosk\Downloads\bootkit_remover.zip

2013-06-12 18:48 - 2013-06-12 18:48 - 00001813 ____A C:\Users\Radulosk\Desktop\aswMBR.txt

2013-06-12 18:48 - 2013-06-12 18:48 - 00000512 ____A C:\Users\Radulosk\Desktop\MBR.dat

2013-06-12 16:51 - 2013-06-12 16:49 - 04745728 ____A (AVAST Software) C:\Users\Radulosk\Downloads\aswMBR.exe

2013-06-12 16:44 - 2013-06-12 16:43 - 00000000 ____D C:\Users\Radulosk\Desktop\word docs

2013-06-12 16:42 - 2013-06-12 16:42 - 00550867 ____A C:\Users\Radulosk\Downloads\Autoruns.zip

2013-06-12 14:04 - 2012-09-13 05:52 - 00000830 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

2013-06-12 12:42 - 2013-06-12 12:36 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\DAEMON Tools Lite

2013-06-12 12:38 - 2013-06-12 12:36 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys

2013-06-12 12:36 - 2013-06-12 12:36 - 00000000 ____D C:\Program Files (x86)\DAEMON Tools Lite

2013-06-12 12:36 - 2013-06-12 12:35 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite

2013-06-12 12:35 - 2013-06-12 12:34 - 13901152 ____A (Disc Soft Ltd) C:\Users\Radulosk\Downloads\DTLite4471-0333.exe

2013-06-12 02:00 - 2013-05-31 12:03 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 1cbbee14-3008-46f5-a99c-142b4a717909.job

2013-06-05 21:12 - 2013-06-05 21:12 - 00004757 ____A C:\Users\Radulosk\Downloads\savedrecs (8).ciw

2013-06-05 17:18 - 2013-05-22 18:31 - 00000000 ____D C:\Users\Radulosk\Desktop\final chapters split

2013-06-02 16:27 - 2013-06-02 16:26 - 09233420 ____A C:\Users\Radulosk\Desktop\thesis 1 .xps

2013-06-01 19:55 - 2013-02-21 07:23 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\vlc

2013-05-31 23:12 - 2013-05-31 21:34 - 00000000 ____D C:\Users\Radulosk\Desktop\bioshock

2013-05-31 15:58 - 2013-02-12 09:57 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-31 15:54 - 2013-06-12 16:43 - 00658624 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autoruns.exe

2013-05-31 15:54 - 2013-06-12 16:43 - 00577728 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autorunsc.exe

2013-05-31 13:03 - 2012-09-13 05:59 - 00001494 ____A C:\Windows\System32\ServiceFilter.ini

2013-05-31 13:02 - 2013-05-31 13:02 - 00000000 ____A C:\Windows\setuperr.log

2013-05-31 13:00 - 2009-07-29 16:03 - 00000000 ____D C:\Windows\Panther

2013-05-31 12:03 - 2013-05-31 12:03 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2013-05-31 12:03 - 2013-05-31 12:02 - 25934296 ____A (SUPERAntiSpyware.com) C:\Users\Radulosk\Downloads\SUPERAntiSpyware.exe

2013-05-31 11:43 - 2013-05-31 11:43 - 00001945 ____A C:\Windows\epplauncher.mif

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2013-05-31 11:42 - 2013-05-31 11:42 - 13475464 ____A (Microsoft Corporation) C:\Users\Radulosk\Downloads\mseinstall.exe

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-31 11:07 - 2013-05-31 11:07 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Radulosk\Downloads\mbam-setup-1.75.0.1300.exe

2013-05-31 10:59 - 2013-05-31 10:59 - 00850929 ____A C:\Users\Radulosk\AppData\Local\census.cache

2013-05-31 10:59 - 2013-05-31 10:59 - 00100799 ____A C:\Users\Radulosk\AppData\Local\ars.cache

2013-05-31 10:48 - 2013-05-31 10:48 - 02406064 ____A (Trend Micro Inc.) C:\Users\Radulosk\Downloads\HousecallLauncher64.exe

2013-05-31 10:48 - 2013-05-31 10:48 - 00000036 ____A C:\Users\Radulosk\AppData\Local\housecall.guid.cache

2013-05-31 08:11 - 2013-05-31 08:09 - 00000000 ____D C:\Users\Radulosk\Desktop\Audio Book - The Fabric of the Cosmos (Brian Greene)

2013-05-31 08:09 - 2013-05-31 08:08 - 00000000 ____D C:\Users\Radulosk\Desktop\Pale Blue Dot -- Audiobook and E-book by Carl Sagan, 10 hrs

2013-05-31 08:01 - 2013-05-31 07:59 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol3

2013-05-31 07:58 - 2013-05-31 07:58 - 00000000 ____D C:\Users\Radulosk\Desktop\Arthur C. Clarke - Childhood's End (ebook and audiobook)

2013-05-31 07:58 - 2013-05-31 07:56 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol4

2013-05-29 23:32 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\rescache

2013-05-26 14:51 - 2013-05-26 14:51 - 09929981 ____A C:\Users\Radulosk\Desktop\qcm schematic.pptx

2013-05-24 16:42 - 2013-05-24 16:40 - 09879610 ____A C:\Users\Radulosk\Desktop\qcm for panels.tif

2013-05-24 16:31 - 2013-05-24 16:27 - 00011726 ____A C:\Users\Radulosk\Desktop\cistein.tif

2013-05-24 16:24 - 2013-05-24 16:24 - 04940690 ____A C:\Users\Radulosk\Desktop\qcm.tif

2013-05-23 16:08 - 2009-07-14 14:45 - 00337736 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-22 18:31 - 2013-02-11 15:13 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\Skype

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

LastRegBack: 2013-06-03 16:52

 

==================== End Of Log ============================

 

Below is the FRST Additional Log.

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-06-2013 03

Ran by Radulosk at 2013-06-12 22:25:00 Run:

Running from C:\Users\Radulosk\Desktop

Boot Mode: Normal

==========================================================

 

 

==================== Installed Programs =======================

 

3DMark 11 (Version: 1.0.3)

Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)

Adobe Flash Player 11 Plugin (Version: 11.5.502.149)

Adobe Shockwave Player 11.6 (Version: 11.6.8.638)

Astrill

ASUS AI Recovery (Version: 1.0.23)

ASUS LifeFrame3 (Version: 3.0.29)

ASUS Power4Gear Hybrid (Version: 1.2.0)

ASUS USB Charger Plus (Version: 2.0.8)

ASUS Virtual Touch (Version: 1.0.9)

ATK Package (Version: 1.0.0015)

CCleaner (Version: 3.27)

CyberLink Power2Go (Version: 6.1.3602c)

DAEMON Tools Lite (Version: 4.47.1.0333)

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Emsisoft Anti-Malware 5.1 (Version: 5.1)

EndNote X6 (Version: 16.0.0.6348)

ESET NOD32 Antivirus (Version: 6.0.316.0)

ETDWare PS/2-X64 10.5.9.0 (Version: 10.5.9.0)

Fast Boot (Version: 1.0.10)

Foxit Reader (Version: 5.4.5.124)

Futuremark SystemInfo (Version: 4.6.0)

Google Chrome (Version: 24.0.1312.57)

Google Update Helper (Version: 1.3.21.123)

InstantOn for NB (Version: 2.1.10)

Intel® Manageability Engine Firmware Recovery Agent (Version: 1.0.0.35132)

Intel® Management Engine Components (Version: 8.0.0.1351)

Intel® Processor Graphics (Version: 9.17.10.2932)

Intel® SDK for OpenCL - CPU Only Runtime Package (Version: 2.0.0.37149)

Intel® USB 3.0 eXtensible Host Controller Driver (Version: 1.0.3.214)

Intel® Trusted Connect Service Client (Version: 1.23.216.0)

Java 7 Update 13 (64-bit) (Version: 7.0.130)

Java 7 Update 13 (Version: 7.0.130)

Java Auto Updater (Version: 2.1.9.0)

Legend of Grimrock

Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4734.1000)

Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000)

Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)

Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)

Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Security Client (Version: 4.2.0223.1)

Microsoft Security Essentials (Version: 4.2.223.1)

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)

Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)

Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)

Mozilla Firefox 18.0.2 (x86 en-US) (Version: 18.0.2)

Mozilla Maintenance Service (Version: 18.0.2)

Paint.NET v3.5.10 (Version: 3.60.0)

Portal 2

Qualcomm Atheros WiFi Driver Installation (Version: 9.2)

Realtek Ethernet Controller Driver (Version: 7.48.823.2011)

Realtek High Definition Audio Driver (Version: 6.0.1.6570)

Realtek PCIE Card Reader (Version: 6.1.7601.27015)

ResearchSoft Direct Export Helper

Security Task Manager 1.8g (Version: 1.8g)

Serious Sam 2

Serious Sam HD: The Second Encounter

Serious Sam: The Random Encounter

Skype™ 6.1 (Version: 6.1.129)

Spybot - Search & Destroy (Version: 2.0.12)

Steam (Version: 1.0.0.0)

SUPERAntiSpyware (Version: 5.6.1020)

swMSM (Version: 12.0.0.1)

Torchlight II

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

VLC media player 2.0.5 (Version: 2.0.5)

WinFlash (Version: 2.41.0)

WinRAR 4.20 (64-bit) (Version: 4.20.0)

XnView 1.99.6 (Version: 1.99.6)

 

==================== Restore Points  =========================

 

05-05-2013 05:59:00 Windows Update

18-05-2013 01:09:09 Windows Update

22-05-2013 01:11:32 Windows Update

22-05-2013 08:31:47 Windows Update

29-05-2013 12:43:24 Windows Update

31-05-2013 05:56:48 Windows Update

05-06-2013 01:37:14 Windows Update

11-06-2013 13:23:09 Windows Update

12-06-2013 00:58:35 Windows Update

12-06-2013 02:38:38 Device Driver Package Install: DT Soft Ltd System devices

 

==================== Hosts content: ==========================

# Copyright © 1993-2009 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

 

# localhost name resolution is handled within DNS itself.

# # # Start of entries inserted by Spybot - Search & Destroy

# This list is Copyright 2000-2010 Safer-Networking Ltd.

# End of entries inserted by Spybot - Search & Destroy

 

# 127.0.0.1       localhost

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

 

There are more than 1000 lines starting with "127.0.0.1"

 

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (06/12/2013 00:38:39 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (06/12/2013 10:59:05 AM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (06/11/2013 11:23:32 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (06/05/2013 09:27:38 PM) (Source: Application Error) (User: )

Description: Faulting application name: WINWORD.EXE, version: 14.0.4734.1000, time stamp: 0x4b58fb0e

Faulting module name: wwlib.dll, version: 14.0.4734.1000, time stamp: 0x4b58fba1

Exception code: 0xc0000005

Fault offset: 0x00261bae

Faulting process id: 0x1a18

Faulting application start time: 0xWINWORD.EXE0

Faulting application path: WINWORD.EXE1

Faulting module path: WINWORD.EXE2

Report Id: WINWORD.EXE3

 

Error: (06/05/2013 11:37:24 AM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (05/31/2013 03:56:55 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The index cannot be initialized.

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The application cannot be initialized.

 

Context: Windows Application

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The gatherer object cannot be initialized.

 

Context: Windows Application, SystemIndex Catalog

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

 

System errors:

=============

Error: (06/12/2013 07:19:08 PM) (Source: Service Control Manager) (User: )

Description: The Steam Client Service service failed to start due to the following error:

%%1053

 

Error: (06/12/2013 07:19:08 PM) (Source: Service Control Manager) (User: )

Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

 

Error: (06/12/2013 07:01:26 PM) (Source: DCOM) (User: )

Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

 

Error: (06/12/2013 07:01:00 PM) (Source: DCOM) (User: )

Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

 

Error: (06/02/2013 04:09:47 PM) (Source: Disk) (User: )

Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

Error: (06/02/2013 04:09:46 PM) (Source: Disk) (User: )

Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

Error: (06/02/2013 04:09:45 PM) (Source: Disk) (User: )

Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

Error: (06/01/2013 07:45:50 PM) (Source: Microsoft Antimalware) (User: )

Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 

New Signature Version:

 

Previous Signature Version: 1.151.1306.0

 

Update Source: %NT AUTHORITY59

 

Update Stage: 4.2.0223.00

 

Source Path: 4.2.0223.01

 

Signature Type: %NT AUTHORITY602

 

Update Type: %NT AUTHORITY604

 

User: NT AUTHORITY\SYSTEM

 

Current Engine Version: %NT AUTHORITY605

 

Previous Engine Version: %NT AUTHORITY606

 

Error code: %NT AUTHORITY607

 

Error description: %NT AUTHORITY608

 

Error: (06/01/2013 07:08:32 PM) (Source: Microsoft Antimalware) (User: )

Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 

New Signature Version:

 

Previous Signature Version: 1.151.1306.0

 

Update Source: %NT AUTHORITY59

 

Update Stage: 4.2.0223.00

 

Source Path: 4.2.0223.01

 

Signature Type: %NT AUTHORITY602

 

Update Type: %NT AUTHORITY604

 

User: NT AUTHORITY\SYSTEM

 

Current Engine Version: %NT AUTHORITY605

 

Previous Engine Version: %NT AUTHORITY606

 

Error code: %NT AUTHORITY607

 

Error description: %NT AUTHORITY608

 

Error: (06/01/2013 05:21:41 PM) (Source: Microsoft Antimalware) (User: )

Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 

New Signature Version:

 

Previous Signature Version: 1.151.1306.0

 

Update Source: %NT AUTHORITY59

 

Update Stage: 4.2.0223.00

 

Source Path: 4.2.0223.01

 

Signature Type: %NT AUTHORITY602

 

Update Type: %NT AUTHORITY604

 

User: NT AUTHORITY\SYSTEM

 

Current Engine Version: %NT AUTHORITY605

 

Previous Engine Version: %NT AUTHORITY606

 

Error code: %NT AUTHORITY607

 

Error description: %NT AUTHORITY608

 

 

Microsoft Office Sessions:

=========================

Error: (06/12/2013 00:38:39 PM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (06/12/2013 10:59:05 AM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (06/11/2013 11:23:32 PM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (06/05/2013 09:27:38 PM) (Source: Application Error)(User: )

Description: WINWORD.EXE14.0.4734.10004b58fb0ewwlib.dll14.0.4734.10004b58fba1c000000500261bae1a1801ce60229cb3c2f1C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXEC:\Program Files (x86)\Microsoft Office\Office14\wwlib.dllec9fa9ec-cdd2-11e2-a0e0-10bf4813637e

 

Error: (06/05/2013 11:37:24 AM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (05/31/2013 03:56:55 PM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description:

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

The catalog is corrupt

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description:

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description: Context: Windows Application

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description: Context: Windows Application, SystemIndex Catalog

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

 

==================== Memory info ===========================

 

Percentage of memory in use: 48%

Total physical RAM: 3981.91 MB

Available physical RAM: 2058.49 MB

Total Pagefile: 7962.01 MB

Available Pagefile: 5415.36 MB

Total Virtual: 8192 MB

Available Virtual: 8191.8 MB

 

==================== Drives ================================

 

Drive c: (OS) (Fixed) (Total:300 GB) (Free:179.59 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]

Drive d: (DATA) (Fixed) (Total:373.32 GB) (Free:247.64 GB) NTFS (Disk=0 Partition=4)

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 699 GB) (Disk ID: 89BD900E)

 

Partition: GPT Partition Type

==================== End Of Log ============================

GMER Log

Below is the GMER Log. When I ran the .exe it prompted the message below. I clicked OK and set up the scan as instructed, but when it ran it prompted the message below twice more.

C:\ windows\system32\config\system : the process cannot access the file because it is in use by another process

 

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-06-12 22:41:27

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST750LM0 rev.2AR1 698.64GB

Running: ex6el844.exe; Driver: C:\Users\Radulosk\AppData\Local\Temp\kxtdikog.sys

 

 

---- Threads - GMER 2.1 ----

 

Thread   [1012:188]                                                     0000000076167587

Thread   [1012:396]                                                     0000000077442e25

Thread   [1012:1580]                                                    0000000074a86430

Thread   [1012:1584]                                                    0000000074a86430

Thread   [1012:1588]                                                    0000000074a86430

Thread   [1012:1592]                                                    0000000074a86430

Thread   [1012:1596]                                                    0000000074a86430

Thread   [1012:1600]                                                    0000000074a86430

Thread   [1012:1604]                                                    0000000074a86430

Thread   [1012:1608]                                                    0000000074a86430

Thread   [1012:1612]                                                    0000000074a86430

Thread   [1012:1616]                                                    0000000074a86430

Thread   [1012:1556]                                                    0000000077443e45

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:3740]  000007fefb5d2a7c

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5248]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5252]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5256]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5260]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5264]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5268]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5272]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5276]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5284]  0000000180027010

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5300]  0000000180027010

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                           unknown MBR code

---- EOF - GMER 2.1 ----

Hiya Marius,

Thanks for offering your time to help those less capable. I will do my best to make it as smooth as possible for you to help me out.

I have run FRST 64-bit and attached the log file below.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2013 03

Ran by Radulosk (administrator) on 12-06-2013 22:23:49

Running from C:\Users\Radulosk\Desktop

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Emsi Software GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe

(ASUSTeK Computer Inc.) C:\Windows\system32\FBAgent.exe

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

(ASUS) C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

() C:\Windows\System32\rpcnetp.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe

(ASUS) C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe

(ASUS) C:\Windows\AsScrPro.exe

(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe

(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe

(Astrill) C:\Program Files (x86)\Astrill\astrill.exe

(Astrill) C:\Program Files (x86)\Astrill\ASProxy.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Microsoft Corporation) C:\Windows\system32\mspaint.exe

(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [6330568 2013-03-21] (ESET)

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2661672 2012-02-20] (ELAN Microelectronics Corp.)

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)

HKCU\...\Run: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean [3713032 2012-11-13] (Safer-Networking Ltd.)

HKCU\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1641896 2013-06-07] (Valve Corporation)

HKCU\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5622512 2013-05-15] (SUPERAntiSpyware.com)

HKCU\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3672640 2013-03-14] (Disc Soft Ltd)

HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-02-07] (Intel Corporation)

HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-20] (CyberLink Corp.)

HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-20] (ASUS)

HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-01-21] (Microsoft Corporation)

HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [318080 2011-12-23] (ASUSTek Computer Inc.)

HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-25] (ASUS)

HKLM-x32\...\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [2984688 2011-07-18] (ASUSTek Computer Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\AsusVibeLauncher.lnk

ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (No File)

BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com

HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

Winsock: Catalog9 01 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 02 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 03 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 04 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9 16 C:\Windows\system32\ASProxy.dll File Not found ()

Winsock: Catalog9-x64 01 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 02 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 03 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 04 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Winsock: Catalog9-x64 16 C:\Windows\system32\ASProxy64.dll [468392] (Astrill)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 192.168.2.2 111.209.253.2

FireFox:

========

FF ProfilePath: C:\Users\Radulosk\AppData\Roaming\Mozilla\Firefox\Profiles\5hvsaq47.default

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_149.dll ()

FF Plugin: @java.com/DTPlugin,version=10.13.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.13.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()

FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)

FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

FF Plugin-x32: @java.com/DTPlugin,version=10.13.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.13.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File

FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF Extension: No Name - C:\Users\Radulosk\AppData\Roaming\Mozilla\Firefox\Profiles\5hvsaq47.default\Extensions\addon@astrill.com

Chrome:

=======

CHR HomePage: hxxp://www.google.com/ig/redirectdomain?brand=ASUT&bmod=ASUT

CHR RestoreOnStartup: "hxxp://www.google.com.au/"

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\pdf.dll ()

CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

CHR Plugin: (Java™ Platform SE 7 U13) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File

CHR Plugin: (Zeon Plus) - C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll No File

CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File

CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)

CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()

CHR Plugin: (Java Deployment Toolkit 7.0.130.20) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

CHR Extension: (Google Docs) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0

CHR Extension: (Google Drive) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0

CHR Extension: (YouTube) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0

CHR Extension: (Google Search) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0

CHR Extension: (AdBlock) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.63_0

CHR Extension: (Gmail) - C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-24] (SUPERAntiSpyware.com)

R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [3045688 2011-10-03] (Emsi Software GmbH)

S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)

R3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1917864 2013-01-09] (Astrill)

R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [277120 2012-02-04] (ASUS)

R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1341664 2013-03-21] (ESET)

R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-17] ()

R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-17] (Intel Corporation)

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)

R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)

R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [85800 2011-02-20] (Emsi Software GmbH)

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [85800 2011-02-20] (Emsi Software GmbH)

R3 AiCharger; C:\Windows\SysWow64\DRIVERS\AiCharger.sys [17152 2012-01-31] (ASUSTek Computer Inc.)

R3 AsusVBus; C:\Windows\System32\DRIVERS\AsusVBus.sys [35968 2011-12-22] (Windows ® Win 7 DDK provider)

R3 AsusVTouch; C:\Windows\System32\DRIVERS\AsusVTouch.sys [16512 2011-11-08] (Windows ® Win 7 DDK provider)

R3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2013-06-12] (DT Soft Ltd)

R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [213416 2013-02-20] (ESET)

R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [150616 2013-01-10] (ESET)

R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [139768 2013-01-10] (ESET)

R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-12 22:15 - 2013-06-12 22:15 - 00377856 ____A C:\Users\Radulosk\Desktop\ex6el844.exe

2013-06-12 22:11 - 2013-06-12 22:11 - 00000000 ____D C:\FRST

2013-06-12 22:09 - 2013-06-12 22:09 - 01920250 ____A (Farbar) C:\Users\Radulosk\Desktop\FRST64.exe

2013-06-12 19:20 - 2011-09-21 18:11 - 00003641 ____A C:\readme_ru.txt

2013-06-12 19:20 - 2011-09-21 18:11 - 00003114 ____A C:\readme_en.txt

2013-06-12 19:20 - 2011-09-20 03:02 - 00083968 ____A (Esage Lab) C:\boot_cleaner.exe

2013-06-12 19:06 - 2013-06-12 19:06 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\11355026.sys

2013-06-12 18:59 - 2013-06-12 18:59 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Radulosk\Downloads\tdsskiller.exe

2013-06-12 18:59 - 2013-06-12 18:59 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\54378501.sys

2013-06-12 18:50 - 2011-09-21 18:11 - 00003641 ____A C:\Users\Radulosk\Desktop\readme_ru.txt

2013-06-12 18:50 - 2011-09-21 18:11 - 00003114 ____A C:\Users\Radulosk\Desktop\readme_en.txt

2013-06-12 18:50 - 2011-09-20 03:02 - 00083968 ____A (Esage Lab) C:\Users\Radulosk\Desktop\boot_cleaner.exe

2013-06-12 18:49 - 2013-06-12 18:49 - 00044607 ____A C:\Users\Radulosk\Downloads\bootkit_remover.zip

2013-06-12 18:48 - 2013-06-12 18:48 - 00001813 ____A C:\Users\Radulosk\Desktop\aswMBR.txt

2013-06-12 18:48 - 2013-06-12 18:48 - 00000512 ____A C:\Users\Radulosk\Desktop\MBR.dat

2013-06-12 16:49 - 2013-06-12 16:51 - 04745728 ____A (AVAST Software) C:\Users\Radulosk\Downloads\aswMBR.exe

2013-06-12 16:43 - 2013-06-12 16:44 - 00000000 ____D C:\Users\Radulosk\Desktop\word docs

2013-06-12 16:43 - 2013-05-31 15:54 - 00658624 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autoruns.exe

2013-06-12 16:43 - 2013-05-31 15:54 - 00577728 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autorunsc.exe

2013-06-12 16:43 - 2013-03-17 16:52 - 00049518 ____A C:\Users\Radulosk\Desktop\autoruns.chm

2013-06-12 16:43 - 2006-07-28 09:32 - 00007005 ____A C:\Users\Radulosk\Desktop\Eula.txt

2013-06-12 16:42 - 2013-06-12 16:42 - 00550867 ____A C:\Users\Radulosk\Downloads\Autoruns.zip

2013-06-12 12:36 - 2013-06-12 12:42 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\DAEMON Tools Lite

2013-06-12 12:36 - 2013-06-12 12:38 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys

2013-06-12 12:36 - 2013-06-12 12:36 - 00000000 ____D C:\Program Files (x86)\DAEMON Tools Lite

2013-06-12 12:35 - 2013-06-12 12:36 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite

2013-06-12 12:34 - 2013-06-12 12:35 - 13901152 ____A (Disc Soft Ltd) C:\Users\Radulosk\Downloads\DTLite4471-0333.exe

2013-06-05 21:12 - 2013-06-05 21:12 - 00004757 ____A C:\Users\Radulosk\Downloads\savedrecs (8).ciw

2013-06-02 16:26 - 2013-06-02 16:27 - 09233420 ____A C:\Users\Radulosk\Desktop\thesis 1 .xps

2013-05-31 21:34 - 2013-05-31 23:12 - 00000000 ____D C:\Users\Radulosk\Desktop\bioshock

2013-05-31 13:04 - 2013-06-12 19:08 - 00548864 ____A C:\Windows\WindowsUpdate.log

2013-05-31 13:02 - 2013-06-12 19:03 - 00000616 ____A C:\Windows\setupact.log

2013-05-31 13:02 - 2013-05-31 13:02 - 00000000 ____A C:\Windows\setuperr.log

2013-05-31 12:03 - 2013-06-12 20:03 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 3a09af33-5b5f-48d6-ad03-651b05b9d5d4.job

2013-05-31 12:03 - 2013-06-12 02:00 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 1cbbee14-3008-46f5-a99c-142b4a717909.job

2013-05-31 12:03 - 2013-05-31 12:03 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2013-05-31 12:02 - 2013-05-31 12:03 - 25934296 ____A (SUPERAntiSpyware.com) C:\Users\Radulosk\Downloads\SUPERAntiSpyware.exe

2013-05-31 11:43 - 2013-05-31 11:43 - 00001945 ____A C:\Windows\epplauncher.mif

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2013-05-31 11:42 - 2013-05-31 11:42 - 13475464 ____A (Microsoft Corporation) C:\Users\Radulosk\Downloads\mseinstall.exe

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-31 11:09 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-05-31 11:07 - 2013-05-31 11:07 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Radulosk\Downloads\mbam-setup-1.75.0.1300.exe

2013-05-31 10:59 - 2013-05-31 10:59 - 00850929 ____A C:\Users\Radulosk\AppData\Local\census.cache

2013-05-31 10:59 - 2013-05-31 10:59 - 00100799 ____A C:\Users\Radulosk\AppData\Local\ars.cache

2013-05-31 10:48 - 2013-05-31 10:48 - 02406064 ____A (Trend Micro Inc.) C:\Users\Radulosk\Downloads\HousecallLauncher64.exe

2013-05-31 10:48 - 2013-05-31 10:48 - 00000036 ____A C:\Users\Radulosk\AppData\Local\housecall.guid.cache

2013-05-31 08:09 - 2013-05-31 08:11 - 00000000 ____D C:\Users\Radulosk\Desktop\Audio Book - The Fabric of the Cosmos (Brian Greene)

2013-05-31 08:08 - 2013-05-31 08:09 - 00000000 ____D C:\Users\Radulosk\Desktop\Pale Blue Dot -- Audiobook and E-book by Carl Sagan, 10 hrs

2013-05-31 07:59 - 2013-05-31 08:01 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol3

2013-05-31 07:58 - 2013-05-31 07:58 - 00000000 ____D C:\Users\Radulosk\Desktop\Arthur C. Clarke - Childhood's End (ebook and audiobook)

2013-05-31 07:56 - 2013-05-31 07:58 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol4

2013-05-26 14:51 - 2013-05-26 14:51 - 09929981 ____A C:\Users\Radulosk\Desktop\qcm schematic.pptx

2013-05-24 16:40 - 2013-05-24 16:42 - 09879610 ____A C:\Users\Radulosk\Desktop\qcm for panels.tif

2013-05-24 16:27 - 2013-05-24 16:31 - 00011726 ____A C:\Users\Radulosk\Desktop\cistein.tif

2013-05-24 16:24 - 2013-05-24 16:24 - 04940690 ____A C:\Users\Radulosk\Desktop\qcm.tif

2013-05-22 18:32 - 2013-04-05 16:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-22 18:32 - 2013-04-05 16:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-22 18:32 - 2013-04-05 16:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-22 18:32 - 2013-04-05 16:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-22 18:32 - 2013-04-05 16:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-22 18:32 - 2013-04-05 15:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-22 18:32 - 2013-04-05 15:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-22 18:32 - 2013-04-05 15:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-22 18:32 - 2013-04-05 14:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-22 18:32 - 2013-04-05 14:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-22 18:32 - 2013-04-05 13:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-22 18:32 - 2013-04-05 13:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-22 18:31 - 2013-06-05 17:18 - 00000000 ____D C:\Users\Radulosk\Desktop\final chapters split

2013-05-18 11:10 - 2013-04-10 16:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-18 11:10 - 2013-04-10 16:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-18 11:10 - 2013-04-10 13:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-18 11:10 - 2013-02-27 16:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-18 11:10 - 2013-02-27 15:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-18 11:10 - 2013-02-27 15:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-18 11:10 - 2013-02-27 15:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-18 11:10 - 2013-02-27 15:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-18 11:10 - 2013-02-27 14:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-18 11:10 - 2013-02-27 14:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-18 11:10 - 2013-02-27 14:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-18 11:10 - 2011-02-03 21:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

==================== One Month Modified Files and Folders =======

2013-06-12 22:15 - 2013-06-12 22:15 - 00377856 ____A C:\Users\Radulosk\Desktop\ex6el844.exe

2013-06-12 22:14 - 2009-07-14 14:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-12 22:14 - 2009-07-14 14:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-12 22:11 - 2013-06-12 22:11 - 00000000 ____D C:\FRST

2013-06-12 22:09 - 2013-06-12 22:09 - 01920250 ____A (Farbar) C:\Users\Radulosk\Desktop\FRST64.exe

2013-06-12 21:29 - 2013-02-11 14:38 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-12 20:03 - 2013-05-31 12:03 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 3a09af33-5b5f-48d6-ad03-651b05b9d5d4.job

2013-06-12 19:23 - 2013-02-24 15:42 - 00003582 ____A C:\Windows\SysWOW64\ASProxy.ini

2013-06-12 19:23 - 2013-02-24 15:42 - 00001976 ____A C:\Windows\SysWOW64\ASProxyOff.ini

2013-06-12 19:23 - 2013-02-24 15:42 - 00001976 ____A C:\Windows\System32\ASProxyOff.ini

2013-06-12 19:19 - 2013-02-11 14:39 - 00000000 ____D C:\Program Files (x86)\Steam

2013-06-12 19:11 - 2009-07-14 15:13 - 00741696 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-12 19:08 - 2013-05-31 13:04 - 00548864 ____A C:\Windows\WindowsUpdate.log

2013-06-12 19:06 - 2013-06-12 19:06 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\11355026.sys

2013-06-12 19:05 - 2012-09-13 05:59 - 00002032 ____A C:\Windows\System32\AutoRunFilter.ini

2013-06-12 19:04 - 2012-09-13 05:52 - 00000828 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

2013-06-12 19:03 - 2013-05-31 13:02 - 00000616 ____A C:\Windows\setupact.log

2013-06-12 19:03 - 2011-07-18 09:10 - 00017920 ____A C:\Windows\SysWOW64\rpcnetp.dll

2013-06-12 19:03 - 2011-07-18 09:09 - 00017920 ____A C:\Windows\SysWOW64\rpcnetp.exe

2013-06-12 19:03 - 2011-07-18 09:09 - 00017920 ____A C:\Windows\System32\rpcnetp.exe

2013-06-12 19:03 - 2009-07-14 15:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-12 18:59 - 2013-06-12 18:59 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Radulosk\Downloads\tdsskiller.exe

2013-06-12 18:59 - 2013-06-12 18:59 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\54378501.sys

2013-06-12 18:49 - 2013-06-12 18:49 - 00044607 ____A C:\Users\Radulosk\Downloads\bootkit_remover.zip

2013-06-12 18:48 - 2013-06-12 18:48 - 00001813 ____A C:\Users\Radulosk\Desktop\aswMBR.txt

2013-06-12 18:48 - 2013-06-12 18:48 - 00000512 ____A C:\Users\Radulosk\Desktop\MBR.dat

2013-06-12 16:51 - 2013-06-12 16:49 - 04745728 ____A (AVAST Software) C:\Users\Radulosk\Downloads\aswMBR.exe

2013-06-12 16:44 - 2013-06-12 16:43 - 00000000 ____D C:\Users\Radulosk\Desktop\word docs

2013-06-12 16:42 - 2013-06-12 16:42 - 00550867 ____A C:\Users\Radulosk\Downloads\Autoruns.zip

2013-06-12 14:04 - 2012-09-13 05:52 - 00000830 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

2013-06-12 12:42 - 2013-06-12 12:36 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\DAEMON Tools Lite

2013-06-12 12:38 - 2013-06-12 12:36 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys

2013-06-12 12:36 - 2013-06-12 12:36 - 00000000 ____D C:\Program Files (x86)\DAEMON Tools Lite

2013-06-12 12:36 - 2013-06-12 12:35 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite

2013-06-12 12:35 - 2013-06-12 12:34 - 13901152 ____A (Disc Soft Ltd) C:\Users\Radulosk\Downloads\DTLite4471-0333.exe

2013-06-12 02:00 - 2013-05-31 12:03 - 00000516 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 1cbbee14-3008-46f5-a99c-142b4a717909.job

2013-06-05 21:12 - 2013-06-05 21:12 - 00004757 ____A C:\Users\Radulosk\Downloads\savedrecs (8).ciw

2013-06-05 17:18 - 2013-05-22 18:31 - 00000000 ____D C:\Users\Radulosk\Desktop\final chapters split

2013-06-02 16:27 - 2013-06-02 16:26 - 09233420 ____A C:\Users\Radulosk\Desktop\thesis 1 .xps

2013-06-01 19:55 - 2013-02-21 07:23 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\vlc

2013-05-31 23:12 - 2013-05-31 21:34 - 00000000 ____D C:\Users\Radulosk\Desktop\bioshock

2013-05-31 15:58 - 2013-02-12 09:57 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-31 15:54 - 2013-06-12 16:43 - 00658624 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autoruns.exe

2013-05-31 15:54 - 2013-06-12 16:43 - 00577728 ____A (Sysinternals - www.sysinternals.com) C:\Users\Radulosk\Desktop\autorunsc.exe

2013-05-31 13:03 - 2012-09-13 05:59 - 00001494 ____A C:\Windows\System32\ServiceFilter.ini

2013-05-31 13:02 - 2013-05-31 13:02 - 00000000 ____A C:\Windows\setuperr.log

2013-05-31 13:00 - 2009-07-29 16:03 - 00000000 ____D C:\Windows\Panther

2013-05-31 12:03 - 2013-05-31 12:03 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com

2013-05-31 12:03 - 2013-05-31 12:03 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2013-05-31 12:03 - 2013-05-31 12:02 - 25934296 ____A (SUPERAntiSpyware.com) C:\Users\Radulosk\Downloads\SUPERAntiSpyware.exe

2013-05-31 11:43 - 2013-05-31 11:43 - 00001945 ____A C:\Windows\epplauncher.mif

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-05-31 11:43 - 2013-05-31 11:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2013-05-31 11:42 - 2013-05-31 11:42 - 13475464 ____A (Microsoft Corporation) C:\Users\Radulosk\Downloads\mseinstall.exe

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-31 11:09 - 2013-05-31 11:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-31 11:07 - 2013-05-31 11:07 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Radulosk\Downloads\mbam-setup-1.75.0.1300.exe

2013-05-31 10:59 - 2013-05-31 10:59 - 00850929 ____A C:\Users\Radulosk\AppData\Local\census.cache

2013-05-31 10:59 - 2013-05-31 10:59 - 00100799 ____A C:\Users\Radulosk\AppData\Local\ars.cache

2013-05-31 10:48 - 2013-05-31 10:48 - 02406064 ____A (Trend Micro Inc.) C:\Users\Radulosk\Downloads\HousecallLauncher64.exe

2013-05-31 10:48 - 2013-05-31 10:48 - 00000036 ____A C:\Users\Radulosk\AppData\Local\housecall.guid.cache

2013-05-31 08:11 - 2013-05-31 08:09 - 00000000 ____D C:\Users\Radulosk\Desktop\Audio Book - The Fabric of the Cosmos (Brian Greene)

2013-05-31 08:09 - 2013-05-31 08:08 - 00000000 ____D C:\Users\Radulosk\Desktop\Pale Blue Dot -- Audiobook and E-book by Carl Sagan, 10 hrs

2013-05-31 08:01 - 2013-05-31 07:59 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol3

2013-05-31 07:58 - 2013-05-31 07:58 - 00000000 ____D C:\Users\Radulosk\Desktop\Arthur C. Clarke - Childhood's End (ebook and audiobook)

2013-05-31 07:58 - 2013-05-31 07:56 - 00000000 ____D C:\Users\Radulosk\Desktop\Clarke Collected Stories Vol4

2013-05-29 23:32 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\rescache

2013-05-26 14:51 - 2013-05-26 14:51 - 09929981 ____A C:\Users\Radulosk\Desktop\qcm schematic.pptx

2013-05-24 16:42 - 2013-05-24 16:40 - 09879610 ____A C:\Users\Radulosk\Desktop\qcm for panels.tif

2013-05-24 16:31 - 2013-05-24 16:27 - 00011726 ____A C:\Users\Radulosk\Desktop\cistein.tif

2013-05-24 16:24 - 2013-05-24 16:24 - 04940690 ____A C:\Users\Radulosk\Desktop\qcm.tif

2013-05-23 16:08 - 2009-07-14 14:45 - 00337736 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-22 18:31 - 2013-02-11 15:13 - 00000000 ____D C:\Users\Radulosk\AppData\Roaming\Skype

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

LastRegBack: 2013-06-03 16:52

 

==================== End Of Log ============================

 

Below is the FRST Additional Log.

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-06-2013 03

Ran by Radulosk at 2013-06-12 22:25:00 Run:

Running from C:\Users\Radulosk\Desktop

Boot Mode: Normal

==========================================================

 

 

==================== Installed Programs =======================

 

3DMark 11 (Version: 1.0.3)

Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)

Adobe Flash Player 11 Plugin (Version: 11.5.502.149)

Adobe Shockwave Player 11.6 (Version: 11.6.8.638)

Astrill

ASUS AI Recovery (Version: 1.0.23)

ASUS LifeFrame3 (Version: 3.0.29)

ASUS Power4Gear Hybrid (Version: 1.2.0)

ASUS USB Charger Plus (Version: 2.0.8)

ASUS Virtual Touch (Version: 1.0.9)

ATK Package (Version: 1.0.0015)

CCleaner (Version: 3.27)

CyberLink Power2Go (Version: 6.1.3602c)

DAEMON Tools Lite (Version: 4.47.1.0333)

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Emsisoft Anti-Malware 5.1 (Version: 5.1)

EndNote X6 (Version: 16.0.0.6348)

ESET NOD32 Antivirus (Version: 6.0.316.0)

ETDWare PS/2-X64 10.5.9.0 (Version: 10.5.9.0)

Fast Boot (Version: 1.0.10)

Foxit Reader (Version: 5.4.5.124)

Futuremark SystemInfo (Version: 4.6.0)

Google Chrome (Version: 24.0.1312.57)

Google Update Helper (Version: 1.3.21.123)

InstantOn for NB (Version: 2.1.10)

Intel® Manageability Engine Firmware Recovery Agent (Version: 1.0.0.35132)

Intel® Management Engine Components (Version: 8.0.0.1351)

Intel® Processor Graphics (Version: 9.17.10.2932)

Intel® SDK for OpenCL - CPU Only Runtime Package (Version: 2.0.0.37149)

Intel® USB 3.0 eXtensible Host Controller Driver (Version: 1.0.3.214)

Intel® Trusted Connect Service Client (Version: 1.23.216.0)

Java 7 Update 13 (64-bit) (Version: 7.0.130)

Java 7 Update 13 (Version: 7.0.130)

Java Auto Updater (Version: 2.1.9.0)

Legend of Grimrock

Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4734.1000)

Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000)

Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)

Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)

Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)

Microsoft Security Client (Version: 4.2.0223.1)

Microsoft Security Essentials (Version: 4.2.223.1)

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)

Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)

Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)

Mozilla Firefox 18.0.2 (x86 en-US) (Version: 18.0.2)

Mozilla Maintenance Service (Version: 18.0.2)

Paint.NET v3.5.10 (Version: 3.60.0)

Portal 2

Qualcomm Atheros WiFi Driver Installation (Version: 9.2)

Realtek Ethernet Controller Driver (Version: 7.48.823.2011)

Realtek High Definition Audio Driver (Version: 6.0.1.6570)

Realtek PCIE Card Reader (Version: 6.1.7601.27015)

ResearchSoft Direct Export Helper

Security Task Manager 1.8g (Version: 1.8g)

Serious Sam 2

Serious Sam HD: The Second Encounter

Serious Sam: The Random Encounter

Skype™ 6.1 (Version: 6.1.129)

Spybot - Search & Destroy (Version: 2.0.12)

Steam (Version: 1.0.0.0)

SUPERAntiSpyware (Version: 5.6.1020)

swMSM (Version: 12.0.0.1)

Torchlight II

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

VLC media player 2.0.5 (Version: 2.0.5)

WinFlash (Version: 2.41.0)

WinRAR 4.20 (64-bit) (Version: 4.20.0)

XnView 1.99.6 (Version: 1.99.6)

 

==================== Restore Points  =========================

 

05-05-2013 05:59:00 Windows Update

18-05-2013 01:09:09 Windows Update

22-05-2013 01:11:32 Windows Update

22-05-2013 08:31:47 Windows Update

29-05-2013 12:43:24 Windows Update

31-05-2013 05:56:48 Windows Update

05-06-2013 01:37:14 Windows Update

11-06-2013 13:23:09 Windows Update

12-06-2013 00:58:35 Windows Update

12-06-2013 02:38:38 Device Driver Package Install: DT Soft Ltd System devices

 

==================== Hosts content: ==========================

# Copyright © 1993-2009 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

 

# localhost name resolution is handled within DNS itself.

# # # Start of entries inserted by Spybot - Search & Destroy

# This list is Copyright 2000-2010 Safer-Networking Ltd.

# End of entries inserted by Spybot - Search & Destroy

 

# 127.0.0.1       localhost

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

 

There are more than 1000 lines starting with "127.0.0.1"

 

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (06/12/2013 00:38:39 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (06/12/2013 10:59:05 AM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (06/11/2013 11:23:32 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (06/05/2013 09:27:38 PM) (Source: Application Error) (User: )

Description: Faulting application name: WINWORD.EXE, version: 14.0.4734.1000, time stamp: 0x4b58fb0e

Faulting module name: wwlib.dll, version: 14.0.4734.1000, time stamp: 0x4b58fba1

Exception code: 0xc0000005

Fault offset: 0x00261bae

Faulting process id: 0x1a18

Faulting application start time: 0xWINWORD.EXE0

Faulting application path: WINWORD.EXE1

Faulting module path: WINWORD.EXE2

Report Id: WINWORD.EXE3

 

Error: (06/05/2013 11:37:24 AM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (05/31/2013 03:56:55 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

 

 

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

.

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The index cannot be initialized.

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The application cannot be initialized.

 

Context: Windows Application

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service) (User: )

Description: The gatherer object cannot be initialized.

 

Context: Windows Application, SystemIndex Catalog

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

 

System errors:

=============

Error: (06/12/2013 07:19:08 PM) (Source: Service Control Manager) (User: )

Description: The Steam Client Service service failed to start due to the following error:

%%1053

 

Error: (06/12/2013 07:19:08 PM) (Source: Service Control Manager) (User: )

Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

 

Error: (06/12/2013 07:01:26 PM) (Source: DCOM) (User: )

Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

 

Error: (06/12/2013 07:01:00 PM) (Source: DCOM) (User: )

Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

 

Error: (06/02/2013 04:09:47 PM) (Source: Disk) (User: )

Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

Error: (06/02/2013 04:09:46 PM) (Source: Disk) (User: )

Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

Error: (06/02/2013 04:09:45 PM) (Source: Disk) (User: )

Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

Error: (06/01/2013 07:45:50 PM) (Source: Microsoft Antimalware) (User: )

Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 

New Signature Version:

 

Previous Signature Version: 1.151.1306.0

 

Update Source: %NT AUTHORITY59

 

Update Stage: 4.2.0223.00

 

Source Path: 4.2.0223.01

 

Signature Type: %NT AUTHORITY602

 

Update Type: %NT AUTHORITY604

 

User: NT AUTHORITY\SYSTEM

 

Current Engine Version: %NT AUTHORITY605

 

Previous Engine Version: %NT AUTHORITY606

 

Error code: %NT AUTHORITY607

 

Error description: %NT AUTHORITY608

 

Error: (06/01/2013 07:08:32 PM) (Source: Microsoft Antimalware) (User: )

Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 

New Signature Version:

 

Previous Signature Version: 1.151.1306.0

 

Update Source: %NT AUTHORITY59

 

Update Stage: 4.2.0223.00

 

Source Path: 4.2.0223.01

 

Signature Type: %NT AUTHORITY602

 

Update Type: %NT AUTHORITY604

 

User: NT AUTHORITY\SYSTEM

 

Current Engine Version: %NT AUTHORITY605

 

Previous Engine Version: %NT AUTHORITY606

 

Error code: %NT AUTHORITY607

 

Error description: %NT AUTHORITY608

 

Error: (06/01/2013 05:21:41 PM) (Source: Microsoft Antimalware) (User: )

Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 

New Signature Version:

 

Previous Signature Version: 1.151.1306.0

 

Update Source: %NT AUTHORITY59

 

Update Stage: 4.2.0223.00

 

Source Path: 4.2.0223.01

 

Signature Type: %NT AUTHORITY602

 

Update Type: %NT AUTHORITY604

 

User: NT AUTHORITY\SYSTEM

 

Current Engine Version: %NT AUTHORITY605

 

Previous Engine Version: %NT AUTHORITY606

 

Error code: %NT AUTHORITY607

 

Error description: %NT AUTHORITY608

 

 

Microsoft Office Sessions:

=========================

Error: (06/12/2013 00:38:39 PM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (06/12/2013 10:59:05 AM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (06/11/2013 11:23:32 PM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (06/05/2013 09:27:38 PM) (Source: Application Error)(User: )

Description: WINWORD.EXE14.0.4734.10004b58fb0ewwlib.dll14.0.4734.10004b58fba1c000000500261bae1a1801ce60229cb3c2f1C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXEC:\Program Files (x86)\Microsoft Office\Office14\wwlib.dllec9fa9ec-cdd2-11e2-a0e0-10bf4813637e

 

Error: (06/05/2013 11:37:24 AM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (05/31/2013 03:56:55 PM) (Source: Microsoft-Windows-CAPI2)(User: )

Description:

Details:

AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

 

System Error:

The system cannot find the file specified.

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description:

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

The catalog is corrupt

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description:

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description: Context: Windows Application

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (05/31/2013 01:03:10 PM) (Source: Windows Search Service)(User: )

Description: Context: Windows Application, SystemIndex Catalog

 

 

Details:

The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

 

==================== Memory info ===========================

 

Percentage of memory in use: 48%

Total physical RAM: 3981.91 MB

Available physical RAM: 2058.49 MB

Total Pagefile: 7962.01 MB

Available Pagefile: 5415.36 MB

Total Virtual: 8192 MB

Available Virtual: 8191.8 MB

 

==================== Drives ================================

 

Drive c: (OS) (Fixed) (Total:300 GB) (Free:179.59 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]

Drive d: (DATA) (Fixed) (Total:373.32 GB) (Free:247.64 GB) NTFS (Disk=0 Partition=4)

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 699 GB) (Disk ID: 89BD900E)

 

Partition: GPT Partition Type

==================== End Of Log ============================

GMER Log

Below is the GMER Log. When I ran the .exe it prompted the below message. I clicked OK and set up the scan as instructed, but when it ran it prompted the below message twice more.

"C:\ windows\system32\config\system : the process cannot access the file because it is in use by another process"

 

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-06-12 22:41:27

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST750LM0 rev.2AR1 698.64GB

Running: ex6el844.exe; Driver: C:\Users\Radulosk\AppData\Local\Temp\kxtdikog.sys

 

 

---- Threads - GMER 2.1 ----

 

Thread   [1012:188]                                                     0000000076167587

Thread   [1012:396]                                                     0000000077442e25

Thread   [1012:1580]                                                    0000000074a86430

Thread   [1012:1584]                                                    0000000074a86430

Thread   [1012:1588]                                                    0000000074a86430

Thread   [1012:1592]                                                    0000000074a86430

Thread   [1012:1596]                                                    0000000074a86430

Thread   [1012:1600]                                                    0000000074a86430

Thread   [1012:1604]                                                    0000000074a86430

Thread   [1012:1608]                                                    0000000074a86430

Thread   [1012:1612]                                                    0000000074a86430

Thread   [1012:1616]                                                    0000000074a86430

Thread   [1012:1556]                                                    0000000077443e45

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:3740]  000007fefb5d2a7c

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5248]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5252]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5256]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5260]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5264]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5268]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5272]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5276]  000000018000b730

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5284]  0000000180027010

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4416:5300]  0000000180027010

 

---- Disk sectors - GMER 2.1 ----

 

Disk    \Device\Harddisk0\DR0                                           unknown MBR code

 

---- EOF - GMER 2.1 ----



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 12 June 2013 - 07:54 AM

That's fine! There we go:

Please download Malwarebytes Anti-Rootkit from here (Malwarebytes : Malwarebytes Anti-Rootkit) and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware.

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 sillymonkey

  • Topic Starter

  • Members
  • 22 posts

Posted 12 June 2013 - 07:55 AM

Sorry, I think there was a repeated section in there.



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 12 June 2013 - 08:15 AM

Not that bad! :)



#7 sillymonkey

  • Topic Starter

  • Members
  • 22 posts

Posted 12 June 2013 - 08:24 AM

Updated and ran Malwarebytes Anti-Rootkit, but it claimed no rootkits present. Log attached below.

 

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.16576
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 4175339520, free: 1806299136
 
Downloaded database version: v2013.06.12.04
Downloaded database version: v2013.05.22.01
Initializing...
------------ Kernel report ------------
     06/12/2013 23:07:34
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\30674266.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\iusb3hcs.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\dtsoftbus01.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\eamonm.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\ehdrv.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\AiCharger.sys
\SystemRoot\system32\DRIVERS\iusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\RtsBaStor.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\ETD.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbfiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\asvpndrv.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\AsusVBus.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\AsusVTouch.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\iusb3hub.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\??\C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys
\??\C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\epfwwfpr.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Users\Radulosk\AppData\Local\Temp\kxtdikog.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80047f0790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa800433d050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80047f0790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80047f02c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80047f0790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004339550, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa800433d050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Partition type: GUID
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 3
Partition type: GUID
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
Partition type: GUID
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 89BD900E
 
GPT Protective MBR Partition information:
 
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
GPT Partition information:
 
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 540174697
    GPT Header CurrentLba = 1 BackupLba 1465149167
    GPT Header FirstUsableLba 34  LastUsableLba 1465149134
    GPT Header Guid 5aa1653a-90cf-4eaf-927-95f9823b435a
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
 
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 540174697
    Backup GPT header CurrentLba = 1465149167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 1465149134
    Backup GPT header Guid 5aa1653a-90cf-4eaf-927-95f9823b435a
    Backup GPT header Contains 128 partition entries starting at LBA 1465149135
    Backup GPT header Partition entry size = 128
 
    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 3a5abce4-4165-4586-bb80-23529718207e
    FirstLBA 2048  Last LBA 411647
    Attributes 0
    Partition Name                 EFI system partition
 
    GPT Partition 0 is bootable
    Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 411a7634-84f0-40e7-93a-b93ddf385bfc
    FirstLBA 411648  Last LBA 673791
    Attributes 0
    Partition Name         Microsoft reserved partition
 
    Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 1fde2ffe-aaa0-417d-90bb-4e6c6d75a7b4
    FirstLBA 673792  Last LBA 629819391
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 847c5b1d-79-4fea-811e-78d266b514ab
    FirstLBA 629819392  Last LBA 1412718591
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 4 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID ae7f3d34-da44-4be5-bded-1f2ee02f564b
    FirstLBA 1412718592  Last LBA 1465147391
    Attributes 1
    Partition Name                 Basic data partition
 
Disk Size: 750156374016 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished


#8 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 June 2013 - 08:38 AM

No malware to see...

Scan with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit Delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.


Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#9 sillymonkey (Topic Starter)

Posted 12 June 2013 - 08:47 AM

Running the programs you stated now, will post logs once complete.

Just to let you know that I am still seeing multiple and increasing instances of iexplore.exe running in the background.



#10 sillymonkey (Topic Starter)

Posted 12 June 2013 - 10:17 AM

It has taken quite a while to run those scans; my internet connection is very poor at the moment as I'm currently working from China.

I have run AdwCleaner and attached the log below. Currently ESET is running and has found 3 threats (Win32/OpenCandy application and 2 variants of Win32/Somoto.A applications), but it's taking a long time to finish and I will need to go to sleep and pick this up tomorrow, when I will post you the full logs including Farbar. Take your time responding as I'm sure you are in some other timezone.

Thanks for your help so far, I'll be hot on the case again as soon as I can.

 

 

# AdwCleaner v2.303 - Logfile created 06/12/2013 at 23:51:03
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Radulosk - RADULOSK-PC
# Boot Mode : Normal
# Running from : C:\Users\Radulosk\Downloads\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\ProgramData\Partner
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\Software\PIP
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16576
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v18.0.2 (en-US)
 
File : C:\Users\Radulosk\AppData\Roaming\Mozilla\Firefox\Profiles\5hvsaq47.default\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v24.0.1312.57
 
File : C:\Users\Radulosk\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [1178 octets] - [12/06/2013 23:51:03]
 
########## EOF - C:\AdwCleaner[S1].txt - [1238 octets] ##########


#11 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 June 2013 - 10:29 AM

Alright, sleep well!



#12 sillymonkey (Topic Starter)

Posted 12 June 2013 - 07:58 PM

Hi there,

Managed to complete all the scans you requested; log files follow.

ESET log of threats found:

C:\Users\Radulosk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KGLTY65\bi_downloader[1].exe a variant of Win32/Somoto.A application
C:\Users\Radulosk\AppData\Local\Temp\nskB563.tmp a variant of Win32/Somoto.A application
C:\Users\Radulosk\Downloads\DTLite4471-0333.exe Win32/OpenCandy application
C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30\autochk.exe a variant of Win32/CompuTrace.B application
 
 
Farbar log:
 
Farbar Service Scanner Version: 31-05-2013 01
Ran by Radulosk (administrator) on 13-06-2013 at 09:56:48
Running from "C:\Users\Radulosk\Desktop\farbar"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-06-12 19:28] - [2013-05-08 16:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE
 
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2013-06-12 19:09] - [2013-05-13 15:51] - 0184320 ____A (Microsoft Corporation) D8129C49798CBBFB2E4351D4B7B8EF9C
 
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 



#13 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 June 2013 - 01:17 AM

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    C:\Users\Radulosk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KGLTY65\bi_downloader[1].exe
    C:\Users\Radulosk\AppData\Local\Temp\nskB563.tmp
    C:\Users\Radulosk\Downloads\DTLite4471-0333.exe
    C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30\autochk.exe
     
     
    
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#14 sillymonkey (Topic Starter)

Posted 13 June 2013 - 02:30 AM

Hi there, I ran the fix and the security check; logs below.

 

 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-06-2013 03

Ran by Radulosk at 2013-06-13 17:13:59 Run:1
Running from C:\Users\Radulosk\Desktop
Boot Mode: Normal
==============================================
 
C:\Users\Radulosk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KGLTY65\bi_downloader[1].exe => Moved successfully.
C:\Users\Radulosk\AppData\Local\Temp\nskB563.tmp => Moved successfully.
C:\Users\Radulosk\Downloads\DTLite4471-0333.exe => Moved successfully.
Could not move C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30\autochk.exe. => Scheduled to move on reboot.
 
=========== Result of Scheduled Files to move ===========
C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30\autochk.exe => File moved successfully.
 
==== End of Fixlog ====

Security Check log:

 Results of screen317's Security Check version 0.99.64  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Emsisoft Anti-Malware           
ESET NOD32 Antivirus 6.0        
Microsoft Security Essentials   
 Antivirus out of date! (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 13  
 Java version out of Date! 
 Adobe Flash Player 10 Flash Player out of Date! 
  Adobe Flash Player 11.5.502.149 Flash Player out of Date!  
 Mozilla Firefox 18.0.2 Firefox out of Date!  
 Google Chrome 24.0.1312.57  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
 Spybot Teatimer.exe is disabled! 
 Emsisoft Anti-Malware a2service.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#15 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 June 2013 - 02:37 AM

That's it - your computer is all clean! :)

 

 

Adobe flash player update


Your Adobe flash player is outdated. We will fix this.

  • Get the actual player from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.


Java update


Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer ( Java 7 Update 4 ) and install the software
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.


Mozilla Firefox update

Your Firefox browser is outdated. Please follow these instructions to update it:

  • Get the actual Firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.


Uninstall our tools.
Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix, rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.


Reading Material
How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There is a chance of an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere that is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.

