
Laptop keeps restarting when awoken from 'sleep mode' + occasional 'freezing'


  • This topic is locked
34 replies to this topic

#1 Chris Weeks

Chris Weeks

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:10 AM

Posted 07 July 2013 - 03:58 AM

Hi.

I'm running Windows Vista Home Premium (sp2) on a Sony VAIO laptop.

My laptop was recently infected by a rootkit trojan, which was successfully removed, thanks to some help via your forum(s).

 

While my laptop has been running well since the virus was removed, there have been some notable issues.

My main issue is that when my laptop is in Sleep Mode, and I try to wake it, either by pressing the power button or 'any key', it restarts;

I'm shown the 'windows did not shutdown properly' page on startup, but after clicking 'start windows normally' it boots up fine.

Just before it restarts I see a flicker of a blue screen, which disappears too quickly to read. (I have seen white and red text on this screen).

 

I have had occasional 'crashing/freezing' issues also, where I can still move the mouse/pointer, but there is no response from the keyboard, even ctrl/alt/del.

 

Another thing I have noticed is that my C: Drive seems to keep getting full, even though I am not adding anything to it. (system restore issues perhaps?)

 

Any help with these frustrating issues would be much appreciated.

 

Thanks.

 

Chris.

 

 




 


#2 Chris Weeks

Chris Weeks
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:10 AM

Posted 07 July 2013 - 01:17 PM

Further developments. My laptop will now not fully boot. It gets to the desktop screen, but then freezes when loading the icons in the taskbar. I can move the mouse/pointer, but that is all. I tried a startup repair/system restore and while it went through the motions, the same thing happened on startup.

Your help would be massively appreciated.

 

Will boot in safe mode and run as you would expect in that mode.


Edited by Chris Weeks, 07 July 2013 - 01:34 PM.


#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:01:10 AM

Posted 07 July 2013 - 01:28 PM

Hello, Chris. Seeing as normal mode is pretty much useless now and safe mode is a no-go, I have reported your topic to the people who deal with computers like this. Please wait while one of them comes to assist you; it may be a while, since we have quite a few in line.

 

xXToffeeXx~


Edited by xXToffeeXx, 07 July 2013 - 01:28 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#4 Chris Weeks

Chris Weeks
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:10 AM

Posted 07 July 2013 - 01:49 PM

Thanks, although Safe Mode does now work ;)


Edited by Orange Blossom, 07 July 2013 - 02:47 PM.
Moved to log forum. ~ OB


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,697 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:10 PM

Posted 07 July 2013 - 02:20 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc, or a repair disc made on another computer, can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 


No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
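The FRST.txt that the steps above produce is a plain-text log, and the part a helper reads first is whatever FRST has tagged with "ATTENTION!" (as the ZeroAccess hit on the fastprox CLSID key in the log posted later in this thread), plus the orphaned "[x]" entries and the drivers with no publisher. The triage script below is an added example written for this page; it is not part of the thread, of Farbar's tool or of BleepingComputer's procedure. It assumes the line shapes visible in the posted log (section headers bracketed by "=", "S1 name; path [size date] (Company)" service and driver lines, "[x]" for a missing file, "ATTENTION! ====> family" for a recognised entry); the severity labels, the "user-writable location" list and the choice of scecli as the only stock LSA notification package are this example's own assumptions, and the sample log is constructed from a handful of lines in that style.

```python
"""Triage pass over a Farbar Recovery Scan Tool (FRST.txt) log.

Added example for this page; not part of the thread, of FRST or of the
BleepingComputer procedure. It assumes the line shapes FRST emits, as seen
in the log posted in this thread:
  - section headers such as "==== Registry (Whitelisted) ====",
  - service/driver lines "S1 name; path [size date] (Company)",
  - "[x]" appended where the referenced file no longer exists,
  - "ATTENTION! ====> <family>" appended to entries FRST recognises.
Severity labels and the individual checks are this example's own choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    section: str    # FRST section the line came from
    reason: str
    line: str


SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+\s*$")
# FRST appends "ATTENTION! ====> ZeroAccess" (etc.) to entries it recognises.
ATTENTION_RE = re.compile(r"ATTENTION!\s*=+>\s*(?P<what>.+)$")
# e.g. "S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [135136 2013-03-28] (Avira ...)"
ENTRY_RE = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);\s+(?P<path>.*?)"
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?:\s+\((?P<company>[^)]*)\))?\s*$"
)
LSA_RE = re.compile(r"^Lsa:\s+\[Notification Packages\]\s+(?P<pkgs>.+)$")
# scecli is the stock package (assumption); any other entry is a password-filter
# DLL that sees cleartext passwords on every change and deserves a look.
DEFAULT_LSA_PACKAGES = {"scecli"}
# Locations a non-admin user can normally write to (assumption); a driver or
# service binary living there is unusual for legitimate software.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious fact. Lines before the first section
    header (the banner and FRST's own "ATTENTION!:" update notice) are skipped."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not section:
            continue
        m = ATTENTION_RE.search(line)
        if m:   # FRST already identified the entry; nothing else to add
            findings.append(Finding("high", section,
                                    f"FRST flagged entry: {m.group('what').strip()}", line))
            continue
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m.group("pkgs").split()
                     if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding("medium", section,
                                        "non-default LSA notification package(s): " + ", ".join(extra), line))
            continue
        if line.endswith("[x]"):
            findings.append(Finding("info", section,
                                    "autostart/driver entry whose file is missing on disk", line))
        m = ENTRY_RE.match(line)
        if m:
            path, company = m.group("path"), m.group("company")
            if path == "No ImagePath":
                findings.append(Finding("info", section,
                                        "service/driver entry without an ImagePath", line))
            elif USER_WRITABLE_RE.search(path):
                findings.append(Finding("medium", section,
                                        "service/driver binary in a user-writable location", line))
            if company == "":   # "()" means no publisher in the version info at all
                findings.append(Finding("medium", section,
                                        "binary carries no publisher information", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample in the style of the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-07-2013
Boot Mode: Recovery
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

Winlogon\Notify\psfus: C:\Windows\system32\psqlpwd.dll (UPEK Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKU\Default\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [x]
Lsa: [Notification Packages] scecli psqlpwd

========================== Services (Whitelisted) =================

S4 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2011-04-29] ()
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [84744 2013-03-28] (Avira Operations GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

S1 RapportCerberus_43926; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys [272216 2012-10-30] ()
S3 catchme; \??\C:\Users\admin\AppData\Local\Temp\catchme.sys [x]
S3 Nvsr_seabnt; No ImagePath
"""

if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run it against a real FRST.txt by reading the file into `triage()`; the high finding is the one to act on, while the "[x]" and no-publisher entries are context (leftover tool drivers such as catchme.sys, or hardware vendors that never filled in version info) rather than proof of infection.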


#6 Chris Weeks

Chris Weeks
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:10 AM

Posted 07 July 2013 - 02:30 PM

Hi, thanks for responding. Quick update... I tried a 'Clean Boot' and I am now back up and running, without any freezing (driver issue, program issue perhaps?). Although I will now follow your instructions.

Update: Still freezing, although letting me start some processes now and go online, but then just seems to freeze and become unresponsive again.

Edited by Chris Weeks, 07 July 2013 - 03:09 PM.


#7 Chris Weeks

Chris Weeks
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:10 AM

Posted 07 July 2013 - 02:43 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-07-2013
Ran by SYSTEM on 07-07-2013 20:39:31
Running from G:\
Windows Vista ™ Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet016
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: []  [x]
Winlogon\Notify\psfus: C:\Windows\system32\psqlpwd.dll (UPEK Inc.)
Winlogon\Notify\VESWinlogon: VESWinlogon.dll (Sony Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKU\Default\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [x]
HKU\Default User\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [x]
HKU\Kingbastard\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [x]
Lsa: [Notification Packages] scecli psqlpwd
SSODL: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\system32\SSCbFsMntNtf3.dll (EldoS Corporation)

========================== Services (Whitelisted) =================

S4 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [84024 2013-06-27] (Avira Operations GmbH & Co. KG)
S4 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [108088 2013-06-27] (Avira Operations GmbH & Co. KG)
S4 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [1680704 2009-04-03] (WIBU-SYSTEMS AG)
S4 EPSON_EB_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE [143872 2007-12-17] (SEIKO EPSON CORPORATION)
S4 EPSON_PM_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION)
S4 FlipShare Service; C:\Program Files\Flip Video\FlipShare\FlipShareService.exe [451904 2009-10-28] ()
S2 MSSQL$MSSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S3 MSSQL$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [7520337 2002-12-17] (Microsoft Corporation)
S4 NIHardwareService; C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [4604208 2013-01-17] (Native Instruments GmbH)
S4 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2011-04-29] ()
S4 SOHCImp; C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe [103712 2008-05-21] (Sony Corporation)
S4 SOHDms; C:\Program Files\Sony\VAIO Media plus\SOHDms.exe [353568 2008-05-21] (Sony Corporation)
S4 SOHDs; C:\Program Files\Sony\VAIO Media plus\SOHDs.exe [62752 2008-05-21] (Sony Corporation)
S3 SQLAgent$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [311872 2002-12-17] (Microsoft Corporation)
S4 VAIO Entertainment TV Device Arbitration Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe [69632 2009-03-05] (Sony Corporation)
S4 VCFw; C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [5189992 2009-03-05] (Sony Corporation)
S4 VcmIAlzMgr; C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [480624 2009-09-16] (Sony Corporation)
S4 Vcsw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [313264 2009-03-05] (Sony Corporation)
S4 VUAgent; C:\Program Files\Sony\VAIO Update 5\VUAgent.exe [722288 2010-04-09] (Sony Corporation)
S4 VzCdbSvc; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [192512 2009-03-05] (Sony Corporation)

==================== Drivers (Whitelisted) ====================

S3 AmdLLD; C:\Windows\System32\DRIVERS\AmdLLD.sys [34304 2007-06-29] (AMD, Inc.)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [84744 2013-03-28] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [135136 2013-03-28] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-03-28] (Avira Operations GmbH & Co. KG)
S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [346192 2011-07-07] (Native Instruments GmbH)
S3 gbxusb_svc; C:\Windows\System32\Drivers\gbxusb.sys [68688 2011-07-07] (Native Instruments GmbH)
S3 JMCR_CFS; C:\Windows\System32\DRIVERS\jmcr_cfs.sys [52752 2008-07-02] (JMicron Technology Corporation)
S2 KorgBlkT; C:\Windows\System32\Drivers\korgblkt.sys [17240 2007-03-01] (KORG Inc.)
S3 KORGUMDS; C:\Windows\System32\Drivers\KORGUMDS.SYS [21720 2008-10-29] (KORG Inc.)
S3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [37328 2013-01-08] (Logitech, Inc.)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [31560 2013-06-20] ()
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [79816 2009-09-16] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [35272 2009-09-16] (McAfee, Inc.)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40552 2009-09-16] (McAfee, Inc.)
S3 NETwNv32; C:\Windows\System32\DRIVERS\NETwNv32.sys [7346176 2013-01-08] (Intel Corporation)
S3 NIWinCDEmu; C:\Windows\System32\DRIVERS\NIWinCDEmu.sys [62544 2011-12-09] ()
S3 NvnUsbAudio; C:\Windows\System32\DRIVERS\nvnusbaudio.sys [29184 2009-08-10] (Novation DMS Ltd.)
S1 RapportCerberus_43926; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys [272216 2012-10-30] ()
S1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [71480 2012-07-29] (Trusteer Ltd.)
S1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [166840 2012-07-29] (Trusteer Ltd.)
S3 RDID1079; C:\Windows\System32\Drivers\rdwm1079.sys [140160 2008-02-04] (Roland Corporation)
S3 RDID1103; C:\Windows\System32\Drivers\rdwm1103.sys [144256 2009-08-03] (Roland Corporation)
S3 RDID1110; C:\Windows\System32\Drivers\rdwm1110.sys [207232 2010-04-09] (Roland Corporation)
S3 SaiKF620; C:\Windows\System32\DRIVERS\SaiKF620.sys [106496 2008-10-22] (Saitek)
S3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [23608 2013-01-08] (Synaptics Incorporated)
S3 SSCBFS3; C:\Windows\System32\DRIVERS\sscbfs3.sys [295936 2013-01-30] (EldoS Corporation)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2012-08-27] (Avira GmbH)
S0 TPkd; C:\Windows\System32\Drivers\TPkd.sys [86016 2009-12-23] (PACE Anti-Piracy, Inc.)
S3 ZTEusbnet; C:\Windows\System32\DRIVERS\ZTEusbnet.sys [114688 2010-03-25] (ZTE Corporation)
S3 ZTEusbvoice; C:\Windows\System32\DRIVERS\ZTEusbvoice.sys [105856 2010-04-19] (ZTE Incorporated)
S3 catchme; \??\C:\Users\admin\AppData\Local\Temp\catchme.sys [x]
S3 FreshIO; \??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 Nvsr_seabnt; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S4 UIUSys; system32\DRIVERS\UIUSYS.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-07 20:39 - 2013-07-07 20:39 - 00000000 ____D C:\FRST
2013-07-07 20:29 - 2013-07-07 20:29 - 01373373 ____A (Farbar) C:\Users\admin\Downloads\FRST.exe
2013-07-07 16:53 - 2013-07-07 20:35 - 99508893 ____A C:\Users\admin\Downloads\OrchestralBrass_r29310_v9.0.alp
2013-07-07 16:53 - 2013-07-07 16:53 - 00027413 ____A C:\Users\admin\Downloads\OrchestralMallets_r29190_v9.0.alp.part
2013-07-07 16:53 - 2013-07-07 16:53 - 00000000 ____A C:\Users\admin\Downloads\OrchestralMallets_r29190_v9.0.alp
2013-07-07 14:59 - 2013-07-07 17:15 - 912940108 ____A C:\Users\admin\Downloads\TheForgebyHecq_r29189_v9.0.alp
2013-07-07 12:51 - 2013-07-07 17:37 - 00000000 ____D C:\Users\admin\Desktop\Ableton Live Suite Packs
2013-07-07 11:51 - 2013-07-07 12:05 - 149100923 ____A C:\Users\admin\Desktop\Max61_x86_416a295(1).zip
2013-07-07 11:05 - 2013-07-07 11:19 - 00000000 ____D C:\Program Files\AbletonLive9Suite
2013-07-07 10:21 - 2013-07-07 11:12 - 00000000 ____D C:\Users\admin\Desktop\Ableton Live 9 Suite 9.0.2 (Win 32 bit-io) [ChingLiu]
2013-07-07 10:20 - 2013-07-07 10:20 - 00001984 ____A C:\Users\Public\Desktop\Windows 7 Upgrade Advisor.lnk
2013-07-07 10:20 - 2013-07-07 10:20 - 00000000 ____D C:\Program Files\Microsoft Windows 7 Upgrade Advisor
2013-07-07 09:51 - 2013-07-07 09:53 - 20034184 ____A (Microsoft Corporation) C:\Users\admin\Downloads\Windows-KB890830-V5.1.exe
2013-07-07 09:51 - 2013-07-07 09:53 - 08669472 ____A (Microsoft Corporation) C:\Users\admin\Downloads\Windows7UpgradeAdvisorSetup(1).exe
2013-07-06 23:39 - 2013-07-06 23:39 - 00000000 ____D C:\Program Files\Common Files\Propellerhead Software
2013-07-06 23:20 - 2013-07-06 23:20 - 00000000 ____D C:\Ableton Live 9 Suite 9.0.2
2013-07-06 23:17 - 2013-07-06 23:17 - 00000000 ____D C:\Users\admin\Downloads\AbletonLive9Suite
2013-07-06 23:17 - 2013-07-06 11:52 - 725873519 ____A C:\Users\admin\Desktop\Ableton Live 9 Suite 9.0.2 (Win 32 bit-io) [ChingLiu].zip
2013-07-06 22:02 - 2013-07-06 23:13 - 697206016 ____A C:\Users\admin\Downloads\Kama Sutra For Delinquent Perverts.zip
2013-07-06 19:02 - 2013-07-06 19:03 - 00000000 ____D C:\Users\admin\Desktop\CONDUCTOR & LOST COSMONAUT
2013-07-06 16:14 - 2013-07-06 16:14 - 00000544 ____A C:\Users\admin\Documents\cc_20130706_161415.reg
2013-07-06 15:58 - 2013-07-06 15:59 - 04396440 ____A (Piriform Ltd) C:\Users\admin\Downloads\ccsetup403.exe
2013-07-06 12:48 - 2013-07-06 12:48 - 00001186 ____A C:\Users\Public\Desktop\The Walking Dead.lnk
2013-07-06 12:48 - 2013-07-06 12:48 - 00000000 ____D C:\Users\admin\Documents\Telltale Games
2013-07-06 12:34 - 2013-07-06 12:34 - 00000000 ____D C:\Program Files\Telltale Games
2013-07-03 12:25 - 2013-07-03 12:25 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-29 11:12 - 2013-06-29 18:19 - 00000000 ____D C:\Users\admin\Documents\My SugarSync
2013-06-29 11:04 - 2013-06-29 11:12 - 00000000 ____D C:\Users\admin\AppData\Local\SugarSync
2013-06-29 11:04 - 2013-01-30 13:12 - 00225024 ____A (EldoS Corporation) C:\Windows\System32\SSCbFsNetRdr3.dll
2013-06-29 11:04 - 2013-01-30 13:12 - 00159488 ____A (EldoS Corporation) C:\Windows\System32\SSCbFsMntNtf3.dll
2013-06-29 11:03 - 2013-01-30 13:11 - 00295936 ____A (EldoS Corporation) C:\Windows\System32\Drivers\sscbfs3.sys
2013-06-29 10:59 - 2013-06-29 11:03 - 20911672 ____A (SugarSync, Inc.) C:\Users\admin\Downloads\SugarSyncSetup.exe
2013-06-26 16:08 - 2013-06-26 16:10 - 00000000 ____D C:\Users\admin\Downloads\Laurie Spiegel - The Expanding Universe
2013-06-26 13:56 - 2013-06-26 14:34 - 396727089 ____A C:\Users\admin\Downloads\Laurie Spiegel - The Expanding Universe.zip
2013-06-25 13:57 - 2013-06-25 13:57 - 00017278 ____A C:\Users\admin\Documents\cc_20130625_135747.reg
2013-06-25 12:49 - 2013-06-25 12:49 - 00000000 ____A C:\sfc
2013-06-20 23:03 - 2013-06-20 23:03 - 00001892 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2013-06-20 23:01 - 2013-06-20 23:01 - 00000000 ____D C:\Program Files\Common Files\Java
2013-06-20 23:01 - 2013-06-20 22:59 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-20 23:00 - 2013-06-20 23:00 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-20 23:00 - 2013-06-20 22:59 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-20 23:00 - 2013-06-20 22:59 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-20 22:53 - 2013-06-20 22:53 - 00903592 ____A (Oracle Corporation) C:\Users\admin\Downloads\jxpiinstall(1).exe
2013-06-20 22:27 - 2013-06-20 22:27 - 00000888 ____A C:\AdwCleaner[S2].txt
2013-06-20 18:04 - 2013-06-20 18:04 - 00018662 ____A C:\Users\admin\Downloads\Chris-Weeks_sales_2013-06-20(1).csv
2013-06-20 18:02 - 2013-06-20 18:02 - 00000479 ____A C:\Users\admin\Downloads\Chris-Weeks_sales_2013-06-20.csv
2013-06-20 14:14 - 2013-06-20 14:54 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-20 14:12 - 2013-06-20 14:12 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-20 09:41 - 2013-06-20 10:15 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-06-19 11:11 - 2013-06-19 11:11 - 00000000 ____D C:\Program Files\ESET
2013-06-19 10:55 - 2013-06-19 10:56 - 00012218 ____A C:\AdwCleaner[S1].txt
2013-06-18 21:07 - 2013-06-18 21:07 - 00075956 ____A C:\Users\admin\Documents\cc_20130618_210738.reg
2013-06-18 12:07 - 2013-06-18 12:07 - 00008308 ____A C:\Users\admin\Desktop\Chris Weeks - The Lost Cosmonaut [Info] formatted for notepad.txt
2013-06-17 12:05 - 2013-06-17 12:05 - 00001881 ____A C:\Users\admin\Desktop\Avira Free Antivirus Profile Quick system scan.LNK
2013-06-16 17:18 - 2013-06-16 17:18 - 00000000 ____D C:\Chris Weeks - The Lost Cosmonaut [promotional copy]
2013-06-13 22:49 - 2013-05-17 00:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-13 22:49 - 2013-05-16 23:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-13 22:49 - 2013-05-16 23:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-13 22:49 - 2013-05-16 23:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-13 22:49 - 2013-05-16 23:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-13 22:49 - 2013-05-16 23:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-13 22:49 - 2013-05-16 23:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-13 22:49 - 2013-05-16 23:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-13 22:49 - 2013-05-16 23:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-13 22:49 - 2013-05-16 23:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-13 22:49 - 2013-05-16 23:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-13 22:49 - 2013-05-16 23:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-13 22:49 - 2013-05-16 23:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-13 22:49 - 2013-05-16 23:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-13 22:49 - 2013-05-16 23:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-13 22:49 - 2013-05-16 23:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-13 08:36 - 2013-05-08 04:40 - 00914792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-13 08:36 - 2013-05-08 02:58 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2013-06-13 08:36 - 2013-05-02 05:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-13 08:36 - 2013-05-02 05:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\printcom.dll
2013-06-13 08:35 - 2013-05-02 23:03 - 03603832 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-13 08:35 - 2013-05-02 23:03 - 03551096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-13 08:35 - 2013-04-24 05:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-13 08:35 - 2013-04-24 05:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-13 08:35 - 2013-04-24 05:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-13 08:35 - 2013-04-24 05:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-13 08:35 - 2013-04-24 02:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-13 08:34 - 2013-04-17 13:30 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-07 17:15 - 2013-06-07 17:15 - 00000000 ____D C:\Users\admin\Desktop\Ludovico Einaudi - In A Time Lapse

==================== One Month Modified Files and Folders ========

2013-07-07 20:39 - 2013-07-07 20:39 - 00000000 ____D C:\FRST
2013-07-07 20:35 - 2013-07-07 16:53 - 99508893 ____A C:\Users\admin\Downloads\OrchestralBrass_r29310_v9.0.alp
2013-07-07 20:35 - 2006-11-02 14:01 - 00032646 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-07 20:35 - 2006-11-02 14:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-07 20:35 - 2006-11-02 13:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-07 20:35 - 2006-11-02 13:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-07 20:29 - 2013-07-07 20:29 - 01373373 ____A (Farbar) C:\Users\admin\Downloads\FRST.exe
2013-07-07 20:08 - 2008-08-06 22:27 - 00324948 ____A C:\ProgramData\nvModes.001
2013-07-07 20:08 - 2008-08-06 22:26 - 00324948 ____A C:\ProgramData\nvModes.dat
2013-07-07 18:12 - 2009-11-22 10:36 - 00000000 ____D C:\users\Kingbastard
2013-07-07 18:12 - 2009-03-18 14:07 - 00000000 ____D C:\users\admin
2013-07-07 18:12 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\spool
2013-07-07 18:12 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
2013-07-07 18:12 - 2006-11-02 11:22 - 89915392 ____A C:\Windows\System32\config\software_previous
2013-07-07 18:12 - 2006-11-02 11:22 - 144703488 ____A C:\Windows\System32\config\system_previous
2013-07-07 18:06 - 2006-11-02 11:22 - 39321600 ____A C:\Windows\System32\config\components_previous
2013-07-07 18:06 - 2006-11-02 11:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-07-07 17:37 - 2013-07-07 12:51 - 00000000 ____D C:\Users\admin\Desktop\Ableton Live Suite Packs
2013-07-07 17:15 - 2013-07-07 14:59 - 912940108 ____A C:\Users\admin\Downloads\TheForgebyHecq_r29189_v9.0.alp
2013-07-07 16:53 - 2013-07-07 16:53 - 00027413 ____A C:\Users\admin\Downloads\OrchestralMallets_r29190_v9.0.alp.part
2013-07-07 16:53 - 2013-07-07 16:53 - 00000000 ____A C:\Users\admin\Downloads\OrchestralMallets_r29190_v9.0.alp
2013-07-07 13:31 - 2009-03-18 14:02 - 01376590 ____A C:\Windows\WindowsUpdate.log
2013-07-07 12:05 - 2013-07-07 11:51 - 149100923 ____A C:\Users\admin\Desktop\Max61_x86_416a295(1).zip
2013-07-07 11:37 - 2006-11-02 11:22 - 05242880 ____A C:\Windows\System32\config\default_previous
2013-07-07 11:37 - 2006-11-02 11:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-07-07 11:19 - 2013-07-07 11:05 - 00000000 ____D C:\Program Files\AbletonLive9Suite
2013-07-07 11:19 - 2009-03-20 16:25 - 00000000 ____D C:\Users\admin\AppData\Roaming\Ableton
2013-07-07 11:18 - 2009-03-20 17:09 - 00000000 ____D C:\Users\admin\Documents\Ableton
2013-07-07 11:12 - 2013-07-07 10:21 - 00000000 ____D C:\Users\admin\Desktop\Ableton Live 9 Suite 9.0.2 (Win 32 bit-io) [ChingLiu]
2013-07-07 10:20 - 2013-07-07 10:20 - 00001984 ____A C:\Users\Public\Desktop\Windows 7 Upgrade Advisor.lnk
2013-07-07 10:20 - 2013-07-07 10:20 - 00000000 ____D C:\Program Files\Microsoft Windows 7 Upgrade Advisor
2013-07-07 10:11 - 2013-02-02 16:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-07 09:53 - 2013-07-07 09:51 - 20034184 ____A (Microsoft Corporation) C:\Users\admin\Downloads\Windows-KB890830-V5.1.exe
2013-07-07 09:53 - 2013-07-07 09:51 - 08669472 ____A (Microsoft Corporation) C:\Users\admin\Downloads\Windows7UpgradeAdvisorSetup(1).exe
2013-07-06 23:46 - 2009-03-20 16:24 - 00000000 ____D C:\Program Files\Ableton
2013-07-06 23:39 - 2013-07-06 23:39 - 00000000 ____D C:\Program Files\Common Files\Propellerhead Software
2013-07-06 23:20 - 2013-07-06 23:20 - 00000000 ____D C:\Ableton Live 9 Suite 9.0.2
2013-07-06 23:17 - 2013-07-06 23:17 - 00000000 ____D C:\Users\admin\Downloads\AbletonLive9Suite
2013-07-06 23:13 - 2013-07-06 22:02 - 697206016 ____A C:\Users\admin\Downloads\Kama Sutra For Delinquent Perverts.zip
2013-07-06 22:59 - 2013-03-19 00:01 - 00000000 ____D C:\Users\admin\AppData\Roaming\Spotify
2013-07-06 19:03 - 2013-07-06 19:02 - 00000000 ____D C:\Users\admin\Desktop\CONDUCTOR & LOST COSMONAUT
2013-07-06 17:15 - 2006-11-02 11:33 - 00809820 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-06 16:42 - 2009-04-03 08:58 - 00000000 ____D C:\Users\admin\Documents\Sony ACID Pro 6.0 Projects
2013-07-06 16:14 - 2013-07-06 16:14 - 00000544 ____A C:\Users\admin\Documents\cc_20130706_161415.reg
2013-07-06 15:59 - 2013-07-06 15:58 - 04396440 ____A (Piriform Ltd) C:\Users\admin\Downloads\ccsetup403.exe
2013-07-06 15:59 - 2012-09-24 12:22 - 00000804 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-07-06 15:59 - 2009-03-22 20:58 - 00000000 ____D C:\Program Files\CCleaner
2013-07-06 12:48 - 2013-07-06 12:48 - 00001186 ____A C:\Users\Public\Desktop\The Walking Dead.lnk
2013-07-06 12:48 - 2013-07-06 12:48 - 00000000 ____D C:\Users\admin\Documents\Telltale Games
2013-07-06 12:34 - 2013-07-06 12:34 - 00000000 ____D C:\Program Files\Telltale Games
2013-07-06 11:52 - 2013-07-06 23:17 - 725873519 ____A C:\Users\admin\Desktop\Ableton Live 9 Suite 9.0.2 (Win 32 bit-io) [ChingLiu].zip
2013-07-04 17:47 - 2013-05-16 09:07 - 00000000 ____D C:\Users\admin\Documents\WebCam Media
2013-07-04 07:42 - 2012-05-02 21:52 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-03 12:25 - 2013-07-03 12:25 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-02 09:36 - 2013-03-19 00:04 - 00000000 ____D C:\Users\admin\AppData\Local\Spotify
2013-06-30 09:56 - 2010-10-10 17:40 - 00000132 ____A C:\Users\admin\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-06-29 18:19 - 2013-06-29 11:12 - 00000000 ____D C:\Users\admin\Documents\My SugarSync
2013-06-29 11:12 - 2013-06-29 11:04 - 00000000 ____D C:\Users\admin\AppData\Local\SugarSync
2013-06-29 11:04 - 2012-04-26 08:30 - 00000000 ____D C:\Program Files\SugarSync
2013-06-29 11:03 - 2013-06-29 10:59 - 20911672 ____A (SugarSync, Inc.) C:\Users\admin\Downloads\SugarSyncSetup.exe
2013-06-26 16:10 - 2013-06-26 16:08 - 00000000 ____D C:\Users\admin\Downloads\Laurie Spiegel - The Expanding Universe
2013-06-26 14:34 - 2013-06-26 13:56 - 396727089 ____A C:\Users\admin\Downloads\Laurie Spiegel - The Expanding Universe.zip
2013-06-25 13:57 - 2013-06-25 13:57 - 00017278 ____A C:\Users\admin\Documents\cc_20130625_135747.reg
2013-06-25 13:53 - 2009-12-29 17:07 - 00000000 ____D C:\Program Files\Steam
2013-06-25 13:25 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-06-25 12:49 - 2013-06-25 12:49 - 00000000 ____A C:\sfc
2013-06-22 16:21 - 2013-04-15 20:05 - 00001049 ____A C:\Users\admin\Desktop\Contemplation Moon codes.csv
2013-06-22 14:23 - 2012-11-17 16:20 - 00008731 ____A C:\Users\admin\CmDust-Result.log
2013-06-20 23:07 - 2009-03-18 14:07 - 00000000 ____D C:\Users\admin\AppData\Local\Adobe
2013-06-20 23:03 - 2013-06-20 23:03 - 00001892 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2013-06-20 23:03 - 2008-07-25 05:10 - 00000000 ____D C:\ProgramData\Adobe
2013-06-20 23:03 - 2008-07-25 05:10 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-06-20 23:03 - 2008-07-25 05:10 - 00000000 ____D C:\Program Files\Adobe
2013-06-20 23:01 - 2013-06-20 23:01 - 00000000 ____D C:\Program Files\Common Files\Java
2013-06-20 23:00 - 2013-06-20 23:00 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-20 22:59 - 2013-06-20 23:01 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-20 22:59 - 2013-06-20 23:00 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-20 22:59 - 2013-06-20 23:00 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-20 22:59 - 2012-11-30 12:46 - 00867240 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-06-20 22:59 - 2011-05-12 18:35 - 00789416 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-06-20 22:59 - 2008-08-19 15:36 - 00000000 ____D C:\ProgramData\McAfee
2013-06-20 22:53 - 2013-06-20 22:53 - 00903592 ____A (Oracle Corporation) C:\Users\admin\Downloads\jxpiinstall(1).exe
2013-06-20 22:27 - 2013-06-20 22:27 - 00000888 ____A C:\AdwCleaner[S2].txt
2013-06-20 18:04 - 2013-06-20 18:04 - 00018662 ____A C:\Users\admin\Downloads\Chris-Weeks_sales_2013-06-20(1).csv
2013-06-20 18:02 - 2013-06-20 18:02 - 00000479 ____A C:\Users\admin\Downloads\Chris-Weeks_sales_2013-06-20.csv
2013-06-20 14:54 - 2013-06-20 14:14 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-20 14:12 - 2013-06-20 14:12 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-20 10:15 - 2013-06-20 09:41 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-06-19 20:25 - 2012-01-25 08:50 - 00000000 ____D C:\Program Files\stinger
2013-06-19 11:11 - 2013-06-19 11:11 - 00000000 ____D C:\Program Files\ESET
2013-06-19 10:56 - 2013-06-19 10:55 - 00012218 ____A C:\AdwCleaner[S1].txt
2013-06-19 05:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-18 22:28 - 2012-04-26 08:39 - 00000000 ____D C:\Users\admin\AppData\Roaming\TagScanner
2013-06-18 22:28 - 2009-03-18 14:07 - 00000000 ____D C:\Users\admin\AppData\Local\Microsoft Help
2013-06-18 22:28 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Defender
2013-06-18 22:28 - 2006-11-02 12:18 - 00000000 __RSD C:\Windows\Media
2013-06-18 22:28 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\rescache
2013-06-18 21:16 - 2009-03-18 14:07 - 00000000 ____D C:\Users\admin\AppData\Local\Google
2013-06-18 21:07 - 2013-06-18 21:07 - 00075956 ____A C:\Users\admin\Documents\cc_20130618_210738.reg
2013-06-18 20:22 - 2009-03-18 14:07 - 00009160 ____A C:\Users\admin\AppData\Local\d3d9caps.dat
2013-06-18 12:07 - 2013-06-18 12:07 - 00008308 ____A C:\Users\admin\Desktop\Chris Weeks - The Lost Cosmonaut [Info] formatted for notepad.txt
2013-06-17 12:05 - 2013-06-17 12:05 - 00001881 ____A C:\Users\admin\Desktop\Avira Free Antivirus Profile Quick system scan.LNK
2013-06-17 11:22 - 2013-02-02 16:13 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-17 11:22 - 2013-02-02 16:13 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-17 11:19 - 2012-01-12 10:30 - 00000441 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-06-16 17:18 - 2013-06-16 17:18 - 00000000 ____D C:\Chris Weeks - The Lost Cosmonaut [promotional copy]
2013-06-07 17:15 - 2013-06-07 17:15 - 00000000 ____D C:\Users\admin\Desktop\Ludovico Einaudi - In A Time Lapse

Files to move or delete:
====================
C:\Users\admin\jxpiinstall.exe
C:\Users\admin\mseinstall.exe
C:\Users\admin\setup.exe
C:\ProgramData\nvModes.dat

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-04 18:14:46
Restore point made on: 2013-07-05 18:50:52
Restore point made on: 2013-07-06 12:44:17
Restore point made on: 2013-07-06 23:28:58
Restore point made on: 2013-07-06 23:44:14
Restore point made on: 2013-07-07 10:20:00
Restore point made on: 2013-07-07 11:01:06

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4062.14 MB
Available physical RAM: 3459.31 MB
Total Pagefile: 3818.61 MB
Available Pagefile: 3650.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 1963.02 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:286.81 GB) (Free:22.45 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:298.08 GB) (Free:80.72 GB) NTFS
Drive f: (Recovery) (Fixed) (Total:11.28 GB) (Free:0.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (Transcend) (Removable) (Total:29.09 GB) (Free:2.49 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: D68C5698)
Partition 1: (Not Active) - (Size=11 GB) - (Type=27)
Partition 2: (Active) - (Size=287 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 9DD6C29C)
Partition 1: (Not Active) - (Size=298 GB) - (Type=OF Extended)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 29 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=29 GB) - (Type=0C)


LastRegBack: 2013-07-07 20:30

==================== End Of Log ============================



#8 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,697 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 July 2013 - 04:42 PM

You seem to have run many tools also. The computer was infected with ZeroAccess. Can you list the tools you ran?

 

Download the enclosed file.

 

Save it next to FRST.

 

Run FRST as you did before, except that this time around click on the Fix button and wait.

 

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 Chris Weeks

  • Topic Starter

  • Members
  • 149 posts
  • Gender:Male
  • Location:UK

Posted 07 July 2013 - 06:28 PM

The tools ran were (in no particular order): AdwCleaner | aswMBR | ESETScan | FSS | MiniToolBox | Security Check | tdsskiller

 

Here's the Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-07-2013
Ran by SYSTEM at 2013-07-08 00:22:20 Run:1
Running from G:\
Boot Mode: Recovery

==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

==== End of Fixlog ====



#10 Chris Weeks

  • Topic Starter

  • Members
  • 149 posts
  • Gender:Male
  • Location:UK

Posted 07 July 2013 - 06:29 PM

Here's the FSS Log:

 

Farbar Service Scanner Version: 06-07-2013
Ran by admin (administrator) on 08-07-2013 at 00:29:17
Running from "C:\Users\admin\Downloads"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-06-13 08:36] - [2013-05-08 04:40] - 0914792 ____A (Microsoft Corporation) 078218D74C4EFC2CE7E4C6DF22A94F2F

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-06-13 08:35] - [2013-04-24 05:00] - 0133120 ____A (Microsoft Corporation) 3EDE4C1F9672C972479201544969ADCB

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****



#11 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,697 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 July 2013 - 08:19 PM

All looks clear. How is the computer doing?




#12 Chris Weeks

  • Topic Starter

  • Members
  • 149 posts
  • Gender:Male
  • Location:UK

Posted 08 July 2013 - 12:46 AM

It's still restarting when woken from sleep mode. I'm not convinced that the problems have gone away, but generally it seems to be running ok. I've had it on for three hours this morning, and it's not frozen/crashed.

However, I keep noticing that both my local hard disks keep randomly changing the amount they are full. My C: drive had about 45GB free this morning, now it says 35GB.

My D: drive had about 75GB free, now it's saying 54GB. I haven't added anything to them that would account for such a large increase. I can't make sense of it!

 

Update: The laptop is still running; a good 7 hours without freezing. That includes restarting the machine. It has been booting properly, if not a little slowly.

I have not tried to put it in Sleep Mode and wake it again though, as I fear it will just restart.


Edited by Chris Weeks, 08 July 2013 - 06:51 AM.


#13 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,697 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 08 July 2013 - 09:11 AM

Let's try this version of Combofix:

 

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to MyPoppy as follows:

    (screenshots: CF_download_FF.gif, CF_download_rename.gif)

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on MyPoppy.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\MyPoppy.txt". (I believe Combofix will also rename the report.)

**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.




#14 Chris Weeks

  • Topic Starter

  • Members
  • 149 posts
  • Gender:Male
  • Location:UK

Posted 08 July 2013 - 10:48 AM

Just to let you know: before you sent your last msg, I removed Avira Antivirus and put Avast on instead. I never really liked Avira.


Edited by Chris Weeks, 08 July 2013 - 01:15 PM.


#15 Chris Weeks

  • Topic Starter

  • Members
  • 149 posts
  • Gender:Male
  • Location:UK

Posted 08 July 2013 - 01:15 PM

ComboFix Log:

 

ComboFix 13-07-08.03 - admin 08/07/2013  18:48:01.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3038.1577 [GMT 1:00]
Running from: c:\users\admin\Desktop\MyPoppy.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-08 to 2013-07-08  )))))))))))))))))))))))))))))))
.
.
2013-07-08 18:02 . 2013-07-08 18:02    --------    d-----w-    c:\users\admin\AppData\Local\temp
2013-07-08 18:02 . 2013-07-08 18:02    --------    d-----w-    c:\users\Public\AppData\Local\temp
2013-07-08 18:02 . 2013-07-08 18:02    --------    d-----w-    c:\users\Kingbastard\AppData\Local\temp
2013-07-08 18:02 . 2013-07-08 18:02    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-08 10:05 . 2013-07-08 10:06    369584    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-07-08 10:05 . 2013-05-09 08:59    29816    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-07-08 10:05 . 2013-05-09 08:59    49760    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-07-08 10:05 . 2013-05-09 08:59    56080    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-07-08 10:05 . 2013-07-08 10:06    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-07-08 10:05 . 2013-07-08 10:06    175176    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-07-08 10:05 . 2013-05-09 08:59    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-07-08 10:05 . 2013-05-09 08:59    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-07-08 10:05 . 2013-05-09 08:58    229648    ----a-w-    c:\windows\system32\aswBoot.exe
2013-07-08 10:04 . 2013-05-09 08:58    41664    ----a-w-    c:\windows\avastSS.scr
2013-07-08 10:04 . 2013-07-08 10:04    --------    d-----w-    c:\program files\AVAST Software
2013-07-08 10:02 . 2013-07-08 10:04    --------    d-----w-    c:\programdata\AVAST Software
2013-07-08 07:00 . 2013-07-08 07:00    --------    d-----w-    c:\program files\Cycling '74
2013-07-08 06:36 . 2013-07-08 06:40    --------    d-----w-    c:\program files\Ableton9
2013-07-08 00:54 . 2013-07-08 00:54    60872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AC7DB4AB-3B8A-480F-BC0E-344D164F7C0B}\offreg.dll
2013-07-07 19:39 . 2013-07-07 19:39    --------    d-----w-    C:\FRST
2013-07-07 09:20 . 2013-07-07 09:20    --------    d-----w-    c:\program files\Microsoft Windows 7 Upgrade Advisor
2013-07-06 22:39 . 2013-07-06 22:39    --------    d-----w-    c:\program files\Common Files\Propellerhead Software
2013-07-06 11:34 . 2013-07-06 11:34    --------    d-----w-    c:\program files\Telltale Games
2013-07-05 05:51 . 2013-06-12 04:18    7068072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AC7DB4AB-3B8A-480F-BC0E-344D164F7C0B}\mpengine.dll
2013-06-29 17:30 . 2013-07-06 15:01    --------    d-----w-    c:\users\admin\AppData\Local\MigWiz
2013-06-29 10:04 . 2013-06-29 10:12    --------    d-----w-    c:\users\admin\AppData\Local\SugarSync
2013-06-29 10:04 . 2013-01-30 12:12    225024    ----a-w-    c:\windows\system32\SSCbFsNetRdr3.dll
2013-06-29 10:04 . 2013-01-30 12:12    159488    ----a-w-    c:\windows\system32\SSCbFsMntNtf3.dll
2013-06-29 10:03 . 2013-01-30 12:11    295936    ----a-w-    c:\windows\system32\drivers\sscbfs3.sys
2013-06-20 22:01 . 2013-06-20 22:01    --------    d-----w-    c:\program files\Common Files\Java
2013-06-20 22:00 . 2013-06-20 22:00    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-20 13:14 . 2013-06-20 13:54    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-20 13:12 . 2013-06-20 13:12    31560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-06-20 08:41 . 2013-06-20 09:15    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-06-19 10:11 . 2013-06-19 10:11    --------    d-----w-    c:\program files\ESET
2013-06-16 16:18 . 2013-06-16 16:18    --------    d-----w-    C:\Chris Weeks - The Lost Cosmonaut [promotional copy]
2013-06-13 07:36 . 2013-05-08 03:40    914792    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-13 07:36 . 2013-05-08 01:58    31232    ----a-w-    c:\windows\system32\drivers\tcpipreg.sys
2013-06-13 07:36 . 2013-05-02 04:04    443904    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-13 07:36 . 2013-05-02 04:03    37376    ----a-w-    c:\windows\system32\printcom.dll
2013-06-13 07:35 . 2013-04-24 04:00    985600    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-13 07:35 . 2013-04-24 04:00    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-13 07:35 . 2013-04-24 04:00    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-13 07:35 . 2013-04-24 04:00    41984    ----a-w-    c:\windows\system32\certenc.dll
2013-06-13 07:35 . 2013-04-24 01:46    812544    ----a-w-    c:\windows\system32\certutil.exe
2013-06-13 07:35 . 2013-05-02 22:03    3603832    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-13 07:35 . 2013-05-02 22:03    3551096    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-13 07:34 . 2013-04-17 12:30    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-20 21:59 . 2012-11-30 11:46    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-20 21:59 . 2011-05-12 17:35    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-17 10:22 . 2013-02-02 15:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-17 10:22 . 2013-02-02 15:13    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-03 11:21 . 2013-06-03 11:21    6475776    ----a-w-    c:\windows\system32\PSP VintageWarmer2.dll
2013-05-10 07:17 . 2011-08-05 11:54    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-03 11:23 . 2013-05-03 11:23    1431552    ----a-w-    c:\windows\system32\ReWire.dll
2013-05-02 01:06 . 2009-10-03 05:33    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-15 14:20 . 2013-05-16 04:34    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56 . 2013-05-16 04:34    37376    ----a-w-    c:\windows\system32\cdd.dll
2008-06-19 18:59 . 2013-07-03 11:25    889856    ----a-w-    c:\program files\mozilla firefox\components\pbgk1_9.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 12:12    159488    ----a-w-    c:\windows\System32\SSCbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-06-26 17:22    2090848    ----a-w-    c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-06-26 17:22    2090848    ----a-w-    c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{39D54CC2-69CF-43b4-B167-577D25E7F496}"
[HKEY_CLASSES_ROOT\CLSID\{39D54CC2-69CF-43b4-B167-577D25E7F496}]
2013-06-26 17:22    2090848    ----a-w-    c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-06-26 17:22    2090848    ----a-w-    c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncSharedPending]
@="{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}"
[HKEY_CLASSES_ROOT\CLSID\{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}]
2013-06-26 17:22    2090848    ----a-w-    c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-06-19 19:04    2957312    ----a-w-    c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-06-19 19:04    2957312    ----a-w-    c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"disableCAD"= 1 (0x1)
"DisableStartupSound"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\system32\SSCbFsMntNtf3.dll" [2013-01-30 159488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"EldosMountNotificator"= {C28617FD-4FE7-4043-AD51-C8132CE90106} - c:\windows\system32\SSCbFsMntNtf3.dll [2013-01-30 159488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-19 18:51    90112    ----a-w-    c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-07-16 01:04    98304    ----a-w-    c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=c:\windows\pss\Device Detector 2.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Palo Alto Software Update Manager 9.0.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Palo Alto Software Update Manager 9.0.lnk
backup=c:\windows\pss\Palo Alto Software Update Manager 9.0.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Greenshot.lnk]
path=c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Greenshot.lnk
backup=c:\windows\pss\Greenshot.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Assassin's Creed.LNK]
path=c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registration Assassin's Creed.LNK
backup=c:\windows\pss\Registration Assassin's Creed.LNK.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51    919008    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 02:44    500208    ------w-    c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-22 21:10    402432    ----a-w-    c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 13:53    77824    ----a-w-    c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AML]
2008-06-13 22:07    1097728    ----a-w-    c:\program files\Sony\VAIO Launcher\AML.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 14:13    59280    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 13:18    202024    ----a-w-    c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 14:03    36864    ----a-w-    c:\program files\GameSpy\Comrade\Comrade.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 08:13    673616    ------w-    c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R340 Series]
2006-12-26 05:00    177664    ----a-w-    c:\windows\System32\spool\drivers\w32x86\3\E_FATIAJA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX210 Series]
2008-11-06 00:00    199680    ----a-w-    c:\windows\System32\spool\drivers\w32x86\3\E_FATIFDE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 00:54    178712    ----a-w-    c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2008-04-04 03:03    317280    ----a-w-    c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 13:57    152544    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2013-04-04 13:50    887432    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MarketingTools]
2008-08-19 14:41    24576    ----a-w-    c:\program files\Sony\Marketing Tools\MarketingTools.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 04:25    6595928    ----a-w-    c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 07:51    1836328    ----a-w-    c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 13:57    153136    ----a-w-    c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSUFloatingUI]
2008-07-30 23:05    262144    ----a-w-    c:\program files\Sony\Network Utility\LANUtil.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 02:07    13781536    ----a-w-    c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 02:07    92704    ----a-w-    c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2008-06-19 18:29    48904    ----a-w-    c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38    167936    ----a-w-    c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 03:12    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-07-11 11:45    6244896    ----a-w-    c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2008-07-11 11:45    1826816    ----a-w-    c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2013-06-18 14:59    4643328    ----a-w-    c:\users\admin\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-06-18 14:59    1104384    ----a-w-    c:\users\admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-02-15 13:08    1597864    ----a-w-    c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SugarSync]
2013-06-26 17:29    12419424    ----a-w-    c:\program files\SugarSync\SugarSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 06:32    253816    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 12:37    517096    ----a-w-    c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2013-01-08 19:05    1557800    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37    37888    ----a-w-    c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWRVRT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    REG_MULTI_SZ       BthServ
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-02 10:22]
.
2013-01-08 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 10:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\he6py3vh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - ExtSQL: 2013-07-08 11:05; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-BitTorrent DNA - c:\users\admin\Program Files\DNA\btdna.exe
MSConfigStartUp-LifeCam - c:\program files\Microsoft LifeCam\LifeExp.exe
MSConfigStartUp-Monitor - c:\windows\PixArt\PAC207\Monitor.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-WinPatrol - c:\program files\BillP Studios\WinPatrol\winpatrol.exe
MSConfigStartUp-Wondershare Helper Compact - c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
AddRemove-Native Instruments Maschine Controller Driver - c:\programdata\{B49C92CB-1A73-4A41-A84C-5091582E7AA8}\Maschine Controller Driver Setup PC.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-08 19:02
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
 [0] 0x1E2A0000
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2526120626-3347230282-2708207307-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:75,48,bb,8b,e7,f0,37,82,66,14,5e,1f,53,01,c8,d7,54,60,83,d6,ce,12,d8,
   16,dd,3a,60,d3,3b,40,13,79,3c,dc,8d,ce,6f,42,d8,74,d5,c6,ee,59,0e,fc,22,34,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-2526120626-3347230282-2708207307-1000\Software\SecuROM\License information*]
"datasecu"=hex:83,87,06,dc,e7,a2,4d,e1,94,4e,0a,92,fa,ba,39,12,8c,6b,f4,11,93,
   28,83,37,d1,74,c4,d9,86,98,97,1d,84,a4,e5,77,88,39,5b,e8,c8,be,38,3d,2d,a1,\
"rkeysecu"=hex:b2,66,cb,8d,29,9a,a4,e0,d4,f6,c5,26,48,04,9a,e7
.
[HKEY_LOCAL_MACHINE\system\ControlSet016\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\remote.dll
.
- - - - - - - > 'Explorer.exe'(6140)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\SSCbFsMntNtf3.dll
c:\windows\system32\SSCbFsNetRdr3.dll
.
Completion time: 2013-07-08  19:05:55
ComboFix-quarantined-files.txt  2013-07-08 18:05
ComboFix2.txt  2012-01-11 22:09
.
Pre-Run: 33,833,234,432 bytes free
Post-Run: 34,584,477,696 bytes free
.
- - End Of File - - 7AA652BC5B682F150A0AF0E7AA51862A
5C616939100B85E558DA92B899A0FC36