

ZeroAccess rootkit infection, Please help remove....


This topic is locked
30 replies to this topic

#1 noopers (Members, 19 posts)

Posted 25 September 2013 - 01:54 PM

Hi, I was directed to this area by Broni in this thread.

My PC will start in normal mode but it takes 90 minutes or so, and once it starts I am not able to perform any function because the PC hangs.

Here's what led me to this site.

On 9/20 morning my browser was acting strange: when I clicked the arrow to go back I had to click numerous times, and sometimes it wouldn't go back at all. I was running Kaspersky Anti-Virus at the time but wonder if something malicious got in. When I shut down the computer and tried to restart, it took almost 90 minutes to start. Once it starts and I click the Start menu or a program on the desktop, it hangs and I'm able to do nothing.

I'm able to work in safe mode and safe mode with networking as normal.

As recommended:

I downloaded SUPERAntiSpyware and it found only cookies, which I got rid of.

I also downloaded AdwCleaner, which found a number of issues which I deleted.

Did a Malwarebytes scan and it said I was clean. Tried to start in normal mode and got the same issues.

Recently I downgraded from one of the top Kaspersky security programs to what I have now. Hindsight being 20/20, I should have paid to keep what I had, but I thought I was protected.

-----------------------

As directed in the linked thread I...

Downloaded and ran Security Check
Downloaded and ran Farbar Service Scanner
Downloaded and ran MiniToolBox
Downloaded and ran Malwarebytes' Anti-Malware (aka MBAM)
Downloaded and ran Malwarebytes Anti-Rootkit
Downloaded and ran Rkill

All scans are posted in the linked thread.

I appreciate any assistance rendered in helping rid my computer of this mess.

Thanks!!

I downloaded and ran DDS as instructed and here are the logs.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16506
Run by Administrator at 9:59:07 on 2013-09-25
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2046.1521 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mStart Page = about:blank
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Amazon Cloud Player] c:\users\administrator\appdata\local\amazon cloud player\Amazon Music Helper.exe
uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Report] c:\adwcleaner\AdwCleaner[S1].txt
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [ROC_ROC_NT] "c:\program files\avg secure search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nvtmru] "c:\program files\nvidia corporation\nvidia update core\nvtmru.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [GrpConv] grpconv -o
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{6888E990-41B4-416D-B374-BC51F86CD570} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} -
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - <orphaned>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 24408]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2013-5-2 44000]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
S1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2013-5-2 145040]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe [2013-5-2 356376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-6-5 1298944]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2013-5-2 25944]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2013-5-2 25944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WINWORD.EXE="c:\program files\microsoft office\office12\WINWORD.EXE" /n /dde [UserChoice] [default=edit - 'Open' doesn't exist]
.
=============== Created Last 30 ================
.
2013-09-25 01:09:08    205072  ----a-w-  c:\windows\system32\drivers\tmcomm.sys
2013-09-24 19:49:07  --------  d-----w-  c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-09-24 19:40:54  --------  d-----w-  c:\windows\ERUNT
2013-09-24 18:18:44     22856  ----a-w-  c:\windows\system32\drivers\mbam.sys
2013-09-24 18:04:16  --------  d-----w-  C:\AdwCleaner
2013-09-24 17:59:04  --------  d-----w-  c:\users\administrator\appdata\roaming\SUPERAntiSpyware.com
2013-09-24 17:58:57  --------  d-----w-  c:\programdata\SUPERAntiSpyware.com
2013-09-24 17:58:57  --------  d-----w-  c:\program files\SUPERAntiSpyware
2013-09-24 11:45:31  --------  d-----w-  c:\program files\GUMEAAD.tmp
2013-09-22 03:05:42   7328304  ----a-w-  c:\programdata\microsoft\windows defender\definition updates\{838b4338-7956-432c-9977-d6d727d06ae0}\mpengine.dll
2013-09-21 17:46:35  --------  d-----w-  c:\windows\system32\wbem\repository
2013-09-21 16:35:59  --------  d-----w-  c:\windows\Registration
2013-09-21 03:05:26  --------  d-----w-  c:\programdata\Malwarebytes
2013-09-21 03:05:25  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2013-09-12 11:55:47    615936  ----a-w-  c:\windows\system32\themeui.dll
2013-09-12 11:55:46   2049536  ----a-w-  c:\windows\system32\win32k.sys
2013-09-08 11:51:39  --------  d-----w-  c:\users\administrator\appdata\local\NVIDIA
2013-09-08 00:58:26    640288  ----a-w-  c:\windows\system32\nvvsvc.exe
2013-09-08 00:58:26     62752  ----a-w-  c:\windows\system32\nvshext.dll
2013-09-08 00:58:26   4192544  ----a-w-  c:\windows\system32\nvcpl.dll
2013-09-08 00:58:26   3045664  ----a-w-  c:\windows\system32\nvsvc.dll
2013-09-08 00:58:26    223008  ----a-w-  c:\windows\system32\nvmctray.dll
2013-09-06 22:21:36  --------  d-----w-  C:\NVIDIA(1)
2013-09-06 22:00:01  --------  d-----w-  c:\programdata\NVIDIA Corporation
2013-09-06 21:59:50  --------  d-----w-  c:\program files\NVIDIA Corporation(4)
2013-09-06 20:54:04  --------  d-----w-  c:\programdata\NVIDIA(9)
2013-09-03 13:53:52    187248  ----a-w-  c:\program files\internet explorer\plugins\nppdf32.dll
2013-08-27 18:24:04   1548288  ----a-w-  c:\windows\system32\WMVDECOD.DLL
.
==================== Find3M  ====================
.
2013-08-21 13:41:32  11782374  ----a-w-  c:\users\administrator\bitpim-1.0.7-setup.exe
2013-08-07 08:22:04    238872  ------w-  c:\windows\system32\MpSigStub.exe
2013-07-31 10:00:20   1800704  ----a-w-  c:\windows\system32\jscript9.dll
2013-07-31 09:52:44   1129472  ----a-w-  c:\windows\system32\wininet.dll
2013-07-31 09:52:34   1427968  ----a-w-  c:\windows\system32\inetcpl.cpl
2013-07-31 09:48:43    142848  ----a-w-  c:\windows\system32\ieUnatt.exe
2013-07-31 09:48:09    420864  ----a-w-  c:\windows\system32\vbscript.dll
2013-07-31 09:45:42   2382848  ----a-w-  c:\windows\system32\mshtml.tlb
2013-07-17 19:41:34      2048  ----a-w-  c:\windows\system32\tzres.dll
2013-07-10 20:00:39     44000  ----a-w-  c:\windows\system32\drivers\kltdi.sys
2013-07-10 09:47:00    783360  ----a-w-  c:\windows\system32\rpcrt4.dll
2013-07-09 12:10:36   1205168  ----a-w-  c:\windows\system32\ntdll.dll
2013-07-08 04:55:51   3603904  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2013-07-08 04:55:51   3551680  ----a-w-  c:\windows\system32\ntoskrnl.exe
2013-07-08 04:20:04    172544  ----a-w-  c:\windows\system32\wintrust.dll
2013-07-08 04:16:55     98304  ----a-w-  c:\windows\system32\cryptnet.dll
2013-07-08 04:16:55    133120  ----a-w-  c:\windows\system32\cryptsvc.dll
2013-07-08 04:16:54    992768  ----a-w-  c:\windows\system32\crypt32.dll
2013-07-05 04:53:33    905664  ----a-w-  c:\windows\system32\drivers\tcpip.sys
2013-07-03 22:17:51    867240  ----a-w-  c:\windows\system32\npDeployJava1.dll
2013-07-03 22:17:51    789416  ----a-w-  c:\windows\system32\deployJava1.dll
2011-10-15 14:42:25       336  ----a-w-  c:\program files\temp995.bat
.
============= FINISH: 10:00:50.15 ===============
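A small triage pass over the log format shown above, added here as an example; it is not part of the original post and not code from DDS or ComboFix. It reads the DDS "Pseudo HJT Report", "SERVICES / DRIVERS" and file-listing lines, plus the ComboFix "Drivers/Services" removal lines that appear later in the thread, and queues the entries a helper would look at first: IE hooks (BHO/Handler) registered by CLSID with no backing file, services whose name is a short prefix plus a run of digits, and loose script files under Program Files or the Windows directory. The rule names, the regular expressions and the sample input are my own; the sample lines are copied from the logs in this thread. The output is a review list, not a verdict.

```python
"""Triage pass over DDS / ComboFix-style log lines.

Added example for this thread; not part of the original post and not code
from the DDS or ComboFix tools. It only reads text already in the log, so
it produces a review queue for a human, not a verdict.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the DDS log in this thread and from
# the ComboFix "Drivers/Services" section posted later, trimmed to what the
# rules below look at.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe"
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} -
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - <orphaned>
============= SERVICES / DRIVERS ===============
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 24408]
S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-6-5 1298944]
==================== Find3M  ====================
2013-08-21 13:41:32     11782374    ----a-w-    c:\users\administrator\bitpim-1.0.7-setup.exe
2011-10-15 14:42:25     336   ----a-w-    c:\program files\temp995.bat
-------\Service_5762
"""

# IE hook (BHO, protocol handler, toolbar, IE menu item) listed by CLSID but
# with nothing after the trailing " -": the COM registration exists, the DLL
# is gone or was not visible to the scanner.
COM_NO_FILE = re.compile(
    r"^(?:BHO|Handler|TB|IE): .*\{[0-9A-Fa-f-]{36}\} -\s*(?:<orphaned>)?$")

# DDS service/driver line: "R1 name;description;path [yyyy-m-d size]".
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?: \[[^\]]*\])?$")

# ComboFix "Drivers/Services" removal line: "-------\name".
REMOVED_SERVICE = re.compile(r"^-+\\(.+)$")

# Short letter prefix plus a run of digits, the shape generated service names
# often have. Legitimate drivers hit this too (see the note below the code).
RANDOM_NAME = re.compile(r"[A-Za-z]{0,8}_?\d{4,}")

# Script files under Program Files or the Windows directory in the DDS file
# listings (Created Last 30 / Find3M); installers rarely leave loose scripts there.
LOOSE_SCRIPT = re.compile(
    r"^\d{4}-\d{2}-\d{2} .*\s(c:\\(?:program files|windows)\\.*\.(?:bat|cmd|vbs|js))$",
    re.IGNORECASE)


def parse_service(line: str) -> Optional[Dict[str, str]]:
    """Split a DDS service/driver line into its fields, or None if it is not one."""
    m = SERVICE_LINE.match(line)
    if not m:
        return None
    return {"state": m.group(1), "name": m.group(2),
            "desc": m.group(3), "path": m.group(4)}


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for the lines a reviewer should look at first."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if COM_NO_FILE.match(line):
            findings.append(("com-hook-without-file", line))
            continue
        svc = parse_service(line)
        if svc is not None:
            if not svc["path"]:
                findings.append(("service-without-path", line))
            elif RANDOM_NAME.fullmatch(svc["name"]):
                findings.append(("service-random-name", line))
            continue
        removed = REMOVED_SERVICE.match(line)
        if removed is not None:
            if RANDOM_NAME.fullmatch(removed.group(1)):
                findings.append(("removed-service-random-name", line))
            continue
        if LOOSE_SCRIPT.match(line):
            findings.append(("script-in-program-dir", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:28} {line}")
```

Run it and the sample yields seven findings: the four IE hooks without a file, the temp995.bat in Program Files, the removed Service_5762, and the C-Media driver c65013264. That last one is a legitimate sound driver from the log that trips the same name heuristic as Service_5762, which is why the function returns a queue to be read against the rest of the log rather than a list of infections.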

 

 


#2 gringo_pr (Bleepin Gringo; Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 25 September 2013 - 05:37 PM


Hello noopers

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" button, make sure that the "Receive notification" box is checked and that it is set to "Instantly". This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into Notepad and print them in case it is necessary for you to go offline during the cleanup process. To open Notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 noopers (Topic Starter; Members, 19 posts)

Posted 25 September 2013 - 06:53 PM

Thanks for the attention and help Gringo!!

The computer is still running the same as earlier. I'm able to run in safe mode only.

Here are the scans.

# AdwCleaner v3.005 - Report created 25/09/2013 at 19:30:12
# Updated 22/09/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Administrator - TIGERDIRECT-PC
# Running from : C:\Users\Administrator\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16506

*************************

AdwCleaner[R0].txt - [1669 octets] - [24/09/2013 14:04:23]
AdwCleaner[R1].txt - [788 octets] - [24/09/2013 14:35:23]
AdwCleaner[R2].txt - [906 octets] - [24/09/2013 21:03:09]
AdwCleaner[R3].txt - [1087 octets] - [25/09/2013 19:28:02]
AdwCleaner[S0].txt - [1626 octets] - [24/09/2013 14:12:41]
AdwCleaner[S1].txt - [848 octets] - [24/09/2013 14:36:15]
AdwCleaner[S2].txt - [1011 octets] - [25/09/2013 19:30:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1071 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.2 (09.22.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Administrator on Wed 09/25/2013 at 19:42:35.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 09/25/2013 at 19:45:11.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On the JRT, it said something about a bad module; did I want to restart? (I pressed N) as it was scanning.

Thanks.



#4 gringo_pr (Bleepin Gringo; Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 25 September 2013 - 07:09 PM


Hello noopers

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"
  • In your next post I need the following
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#5 noopers (Topic Starter; Members, 19 posts)

Posted 25 September 2013 - 08:28 PM

Hi Gringo, thanks for the continuing help!

I ran ComboFix as instructed. ComboFix restarted my computer and it wouldn't start in normal mode. I shut it off, pressed F8 and restarted in safe mode, and the program finished off the scan and produced the log I'm posting now.

 

ComboFix 13-09-24.02 - Administrator 09/25/2013  20:38:33.5.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2046.1358 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\hosts
c:\programdata\ntuser.dat
c:\users\Administrator\bitpim-1.0.7-setup.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_5762
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-26 to 2013-09-26  )))))))))))))))))))))))))))))))
.
.
2013-09-26 00:47 . 2013-09-26 01:05  --------  d-----w-  c:\users\Administrator\AppData\Local\temp
2013-09-26 00:47 . 2013-09-26 00:47  --------  d-----w-  c:\users\UpdatusUser\AppData\Local\temp
2013-09-26 00:47 . 2013-09-26 00:47  --------  d-----w-  c:\users\tigerdirect\AppData\Local\temp
2013-09-26 00:47 . 2013-09-26 00:47  --------  d-----w-  c:\users\Public\AppData\Local\temp
2013-09-26 00:47 . 2013-09-26 00:47  --------  d-----w-  c:\users\Default\AppData\Local\temp
2013-09-25 01:09 . 2013-09-25 01:09    205072  ----a-w-  c:\windows\system32\drivers\tmcomm.sys
2013-09-24 19:49 . 2013-09-25 03:22  --------  d-----w-  c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-09-24 19:40 . 2013-09-24 19:40  --------  d-----w-  c:\windows\ERUNT
2013-09-24 18:18 . 2013-04-04 18:50     22856  ----a-w-  c:\windows\system32\drivers\mbam.sys
2013-09-24 18:04 . 2013-09-25 23:30  --------  d-----w-  C:\AdwCleaner
2013-09-24 17:59 . 2013-09-24 17:59  --------  d-----w-  c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2013-09-24 17:58 . 2013-09-24 17:59  --------  d-----w-  c:\program files\SUPERAntiSpyware
2013-09-24 17:58 . 2013-09-24 17:58  --------  d-----w-  c:\programdata\SUPERAntiSpyware.com
2013-09-24 11:45 . 2013-09-24 11:45  --------  d-----w-  c:\program files\GUMEAAD.tmp
2013-09-21 17:46 . 2013-09-26 01:04  --------  d-----w-  c:\windows\system32\wbem\repository
2013-09-21 03:05 . 2013-09-21 03:05  --------  d-----w-  c:\programdata\Malwarebytes
2013-09-21 03:05 . 2013-09-24 18:18  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2013-09-12 11:55 . 2013-07-16 04:35    615936  ----a-w-  c:\windows\system32\themeui.dll
2013-09-12 11:55 . 2013-08-08 01:45   2049536  ----a-w-  c:\windows\system32\win32k.sys
2013-09-08 11:51 . 2013-09-08 11:51  --------  d-----w-  c:\users\Administrator\AppData\Local\NVIDIA
2013-09-08 01:02 . 2013-09-08 01:02  --------  d-----w-  c:\program files\AGEIA Technologies
2013-09-08 00:58 . 2013-06-21 09:52   4192544  ----a-w-  c:\windows\system32\nvcpl.dll
2013-09-08 00:58 . 2013-06-21 09:52   3045664  ----a-w-  c:\windows\system32\nvsvc.dll
2013-09-08 00:58 . 2013-06-21 09:52    640288  ----a-w-  c:\windows\system32\nvvsvc.exe
2013-09-08 00:58 . 2013-06-21 09:52     62752  ----a-w-  c:\windows\system32\nvshext.dll
2013-09-08 00:58 . 2013-06-21 09:52    223008  ----a-w-  c:\windows\system32\nvmctray.dll
2013-09-06 22:21 . 2013-09-07 23:16  --------  d-----w-  C:\NVIDIA(1)
2013-09-06 22:00 . 2013-09-08 11:51  --------  d-----w-  c:\programdata\NVIDIA Corporation
2013-09-06 21:59 . 2013-09-07 23:17  --------  d-----w-  c:\program files\NVIDIA Corporation(4)
2013-09-06 20:54 . 2013-09-06 20:54  --------  d-----w-  c:\programdata\NVIDIA(9)
2013-09-03 13:53 . 2013-09-03 13:53    187248  ----a-w-  c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-08-27 18:24 . 2013-08-02 02:48   1548288  ----a-w-  c:\windows\system32\WMVDECOD.DLL
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-05 05:02 . 2013-09-22 03:05   7328304  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{838B4338-7956-432C-9977-D6D727D06AE0}\mpengine.dll
2013-08-07 08:22 . 2010-11-01 15:33    238872  ------w-  c:\windows\system32\MpSigStub.exe
2013-07-17 19:41 . 2013-08-15 10:40      2048  ----a-w-  c:\windows\system32\tzres.dll
2013-07-10 20:00 . 2013-05-02 21:11     44000  ----a-w-  c:\windows\system32\drivers\kltdi.sys
2013-07-10 09:47 . 2013-08-15 10:40    783360  ----a-w-  c:\windows\system32\rpcrt4.dll
2013-07-09 12:10 . 2013-08-15 10:40   1205168  ----a-w-  c:\windows\system32\ntdll.dll
2013-07-08 04:55 . 2013-08-15 10:40   3603904  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2013-07-08 04:55 . 2013-08-15 10:40   3551680  ----a-w-  c:\windows\system32\ntoskrnl.exe
2013-07-08 04:20 . 2013-08-15 10:40    172544  ----a-w-  c:\windows\system32\wintrust.dll
2013-07-08 04:16 . 2013-08-15 10:40    133120  ----a-w-  c:\windows\system32\cryptsvc.dll
2013-07-08 04:16 . 2013-08-15 10:40     98304  ----a-w-  c:\windows\system32\cryptnet.dll
2013-07-08 04:16 . 2013-08-15 10:40    992768  ----a-w-  c:\windows\system32\crypt32.dll
2013-07-05 04:53 . 2013-08-15 10:41    905664  ----a-w-  c:\windows\system32\drivers\tcpip.sys
2013-07-03 22:17 . 2012-07-16 11:54    867240  ----a-w-  c:\windows\system32\npDeployJava1.dll
2013-07-03 22:17 . 2010-05-10 13:13    789416  ----a-w-  c:\windows\system32\deployJava1.dll
2011-10-15 14:42 . 2011-10-15 14:42       336  ----a-w-  c:\program files\temp995.bat
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Amazon Cloud Player"="c:\users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe" [2013-06-21 3108864]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-04-05 59720]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-15 5703920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"Nvtmru"="c:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation  REG_MULTI_SZ  FontCache
bthsvcs                         REG_MULTI_SZ  BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 22:10]
.
2013-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 22:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-ROC_ROC_NT - c:\program files\AVG Secure Search\ROC_ROC_NT.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-25 21:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F}"=hex:51,66,7a,6c,4c,1d,3b,1b,63,d3,77,
   4f,97,bd,d9,06,85,80,19,b7,fa,fb,bc,54
"{E33CF602-D945-461A-83F0-819F76A199F8}"=hex:51,66,7a,6c,4c,1d,3b,1b,12,e9,2f,
   f9,75,8b,7c,0c,97,fa,c4,df,77,e5,da,e3
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:89,42,2b,33,f8,0f,cc,01
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,ec,07,3f,05,6c,90,45,96,2b,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,77,2a,60,4e,88,4d,9d,e7,99,\
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASF"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASX"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AU"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.avi"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bin\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\DTLite.exe"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.btc\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\Apcd.exe"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.CDA"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft Internet Mail Message"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.HTM"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.HTM"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\UserChoice]

@Denied: (2) (Administrator)

"Progid"="jarfile"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\UserChoice]

@Denied: (2) (Administrator)

"Progid"="txtfile"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.M3U"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft.Zune.2.M4A"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft.Zune.2.M4B"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft.Zune.2.M4V"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mbr\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft.Zune.2.MBR"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.MHT"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.MHT"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MIDI"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MIDI"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MP3"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft.Zune.2.MP4"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.PARTIAL"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MIDI"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="FirefoxHTML"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AU"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\Carriers At War.exe"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.SVG"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\WINWORD.EXE"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.URL"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WAV"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WAX"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.WEBSITE"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASF"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMA"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMD"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMS"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMV"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASX"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMZ"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WPL"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WVX"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.XHT"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="IE.AssocFile.XHT"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zpl\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Microsoft.Zune.2.ZPL"

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:1c,21,57,f4,81,bf,b5,7f,9f,fd,fb,c0,5c,5f,4b,5b,eb,31,99,72,14,f3,67,

   94,62,3b,d0,01,5b,cb,0a,52,0a,02,64,4a,cf,21,ad,6b,f4,8d,33,17,6f,d9,b6,2d,\

"??"=hex:dd,99,0c,75,e0,d9,b3,83,e9,61,6d,9e,fe,35,fe,09

.

[HKEY_USERS\S-1-5-21-1137197817-1767675464-2595903877-500\Software\SecuROM\License information*]

"datasecu"=hex:49,66,5a,36,79,96,b2,a4,50,a4,53,1c,db,0f,09,84,28,10,1f,ca,2a,

   b6,19,43,8c,4f,36,4f,2e,55,d8,92,52,17,f6,b1,f2,46,31,0b,8d,45,b6,5f,c6,23,\

"rkeysecu"=hex:e0,d3,35,90,70,ac,51,83,fb,16,2c,e7,30,99,7d,a7

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\ACRAD74\5&28832147&0&UID5243152\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\ACRAD74\5&28832147&0&UID5243152\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\ACRAD74\5&48b799b&0&UID272\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\ACRAD74\5&48b799b&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\ACRAD74\5&48b799b&0&UID5243152\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\ACRAD74\5&48b799b&0&UID5243152\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&2a802906&0&12345678&05&00\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&2a802906&0&12345678&05&00\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&48b799b&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&48b799b&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\NVD0000\5&48b799b&0&UID5243136\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\NVD0000\5&48b799b&0&UID5243136\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\OQI3F16\5&48b799b&0&UID257\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\OQI3F16\5&48b799b&0&UID257\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\VSC361C\5&2a802906&0&UID257\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\VSC361C\5&2a802906&0&UID257\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\VSC361C\5&48b799b&0&UID257\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\VSC361C\5&48b799b&0&UID257\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

@DACL=(02 0000)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Windows Media Player\wmpnscfg.exe

c:\windows\helppane.exe

.

**************************************************************************

.

Completion time: 2013-09-25  21:11:06 - machine was rebooted

ComboFix-quarantined-files.txt  2013-09-26 01:11

.

Pre-Run: 260,193,562,624 bytes free

Post-Run: 260,432,715,776 bytes free

.

- - End Of File - - 63E01FC5EC1D1FEC0436260546662323

8F558EB6672622401DA993E1E865C861



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:49 PM

Posted 25 September 2013 - 08:47 PM


Hello noopers



Please download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 noopers

noopers
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Local time:05:49 PM

Posted 25 September 2013 - 09:00 PM

Hi Gringo, thanks again for the help. It is much appreciated!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2013

Ran by Administrator (administrator) on TIGERDIRECT-PC on 25-09-2013 21:56:26

Running from C:\Users\Administrator\Desktop

Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Safe Mode (with Networking)

 

==================== Processes (Whitelisted) ===================

 

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe

(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM\...\Run: [Zune Launcher] - C:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)

HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)

HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)

HKLM\...\Run: [Nvtmru] - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1012000 2013-05-16] (NVIDIA Corporation)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)

HKLM\...\Runonce: [GrpConv] - grpconv -o

HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)

HKCU\...\Run: [Amazon Cloud Player] - C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [3108864 2013-06-21] ()

HKCU\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-04-05] (Apple Inc.)

HKCU\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5703920 2013-08-14] (SUPERAntiSpyware)

HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\tigerdirect\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\UpdatusUser\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

SearchScopes: HKLM - DefaultScope value is missing.

SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =

BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\TmIEPlg.dll No File

BHO: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)

BHO: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll No File

BHO: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)

Toolbar: HKCU - No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File

DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll No File

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\TmIEPlg.dll No File

Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} -  No File

ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)

Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [223232] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

 

========================== Services (Whitelisted) =================

 

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [119056 2013-05-23] (SUPERAntiSpyware.com)

S2 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe [356376 2013-05-02] (Kaspersky Lab ZAO)

S2 DTSRVC; C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe [73728 2007-09-20] ()

 

==================== Drivers (Whitelisted) ====================

 

S3 c65013264; C:\Windows\System32\drivers\c6501.sys [1298944 2007-02-07] (C-Media Inc)

R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)

S3 ENTECH; C:\Windows\system32\DRIVERS\ENTECH.sys [21664 2004-10-25] (EnTech Taiwan)

R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [136024 2012-06-19] (Kaspersky Lab ZAO)

S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [594528 2013-05-02] (Kaspersky Lab ZAO)

R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [24408 2012-08-02] (Kaspersky Lab ZAO)

S3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [25944 2013-05-02] (Kaspersky Lab)

S3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [25944 2013-05-02] (Kaspersky Lab)

R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [44000 2013-07-10] (Kaspersky Lab ZAO)

S1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [145040 2013-05-02] (Kaspersky Lab ZAO)

R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [7680 2006-10-18] ()

S3 PdiPorts; C:\Windows\System32\Drivers\PdiPorts.sys [15920 2006-11-16] (Portrait Displays, Inc.)

S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

S0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2012-07-18] (Duplex Secure Ltd.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)

R3 catchme; \??\C:\ComboFix\catchme.sys [x]

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]

U5 klflt; C:\Windows\System32\Drivers\klflt.sys [74848 2013-05-02] (Kaspersky Lab ZAO)

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

S3 USBAAPL; System32\Drivers\usbaapl.sys [x]

U3 mbr; \??\C:\ComboFix\mbr.sys [x]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-09-25 21:55 - 2013-09-25 21:55 - 00000000 ____D C:\FRST

2013-09-25 21:50 - 2013-09-25 21:49 - 01089329 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe

2013-09-25 21:23 - 2013-09-25 21:23 - 00025058 _____ C:\ComboFix.txt

2013-09-25 20:36 - 2013-09-25 21:23 - 00000000 ____D C:\Qoobox

2013-09-25 20:36 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe

2013-09-25 20:36 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe

2013-09-25 20:36 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe

2013-09-25 20:36 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe

2013-09-25 20:36 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe

2013-09-25 20:36 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe

2013-09-25 20:36 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe

2013-09-25 20:36 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe

2013-09-25 20:20 - 2013-09-25 20:20 - 05130004 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe

2013-09-25 19:46 - 2013-09-25 19:30 - 00001151 _____ C:\Users\Administrator\Desktop\AdwCleaner[S2].txt

2013-09-25 19:45 - 2013-09-25 19:45 - 00000650 _____ C:\Users\Administrator\Desktop\JRT.txt

2013-09-25 19:12 - 2013-09-25 19:12 - 01042066 _____ C:\Users\Administrator\Desktop\AdwCleaner.exe

2013-09-25 10:00 - 2013-09-25 10:03 - 00009384 _____ C:\Users\Administrator\Desktop\attach.txt

2013-09-25 10:00 - 2013-09-25 10:02 - 00010381 _____ C:\Users\Administrator\Desktop\dds.txt

2013-09-25 09:58 - 2013-09-25 09:58 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com

2013-09-24 23:14 - 2013-09-24 23:14 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe

2013-09-24 22:31 - 2013-09-24 22:32 - 00023953 _____ C:\Users\Administrator\Downloads\Result.txt

2013-09-24 22:29 - 2013-09-24 22:29 - 00760937 _____ (Farbar) C:\Users\Administrator\Downloads\MiniToolBox.exe

2013-09-24 22:27 - 2013-09-24 23:53 - 00000000 ____D C:\Users\Administrator\Desktop\New Folder

2013-09-24 22:19 - 2013-09-24 22:19 - 00358923 _____ (Farbar) C:\Users\Administrator\Desktop\FSS.exe

2013-09-24 22:18 - 2013-09-24 22:17 - 00891144 _____ C:\Users\Administrator\Desktop\SecurityCheck.exe

2013-09-24 21:09 - 2013-09-24 21:09 - 00205072 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys

2013-09-24 15:49 - 2013-09-24 23:22 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-09-24 15:48 - 2013-09-24 23:42 - 00000000 ____D C:\Users\Administrator\Desktop\mbar

2013-09-24 15:40 - 2013-09-24 15:40 - 00000000 ____D C:\Windows\ERUNT

2013-09-24 15:38 - 2013-09-25 19:12 - 01030038 _____ (Thisisu) C:\Users\Administrator\Desktop\JRT.exe

2013-09-24 15:37 - 2013-09-24 22:45 - 12907592 _____ (Malwarebytes Corp.) C:\Users\Administrator\Desktop\mbar-1.07.0.1005.exe

2013-09-24 14:18 - 2013-09-24 14:18 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-09-24 14:18 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2013-09-24 14:04 - 2013-09-25 19:30 - 00000000 ____D C:\AdwCleaner

2013-09-24 14:02 - 2013-09-24 14:03 - 10284816 _____ (Malwarebytes Corporation                                    ) C:\Users\Administrator\Downloads\mbam-setup.exe

2013-09-24 13:59 - 2013-09-24 13:59 - 00001800 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2013-09-24 13:59 - 2013-09-24 13:59 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com

2013-09-24 13:58 - 2013-09-24 13:59 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2013-09-24 13:58 - 2013-09-24 13:58 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com

2013-09-24 13:54 - 2013-09-24 13:58 - 27714152 _____ (SUPERAntiSpyware) C:\Users\Administrator\Downloads\SUPERAntiSpyware.exe

2013-09-24 07:45 - 2013-09-24 07:45 - 00000000 ____D C:\Program Files\GUMEAAD.tmp

2013-09-21 12:35 - 2013-09-21 12:35 - 00000000 ____D C:\Windows\Registration

2013-09-20 23:05 - 2013-09-24 14:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-09-20 23:05 - 2013-09-20 23:05 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-12 08:33 - 2013-07-31 06:30 - 12335104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2013-09-12 08:33 - 2013-07-31 06:05 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2013-09-12 08:33 - 2013-07-31 06:00 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2013-09-12 08:33 - 2013-07-31 05:53 - 01104896 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2013-09-12 08:33 - 2013-07-31 05:52 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2013-09-12 08:33 - 2013-07-31 05:52 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2013-09-12 08:33 - 2013-07-31 05:51 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll

2013-09-12 08:33 - 2013-07-31 05:49 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2013-09-12 08:33 - 2013-07-31 05:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2013-09-12 08:33 - 2013-07-31 05:48 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2013-09-12 08:33 - 2013-07-31 05:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2013-09-12 08:33 - 2013-07-31 05:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2013-09-12 08:33 - 2013-07-31 05:46 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2013-09-12 08:33 - 2013-07-31 05:45 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2013-09-12 08:33 - 2013-07-31 05:45 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2013-09-12 08:33 - 2013-07-31 05:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2013-09-12 07:55 - 2013-08-07 21:45 - 02049536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2013-09-12 07:55 - 2013-07-16 00:35 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\themeui.dll

2013-09-08 07:51 - 2013-09-08 07:51 - 00000000 ____D C:\Users\Administrator\AppData\Local\NVIDIA

2013-09-07 21:02 - 2013-09-07 21:02 - 00000000 ____D C:\Program Files\AGEIA Technologies

2013-09-07 20:58 - 2013-06-21 05:52 - 04192544 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll

2013-09-07 20:58 - 2013-06-21 05:52 - 03045664 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc.dll

2013-09-07 20:58 - 2013-06-21 05:52 - 00640288 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe

2013-09-07 20:58 - 2013-06-21 05:52 - 00223008 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll

2013-09-07 20:58 - 2013-06-21 05:52 - 00062752 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 21102368 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv32.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 17560352 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 13411896 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2um.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 12427240 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dum.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 09069344 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys

2013-09-07 20:47 - 2013-06-21 08:02 - 07687592 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 06324360 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 02777888 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 02597856 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 02002720 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 01024288 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco3232049.dll

2013-09-07 20:47 - 2013-06-21 08:02 - 00893728 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco3232049.dll

2013-09-07 20:47 - 2013-02-25 01:27 - 00154400 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda32v.sys

2013-09-07 20:47 - 2013-02-25 01:27 - 00028448 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap32.dll

2013-09-07 20:47 - 2013-01-29 04:35 - 00892704 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco3220103.dll

2013-09-07 20:23 - 2013-09-07 20:25 - 135162712 _____ (NVIDIA Corporation) C:\Users\Administrator\Downloads\320.49-desktop-win8-win7-winvista-32bit-english-whql.exe

2013-09-06 18:21 - 2013-09-07 19:16 - 00000000 ____D C:\NVIDIA(1)

2013-09-06 18:00 - 2013-09-08 07:51 - 00000000 ____D C:\ProgramData\NVIDIA Corporation

2013-09-06 17:59 - 2013-09-07 19:17 - 00000000 ____D C:\Program Files\NVIDIA Corporation(4)

2013-09-06 16:54 - 2013-09-06 16:54 - 00000000 ____D C:\ProgramData\NVIDIA(9)

2013-08-27 14:24 - 2013-08-01 22:48 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL

 

==================== One Month Modified Files and Folders =======

 

2013-09-25 21:55 - 2013-09-25 21:55 - 00000000 ____D C:\FRST

2013-09-25 21:49 - 2013-09-25 21:50 - 01089329 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe

2013-09-25 21:23 - 2013-09-25 21:23 - 00025058 _____ C:\ComboFix.txt

2013-09-25 21:23 - 2013-09-25 20:36 - 00000000 ____D C:\Qoobox

2013-09-25 21:21 - 2006-11-02 06:23 - 00000215 _____ C:\Windows\system.ini

2013-09-25 21:13 - 2013-07-10 15:43 - 00000000 ____D C:\ProgramData\Kaspersky Lab

2013-09-25 21:08 - 2006-11-02 06:33 - 00775966 _____ C:\Windows\system32\PerfStringBackup.INI

2013-09-25 21:04 - 2012-11-09 07:32 - 00021998 _____ C:\Windows\PFRO.log

2013-09-25 20:47 - 2012-07-13 21:13 - 00000000 ____D C:\Windows\erdnt

2013-09-25 20:46 - 2008-06-05 07:13 - 00000000 ____D C:\Users\Administrator

2013-09-25 20:20 - 2013-09-25 20:20 - 05130004 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe

2013-09-25 19:45 - 2013-09-25 19:45 - 00000650 _____ C:\Users\Administrator\Desktop\JRT.txt

2013-09-25 19:30 - 2013-09-25 19:46 - 00001151 _____ C:\Users\Administrator\Desktop\AdwCleaner[S2].txt

2013-09-25 19:30 - 2013-09-24 14:04 - 00000000 ____D C:\AdwCleaner

2013-09-25 19:12 - 2013-09-25 19:12 - 01042066 _____ C:\Users\Administrator\Desktop\AdwCleaner.exe

2013-09-25 19:12 - 2013-09-24 15:38 - 01030038 _____ (Thisisu) C:\Users\Administrator\Desktop\JRT.exe

2013-09-25 10:03 - 2013-09-25 10:00 - 00009384 _____ C:\Users\Administrator\Desktop\attach.txt

2013-09-25 10:02 - 2013-09-25 10:00 - 00010381 _____ C:\Users\Administrator\Desktop\dds.txt

2013-09-25 09:58 - 2013-09-25 09:58 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com

2013-09-24 23:53 - 2013-09-24 22:27 - 00000000 ____D C:\Users\Administrator\Desktop\New Folder

2013-09-24 23:42 - 2013-09-24 15:48 - 00000000 ____D C:\Users\Administrator\Desktop\mbar

2013-09-24 23:22 - 2013-09-24 15:49 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-09-24 23:14 - 2013-09-24 23:14 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe

2013-09-24 22:45 - 2013-09-24 15:37 - 12907592 _____ (Malwarebytes Corp.) C:\Users\Administrator\Desktop\mbar-1.07.0.1005.exe

2013-09-24 22:32 - 2013-09-24 22:31 - 00023953 _____ C:\Users\Administrator\Downloads\Result.txt

2013-09-24 22:29 - 2013-09-24 22:29 - 00760937 _____ (Farbar) C:\Users\Administrator\Downloads\MiniToolBox.exe

2013-09-24 22:19 - 2013-09-24 22:19 - 00358923 _____ (Farbar) C:\Users\Administrator\Desktop\FSS.exe

2013-09-24 22:17 - 2013-09-24 22:18 - 00891144 _____ C:\Users\Administrator\Desktop\SecurityCheck.exe

2013-09-24 22:10 - 2008-01-20 21:35 - 01116098 _____ C:\Windows\WindowsUpdate.log

2013-09-24 22:09 - 2009-04-03 14:29 - 00000000 ____D C:\Windows\Minidump

2013-09-24 21:55 - 2013-08-21 09:19 - 00000012 _____ C:\Windows\bthservsdp.dat

2013-09-24 21:55 - 2006-11-02 09:01 - 00032570 _____ C:\Windows\Tasks\SCHEDLGU.TXT

2013-09-24 21:55 - 2006-11-02 09:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-09-24 21:50 - 2011-03-24 18:10 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-09-24 21:40 - 2008-06-05 07:13 - 00001356 _____ C:\Users\Administrator\AppData\Local\d3d9caps.dat

2013-09-24 21:09 - 2013-09-24 21:09 - 00205072 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys

2013-09-24 15:40 - 2013-09-24 15:40 - 00000000 ____D C:\Windows\ERUNT

2013-09-24 14:18 - 2013-09-24 14:18 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-09-24 14:18 - 2013-09-20 23:05 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-09-24 14:03 - 2013-09-24 14:02 - 10284816 _____ (Malwarebytes Corporation                                    ) C:\Users\Administrator\Downloads\mbam-setup.exe

2013-09-24 13:59 - 2013-09-24 13:59 - 00001800 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2013-09-24 13:59 - 2013-09-24 13:59 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com

2013-09-24 13:59 - 2013-09-24 13:58 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2013-09-24 13:58 - 2013-09-24 13:58 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com

2013-09-24 13:58 - 2013-09-24 13:54 - 27714152 _____ (SUPERAntiSpyware) C:\Users\Administrator\Downloads\SUPERAntiSpyware.exe

2013-09-24 07:45 - 2013-09-24 07:45 - 00000000 ____D C:\Program Files\GUMEAAD.tmp

2013-09-24 06:55 - 2013-02-21 08:58 - 00000000 ____D C:\Windows\system32\Adobe

2013-09-24 06:55 - 2008-06-12 23:57 - 00000000 ____D C:\Windows\system32\MacroMed

2013-09-22 06:28 - 2006-11-02 08:47 - 00003712 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-09-22 06:28 - 2006-11-02 08:47 - 00003712 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-09-21 23:02 - 2013-08-24 07:22 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1

2013-09-21 23:02 - 2013-03-14 17:42 - 00000000 ____D C:\Program Files\Common Files\Apple

2013-09-21 23:00 - 2009-05-17 11:45 - 00000000 ____D C:\Program Files\Google

2013-09-21 22:59 - 2008-06-05 07:31 - 00000000 ___HD C:\Program Files\InstallShield Installation Information

2013-09-21 22:59 - 2008-06-05 07:21 - 00000000 ____D C:\Program Files\Common Files\InstallShield

2013-09-21 13:44 - 2011-03-24 18:10 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-09-21 12:35 - 2013-09-21 12:35 - 00000000 ____D C:\Windows\Registration

2013-09-20 23:21 - 2011-03-25 11:25 - 00000000 ____D C:\Users\tigerdirect

2013-09-20 23:21 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\system32\spool

2013-09-20 23:21 - 2006-11-02 06:22 - 52166656 _____ C:\Windows\system32\config\software_previous

2013-09-20 23:21 - 2006-11-02 06:22 - 44040192 _____ C:\Windows\system32\config\components_previous

2013-09-20 23:21 - 2006-11-02 06:22 - 28573696 _____ C:\Windows\system32\config\system_previous

2013-09-20 23:21 - 2006-11-02 06:22 - 00524288 _____ C:\Windows\system32\config\default_previous

2013-09-20 23:21 - 2006-11-02 06:22 - 00262144 _____ C:\Windows\system32\config\security_previous

2013-09-20 23:21 - 2006-11-02 06:22 - 00262144 _____ C:\Windows\system32\config\sam_previous

2013-09-20 23:20 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\registration.tmp

2013-09-20 23:05 - 2013-09-20 23:05 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-13 22:06 - 2008-06-05 07:27 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-09-12 13:50 - 2006-11-02 08:47 - 00436072 _____ C:\Windows\system32\FNTCACHE.DAT

2013-09-12 08:30 - 2013-08-03 11:02 - 00000000 ____D C:\Windows\system32\MRT

2013-09-12 08:27 - 2006-11-02 06:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

2013-09-10 23:30 - 2008-07-02 04:11 - 00000000 ____D C:\Program Files\Common Files\Adobe

2013-09-09 08:09 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Microsoft.NET

2013-09-08 07:51 - 2013-09-08 07:51 - 00000000 ____D C:\Users\Administrator\AppData\Local\NVIDIA

2013-09-08 07:51 - 2013-09-06 18:00 - 00000000 ____D C:\ProgramData\NVIDIA Corporation

2013-09-07 21:07 - 2008-06-05 07:23 - 00000000 ____D C:\ProgramData\NVIDIA

2013-09-07 21:03 - 2012-11-18 11:08 - 00000000 ____D C:\Program Files\NVIDIA Corporation

2013-09-07 21:02 - 2013-09-07 21:02 - 00000000 ____D C:\Program Files\AGEIA Technologies

2013-09-07 21:02 - 2008-10-03 13:50 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard

2013-09-07 20:33 - 2008-06-05 07:21 - 00000000 ____D C:\NVIDIA

2013-09-07 20:25 - 2013-09-07 20:23 - 135162712 _____ (NVIDIA Corporation) C:\Users\Administrator\Downloads\320.49-desktop-win8-win7-winvista-32bit-english-whql.exe

2013-09-07 19:43 - 2012-11-18 11:15 - 00000000 ___RD C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2013-09-07 19:43 - 2012-11-18 11:15 - 00000000 ___RD C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2013-09-07 19:43 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\system32\Msdtc

2013-09-07 19:43 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Help

2013-09-07 19:17 - 2013-09-06 17:59 - 00000000 ____D C:\Program Files\NVIDIA Corporation(4)

2013-09-07 19:16 - 2013-09-06 18:21 - 00000000 ____D C:\NVIDIA(1)

2013-09-06 16:54 - 2013-09-06 16:54 - 00000000 ____D C:\ProgramData\NVIDIA(9)

2013-08-31 20:29 - 2012-07-22 16:59 - 00000000 ____D C:\Users\Administrator\Desktop\AE.files

2013-08-28 08:13 - 2012-04-16 11:17 - 00000000 ____D C:\Matrix Games

 

ZeroAccess:

C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}

C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}\L\00000004.@

C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}\L\201d3dde

 

ZeroAccess:

C:\Users\Administrator\AppData\Local\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}

 

Files to move or delete:

====================

C:\Users\Administrator\iTunesSetup.exe

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

LastRegBack: 2013-09-25 21:19

 

==================== End Of Log ============================

 

 

 




#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:49 PM

Posted 26 September 2013 - 08:41 PM

Hello noopers



I need you to download this script I have made for you --> Attached File: fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 noopers

noopers
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 26 September 2013 - 09:05 PM

Thanks for the help and assistance Gringo!!!

 

Here's the fixlog:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-09-2013

Ran by Administrator at 2013-09-26 22:02:51 Run:1

Running from C:\Users\Administrator\Desktop

Boot Mode: Safe Mode (with Networking)

 

==============================================

 

Content of fixlist:

*****************

Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [223232] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}

C:\Users\Administrator\AppData\Local\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}

 

 

 

 

*****************

 

Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll

C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34} => Moved successfully.

C:\Users\Administrator\AppData\Local\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34} => Moved successfully.

 

==== End of Fixlog ====


Edited by noopers, 26 September 2013 - 09:05 PM.
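An added example, not part of this thread and not FRST's own code: a small Python checker that applies the two ZeroAccess indicators visible in the fixlist and fixlog above (the GUID-named folder under Windows\Installer and AppData\Local with its L subfolder and .@ payloads, and the Winsock Catalog5 entry whose LibraryPath FRST says should be NLAapi.dll) to raw FRST log text. The sample log is constructed from lines quoted in this thread plus one made-up benign Installer folder; the function and pattern names are my own.

```python
import re
from collections import defaultdict

# GUID-named folder as it appears in the FRST paths quoted in this thread.
GUID = r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}"

# The two on-disk locations FRST listed under "ZeroAccess:" in this thread:
# C:\Windows\Installer\{GUID} and C:\Users\<user>\AppData\Local\{GUID}.
ZA_ROOT = re.compile(
    r"^(?P<root>[a-z]:\\(?:Windows\\Installer|Users\\[^\\]+\\AppData\\Local))"
    r"\\(?P<guid>" + GUID + r")(?P<rest>\\.*)?$",
    re.IGNORECASE,
)
# Inside that folder: an "L" (or "U") subfolder, or a payload named *.@
ZA_INNER = re.compile(r"^\\[LU](?:\\|$)|\.@$", re.IGNORECASE)

# FRST's Winsock line (Catalog5 = namespace providers) with the "ATTENTION"
# note that the configured LibraryPath differs from the one FRST expects.
WINSOCK = re.compile(
    r"^Winsock: Catalog5 (?P<idx>\d+) (?P<path>\S+).*"
    r"ATTENTION: The LibraryPath should be \"(?P<expected>[^\"]+)\"",
    re.IGNORECASE,
)


def scan_frst_log(text):
    """Return (kind, line) findings: Winsock mismatches first, then every line
    of each GUID folder that shows ZeroAccess structure, grouped by GUID."""
    findings = []
    by_guid = defaultdict(list)  # guid -> [(line, root, rest)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINSOCK.match(line)
        if m:
            findings.append(("winsock_mismatch", line))
            continue
        m = ZA_ROOT.match(line)
        if m:
            by_guid[m["guid"].lower()].append(
                (line, m["root"].lower(), m["rest"] or "")
            )
    for entries in by_guid.values():
        roots = {root for _, root, _ in entries}
        has_structure = any(ZA_INNER.search(rest) for _, _, rest in entries)
        # A plain {GUID} folder under Windows\Installer is normal (the MSI
        # cache keeps icons there); flag only on the L/U/.@ structure, or on
        # the same GUID appearing in both locations, as it does in this thread.
        if has_structure or len(roots) > 1:
            for line, _, rest in entries:
                kind = "zeroaccess_payload" if rest.endswith(".@") else "zeroaccess_dir"
                findings.append((kind, line))
    return findings


# Constructed sample: the Winsock and ZeroAccess lines quoted in this thread,
# one "MD5 is legit" line, and one made-up benign Installer folder.
SAMPLE = r"""
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [223232] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}
C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}\L\00000004.@
C:\Windows\Installer\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}\L\201d3dde
C:\Users\Administrator\AppData\Local\{94c3c19e-22c3-6f0a-a7d1-5acad4a9ab34}
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\Installer\{A1B2C3D4-0000-1111-2222-333344445555}\ARPPRODUCTICON.exe
"""

if __name__ == "__main__":
    for kind, line in scan_frst_log(SAMPLE):
        print(f"{kind:20} {line}")
```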


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:49 PM

Posted 26 September 2013 - 09:33 PM


Hello noopers

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note: this report can be very long, so if the website gives you an error saying it is too long you may attach it.

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================
and I will see if I want to see the whole report.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit.
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.
Send me the reports made by TDSSKiller and RogueKiller, and also let me know how the computer is doing at this time.

Gringo

#11 noopers

noopers
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 26 September 2013 - 10:28 PM

Hi Gringo, thanks again for the help and persistence. Much appreciated.

 

I attached the TDS doc to the post. Both RK reports were labeled [0], but I copied the one with the highest number afterwards (RKreport[0]_S_09262013_225152) as opposed to (RKreport[0]_D_09262013_225331).

 

 

RogueKiller V8.6.12 [Sep 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

 

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Administrator [Admin rights]

Mode : Scan -- Date : 09/26/2013 22:51:52

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : Amazon Cloud Player (C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [-]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-1137197817-1767675464-2595903877-500\[...]\Run : Amazon Cloud Player (C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [-]) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\RunOnce : E141A983-2EE8-4F3E-9B6B-31B28FBBDDB6 (cmd.exe /C start /D "C:\Users\ADMINI~1\AppData\Local\Temp" /B E141A983-2EE8-4F3E-9B6B-31B28FBBDDB6.exe -activeimages -postboot [x][-][x]) -> FOUND

[SERVICE][ROGUE ST] HKLM\[...]\CS003\[...]\Services : 5762 (C:\Users\Administrator\AppData\Local\Temp\5762.sys [x]) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[WALLPAPER][PUM] HKCU\[...]\Desktop : WallPaper (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0xc000035f] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1       localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - Hitachi HDP725032GLA360 ATA Device +++++

--- User ---

[MBR] 9f3d898e86d29fc00daa62e2d4e12eaf

[BSP] 8d901e9b6bd38fb005225d7846c29fa3 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 305243 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_S_09262013_225152.txt >>

 

 

I tried to start the PC up in normal mode after the scan and it was just a loop with the blueish green line running across the screen as Vista would normally start, only it was not starting. I started up in safe mode with networking and it started up as it usually does.

 




#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:49 PM

Posted 26 September 2013 - 10:50 PM

How are things running at this time?

gringo

#13 noopers

noopers
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 27 September 2013 - 07:23 AM

Hi Gringo! My PC won't start in normal mode; it just runs the loop with the green squares running across the screen. In safe mode with networking it runs perfectly.

 

The only issue I have is when downloading a program I can't "save as" to the desktop or anywhere I want. My downloads go to the Administrator -> Downloads folder and I move them to the desktop from there.

 

 

 

I know little to nothing about computers. Since I can't start up Windows in normal mode, is it possible that I have a hardware problem?

 

 

Thanks for the help!!


Edited by noopers, 27 September 2013 - 07:35 AM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:49 PM

Posted 27 September 2013 - 11:53 AM


Hello


I want you to run things in selective startup; this will help pinpoint the type of problem it is.



1. Push the "Windows key" + "R" (the Windows key is between the "Ctrl" button and the "Alt" button).
2. In the Open box, type msconfig and then click OK. The System Configuration Utility appears.
3. Click the "Services" tab.
4. Put a checkmark in "Hide all Microsoft services".
5. Uncheck anything that is left.
6. Click on the "Startup" tab.
7. Uncheck all under this tab.
8. Click on the Apply button.


Restart the computer and see how things are doing. If things are doing better, then repeat the process, but this time start with the services: add the first half back and apply the changes.

If things go bad again, then you know the problem is in the services that you restarted, and you can keep searching until you find the one it is.

If you restart all the services and things are still OK, then go back and do the same thing for the startup programs.



Gringo

#15 noopers

noopers
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 PM

Posted 27 September 2013 - 07:02 PM

G'evening Gringo!

 

I tried the msconfig a number of times and double checked everything to make sure I was absolutely doing what you requested and wasn't able to get a boot into normal mode.

 

 

I'm just throwing it out there ... I believe I have a system restore on DVD (assuming I burned it correctly) from when I first bought the computer as a last resort. I'd love to resurrect this PC from the dead but I'm wondering if it's salvageable at this point. Of course this isn't a reflection on the help you're giving me but the state of my system.

 

I appreciate all the help you're giving me.

 

 

Thanks very much!!!!





