MBR Rootkit Removal problems


  • This topic is locked
7 replies to this topic

#1 Surum

Surum

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Rocky Mountian High
  • Local time:05:15 AM

Posted 30 January 2014 - 03:39 PM

Hi! I'm new here. I am having problems removing a nasty MBR Rootkit from my computer! I have an old Toshiba Portege M400 with Windows XP Tablet PC Ed. 2005, Version 2002 SP2. Great little tablet!!! For two years now this darn ROOTKIT has been buried in the bottom of this machine. I have run MBAM in conjunction with Windows Defender and Rkill. As I am sure most know, many OTHER viruses have come in and been removed in relation to this Rootkit. But nothing seems to uproot the Rootkit itself!!!! Not even sure if my registry is authentic anymore!!

The current state is as follows:

640 some viruses found yesterday and removed by MBAM after a round or two of Rkill. Nothing serious (some redirects and hijack programs).   

When manually deleting any file, it does not appear in the Recycle Bin.

MBR Rootkit detected by RootRepeal.

Sectors 1-62 show sector mismatch!

3 objects return inaccessible/invisible!

The RootRepeal report is below DDS.

 

Thank you for your time on this issue,

 

Surum

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by User at 22:58:29 on 2014-01-29
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1015.313 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\NETGEAR Genie\bin\genie2_tray.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [HP Photosmart 7510 series (NET)] "c:\program files\hp\hp photosmart 7510 series\bin\ScanToPCActivationApp.exe" -deviceID "CN2523419C05PX:NW" -scfn "HP Photosmart 7510 series (NET)" -AutoStart 1
uRun: [NETGEARGenie] "c:\program files\netgear genie\bin\NETGEARGenie.exe" -mini -redirect
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [ThpSrv] thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [NDSTray.exe] NDSTray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [Kraidman] c:\program files\toshiba\toshiba raid\console\Kraidman.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3400 series\ezprint.exe"
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MFNetworkScanUtility] c:\program files\canon\canon mf network scan utility\CNMFSUT.EXE
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
dRun: [TabletWizard] c:\windows\help\wizard.hta
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "c:\windows\system32\config\systemprofile\application data\SearchProtect"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1C8B8F4B-73D4-4313-9F60-E66C128A6470} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: psfus - psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: TosBtNP - TosBtNP.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages =  scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\y2gmy0se.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\user\local settings\application data\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\program files\livingplay games\nplplaypop.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\pdflite\npPdfViewer.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - ExtSQL: 2014-01-27 18:29; {e844e171-0702-480a-abc8-39f79c8c6126}; c:\documents and settings\user\application data\mozilla\firefox\profiles\y2gmy0se.default\extensions\{e844e171-0702-480a-abc8-39f79c8c6126}.xpi
FF - ExtSQL: 2014-01-29 13:47; TidyNetwork@TidyNetwork; c:\documents and settings\user\application data\mozilla\firefox\profiles\y2gmy0se.default\extensions\TidyNetwork@TidyNetwork
FF - ExtSQL: 2014-01-29 16:26; musicplayer@firemediaplayer.com; c:\documents and settings\user\application data\mozilla\firefox\profiles\y2gmy0se.default\extensions\musicplayer@firemediaplayer.com.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-1-15 6144]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl8e7dcb15;MpKsl8e7dcb15;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee43010c-81fb-4972-bd49-bc20e7ef973d}\MpKsl8e7dcb15.sys [2014-1-29 40392]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2006-1-15 5888]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2013-8-14 35088]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-1-14 35968]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2006-1-15 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2006-1-15 595072]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2006-1-14 13568]
S0 jxhaanw;jxhaanw;c:\windows\system32\drivers\jcfwbcj.sys --> c:\windows\system32\drivers\jcfwbcj.sys [?]
S0 qielpplx;qielpplx;c:\windows\system32\drivers\ybqk.sys --> c:\windows\system32\drivers\ybqk.sys [?]
S3 53679955;53679955; [x]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-1-1 24064]
S4 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S4 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\netgear genie\bin\NETGEARGenieDaemon.exe [2013-4-7 195840]
S4 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2006-1-15 126976]
.
=============== Created Last 30 ================
.
2014-01-30 05:23:18 40392 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee43010c-81fb-4972-bd49-bc20e7ef973d}\MpKsl8e7dcb15.sys
2014-01-29 23:12:23 7760024 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee43010c-81fb-4972-bd49-bc20e7ef973d}\mpengine.dll
2014-01-29 21:09:02 -------- d-----w- C:\TDSSKiller_Quarantine
2014-01-29 20:54:17 -------- d-----w- c:\documents and settings\user\local settings\application data\Spoon
2014-01-29 20:53:36 -------- d-----w- c:\program files\Daring Development
2014-01-29 20:48:59 -------- d-----w- c:\documents and settings\user\application data\Paltalk
2014-01-29 20:47:37 -------- d-----w- c:\program files\TidyNetwork
2014-01-29 20:13:23 -------- d-----w- c:\documents and settings\all users\application data\Systweak
2014-01-29 20:13:21 17136 ----a-w- c:\windows\system32\sasnative32.exe
2014-01-29 20:05:36 -------- d-----w- c:\documents and settings\user\application data\Systweak
2014-01-29 20:05:17 -------- d-----w- c:\program files\Level Quality Watcher
.
==================== Find3M  ====================
.
2013-12-11 15:43:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 15:43:46 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 15:43:32 17248136 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
============= FINISH: 22:58:44.53 ===============

 

 

 

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time:  2014/01/29 22:32
Program Version:  Version 1.3.5.0
Windows Version:  Windows XP Tablet PC Edition SP2
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xA2708000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_KR10I.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_KR10I.sys
Address: 0xA1359000 Size: 217088 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA0A06000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB25711$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB888111WXPSP2$:SummaryInformation
Status: Invisible to the Windows API!

==EOF==
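The RootRepeal report above flags "MBR Rootkit Detected!" on the volume and a "Sector mismatch" on every sector from 1 to 62. What a scanner of that kind does is compare the first track of the disk as the running OS reports it against an independent low-level read: a kernel-mode MBR rootkit that filters disk I/O hands the OS a clean-looking copy while the sectors actually on the platter differ. The Python script below is an added example, not part of the original post and not RootRepeal's or Malwarebytes' code; it demonstrates that comparison on constructed in-memory sample data. It parses the MBR partition table, diffs two 63-sector views sector by sector, and turns the result into findings of the kind the report lists. The helper names (parse_mbr, find_sector_mismatches, assess_first_track, build_sample_views) and the sample sectors are this example's own assumptions.

```python
"""Sector-mismatch check of the kind RootRepeal reports above.

Added example, not RootRepeal's or Malwarebytes' code. Two views of the
first track (sectors 0..62) are compared: what the running OS returns
(which a kernel-mode rootkit filtering disk I/O can falsify) and what an
independent read path returns. Both views here are constructed in memory
so the script runs offline; the helper names are this example's own.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
FIRST_TRACK_SECTORS = 63      # sectors 0..62: MBR plus the gap before the first partition
MBR_PARTITION_TABLE = 446     # offset of the four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int      # e.g. 0x07 = NTFS/HPFS
    lba_start: int
    sector_count: int


def parse_mbr(sector0: bytes) -> dict:
    """Decode the boot signature and partition table of an MBR sector."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        raw = sector0[MBR_PARTITION_TABLE + 16 * i: MBR_PARTITION_TABLE + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4), little-endian
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if type_id != 0:                     # type 0 = empty slot
            partitions.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return {
        "signature_ok": sector0[510:512] == MBR_SIGNATURE,
        "partitions": partitions,
        "boot_code": sector0[:MBR_PARTITION_TABLE],
    }


def find_sector_mismatches(api_view: bytes, raw_view: bytes) -> list[int]:
    """Return indices of sectors whose contents differ between the two views."""
    if len(api_view) != len(raw_view) or len(api_view) % SECTOR_SIZE:
        raise ValueError("views must be the same whole number of sectors")
    return [
        i for i in range(len(api_view) // SECTOR_SIZE)
        if api_view[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        != raw_view[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    ]


def assess_first_track(api_view: bytes, raw_view: bytes) -> dict:
    """Combine the MBR sanity checks and the sector comparison into findings."""
    mismatches = find_sector_mismatches(api_view, raw_view)
    mbr_raw = parse_mbr(raw_view[:SECTOR_SIZE])
    findings = []
    if not mbr_raw["signature_ok"]:
        findings.append("raw MBR lacks the 55AA boot signature")
    if 0 in mismatches:
        findings.append("MBR (sector 0) differs between OS read and raw read")
    gap = [i for i in mismatches if i != 0]
    if gap:
        # Sectors between the MBR and the first partition are normally unused on
        # XP-era disks, so data the OS cannot see there is the classic hiding place.
        # Some boot managers legitimately use this gap, so treat it as a lead.
        findings.append(f"{len(gap)} sector(s) in the pre-partition gap differ "
                        f"(sectors {gap[0]}-{gap[-1]})")
    for p in mbr_raw["partitions"]:
        if p.lba_start < FIRST_TRACK_SECTORS:
            findings.append(f"partition type 0x{p.type_id:02x} starts inside the first track")
    return {"mismatched_sectors": mismatches, "findings": findings,
            "partitions": mbr_raw["partitions"]}


def build_sample_views() -> tuple[bytes, bytes]:
    """Constructed sample: a clean-looking OS view and a tampered raw view."""
    boot_stub = b"\xfa\x33\xc0" + b"\x90" * (MBR_PARTITION_TABLE - 3)   # placeholder, not real boot code
    ntfs_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)  # bootable NTFS at LBA 63
    mbr = boot_stub + ntfs_entry + b"\x00" * 48 + MBR_SIGNATURE
    clean_track = mbr + b"\x00" * SECTOR_SIZE * (FIRST_TRACK_SECTORS - 1)
    api_view = clean_track                                             # what a filtering rootkit shows the OS
    raw_view = mbr + bytes(range(256)) * (2 * (FIRST_TRACK_SECTORS - 1))  # gap now holds foreign data
    return api_view, raw_view


if __name__ == "__main__":
    api, raw = build_sample_views()
    for line in assess_first_track(api, raw)["findings"]:
        print(line)
```

On a real machine the two views would come from reading \\.\PhysicalDrive0 through the OS and from a second path the running storage stack cannot filter, such as an offline read after booting rescue media or a direct-disk-access driver like the "DDA driver" that MBAR asks to load later in this thread; the comparison logic stays the same. A mismatch in the gap is a strong lead rather than proof on its own, since some boot managers store code there legitimately, which is why the tools in this thread pair the sector check with a signature scan before cleaning anything.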


#2 Surum

Surum
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Rocky Mountian High
  • Local time:05:15 AM

Posted 30 January 2014 - 03:45 PM

Oh yeah!!!! I forgot to say that I have modified the startup through Msconfig to slow/stop the propagation of the Rootkit and/or any other viruses, and can include a screenshot of those settings if needed.



#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:15 AM

Posted 01 February 2014 - 03:33 PM

Please reset msconfig to normal startup while we do the clean-up

 

Please run the following:

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.

  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

NEXT

 

Please download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop. 

(Direct link to the file: http://downloads.malwarebytes.org/file/mbar)

  • Be sure to print out and follow the instructions provided on that same page.

  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double-click on the MBAR file you downloaded and approve the UAC prompt in Vista and newer operating systems.

  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.

  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

  • After reading the Introduction, click 'Next' if you agree.

  • On the Update Database screen, click on the 'Update' button.

  • Once you see 'Success: Database was successfully updated' click on 'Next'.

  • Click the 'Scan' button.

 

With some infections, you may see two message boxes.

  • 'Could not load protection driver'. Click 'OK'.

  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

 

If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.

Then, please send the following logs as attachments to your reply.

These logs are located in the mbar folder on your desktop where the tool extracted itself to.

 

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)

system-log.txt


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 Surum

Surum
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Rocky Mountian High
  • Local time:05:15 AM

Posted 01 February 2014 - 11:39 PM

Thank you for the quick reply!!! I did not expect it until Monday! I will change the start-up to normal and perform the steps recommended after a back-up. I will back up everything new tonight. I will download and run all programs tomorrow morning and post the new logs. Again, thank you!!!



#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:15 AM

Posted 03 February 2014 - 01:16 PM

:thumbup2:


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 Surum

Surum
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Rocky Mountian High
  • Local time:05:15 AM

Posted 04 February 2014 - 01:51 AM

Sorry for the delay, long day at the shop!!! I accidentally ran FRST without changing my MSCONFIG and had to re-run the scan. I did include addition.txt, but two other boxes were not checked. I hope this did not cause any issues. Please advise!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-02-2014
Ran by User (administrator) on TOSHIBA-USER on 03-02-2014 23:17:23
Running from C:\Documents and Settings\User\Desktop
Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
(Microsoft Corporation) C:\WINDOWS\system32\wisptis.exe
(Microsoft Corporation) C:\WINDOWS\system32\tabbtnu.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Acceleration Utilities\Shaker\TSkrMain.exe
(TOSHIBA) C:\Program Files\Toshiba\TOSHIBA Rotation Utility\TRot.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\TPSODDCtl.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\TPSMain.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TouchED\TouchED.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
(TOSHIBA) C:\Program Files\Toshiba\TME3\TMERzCtl.exe
(RealNetworks, Inc.) C:\Program Files\real\realplayer\Update\realsched.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\TPSBattM.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\ThpSrv.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
(TOSHIBA Corp.) C:\WINDOWS\system32\TFNF5.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
(TOSHIBA) C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
(Matsubleepa Electric Industrial Co., Ltd.) C:\WINDOWS\system32\DVDRAMSV.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
( ) C:\WINDOWS\system32\lxcycoms.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\tabtip.exe
(TOSHIBA Corporation) C:\TOSHIBA\IVP\ISM\pinger.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Agere Systems) C:\Program Files\ltmoh\ltmoh.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\TOSHIBA RAID\Console\KRaidMan.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA RAID\Service\krdevctl.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Sonic Solutions) C:\WINDOWS\system32\DLA\DLACTRLW.EXE
(TOSHIBA) C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe
(Agere Systems) C:\WINDOWS\agrsmmsg.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\00THotkey.exe
(NETGEAR) C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe
() C:\Program Files\Lexmark 3400 Series\lxcymon.exe
(Lexmark International Inc.) C:\Program Files\Lexmark 3400 Series\ezprint.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(UPEK Inc.) C:\Program Files\Protector Suite QL\psqltray.exe
(CANON INC.) C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApntEx.exe
(TOSHIBA) C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
(Microsoft Corporation) C:\WINDOWS\system32\tcpsvcs.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe
() C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe
() C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\ThpSrv.exe
(TOSHIBA) C:\Program Files\Toshiba\TME3\TMESRV31.exe
(Matsubleepa Electric Industrial Co., Ltd.) C:\WINDOWS\system32\RAMASST.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\TODDSrv.exe
(TOSHIBA) C:\Program Files\Toshiba\TME3\TMETEMnu.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
() C:\Program Files\NETGEAR Genie\bin\genie2_tray.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TSkrMain] - C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe [49152 2004-06-30] (TOSHIBA Corporation)
HKLM\...\Run: [TRot.exe] - c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe [266240 2005-11-29] (TOSHIBA)
HKLM\...\Run: [TPSODDCtl] - C:\WINDOWS\system32\TPSODDCtl.exe [110592 2005-12-15] (TOSHIBA Corporation)
HKLM\...\Run: [TPSMain] - C:\WINDOWS\system32\TPSMain.exe [315392 2005-12-15] (TOSHIBA Corporation)
HKLM\...\Run: [TouchED] - C:\Program Files\TOSHIBA\TouchED\TouchED.Exe [126976 2005-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosHKCW.exe] - C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe [49152 2005-05-17] (TOSHIBA CORPORATION)
HKLM\...\Run: [TMESRV.EXE] - C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE [126976 2005-12-14] (TOSHIBA)
HKLM\...\Run: [TMERzCtl.EXE] - C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE [86016 2005-12-20] (TOSHIBA)
HKLM\...\Run: [TkBellExe] - C:\program files\real\realplayer\update\realsched.exe [296056 2011-11-29] (RealNetworks, Inc.)
HKLM\...\Run: [ThpSrv] - thpsrv /logon
HKLM\...\Run: [TFNF5] - C:\WINDOWS\system32\TFNF5.exe [192512 2005-11-09] (TOSHIBA Corp.)
HKLM\...\Run: [TFncKy] - TFncKy.exe
HKLM\...\Run: [TAudEffect] - C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe [344144 2005-10-05] (TOSHIBA)
HKLM\...\Run: [TAcelMgr] - C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe [90112 2004-12-16] (TOSHIBA Corporation)
HKLM\...\Run: [TabletWizard] - C:\WINDOWS\help\SplshWrp.exe [16384 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [TabletTip] - C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe [271872 2005-04-25] (Microsoft Corporation)
HKLM\...\Run: [SmoothView] - C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [122880 2005-05-23] (TOSHIBA Corporation)
HKLM\...\Run: [PSQLLauncher] - C:\Program Files\Protector Suite QL\launcher.exe [30208 2006-05-05] (UPEK Inc.)
HKLM\...\Run: [PINGER] - C:\TOSHIBA\IVP\ISM\pinger.exe [151552 2005-03-17] (TOSHIBA Corporation)
HKLM\...\Run: [NDSTray.exe] - NDSTray.exe
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] (Microsoft Corporation)
HKLM\...\Run: [LtMoh] - C:\Program Files\ltmoh\Ltmoh.exe [184320 2004-08-17] (Agere Systems)
HKLM\...\Run: [Kraidman] - C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe [1126484 2005-09-30] (TOSHIBA CORPORATION)
HKLM\...\Run: [IntelZeroConfig] - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [667718 2005-12-05] (Intel Corporation)
HKLM\...\Run: [IntelWireless] - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [602182 2005-11-28] (Intel Corporation)
HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [118784 2005-11-27] (Intel Corporation)
HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [77824 2005-11-27] (Intel Corporation)
HKLM\...\Run: [DLA] - C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2005-10-06] (Sonic Solutions)
HKLM\...\Run: [CrossMenu] - C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe [798720 2005-09-20] (TOSHIBA)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [196608 2004-03-23] (Alps Electric Co., Ltd.)
HKLM\...\Run: [AGRSMMSG] - C:\WINDOWS\AGRSMMSG.exe [88203 2005-10-14] (Agere Systems)
HKLM\...\Run: [00THotkey] - C:\WINDOWS\system32\00THotkey.exe [258048 2006-01-17] (TOSHIBA Corporation)
HKLM\...\Run: [lxcymon.exe] - C:\Program Files\Lexmark 3400 Series\lxcymon.exe [291504 2007-06-25] ()
HKLM\...\Run: [EzPrint] - C:\Program Files\Lexmark 3400 Series\ezprint.exe [82608 2007-06-25] (Lexmark International Inc.)
HKLM\...\Run: [LXCYCATS] - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll [106496 2006-11-21] (Lexmark International Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM\...\Run: [MFNetworkScanUtility] - C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE [484760 2009-12-14] (CANON INC.)
HKLM\...\Run: [WrtMon.exe] - C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [000StTHK] - C:\WINDOWS\system32\000StTHK.exe [24576 2001-06-23] ()
Winlogon\Notify\loginkey: C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll (Microsoft Corporation)
Winlogon\Notify\psfus: C:\WINDOWS\system32\psqlpwd.dll (UPEK Inc.)
Winlogon\Notify\TabBtnWL: C:\WINDOWS\system32\TabBtnWL.dll (Microsoft Corporation)
Winlogon\Notify\TosBtNP: C:\WINDOWS\system32\TosBtNP.dll (TOSHIBA CORPORATION)
Winlogon\Notify\tpgwlnotify: C:\WINDOWS\system32\tpgwlnot.dll (Microsoft Corporation)
Winlogon\Notify\TSigNP: C:\WINDOWS\system32\TSigNP.dll (TOSHIBA)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\.DEFAULT\...\Run: [TabletWizard] - %windir%\help\wizard.hta
HKU\.DEFAULT\...\Run: [DWQueuedReporting] - C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
HKU\.DEFAULT\...\RunOnce: [SpUninstallDeleteDir] - rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect"
HKU\S-1-5-19\...\Run: [TabletWizard] - %windir%\help\wizard.hta
HKU\S-1-5-20\...\Run: [TabletWizard] - %windir%\help\wizard.hta
HKU\S-1-5-21-4084288671-1099399284-4246654273-1005\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe [65536 2004-12-30] (TOSHIBA)
HKU\S-1-5-21-4084288671-1099399284-4246654273-1005\...\Run: [HP Photosmart 7510 series (NET)] - C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe [1837672 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-4084288671-1099399284-4246654273-1005\...\Run: [NETGEARGenie] - C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe [1044224 2013-04-07] ()
HKU\S-1-5-21-4084288671-1099399284-4246654273-1005\...\MountPoints2: {ad5422ac-ed4d-11e1-8373-001cbf88612e} - E:\USBankDemo_BillPay.exe
Lsa: [Notification Packages] scecli psqlpwd
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
ShortcutTarget: RAMASST.lnk -> C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM - DefaultScope {D67B6925-77B0-4A5F-A0FE-E2957EAA453A} URL =
SearchScopes: HKCU - DefaultScope {49C3BEB5-26E3-41B3-B9D4-B1471751FD46} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {49C3BEB5-26E3-41B3-B9D4-B1471751FD46} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
Toolbar: HKLM - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\y2gmy0se.default
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @mozilla.zeniko.ch/PDFlite_Browser_Plugin - C:\Program Files\PDFlite\npPdfViewer.dll (Simon Bünzli)
FF Plugin: @real.com/nppl3260;version=15.0.0.198 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=15.0.0.198 - c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.0.198 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.0.198 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=15.0.0.198 - c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @viewpoint.com/VMP - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF Plugin: npDisplayEngine - C:\Program Files\LivingPlay Games\nplplaypop.dll ( )
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Documents and Settings\User\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @mozilla.zeniko.ch/PDFlite_Browser_Plugin - C:\Program Files\PDFlite\npPdfViewer.dll (Simon Bünzli)
FF Extension: LivingPlay TextLinks - C:\Documents and Settings\User\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com [2011-09-08]
FF Extension: TidyNetwork - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\y2gmy0se.default\Extensions\TidyNetwork@TidyNetwork [2014-01-29]
FF Extension: Fire Media Player - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\y2gmy0se.default\Extensions\musicplayer@firemediaplayer.com.xpi [2014-01-29]
FF Extension: PursuePoint - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\y2gmy0se.default\Extensions\{e844e171-0702-480a-abc8-39f79c8c6126}.xpi [2014-01-27]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011-11-29]

========================== Services (Whitelisted) =================

R2 DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [110592 2004-08-28] (Matsushita Electric Industrial Co., Ltd.)
R2 lxcy_device; C:\WINDOWS\system32\lxcycoms.exe [537264 2007-06-20] ( )
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2010-11-11] (Microsoft Corporation)
R2 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [195840 2013-04-07] (NETGEAR)
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [540745 2005-11-28] (Intel Corporation )
R2 Swupdtmr; c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [40960 2005-07-12] ()
R2 Tmesrv; C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe [126976 2005-12-14] (TOSHIBA)

==================== Drivers (Whitelisted) ====================

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21275 2011-05-24] (Meetinghouse Data Communications)
R2 DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [25628 2005-10-06] (Sonic Solutions)
R1 DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
R2 DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2496 2005-10-06] (Sonic Solutions)
R2 DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [86524 2005-10-06] (Sonic Solutions)
R2 DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [14684 2005-10-06] (Sonic Solutions)
R2 DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [6364 2005-10-06] (Sonic Solutions)
R1 DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
R2 DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [94332 2005-10-06] (Sonic Solutions)
R2 DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [87036 2005-10-06] (Sonic Solutions)
R2 DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
R2 FdRedir; C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [13568 2006-05-05] (UPEK Inc.)
R2 FileDisk2; C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [33024 2006-05-05] (UPEK Inc.)
S3 HPFXBULK; C:\WINDOWS\System32\drivers\hpfxbulk.sys [17432 2007-07-16] (Hewlett Packard)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-01-25] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-01-25] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-01-25] (HP)
R3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [35968 2005-06-09] (Infineon Technologies AG)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [24064 2012-01-01] ()
R1 meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [102384 2005-06-02] (Matsushita Electric Industrial Co.,Ltd.)
R1 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R2 Netdevio; C:\WINDOWS\System32\DRIVERS\netdevio.sys [12032 2003-01-28] (TOSHIBA Corporation.)
R2 NPF; C:\WINDOWS\system32\drivers\npf.sys [35088 2013-08-14] (CACE Technologies, Inc.)
R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88448 2004-08-04] (Microsoft Corporation)
R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2004-08-04] (Microsoft Corporation)
R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2004-08-04] (Microsoft Corporation)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [13568 2005-11-28] (Intel Corporation)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R2 smihlp; C:\Program Files\Protector Suite QL\smihlp.sys [3456 2006-05-05] (UPEK Inc.)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1083576 2005-12-12] (SigmaTel, Inc.)
R3 tbiosdrv; C:\WINDOWS\System32\DRIVERS\tbiosdrv.sys [9472 2005-08-24] ()
R3 TEchoCan; C:\WINDOWS\System32\DRIVERS\TEchoCan.sys [595072 2005-12-26] (TOSHIBA Corporation)
R1 TMEI3E; C:\WINDOWS\System32\Drivers\TMEI3E.SYS [5888 2004-06-16] (Toshiba Corporation)
R3 w39n51; C:\WINDOWS\System32\DRIVERS\w39n51.sys [1428096 2005-12-04] (Intel® Corporation)
S3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
S3 53679955; No ImagePath
S4 IntelIde; No ImagePath
S0 jxhaanw; System32\drivers\jcfwbcj.sys [X]
S0 qielpplx; System32\drivers\ybqk.sys [X]
U5 Tosrfcom; C:\Windows\System32\Drivers\Tosrfcom.sys [64896 2005-08-01] (TOSHIBA Corporation)
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-03 23:16 - 2014-02-03 23:17 - 00021710 _____ () C:\Documents and Settings\User\Desktop\FRST.txt
2014-02-03 23:10 - 2014-02-03 23:11 - 12589848 _____ (Malwarebytes Corp.) C:\Documents and Settings\User\Desktop\mbar-1.07.0.1009.exe
2014-02-03 23:10 - 2014-02-03 23:10 - 01137152 _____ (Farbar) C:\Documents and Settings\User\Desktop\FRST.exe
2014-02-01 21:27 - 2014-02-03 23:17 - 00000000 ____D () C:\FRST
2014-02-01 21:17 - 2014-02-01 21:18 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-01-29 23:02 - 2014-01-29 23:02 - 00370943 _____ () C:\Documents and Settings\User\Desktop\gmer.zip
2014-01-29 22:58 - 2014-01-29 22:58 - 00014461 _____ () C:\Documents and Settings\User\Desktop\dds.txt
2014-01-29 22:58 - 2014-01-29 22:58 - 00008957 _____ () C:\Documents and Settings\User\Desktop\attach.txt
2014-01-29 22:57 - 2014-01-29 22:58 - 00688992 ____R (Swearware) C:\Documents and Settings\User\Desktop\dds.scr
2014-01-29 22:47 - 2014-01-29 22:47 - 00009114 _____ () C:\Documents and Settings\User\Desktop\RootRepeal report 01-29-14 (22-37-12).txt
2014-01-29 22:37 - 2014-01-29 22:37 - 00009114 _____ () C:\RootRepeal report 01-29-14 (22-37-12).txt
2014-01-29 22:27 - 2014-01-29 22:27 - 00008640 _____ () C:\RootRepeal report 01-29-14 (22-27-09).txt
2014-01-29 22:25 - 2014-01-29 22:25 - 00008626 _____ () C:\RootRepeal report 01-29-14 (22-25-38).txt
2014-01-29 22:23 - 2014-01-29 22:32 - 00000015 _____ () C:\Documents and Settings\User\settings.dat
2014-01-29 22:22 - 2014-01-29 22:22 - 00464491 _____ () C:\Documents and Settings\User\Desktop\RootRepeal.zip
2014-01-29 14:09 - 2014-01-29 14:09 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-01-29 14:01 - 2014-01-29 14:01 - 04101441 _____ () C:\Documents and Settings\User\Desktop\tdsskiller.zip
2014-01-29 13:54 - 2014-01-29 13:54 - 00000000 ____D () C:\Documents and Settings\User\Local Settings\Application Data\Spoon
2014-01-29 13:54 - 2014-01-22 06:46 - 00768848 _____ (Microsoft Corporation) C:\Documents and Settings\User\Desktop\msvcr100.dll
2014-01-29 13:53 - 2014-01-29 13:53 - 00000000 ____D () C:\Program Files\Daring Development
2014-01-29 13:53 - 2014-01-29 13:53 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Horizon
2014-01-29 13:48 - 2014-01-29 13:48 - 00000000 ____D () C:\Documents and Settings\User\Application Data\Paltalk
2014-01-29 13:47 - 2014-01-29 15:56 - 00000000 ____D () C:\Program Files\TidyNetwork
2014-01-29 13:18 - 2014-01-29 13:18 - 01555053 _____ () C:\Documents and Settings\User\Desktop\gta-v-save-editor-v80000.rar
2014-01-29 13:13 - 2014-01-29 15:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Systweak
2014-01-29 13:13 - 2014-01-29 13:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Advanced System Protector
2014-01-29 13:13 - 2012-07-25 12:03 - 00017136 _____ () C:\WINDOWS\system32\sasnative32.exe
2014-01-29 13:05 - 2014-01-29 15:56 - 00000000 ____D () C:\Program Files\Level Quality Watcher
2014-01-29 13:05 - 2014-01-29 15:56 - 00000000 ____D () C:\Documents and Settings\User\Application Data\Systweak
2014-01-04 12:53 - 2014-01-04 12:53 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Application Data\SearchProtect

==================== One Month Modified Files and Folders =======

2014-02-03 23:17 - 2014-02-03 23:16 - 00021710 _____ () C:\Documents and Settings\User\Desktop\FRST.txt
2014-02-03 23:17 - 2014-02-01 21:27 - 00000000 ____D () C:\FRST
2014-02-03 23:15 - 2006-01-14 13:12 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-02-03 23:14 - 2013-12-04 14:49 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-03 23:14 - 2011-09-18 13:24 - 00000276 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-4084288671-1099399284-4246654273-1005.job
2014-02-03 23:14 - 2006-01-15 14:09 - 00000000 ____D () C:\WINDOWS\system32\DLA
2014-02-03 23:14 - 2006-01-14 21:21 - 00032406 _____ () C:\WINDOWS\SchedLgU.Txt
2014-02-03 23:14 - 2006-01-14 21:21 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-02-03 23:14 - 2006-01-14 13:12 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-02-03 23:13 - 2011-05-24 12:01 - 00000079 ___SH () C:\Documents and Settings\User\ntuser.ini
2014-02-03 23:13 - 2006-01-14 21:16 - 01779882 _____ () C:\WINDOWS\WindowsUpdate.log
2014-02-03 23:13 - 2006-01-14 20:03 - 00000226 __RSH () C:\boot.ini
2014-02-03 23:13 - 2006-01-14 20:02 - 00000603 _____ () C:\WINDOWS\win.ini
2014-02-03 23:13 - 2006-01-14 20:02 - 00000227 _____ () C:\WINDOWS\system.ini
2014-02-03 23:11 - 2014-02-03 23:10 - 12589848 _____ (Malwarebytes Corp.) C:\Documents and Settings\User\Desktop\mbar-1.07.0.1009.exe
2014-02-03 23:10 - 2014-02-03 23:10 - 01137152 _____ (Farbar) C:\Documents and Settings\User\Desktop\FRST.exe
2014-02-03 22:53 - 2012-09-30 21:45 - 00096952 _____ () C:\lxcy.log
2014-02-03 22:43 - 2013-11-15 10:02 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-02-03 22:19 - 2012-06-05 11:00 - 00000000 ____D () C:\Program Files\lx_cats
2014-02-03 22:17 - 2006-01-14 13:08 - 01081938 _____ () C:\WINDOWS\setupapi.log
2014-02-01 21:18 - 2014-02-01 21:17 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-01-29 23:02 - 2014-01-29 23:02 - 00370943 _____ () C:\Documents and Settings\User\Desktop\gmer.zip
2014-01-29 22:58 - 2014-01-29 22:58 - 00014461 _____ () C:\Documents and Settings\User\Desktop\dds.txt
2014-01-29 22:58 - 2014-01-29 22:58 - 00008957 _____ () C:\Documents and Settings\User\Desktop\attach.txt
2014-01-29 22:58 - 2014-01-29 22:57 - 00688992 ____R (Swearware) C:\Documents and Settings\User\Desktop\dds.scr
2014-01-29 22:47 - 2014-01-29 22:47 - 00009114 _____ () C:\Documents and Settings\User\Desktop\RootRepeal report 01-29-14 (22-37-12).txt
2014-01-29 22:37 - 2014-01-29 22:37 - 00009114 _____ () C:\RootRepeal report 01-29-14 (22-37-12).txt
2014-01-29 22:32 - 2014-01-29 22:23 - 00000015 _____ () C:\Documents and Settings\User\settings.dat
2014-01-29 22:28 - 2011-10-08 21:59 - 00000359 _____ () C:\rkill.log
2014-01-29 22:27 - 2014-01-29 22:27 - 00008640 _____ () C:\RootRepeal report 01-29-14 (22-27-09).txt
2014-01-29 22:25 - 2014-01-29 22:25 - 00008626 _____ () C:\RootRepeal report 01-29-14 (22-25-38).txt
2014-01-29 22:22 - 2014-01-29 22:22 - 00464491 _____ () C:\Documents and Settings\User\Desktop\RootRepeal.zip
2014-01-29 19:54 - 2006-01-14 13:09 - 00368142 _____ () C:\WINDOWS\iis6.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00209447 _____ () C:\WINDOWS\FaxSetup.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00144704 _____ () C:\WINDOWS\ocgen.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00114737 _____ () C:\WINDOWS\tsoc.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00084718 _____ () C:\WINDOWS\msmqinst.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00075557 _____ () C:\WINDOWS\comsetup.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00049843 _____ () C:\WINDOWS\netfxocm.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00049646 _____ () C:\WINDOWS\ntdtcsetup.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00016296 _____ () C:\WINDOWS\MedCtrOC.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00011900 _____ () C:\WINDOWS\ocmsn.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00011745 _____ () C:\WINDOWS\tabletoc.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00011409 _____ () C:\WINDOWS\msgsocm.log
2014-01-29 19:54 - 2006-01-14 13:09 - 00001917 _____ () C:\WINDOWS\imsins.log
2014-01-29 15:58 - 2006-01-14 13:04 - 00000000 ____D () C:\WINDOWS\mui
2014-01-29 15:56 - 2014-01-29 13:47 - 00000000 ____D () C:\Program Files\TidyNetwork
2014-01-29 15:56 - 2014-01-29 13:13 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Systweak
2014-01-29 15:56 - 2014-01-29 13:05 - 00000000 ____D () C:\Program Files\Level Quality Watcher
2014-01-29 15:56 - 2014-01-29 13:05 - 00000000 ____D () C:\Documents and Settings\User\Application Data\Systweak
2014-01-29 15:56 - 2013-12-04 14:35 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Conduit
2014-01-29 15:06 - 2013-12-04 14:35 - 00000000 ____D () C:\Program Files\InternetHelper3.7
2014-01-29 15:06 - 2013-12-04 14:35 - 00000000 ____D () C:\Documents and Settings\User\Local Settings\Application Data\InternetHelper3.7
2014-01-29 14:25 - 2006-01-14 21:13 - 00000000 ____D () C:\WINDOWS\Microsoft.Net
2014-01-29 14:11 - 2011-10-08 22:23 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-01-29 14:11 - 2011-10-08 22:23 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-01-29 14:09 - 2014-01-29 14:09 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-01-29 14:01 - 2014-01-29 14:01 - 04101441 _____ () C:\Documents and Settings\User\Desktop\tdsskiller.zip
2014-01-29 13:54 - 2014-01-29 13:54 - 00000000 ____D () C:\Documents and Settings\User\Local Settings\Application Data\Spoon
2014-01-29 13:53 - 2014-01-29 13:53 - 00000000 ____D () C:\Program Files\Daring Development
2014-01-29 13:53 - 2014-01-29 13:53 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Horizon
2014-01-29 13:48 - 2014-01-29 13:48 - 00000000 ____D () C:\Documents and Settings\User\Application Data\Paltalk
2014-01-29 13:46 - 2013-12-04 14:34 - 00000000 _____ () C:\END
2014-01-29 13:45 - 2006-01-14 13:04 - 00000000 ____D () C:\WINDOWS\Resources
2014-01-29 13:18 - 2014-01-29 13:18 - 01555053 _____ () C:\Documents and Settings\User\Desktop\gta-v-save-editor-v80000.rar
2014-01-29 13:13 - 2014-01-29 13:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Advanced System Protector
2014-01-29 13:11 - 2006-01-14 13:09 - 00460900 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-01-22 06:46 - 2014-01-29 13:54 - 00768848 _____ (Microsoft Corporation) C:\Documents and Settings\User\Desktop\msvcr100.dll
2014-01-10 13:46 - 2006-01-14 20:02 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-01-04 12:54 - 2013-12-11 08:28 - 00000000 ____D () C:\Documents and Settings\User\Local Settings\Application Data\SearchProtect
2014-01-04 12:53 - 2014-01-04 12:53 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Application Data\SearchProtect

Files to move or delete:
====================
C:\Documents and Settings\User\settings.dat


Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-1c869fc4.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-409638fd.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4d0d4683.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-76f69cc9.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a66f52a0.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-aa52ea42.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-bf12e426.exe
C:\Documents and Settings\User\Local Settings\Temp\1D1_DownloadInternetExplorer10.exe
C:\Documents and Settings\User\Local Settings\Temp\6_Offer_18.exe
C:\Documents and Settings\User\Local Settings\Temp\air1D0.exe
C:\Documents and Settings\User\Local Settings\Temp\air1D6.exe
C:\Documents and Settings\User\Local Settings\Temp\BackupSetup.exe
C:\Documents and Settings\User\Local Settings\Temp\fp_pl_pfs_installer.exe
C:\Documents and Settings\User\Local Settings\Temp\G2MInstallerExtractor.exe
C:\Documents and Settings\User\Local Settings\Temp\lowproc.exe
C:\Documents and Settings\User\Local Settings\Temp\ose00000.exe
C:\Documents and Settings\User\Local Settings\Temp\stubhelper.dll


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe
[2006-01-14 20:02] - [2004-08-04 05:00] - 0108032 ____A (Microsoft Corporation) c6ce6eec82f187615d1002bb3bb50ed4

C:\WINDOWS\system32\User32.dll
[2006-01-14 20:02] - [2005-03-02 11:09] - 0577024 ____A (Microsoft Corporation) de2db164bbb35db061af0997e4499054

C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll
[2006-01-14 20:02] - [2005-07-25 21:20] - 0398336 ____A (Microsoft Corporation) c369df215d352b6f3a0b8c3469aa34f8

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:15 AM

Posted 04 February 2014 - 12:22 PM

Please re-run MBAR and this time press the CLEAN button.

A new log will be created in the MBAR folder; if you could please attach that, then do the following:

NEXT

Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Attached File: FixList.txt (3.01KB)

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:15 AM

Posted 08 April 2014 - 04:40 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
