
Infected with Root.Necurs Rootkit


41 replies to this topic

#1 Bleky

  • Members
  • 185 posts

Posted 07 March 2014 - 09:47 AM

DDS log is attached because the rootkit does not allow me to paste anything anywhere.

Attached Files


Edited by Bleky, 07 March 2014 - 04:12 PM.




#2 Bud_91

  • Malware Response Team
  • 438 posts

Posted 07 March 2014 - 05:03 PM

Hello and welcome to Bleeping Computer. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.
 
Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
 
Can you tell me how you know this is Necurs? Did your anti-virus flag it?
 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. You can attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

  • If I have not responded to your log in 36 hours, feel free to send me a PM.


    A.K.A. Buddierdl @ GeeksToGo.com


    #3 Bleky

    • Topic Starter
    • Members
    • 185 posts

    Posted 08 March 2014 - 01:31 AM

    A month ago I scanned my computer with HitmanPro and it found some malware and a worm.
    4 days ago I scanned my computer with RogueKiller because it is slow.
    RogueKiller found 18 stopped services with random names somewhere in Windows/system32/drivers.
    And in RK, Root.Necurs is flashing.

    #4 Bleky

    • Topic Starter
    • Members
    • 185 posts

    Posted 08 March 2014 - 03:28 AM

    Logs are attached.

     

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-03-2014 01
    Ran by SASA (administrator) on DARIOKOP-SASA on 08-03-2014 09:26:12
    Running from C:\Documents and Settings\SASA\Desktop
    Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Normal
     
    The only official download link for FRST:
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
     
    ==================== Processes (Whitelisted) =================
     
    (SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
    (Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
    (Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
    (Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
    (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    (D-Link) C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
    (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    (Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    (APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
    (APN) C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\ServiceLocator.exe
    (APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\Toolbar.exe
     
     
    ==================== Registry (Whitelisted) ==================
     
    HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [77824 2006-03-23] (Intel Corporation)
    HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [118784 2006-03-23] (Intel Corporation)
    HKLM\...\Run: [RTHDCPL] - C:\WINDOWS\RTHDCPL.EXE [16049664 2006-08-01] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [SkyTel] - C:\WINDOWS\SkyTel.EXE [2879488 2006-05-16] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [Alcmtr] - C:\WINDOWS\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
    HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
    HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-25] (Avira Operations GmbH & Co. KG)
    HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1758160 2014-02-13] (APN)
    HKU\S-1-5-21-746137067-1060284298-682003330-1003\...\Run: [LightShot] - C:\Documents and Settings\SASA\Local Settings\Application Data\Skillbrains\lightshot\Lightshot.exe [226592 2014-03-06] ()
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus G+ Wireless Adapter Utility.lnk
    ShortcutTarget: D-Link AirPlus G+ Wireless Adapter Utility.lnk -> C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE (D-Link)
     
    ==================== Internet (Whitelisted) ====================
     
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.hr/
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dts.search-results.com/sidebar.html?src=ssb&appid=320&systemid=101&sr=0
    BHO: Avira SearchFree Toolbar - {41564952-412D-5637-4300-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7C\Passport.dll (APN LLC.)
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKLM - Avira SearchFree Toolbar - {41564952-412D-5637-4300-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7C\Passport.dll (APN LLC.)
    Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
    Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
    Toolbar: HKCU - Avira SearchFree Toolbar - {41564952-412D-5637-4300-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7C\Passport.dll (APN LLC.)
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
    ShellExecuteHooks:  - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} -  No File [ ]
    Winsock: Catalog9 01 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [257608] (Avira Operations GmbH & Co. KG)
    Winsock: Catalog9 02 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [257608] (Avira Operations GmbH & Co. KG)
    Winsock: Catalog9 14 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [257608] (Avira Operations GmbH & Co. KG)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
     
    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\SASA\Application Data\Mozilla\Firefox\Profiles\89b61z8y.default
    FF DefaultSearchEngine: Search Results
    FF SearchEngineOrder.1: Search Results
    FF SelectedSearchEngine: Search Results
    FF Homepage: about:home
    FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
    FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
    FF SearchPlugin: C:\Documents and Settings\SASA\Application Data\Mozilla\Firefox\Profiles\89b61z8y.default\searchplugins\Search_Results.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eudict.xml
    FF Extension: WOT - C:\Documents and Settings\SASA\Application Data\Mozilla\Firefox\Profiles\89b61z8y.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2013-11-28]
    FF Extension: Firebug - C:\Documents and Settings\SASA\Application Data\Mozilla\Firefox\Profiles\89b61z8y.default\Extensions\firebug@software.joehewitt.com.xpi [2013-03-05]
    FF Extension: XJZ Survey Remover - C:\Documents and Settings\SASA\Application Data\Mozilla\Firefox\Profiles\89b61z8y.default\Extensions\survey-remover@gmx.com.xpi [2013-04-07]
    FF Extension: Avira SearchFree Toolbar plus Web Protection - C:\Documents and Settings\SASA\Application Data\Mozilla\Firefox\Profiles\89b61z8y.default\Extensions\toolbar_AVIRA-V7C@apn.ask.com.xpi [2014-02-24]
    FF HKLM\...\Firefox\Extensions: [{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\
    FF Extension: Firefox Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ []
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
    FF HKLM\...\Thunderbird\Extensions: [{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\
    FF Extension: Thunderbird Address Book Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ []
     
    Chrome: 
    =======
    CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
     
    ========================== Services (Whitelisted) =================
     
    R2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc.exe [896592 2014-02-25] (Avira Operations GmbH & Co. KG)
    R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [440400 2014-02-25] (Avira Operations GmbH & Co. KG)
    R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-25] (Avira Operations GmbH & Co. KG)
    R2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1017424 2014-02-25] (Avira Operations GmbH & Co. KG)
    R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-02-13] (APN LLC.)
    S2 gupdate1c98548550a6e3a; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-02-02] (Google Inc.)
    S4 HidServ; C:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
    R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2014-02-07] (SurfRight B.V.)
    R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-10-08] (Oracle Corporation)
     
    ==================== Drivers (Whitelisted) ====================
     
    R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [90400 2014-02-25] (Avira Operations GmbH & Co. KG)
    R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [135648 2014-02-25] (Avira Operations GmbH & Co. KG)
    R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37352 2014-02-25] (Avira Operations GmbH & Co. KG)
    R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [52312 2014-03-06] (Malwarebytes Corporation)
    S3 odysseyIM3; C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [62865 2004-08-20] (Funk Software, Inc.)
    R3 PCANDIS5; C:\WINDOWS\system32\PCANDIS5.SYS [16292 2004-08-20] (Printing Communications Assoc., Inc. (PCAUSA))
    S1 ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [28520 2014-02-25] (Avira GmbH)
    R3 TNET1130; C:\WINDOWS\System32\DRIVERS\GPlus.sys [283392 2004-05-21] ()
    S3 03180cd4e1a48981; No ImagePath
    S3 15c3b1e5a81fd5ce; No ImagePath
    S3 1ad4956c7492c02b; No ImagePath
    S3 24153a57b72d7ff8; No ImagePath
    S3 3f641d3b2c5353c5; No ImagePath
    S3 4a375ca4f5fc06a1; No ImagePath
    S3 56487994aff2cf48; No ImagePath
    S3 5c94af7c2d813f85; No ImagePath
    S3 5e3485509a62dac6; No ImagePath
    S3 6cbfb8d3d301f1e1; No ImagePath
    S3 722748581b9d9447; No ImagePath
    S3 7fe2c3aa95c36f0d; No ImagePath
    S3 aeb8370c40993b95; No ImagePath
    S3 be090eb994f30b61; No ImagePath
    S3 c4d20684b3fe9d1e; No ImagePath
    S3 d4236d70b7b91d81; No ImagePath
    S3 d67c3761abfd486c; No ImagePath
    S3 dc3317126d6bdb1d; No ImagePath
    S3 f3b1d708dc56cfe7; No ImagePath
    S4 IntelIde; No ImagePath
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    U3 mbr; \??\C:\DOCUME~1\SASA\LOCALS~1\Temp\mbr.sys [X]
    U3 pfryqfoc; \??\C:\DOCUME~1\SASA\LOCALS~1\Temp\pfryqfoc.sys [X]
     
    ==================== NetSvcs (Whitelisted) ===================
     
     
    ==================== One Month Created Files and Folders ========
     
    2014-03-08 09:23 - 2014-03-08 09:26 - 00020343 _____ () C:\Documents and Settings\SASA\Desktop\Addition.txt
    2014-03-08 09:22 - 2014-03-08 09:26 - 00013460 _____ () C:\Documents and Settings\SASA\Desktop\FRST.txt
    2014-03-08 09:22 - 2014-03-08 09:26 - 00000000 ____D () C:\FRST
    2014-03-08 09:22 - 2014-03-08 09:22 - 01145344 _____ (Farbar) C:\Documents and Settings\SASA\Desktop\FRST.exe
    2014-03-07 15:55 - 2014-03-07 15:55 - 00003358 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_H_03072014_155507.txt
    2014-03-07 15:55 - 2014-03-07 15:55 - 00003288 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_PR_03072014_155517.txt
    2014-03-07 15:55 - 2014-03-07 15:55 - 00003252 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_DN_03072014_155522.txt
    2014-03-07 15:54 - 2014-03-07 15:54 - 00006466 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03072014_155420.txt
    2014-03-07 15:33 - 2014-03-07 15:33 - 00046296 _____ () C:\Documents and Settings\SASA\Desktop\dds.txt
    2014-03-07 15:33 - 2014-03-07 15:33 - 00014838 _____ () C:\Documents and Settings\SASA\Desktop\attach.txt
    2014-03-07 15:31 - 2014-03-07 15:31 - 00688992 ____R (Swearware) C:\Documents and Settings\SASA\Desktop\dds.com
    2014-03-06 15:28 - 2014-03-06 15:29 - 04130656 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\SASA\Desktop\tdsskiller.exe
    2014-03-06 15:24 - 2014-03-06 15:24 - 00000000 ____D () C:\Documents and Settings\SASA\Local Settings\Application Data\AskPartnerNetwork
    2014-03-06 15:23 - 2014-03-06 15:23 - 00006622 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03062014_152353.txt
    2014-03-06 15:23 - 2014-03-06 15:23 - 00006538 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03062014_152330.txt
    2014-03-06 15:16 - 2014-03-06 15:16 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
    2014-03-06 15:16 - 2014-03-06 15:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork
    2014-03-06 15:15 - 2014-03-06 15:15 - 00000000 ____D () C:\Documents and Settings\SASA\Application Data\Avira
    2014-03-06 15:15 - 2014-03-06 15:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\APN
    2014-03-06 15:15 - 2014-03-06 00:31 - 00509872 _____ (Ask Partner Network) C:\Documents and Settings\SASA\My Documents\APNSetup.exe
    2014-03-06 15:12 - 2014-03-06 15:12 - 00001707 _____ () C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
    2014-03-06 15:12 - 2014-03-06 15:12 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Avira
    2014-03-06 15:11 - 2014-03-06 15:12 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Avira
    2014-03-06 15:11 - 2014-03-06 15:11 - 00000000 ____D () C:\Program Files\Avira
    2014-03-06 15:11 - 2014-02-25 11:48 - 00135648 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
    2014-03-06 15:11 - 2014-02-25 11:48 - 00090400 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
    2014-03-06 15:11 - 2014-02-25 11:48 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
    2014-03-06 15:11 - 2014-02-25 11:48 - 00028520 _____ (Avira GmbH) C:\WINDOWS\system32\Drivers\ssmdrv.sys
    2014-03-06 14:47 - 2014-03-06 14:49 - 148325712 _____ () C:\Documents and Settings\SASA\Desktop\avira_internet_security_suite_en.exe
    2014-03-06 14:37 - 2014-03-06 14:37 - 04051656 _____ (Avira Operations GmbH & Co. KG) C:\Documents and Settings\SASA\Desktop\avira_en_av___ws.exe
    2014-03-06 14:34 - 2014-03-06 15:04 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    2014-03-06 14:34 - 2014-03-06 14:34 - 00107224 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2014-03-06 14:33 - 2014-03-06 15:04 - 00000000 ____D () C:\Documents and Settings\SASA\Desktop\mbar
    2014-03-06 14:33 - 2014-03-06 14:33 - 00052312 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
    2014-03-06 14:32 - 2014-03-06 14:33 - 12589848 _____ (Malwarebytes Corp.) C:\Documents and Settings\SASA\Desktop\mbar-1.07.0.1009.exe
    2014-03-05 17:34 - 2014-03-05 17:34 - 00370943 _____ () C:\Documents and Settings\SASA\Desktop\gmer.zip
    2014-03-05 17:34 - 2014-01-28 18:36 - 00380416 _____ () C:\Documents and Settings\SASA\Desktop\gmer.exe
    2014-03-05 15:54 - 2014-03-05 15:54 - 00004202 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03052014_155433.txt
    2014-03-05 15:54 - 2014-03-05 15:54 - 00004118 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03052014_155415.txt
    2014-03-05 15:06 - 2014-03-05 15:06 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
    2014-03-05 14:46 - 2014-03-05 14:46 - 03819008 _____ () C:\Documents and Settings\SASA\Desktop\RogueKiller.exe
    2014-03-05 14:30 - 2014-03-05 14:32 - 00012967 _____ () C:\WINDOWS\KB2909921-IE8.log
    2014-03-05 14:29 - 2014-03-05 14:30 - 00004174 _____ () C:\WINDOWS\KB2909210-IE8.log
    2014-03-04 17:43 - 2014-03-08 06:01 - 00000374 _____ () C:\WINDOWS\Tasks\update-sys.job
    2014-03-04 17:43 - 2014-03-08 05:28 - 00000374 _____ () C:\WINDOWS\Tasks\update-S-1-5-21-746137067-1060284298-682003330-1003.job
    2014-03-04 17:43 - 2014-03-06 17:52 - 00000509 _____ () C:\Documents and Settings\SASA\Local Settings\Application Data\UserProducts.xml
    2014-03-04 17:43 - 2014-03-06 17:52 - 00000000 ____D () C:\Documents and Settings\SASA\Start Menu\Programs\Lightshot
    2014-03-04 17:43 - 2014-03-04 17:43 - 00000003 _____ () C:\Documents and Settings\SASA\Local Settings\Application Data\updater.log
    2014-03-04 17:43 - 2014-03-04 17:43 - 00000000 ____D () C:\Program Files\Skillbrains
    2014-03-04 17:43 - 2014-03-04 17:43 - 00000000 ____D () C:\Documents and Settings\SASA\Local Settings\Application Data\Skillbrains
    2014-03-04 17:16 - 2014-03-04 17:16 - 00003499 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03042014_171602.txt
    2014-03-04 17:14 - 2014-03-04 17:14 - 00003468 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03042014_171435.txt
    2014-03-04 17:12 - 2014-03-04 17:12 - 00003430 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03042014_171213.txt
    2014-03-04 17:08 - 2014-03-04 17:08 - 00000000 _____ () C:\Documents and Settings\SASA\Desktop\New Text Document.txt
    2014-03-04 17:05 - 2014-03-04 17:05 - 00003761 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03042014_170552.txt
    2014-03-04 16:58 - 2014-03-04 16:58 - 00003698 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03042014_165810.txt
    2014-03-04 16:57 - 2014-03-05 15:06 - 00016151 _____ () C:\WINDOWS\KB2916036.log
    2014-03-04 16:55 - 2014-03-06 15:23 - 00000000 ____D () C:\Documents and Settings\SASA\Desktop\RK_Quarantine
    2014-02-07 14:23 - 2014-02-07 14:23 - 00003340 _____ () C:\Documents and Settings\SASA\Desktop\Rkill.txt
    2014-02-07 14:16 - 2014-02-07 14:32 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
    2014-02-07 14:10 - 2014-02-07 14:17 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
    2014-02-07 14:10 - 2014-02-07 14:10 - 00001610 _____ () C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
    2014-02-07 14:10 - 2014-02-07 14:10 - 00000000 ____D () C:\Program Files\HitmanPro
    2014-02-07 14:10 - 2014-02-07 14:10 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
     
    ==================== One Month Modified Files and Folders =======
     
    2014-03-08 09:26 - 2014-03-08 09:23 - 00020343 _____ () C:\Documents and Settings\SASA\Desktop\Addition.txt
    2014-03-08 09:26 - 2014-03-08 09:22 - 00013460 _____ () C:\Documents and Settings\SASA\Desktop\FRST.txt
    2014-03-08 09:26 - 2014-03-08 09:22 - 00000000 ____D () C:\FRST
    2014-03-08 09:26 - 2009-07-01 06:05 - 00000936 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2014-03-08 09:22 - 2014-03-08 09:22 - 01145344 _____ (Farbar) C:\Documents and Settings\SASA\Desktop\FRST.exe
    2014-03-08 08:48 - 2013-05-14 13:44 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2014-03-08 08:17 - 2009-01-17 10:00 - 01073271 _____ () C:\WINDOWS\WindowsUpdate.log
    2014-03-08 06:01 - 2014-03-04 17:43 - 00000374 _____ () C:\WINDOWS\Tasks\update-sys.job
    2014-03-08 05:28 - 2014-03-04 17:43 - 00000374 _____ () C:\WINDOWS\Tasks\update-S-1-5-21-746137067-1060284298-682003330-1003.job
    2014-03-07 17:26 - 2009-07-01 06:05 - 00000932 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2014-03-07 15:55 - 2014-03-07 15:55 - 00003358 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_H_03072014_155507.txt
    2014-03-07 15:55 - 2014-03-07 15:55 - 00003288 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_PR_03072014_155517.txt
    2014-03-07 15:55 - 2014-03-07 15:55 - 00003252 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_DN_03072014_155522.txt
    2014-03-07 15:54 - 2014-03-07 15:54 - 00006466 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03072014_155420.txt
    2014-03-07 15:33 - 2014-03-07 15:33 - 00046296 _____ () C:\Documents and Settings\SASA\Desktop\dds.txt
    2014-03-07 15:33 - 2014-03-07 15:33 - 00014838 _____ () C:\Documents and Settings\SASA\Desktop\attach.txt
    2014-03-07 15:31 - 2014-03-07 15:31 - 00688992 ____R (Swearware) C:\Documents and Settings\SASA\Desktop\dds.com
    2014-03-07 05:28 - 2009-01-17 10:04 - 00032496 _____ () C:\WINDOWS\SchedLgU.Txt
    2014-03-06 17:52 - 2014-03-04 17:43 - 00000509 _____ () C:\Documents and Settings\SASA\Local Settings\Application Data\UserProducts.xml
    2014-03-06 17:52 - 2014-03-04 17:43 - 00000000 ____D () C:\Documents and Settings\SASA\Start Menu\Programs\Lightshot
    2014-03-06 15:29 - 2014-03-06 15:28 - 04130656 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\SASA\Desktop\tdsskiller.exe
    2014-03-06 15:24 - 2014-03-06 15:24 - 00000000 ____D () C:\Documents and Settings\SASA\Local Settings\Application Data\AskPartnerNetwork
    2014-03-06 15:23 - 2014-03-06 15:23 - 00006622 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03062014_152353.txt
    2014-03-06 15:23 - 2014-03-06 15:23 - 00006538 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03062014_152330.txt
    2014-03-06 15:23 - 2014-03-04 16:55 - 00000000 ____D () C:\Documents and Settings\SASA\Desktop\RK_Quarantine
    2014-03-06 15:16 - 2014-03-06 15:16 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
    2014-03-06 15:16 - 2014-03-06 15:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork
    2014-03-06 15:15 - 2014-03-06 15:15 - 00000000 ____D () C:\Documents and Settings\SASA\Application Data\Avira
    2014-03-06 15:15 - 2014-03-06 15:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\APN
    2014-03-06 15:12 - 2014-03-06 15:12 - 00001707 _____ () C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
    2014-03-06 15:12 - 2014-03-06 15:12 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Avira
    2014-03-06 15:12 - 2014-03-06 15:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Avira
    2014-03-06 15:11 - 2014-03-06 15:11 - 00000000 ____D () C:\Program Files\Avira
    2014-03-06 15:04 - 2014-03-06 14:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    2014-03-06 15:04 - 2014-03-06 14:33 - 00000000 ____D () C:\Documents and Settings\SASA\Desktop\mbar
    2014-03-06 14:49 - 2014-03-06 14:47 - 148325712 _____ () C:\Documents and Settings\SASA\Desktop\avira_internet_security_suite_en.exe
    2014-03-06 14:37 - 2014-03-06 14:37 - 04051656 _____ (Avira Operations GmbH & Co. KG) C:\Documents and Settings\SASA\Desktop\avira_en_av___ws.exe
    2014-03-06 14:34 - 2014-03-06 14:34 - 00107224 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2014-03-06 14:33 - 2014-03-06 14:33 - 00052312 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
    2014-03-06 14:33 - 2014-03-06 14:32 - 12589848 _____ (Malwarebytes Corp.) C:\Documents and Settings\SASA\Desktop\mbar-1.07.0.1009.exe
    2014-03-06 00:31 - 2014-03-06 15:15 - 00509872 _____ (Ask Partner Network) C:\Documents and Settings\SASA\My Documents\APNSetup.exe
    2014-03-05 17:34 - 2014-03-05 17:34 - 00370943 _____ () C:\Documents and Settings\SASA\Desktop\gmer.zip
    2014-03-05 16:18 - 2009-01-17 10:55 - 00000159 _____ () C:\WINDOWS\wiadebug.log
    2014-03-05 16:18 - 2009-01-17 10:55 - 00000048 _____ () C:\WINDOWS\wiaservc.log
    2014-03-05 16:18 - 2009-01-17 10:04 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2014-03-05 16:18 - 2006-02-28 13:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
    2014-03-05 16:16 - 2009-01-17 10:05 - 00000178 ___SH () C:\Documents and Settings\SASA\ntuser.ini
    2014-03-05 15:54 - 2014-03-05 15:54 - 00004202 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03052014_155433.txt
    2014-03-05 15:54 - 2014-03-05 15:54 - 00004118 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03052014_155415.txt
    2014-03-05 15:15 - 2009-01-17 10:46 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
    2014-03-05 15:06 - 2014-03-05 15:06 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
    2014-03-05 15:06 - 2014-03-04 16:57 - 00016151 _____ () C:\WINDOWS\KB2916036.log
    2014-03-05 15:06 - 2009-09-01 05:40 - 00209056 _____ () C:\WINDOWS\updspapi.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 01857089 _____ () C:\WINDOWS\FaxSetup.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00905709 _____ () C:\WINDOWS\ocgen.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00858764 _____ () C:\WINDOWS\tsoc.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00571678 _____ () C:\WINDOWS\msmqinst.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00480422 _____ () C:\WINDOWS\comsetup.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00327743 _____ () C:\WINDOWS\netfxocm.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00291005 _____ () C:\WINDOWS\ntdtcsetup.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00129564 _____ () C:\WINDOWS\MedCtrOC.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00094128 _____ () C:\WINDOWS\tabletoc.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00093647 _____ () C:\WINDOWS\msgsocm.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00078631 _____ () C:\WINDOWS\ocmsn.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00019761 _____ () C:\WINDOWS\iis6.log
    2014-03-05 15:06 - 2009-01-17 10:53 - 00001355 _____ () C:\WINDOWS\imsins.log
    2014-03-05 14:58 - 2009-01-17 10:53 - 00502006 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
    2014-03-05 14:52 - 2013-05-11 15:31 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
    2014-03-05 14:52 - 2011-12-16 02:05 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2014-03-05 14:50 - 2013-07-19 02:00 - 00000000 ____D () C:\WINDOWS\system32\MRT
    2014-03-05 14:46 - 2014-03-05 14:46 - 03819008 _____ () C:\Documents and Settings\SASA\Desktop\RogueKiller.exe
    2014-03-05 14:40 - 2011-12-16 00:27 - 00000000 ____D () C:\Documents and Settings\SASA\My Documents\Preuzimanja
    2014-03-05 14:33 - 2011-12-15 20:15 - 85946576 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2014-03-05 14:32 - 2014-03-05 14:30 - 00012967 _____ () C:\WINDOWS\KB2909921-IE8.log
    2014-03-05 14:32 - 2009-01-17 10:53 - 00001355 _____ () C:\WINDOWS\imsins.BAK
    2014-03-05 14:31 - 2013-05-14 14:13 - 00000000 ____D () C:\WINDOWS\ie8updates
    2014-03-05 14:30 - 2014-03-05 14:29 - 00004174 _____ () C:\WINDOWS\KB2909210-IE8.log
    2014-03-05 14:25 - 2009-01-17 10:52 - 00881112 _____ () C:\WINDOWS\setupapi.log
    2014-03-05 14:25 - 2009-01-17 10:07 - 00000000 ____D () C:\Program Files\ESET
    2014-03-04 17:43 - 2014-03-04 17:43 - 00000003 _____ () C:\Documents and Settings\SASA\Local Settings\Application Data\updater.log
    2014-03-04 17:43 - 2014-03-04 17:43 - 00000000 ____D () C:\Program Files\Skillbrains
    2014-03-04 17:43 - 2014-03-04 17:43 - 00000000 ____D () C:\Documents and Settings\SASA\Local Settings\Application Data\Skillbrains
    2014-03-04 17:16 - 2014-03-04 17:16 - 00003499 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03042014_171602.txt
    2014-03-04 17:14 - 2014-03-04 17:14 - 00003468 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03042014_171435.txt
    2014-03-04 17:12 - 2014-03-04 17:12 - 00003430 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03042014_171213.txt
    2014-03-04 17:08 - 2014-03-04 17:08 - 00000000 _____ () C:\Documents and Settings\SASA\Desktop\New Text Document.txt
    2014-03-04 17:05 - 2014-03-04 17:05 - 00003761 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_D_03042014_170552.txt
    2014-03-04 16:58 - 2014-03-04 16:58 - 00003698 _____ () C:\Documents and Settings\SASA\Desktop\RKreport[0]_S_03042014_165810.txt
    2014-02-25 11:48 - 2014-03-06 15:11 - 00135648 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
    2014-02-25 11:48 - 2014-03-06 15:11 - 00090400 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
    2014-02-25 11:48 - 2014-03-06 15:11 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
    2014-02-25 11:48 - 2014-03-06 15:11 - 00028520 _____ (Avira GmbH) C:\WINDOWS\system32\Drivers\ssmdrv.sys
    2014-02-07 14:32 - 2014-02-07 14:16 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
    2014-02-07 14:23 - 2014-02-07 14:23 - 00003340 _____ () C:\Documents and Settings\SASA\Desktop\Rkill.txt
    2014-02-07 14:17 - 2014-02-07 14:10 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
    2014-02-07 14:13 - 2009-01-17 10:07 - 00099288 _____ () C:\Documents and Settings\SASA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2014-02-07 14:10 - 2014-02-07 14:10 - 00001610 _____ () C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
    2014-02-07 14:10 - 2014-02-07 14:10 - 00000000 ____D () C:\Program Files\HitmanPro
    2014-02-07 14:10 - 2014-02-07 14:10 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
    2014-02-06 03:54 - 2009-03-08 03:32 - 00174592 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2014-02-06 03:54 - 2006-02-28 13:00 - 00174592 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
    2014-02-06 00:26 - 2013-05-14 13:56 - 11113472 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 02006016 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 00743424 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 00630272 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 00522240 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 00247808 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 00055296 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2014-02-06 00:26 - 2013-05-14 13:56 - 00012800 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
    2014-02-06 00:26 - 2010-04-16 17:09 - 00184320 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iepeers.dll
    2014-02-06 00:26 - 2009-07-18 17:05 - 06021120 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtml.dll
    2014-02-06 00:26 - 2009-06-26 17:50 - 01216000 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
    2014-02-06 00:26 - 2009-06-26 17:50 - 00920064 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
    2014-02-06 00:26 - 2009-03-08 13:09 - 00387584 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2014-02-06 00:26 - 2009-03-08 03:39 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
    2014-02-06 00:26 - 2009-03-08 03:34 - 01469440 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetcpl.cpl
    2014-02-06 00:26 - 2009-03-08 03:34 - 00206848 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\occache.dll
    2014-02-06 00:26 - 2009-03-08 03:34 - 00105984 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
    2014-02-06 00:26 - 2009-03-08 03:34 - 00043520 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\licmgr10.dll
    2014-02-06 00:26 - 2009-03-08 03:33 - 00759296 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vgx.dll
    2014-02-06 00:26 - 2009-03-08 03:33 - 00025600 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsproxy.dll
    2014-02-06 00:26 - 2009-03-08 03:33 - 00018944 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\corpol.dll
    2014-02-06 00:26 - 2009-03-08 03:32 - 02006016 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2014-02-06 00:26 - 2009-03-08 03:32 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
    2014-02-06 00:26 - 2009-03-08 03:32 - 00611840 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mstime.dll
    2014-02-06 00:26 - 2009-03-08 03:31 - 00067072 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtmled.dll
    2014-02-06 00:26 - 2009-03-08 03:31 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeedsbs.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 06021120 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 01469440 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
    2014-02-06 00:26 - 2006-02-28 13:00 - 01216000 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00611840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstime.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00387584 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00206848 _____ (Microsoft Corporation) C:\WINDOWS\system32\occache.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\url.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\licmgr10.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jsproxy.dll
    2014-02-06 00:26 - 2006-02-28 13:00 - 00018944 _____ (Microsoft Corporation) C:\WINDOWS\system32\corpol.dll
     
    Some content of TEMP:
    ====================
    C:\Documents and Settings\SASA\Local Settings\Temp\avgnt.exe
    C:\Documents and Settings\SASA\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Documents and Settings\SASA\Local Settings\Temp\ntdll_dump.dll
    C:\Documents and Settings\SASA\Local Settings\Temp\Offercast_AVIRAV7_.exe
    C:\Documents and Settings\SASA\Local Settings\Temp\{6A926C18-A5A3-45D4-94F0-92DBF5EDBDD3}-GoogleUpdateSetup.exe
     
     
    ==================== Bamital & volsnap Check =================
     
    C:\WINDOWS\explorer.exe => MD5 is legit
    C:\WINDOWS\system32\winlogon.exe => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\User32.dll => MD5 is legit
    C:\WINDOWS\system32\userinit.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit



    Edited by Bud_91, 09 March 2014 - 12:12 PM.
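    The "Bamital & volsnap Check" block at the end of the FRST log above is a known-good hash comparison: FRST hashes a fixed list of binaries that file infectors such as Bamital patch in place (explorer.exe, winlogon.exe, svchost.exe, services.exe, user32.dll, userinit.exe, rpcss.dll, volsnap.sys) and reports "MD5 is legit" when the digest matches a clean copy for that Windows build. The script below is an added example of that technique; it is not FRST's code and not part of the thread. It builds a baseline from a constructed tree of dummy files in a temp directory (so it runs offline), then re-checks after one file has been patched and one deleted. SHA-256 is used instead of MD5 because MD5 collisions are cheap to produce. Two caveats a practitioner should keep in mind: the baseline must come from the same build and patch level (the log above shows IE8 updates landing on 2014-02-06 and 2014-03-05, each of which changes these hashes), and hashes read from inside an infected OS can be faked by a rootkit that filters file I/O, which is why boot-time and offline scanners exist.

```python
"""Known-good hash check for critical Windows binaries.

Added example, not part of the original thread and not FRST's own code.
Assumptions: the baseline is a dict of relative path -> hex digest that
you take from a known-clean machine of the same build; the files below
are constructed in a temp dir so the script runs without a Windows box.
"""
import hashlib
import os
import tempfile

# The same files FRST checks; on a real system these live under C:\WINDOWS.
CRITICAL_FILES = [
    "explorer.exe",
    "system32/winlogon.exe",
    "system32/svchost.exe",
    "system32/services.exe",
    "system32/User32.dll",
    "system32/userinit.exe",
    "system32/rpcss.dll",
    "system32/Drivers/volsnap.sys",
]


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries fit in memory.
    algo="md5" is kept only for comparing against older tool output."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names, algo="sha256"):
    """Hash every listed file under root on a machine believed clean."""
    return {name: file_digest(os.path.join(root, name), algo) for name in names}


def verify(root, baseline, algo="sha256"):
    """Return {name: status}; status is 'legit', 'MODIFIED' or 'MISSING'."""
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == expected:
            results[name] = "legit"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Constructed scenario: clean tree -> baseline -> one patched, one deleted."""
    root = tempfile.mkdtemp()
    for name in CRITICAL_FILES:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"MZ" + name.encode() + b"\x00" * 64)  # fake PE-like content
    baseline = build_baseline(root, CRITICAL_FILES)

    # Simulate a file infector appending code to explorer.exe ...
    with open(os.path.join(root, "explorer.exe"), "ab") as f:
        f.write(b"\x90" * 16 + b"\xe8\x00\x00\x00\x00")
    # ... and a driver that has been removed.
    os.remove(os.path.join(root, "system32/Drivers/volsnap.sys"))
    return verify(root, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name} => {status}")
```

    On a real XP host you would run build_baseline once against a clean install of the same service pack and update set, store the result off-box, and run verify from boot media rather than from the running OS.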


    #5 Bud_91 (Malware Response Team)

    Posted 09 March 2014 - 12:46 PM

    Let's start with this.

     

    Please download the attached fixlist.txt and save it to your desktop. Then run FRST again and select "Fix." Post the resulting fixlog.txt.

     

    Then,

     

    Please download the latest version of TDSSKiller from here and save it to your Desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    • Put a checkmark beside loaded modules.
    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.
    • Click the Start Scan button.
    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip; click on Continue.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
    • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



    Edited by Bud_91, 09 March 2014 - 12:46 PM.

    If I have not responded to your log in 36 hours, feel free to send me a PM.

    If you would like to make a thank-you donation, please click here.

     

    A.K.A. Buddierdl @ GeeksToGo.com


    #6 Bleky (Topic Starter)

    Posted 10 March 2014 - 08:05 AM

    TDSS Killer found nothing.

    Fixlog is attached.

    I also attached the RK report.




    #7 Bud_91 (Malware Response Team)

    Posted 10 March 2014 - 08:46 AM

    Could you please attach the TDSSKiller report anyway?

     

    Any improvement with the latest fix?




    #8 Bleky (Topic Starter)

    Posted 10 March 2014 - 11:08 AM

    TDSS log is attached.

    Nothing improved, it is getting worse.

    There are more new viruses installed.

    This is one of them: APPL/Solimba.Gen5




    #9 Bud_91 (Malware Response Team)

    Posted 10 March 2014 - 11:24 AM

    Could you please run a fresh Rogue Killer scan.

     

    Here are the instructions:

     

    • Download RogueKiller and save it on your desktop.
    • Quit all programs.
    • Start RogueKiller.exe.
    • Wait until Prescan has finished.
    • Click on Scan.
    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    • The report has been created on the desktop.
    • Next click on the ShortcutsFix.
    • The report has been created on the desktop.

    Please post: All RKreport.txt text files located on your desktop.



    #10 Bleky (Topic Starter)

    Posted 11 March 2014 - 06:58 AM

    RK does not find the rootkit, but I think it is hiding somewhere in the system.

    Logs are attached.




    #11 Bud_91 (Malware Response Team)

    Posted 11 March 2014 - 08:17 AM

    While I work out what to do next, could you please describe your current symptoms?




    #12 Bleky (Topic Starter)

    Posted 11 March 2014 - 08:30 AM

    Yesterday Avira almost crashed the system with the "virus found" notifications.

    Computer boots normally but slowly; I need to wait about 2-3 min when the Windows XP logo screen comes up to load...



    #13 Bud_91 (Malware Response Team)

    Posted 11 March 2014 - 10:52 AM

    Can you please attach the latest Avira logs to your next post. They should be located here: C:\Documents and Settings\All Users\Dados de aplicativos\Avira\AntiVir Desktop\LOGFILES

     

    Now, let's run this scan:

     

    Download aswMBR.exe to your desktop.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start the scan.
    • On completion of the scan click Save log, save it to your desktop and post it in your next reply.
     



    #14 Bleky (Topic Starter)

    Posted 11 March 2014 - 11:51 AM

    Avira logs are attached.

    I will post aswMBR logs later...



    Edited by Bleky, 11 March 2014 - 11:51 AM.
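    For readers wondering what the aswMBR scan Bud_91 asked for actually inspects: a bootkit overwrites the first sector of the disk so its own loader runs before the Windows kernel, and aswMBR reads that sector back and compares it with what the boot code and partition layout should look like. The script below is an added example that reproduces the offline-checkable parts of that idea; it is not aswMBR's code and not part of the thread. It validates the 0x55AA signature, decodes the four partition-table entries, flags layout anomalies, and hashes the 446-byte boot-code area for comparison with a baseline taken while the machine was known clean. The 512-byte MBR it parses is constructed inline. The device path and the "read it as Administrator" note are standard Windows behaviour; the heuristics in anomalies() are this example's own choices. One caveat: a kernel-mode rootkit can hook disk reads and hand a clean copy of the sector to any tool running inside the infected OS, so a negative result from the live system is weaker than one from boot media.

```python
"""Parse and baseline-check a 512-byte Master Boot Record.

Added example, not code from the thread or from aswMBR. The MBR bytes are
constructed here so the script runs offline; on a real host you would read
them with open(r"\\.\PhysicalDrive0", "rb").read(512) as Administrator.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the boot loader
PT_OFFSET = 446             # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
# Partition entry: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector):
    """Return the four partition-table entries as dicts; raise on a bad sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba_start, n_sectors = struct.unpack(ENTRY_FMT, entry)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    return parts


def anomalies(parts):
    """Layout checks that would make a practitioner look closer (example's own)."""
    issues = []
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        issues.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in parts:
        if p["type"] and p["lba_start"] == 0:
            issues.append(f"entry {p['index']} starts at LBA 0 (overlaps MBR)")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            issues.append(f"entry {p['index']} has type 0 but non-zero extent")
    return issues


def bootcode_hash(sector):
    """Hash only the loader bytes; the partition table legitimately changes."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_against_baseline(sector, baseline_hash):
    """Return a list of findings; an empty list means nothing to report."""
    findings = anomalies(parse_mbr(sector))
    if bootcode_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    return findings


def make_entry(bootable, ptype, lba_start, n_sectors):
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, n_sectors)


def constructed_mbr():
    """Constructed sample: placeholder loader, one bootable NTFS volume, one data volume."""
    code = b"\xeb" + b"\x00" * (BOOTCODE_LEN - 1)
    table = (make_entry(True, 0x07, 63, 204800)
             + make_entry(False, 0x07, 204863, 100000)
             + make_entry(False, 0x00, 0, 0)
             + make_entry(False, 0x00, 0, 0))
    return code + table + SIGNATURE


if __name__ == "__main__":
    clean = constructed_mbr()
    baseline = bootcode_hash(clean)
    print("clean:", check_against_baseline(clean, baseline))
    patched = bytearray(clean)
    patched[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # any replaced loader bytes
    print("patched:", check_against_baseline(bytes(patched), baseline))
```

    The split between bootcode_hash and anomalies matters: the loader bytes should be identical to the baseline on every boot, whereas the partition table changes whenever a volume is resized, so hashing the whole sector would produce false positives after ordinary disk maintenance.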


    #15 Bud_91 (Malware Response Team)

    Posted 11 March 2014 - 01:08 PM

    Most of the Avira detections are adware in things that you downloaded. The only other detection is of a file in a restore point, which we will clear when we are done.

     

    I'll wait for aswMBR.






