Solved File recovery rogue scanner infection

CanHazTrojanz?

Hello, I just got infected badly yesterday 8/31/12.

I use my PC for work I do online for my own web publishing business and for SEO or copywriting clients. I wound up getting infected with a rogue scanner. All of a sudden, various windows opened up warning of an infection, and the computer rebooted itself. When it rebooted, I found a black background with my icons "ghosted", as they were hidden. I ran Malwarebytes immediately, which found 2 Trojans, but that didn't answer all my problems by a long shot.

Before finding the "5 steps" recommended here at techspot, I was following an online tutorial given by Broni to another user:

https://www.techspot.com/community/topics/system-check-virus.178301/

I didn't take all the recommendations since I found malware that the other user didn't have, so I've posted all my findings below the "5 steps" information.

The two extra steps I did, if you will:

Running Esage Lab's "Bootkit Remover"
Trying to run aswMBR.exe, but that didn't run.
Running MBRcheck.exe as Broni suggested.

I've pasted the results beneath the output of steps 2, 3 and 4 as recommended in the 5-step preparatory thread.

I did not do anything else but run my "Vipre" antivirus, but all that found was 180 tracking cookies, and it removed 108 of them. I'm not sure why it didn't catch the virus, as it has active protection.

I've marked the files according to the steps, and used ##============## to separate the diagnostic results. The extra two files are below the information from the initial diagnostic.

Your help would be MUCH appreciated, as I have a large family and work more than full time from home for clients; I'm really at a loss right now.

##==========================================##

Step 2: Malwarebytes Log

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.30.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
IdHusseys :: IDHUSSEYS-PC [administrator]

8/31/2012 4:35:33 PM
mbam-log-2012-08-31 (16-35-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225886
Time elapsed: 14 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

##=============================================##
Step 3: GMER Log

No Results Found - But here I messed up! It DID find about 6 or 7 files (mostly under the "Documents and Settings" folder, if I recall correctly, but I can't open that file: access denied).

I thought I hit "Save" but accidentally hit "Scan", and it ran a second time and found nothing. I ran it again just in case, and it found nothing.

I noticed on the GMER site that they mention the "catchme.exe" script, so I downloaded and opened that. Here are its results:



detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51
Initialization error


##=============================================##
Step 4: DDS Log (first "DDS.txt" then "Attach.txt" files):



.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421
Run by IdHusseys at 20:05:38 on 2012-09-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2034 [GMT -6:00]
.
AV: GFI Software VIPRE *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: GFI Software VIPRE *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe
C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: LastPass Vault: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [MP3 Skype Recorder] C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe
uRun: [Google Update] "C:\Users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
StartupFolder: C:\Users\IDHUSS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\IDHUSS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: LastPass - file://C:\Users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://C:\Users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{7523F849-46AC-423E-B1D1-4B910EF80C38} : DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D} : DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D}\1627279637534376 : DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D}\C696E6B6379737 : DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D}\D41627961602845737375697 : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\MP3 Skype Recorder\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} -
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO-X64: LastPass Vault - No File
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.6.0_22\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Users\IdHusseys\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\IdHusseys\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R2 SBAMSvc;VIPRE Antivirus;C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2012-8-29 3677000]
R2 SBPIMSvc;SB Recovery Service;C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2012-8-29 175496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-12-21 89600]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;"C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe" --> C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-23 113120]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-09-01 12:26:05  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-01 07:27:25  6851408  ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{75EE6CA2-C53E-4E4F-BADA-3E07FA354116}\mpengine.dll
2012-09-01 00:19:46  93  ----a-w-  C:\Users\IdHusseys\AppData\Roaming\netstat.bat
2012-08-29 23:41:48  47496  ----a-w-  C:\Windows\SysWow64\sbbd.exe
2012-08-27 01:25:59  1034216  ----a-w-  C:\Windows\System32\npDeployJava1.dll
2012-08-26 19:26:32  86816  ----a-w-  C:\Windows\System32\drivers\sbwtis.sys
2012-08-24 05:34:26  14790243  ----a-w-  C:\Program Files (x86)\SERPAttacks_Video.exe
2012-08-24 05:22:58  --------  d-----w-  C:\Program Files (x86)\Market Samurai
2012-08-24 03:32:13  135933721  ----a-w-  C:\Program Files (x86)\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe
2012-08-22 09:05:06  73416  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-22 09:05:06  696520  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-22 08:08:40  --------  d-----w-  C:\lynx_w32
2012-08-20 22:28:45  --------  d--h--w-  C:\Users\IdHusseys\AppData\Local\ElevatedDiagnostics
2012-08-15 18:28:52  503808  ----a-w-  C:\Windows\System32\srcore.dll
2012-08-15 18:28:50  43008  ----a-w-  C:\Windows\SysWow64\srclient.dll
2012-08-15 18:28:39  751104  ----a-w-  C:\Windows\System32\win32spl.dll
2012-08-15 18:28:37  559104  ----a-w-  C:\Windows\System32\spoolsv.exe
2012-08-15 18:28:37  492032  ----a-w-  C:\Windows\SysWow64\win32spl.dll
2012-08-15 18:28:36  67072  ----a-w-  C:\Windows\splwow64.exe
2012-08-15 18:28:32  59392  ----a-w-  C:\Windows\System32\browcli.dll
2012-08-15 18:28:32  136704  ----a-w-  C:\Windows\System32\browser.dll
2012-08-15 18:28:31  41984  ----a-w-  C:\Windows\SysWow64\browcli.dll
2012-08-15 18:28:24  3148800  ----a-w-  C:\Windows\System32\win32k.sys
2012-08-15 18:28:22  956928  ----a-w-  C:\Windows\System32\localspl.dll
2012-08-14 22:24:05  15428440  ----a-w-  C:\Program Files (x86)\AdobeAIRInstaller.exe
2012-08-14 21:49:12  --------  d--h--w-  C:\Users\IdHusseys\AppData\Local\{136E17CE-9D8C-4576-B5FB-9FD9476CEE7D}
2012-08-13 19:53:47  --------  d--h--w-  C:\Users\IdHusseys\AppData\Local\{22CFA543-8BC0-487D-B925-78E6564E6786}
2012-08-11 21:18:14  --------  d--h--w-  C:\Users\IdHusseys\AppData\Roaming\Microsys
2012-08-11 21:17:46  --------  d-----w-  C:\Program Files\Microsys
2012-08-09 21:04:46  --------  d--h--w-  C:\Users\IdHusseys\temp
2012-08-09 20:55:19  11264  ----a-w-  C:\Windows\SysWow64\SPORDER.DLL
.
==================== Find3M ====================
.
2012-08-29 23:41:48  47496  ----a-w-  C:\Windows\System32\sbbd.exe
2012-08-28 03:34:13  916456  ----a-w-  C:\Windows\System32\deployJava1.dll
2012-08-24 09:02:52  821736  ----a-w-  C:\Windows\SysWow64\npdeployJava1.dll
2012-08-24 09:02:52  746984  ----a-w-  C:\Windows\SysWow64\deployJava1.dll
2012-08-01 20:36:54  82872  ----a-w-  C:\Windows\System32\drivers\sbapifs.sys
2012-06-29 03:56:34  2312704  ----a-w-  C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11  1392128  ----a-w-  C:\Windows\System32\wininet.dll
2012-06-29 03:48:07  1494528  ----a-w-  C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49  173056  ----a-w-  C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48  2382848  ----a-w-  C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58  1800704  ----a-w-  C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01  1129472  ----a-w-  C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59  1427968  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43  142848  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45  2382848  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
2012-06-16 01:05:02  60304  ----a-w-  C:\Users\IdHusseys\g2mdlhlpx.exe
2012-06-06 06:06:16  2004480  ----a-w-  C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16  1881600  ----a-w-  C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54  1133568  ----a-w-  C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52  1390080  ----a-w-  C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52  1236992  ----a-w-  C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06  805376  ----a-w-  C:\Windows\SysWow64\cdosys.dll
.
============= FINISH: 20:13:01.63 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2010 2:35:09 PM
System Uptime: 9/1/2012 5:57:48 PM (3 hours ago)
.
Motherboard: Hewlett-Packard | | 363F
Processor: AMD Athlon(tm) II Dual-Core M320 | Socket S1G3 | 2094/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 219 GiB total, 150.054 GiB free.
D: is FIXED (NTFS) - 14 GiB total, 2.236 GiB free.
E: is FIXED (FAT32) - 0 GiB total, 0.092 GiB free.
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP360: 8/28/2012 12:42:21 AM - Removed Java 7 Update 6 (64-bit)
RP361: 8/28/2012 12:49:20 AM - Installed Java 7 Update 6
RP362: 8/29/2012 10:32:06 PM - Installed Proxy Multiply
RP363: 8/30/2012 1:30:49 PM - Removed Proxy Multiply
RP364: 8/31/2012 5:36:32 PM - Windows Update
RP365: 8/31/2012 7:32:13 PM - Configured Power2Go
RP366: 8/31/2012 7:34:47 PM - Configured PowerDirector
RP367: 8/31/2012 7:44:01 PM - Removed Fresh Proxy Scraper.
RP368: 8/31/2012 7:45:03 PM - Removed iTunes
RP369: 8/31/2012 7:45:58 PM - Removed Microsoft Silverlight
RP370: 8/31/2012 7:46:38 PM - Removed muvee Reveal
RP371: 8/31/2012 7:51:35 PM - Removed iTunes
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Adobe Shockwave Player
Adobe Shockwave Player 11.6
Amazon Kindle
AMD USB Filter Driver
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
AVS Audio Converter 7
AVS Audio Editor 7.1
AVS Audio Recorder version 4.0
AVS Cover Editor 2.0.1.3
AVS Disc Creator 5
AVS Document Converter 2.1.2
AVS DVD Copy version 4.1.2
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Converter 8
AVS Video Editor 6
AVS Video Recorder 2.4
AVS Video ReMaker 4.0.8.140
AVS4YOU Software Navigator 1.4
BacklinkTopia
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
CurationSoft
D3DX10
Directory Submitter 1.0.29
Dropbox
FileZilla Client 3.5.3
FreeMind
GFX Video Writer
GFX Writer
GIMP 2.6.11
Google Chrome
GoToMeeting 5.2.0.952
Hewlett-Packard ACLM.NET v1.1.0.0
HMA! Pro VPN 2.6.9
HP Customer Experience Enhancements
HP Product Detection
HP Update
HP User Guides 0148
HP Wireless Assistant
IDT Audio
Image Crusher
Jigs@w Puzzle Promo Creator 2.1
Junk Mail filter update
jZip
LastPass (uninstall only)
LightScribe System Software
Magic Article Rewriter
Magic Article Submitter
Magic Rank Tracker version 2.7
Magic Tokens Database 2.0
Malwarebytes Anti-Malware version 1.62.0.1300
Market Samurai
MarketMeSuite
Mesh Runtime
Messenger Companion
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MP3 Skype Recorder
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NP Checker
OpenOffice.org 3.4.1
PAD SubmitWorker 1.2
PDF2EXE 3.0
PressBot
QuickTime
Realtek 8136 8168 8169 Ethernet Driver
Realtek USB 2.0 Card Reader
Recovery Manager
RSSBot
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SEO PowerSuite
SERPAttacks
SERPAttacks Video Tutorial
Skype™ 5.8
swMSM
The 5 Bucks a Day Action Enforcer
Tracker
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VideoBot
VIPRE Antivirus
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Xenu's Link Sleuth
XMind
.
==== Event Viewer Messages From Past Week ========
.
9/1/2012 7:05:53 AM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
9/1/2012 5:58:31 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 5:58:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/1/2012 5:58:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/1/2012 5:58:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/1/2012 5:58:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/1/2012 5:58:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/1/2012 5:58:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/1/2012 5:58:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2012 5:02:50 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
9/1/2012 5:01:24 PM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
9/1/2012 4:58:55 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 3:49:31 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
9/1/2012 3:42:23 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
9/1/2012 3:42:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
8/31/2012 8:02:43 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
8/31/2012 8:02:43 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
8/31/2012 6:21:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/31/2012 6:06:51 PM, Error: Microsoft-Windows-Directory-Services-SAM [12291] - SAM failed to start the TCP/IP or SPX/IPX listening thread
8/31/2012 6:05:48 PM, Error: Service Control Manager [7023] - The Peer Name Resolution Protocol service terminated with the following error: Access is denied.
8/31/2012 6:05:48 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: Access is denied.
8/31/2012 6:05:48 PM, Error: Microsoft-Windows-PNRPSvc [102] - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80070005.
8/28/2012 6:38:05 PM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
.
==== End Of File ===========================
 
Following are the "extra" reports (Bootkit Remover and MBRcheck.exe). I wasn't requested to run them, but was following a thread where Broni helped someone with the same symptoms as me, a rogue scanner virus.


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...


##=============================================##


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:Windows 7 Home Premium Edition
Windows Information:Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer:Hewlett-Packard
BIOS Manufacturer:Hewlett-Packard
System Manufacturer:Hewlett-Packard
System Product Name:presario CQ61 Notebook PC
Logical Drives Mask:0x0000007c

Kernel Drivers (total 233):

Processes (total 77):
0 System Idle Process
4 System
272 C:\Windows\System32\smss.exe
376 csrss.exe
444 C:\Windows\System32\wininit.exe
476 csrss.exe
508 C:\Windows\System32\services.exe
524 C:\Windows\System32\lsass.exe
532 C:\Windows\System32\lsm.exe
640 C:\Windows\System32\winlogon.exe
704 C:\Windows\System32\svchost.exe
848 C:\Windows\System32\svchost.exe
892 C:\Windows\System32\atiesrxx.exe
984 C:\Windows\System32\svchost.exe
112 C:\Windows\System32\svchost.exe
308 C:\Windows\System32\svchost.exe
328 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\stacsv64.exe
1248 C:\Windows\System32\svchost.exe
1312 C:\Windows\System32\atieclxx.exe
1340 C:\Windows\System32\svchost.exe
1492 C:\Windows\System32\wlanext.exe
1500 C:\Windows\System32\conhost.exe
1556 C:\Windows\System32\spoolsv.exe
1596 C:\Windows\System32\svchost.exe
1724 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1776 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
1808 C:\Program Files\LSI SoftModem\agr64svc.exe
1828 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1864 C:\Program Files\Bonjour\mDNSResponder.exe
1912 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1988 C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe
1144 C:\Windows\System32\svchost.exe
1240 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2044 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2292 WUDFHost.exe
2332 C:\Windows\System32\svchost.exe
2608 C:\Windows\System32\dwm.exe
2652 C:\Windows\explorer.exe
2860 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2868 C:\Program Files\IDT\WDM\sttray64.exe
2876 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
2888 C:\Program Files\Microsoft IntelliType Pro\itype.exe
2896 C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
2912 C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe
2956 C:\Users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe
3052 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
2008 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
2396 C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
212 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
2640 C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
2788 C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe
3200 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3404 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
3560 C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe
3712 C:\Windows\System32\SearchIndexer.exe
3808 WmiPrvSE.exe
3844 C:\Windows\System32\svchost.exe
3920 C:\Program Files\Windows Media Player\wmpnetwk.exe
3012 C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
2252 C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
3612 C:\Windows\System32\svchost.exe
5104 C:\Program Files (x86)\Notepad++\notepad++.exe
192 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
3640 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
1096 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
4788 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
4864 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
4652 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
2264 C:\Windows\System32\taskeng.exe
1152 C:\Windows\SysWOW64\dllhost.exe
4704 C:\Users\IdHusseys\Desktop\boot_cleaner.exe
732 C:\Windows\System32\conhost.exe
4792 C:\Windows\System32\SearchProtocolHost.exe
3984 C:\Windows\System32\SearchFilterHost.exe
2344 C:\Users\IdHusseys\Desktop\MBRCheck.exe
3148 C:\Windows\System32\conhost.exe
3480 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000036`d0b00000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000003a`32300000 (FAT32)

PhysicalDrive0 Model Number: WDCWD2500BEKT-60V5T1, Rev: 12.01A12

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 9F3807A0B71B8DD1FE0EB7D673BFB161086C5C76


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
 
Thank you, Broni for the reply.

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : IdHusseys [Admin rights]
Mode : Scan -- Date : 09/02/2012 14:18:54

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-60V5T1 ATA Device +++++
--- User ---
[MBR] 063cd16551c74d8b53b77c1f4cb4d721
[BSP] 7e6fdc35a5d3f9ce16c15f62b998a65f : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 224323 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 459823104 | Size: 13848 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c5c35f84d2d2fd722db9db451cc7575e
[BSP] ee44ff2e1f76c9b9ff9f80d326267ede : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 224323 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 459823104 | Size: 13848 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
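The "User = LL1 ... OK!" / "User != LL2 ... KO!" lines above come from reading the same sector through different layers and comparing them. The following is an added example, not code from the thread or from RogueKiller/MBRCheck: it parses a 512-byte MBR, rebuilds the partition table exactly as logged for PhysicalDrive0, and classifies a pair of reads the way a defender would (identical table, different boot code = faked MBR code). Both sectors and the boot-code bytes are constructed stand-ins.

```python
"""Parse an MBR and compare a user-mode read with a low-level read.

Added example for the thread above; not RogueKiller's or MBRCheck's code.
The partition table values are the ones logged for PhysicalDrive0; the boot
code bytes are constructed placeholders, not real boot code or malware.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
SECTORS_PER_MIB = (1024 * 1024) // SECTOR          # 2048
PART_TYPES = {0x07: "NTFS", 0x0b: "FAT32", 0x0c: "FAT32-LBA", 0x0f: "Extended-LBA"}
ENTRY_FMT = "<B3sB3sII"                             # status, CHS, type, CHS, LBA, count


@dataclass(frozen=True)
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    def describe(self) -> str:
        """Render one entry in the style of the RogueKiller partition table."""
        flag = "ACTIVE" if self.active else "XXXXXX"
        name = PART_TYPES.get(self.type_id, "Unknown")
        size_mib = self.sectors // SECTORS_PER_MIB
        return (f"{self.index} - [{flag}] {name} (0x{self.type_id:02x}) "
                f"Offset (sectors): {self.lba_start} | Size: {size_mib} Mo")


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:
            continue                                # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def build_mbr(boot_code: bytes, parts: list) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of code, 4 entries, 0x55AA."""
    table = bytearray(64)
    for p in parts:
        struct.pack_into(ENTRY_FMT, table, 16 * p.index,
                         0x80 if p.active else 0x00, b"\xfe\xff\xff",
                         p.type_id, b"\xfe\xff\xff", p.lba_start, p.sectors)
    return boot_code.ljust(446, b"\x00")[:446] + bytes(table) + b"\x55\xaa"


def boot_code_md5(sector: bytes) -> str:
    """Hash only the code area (the log's [MBR] value covers the whole sector)."""
    return hashlib.md5(sector[:446]).hexdigest()


def compare_reads(user_read: bytes, lowlevel_read: bytes) -> str:
    """Classify a user-mode read against a lower-level read of the same sector.

    OK: both layers agree. MBR_CODE_FAKED: the partition table is identical
    but the code area differs, i.e. something between user mode and the disk
    serves a clean-looking sector (the pattern in the log above).
    PARTITION_TABLE_MISMATCH: the layout itself differs.
    """
    if user_read == lowlevel_read:
        return "OK"
    if parse_mbr(user_read) == parse_mbr(lowlevel_read):
        return "MBR_CODE_FAKED"
    return "PARTITION_TABLE_MISMATCH"


# Partition table as logged for PhysicalDrive0 (sizes converted from Mo).
PARTITIONS = [
    Partition(0, True, 0x07, 2048, 199 * SECTORS_PER_MIB),
    Partition(1, False, 0x07, 409600, 224323 * SECTORS_PER_MIB),
    Partition(2, False, 0x07, 459823104, 13848 * SECTORS_PER_MIB),
    Partition(3, False, 0x0c, 488183808, 103 * SECTORS_PER_MIB),
]

# Constructed stand-ins for the code area; neither is real boot code.
CLEAN_BOOT_CODE = b"CONSTRUCTED clean boot code stand-in"
HOOKED_BOOT_CODE = b"CONSTRUCTED differing boot code stand-in"

USER_SECTOR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)        # what user mode sees
LOWLEVEL_SECTOR = build_mbr(HOOKED_BOOT_CODE, PARTITIONS)   # what the disk holds


if __name__ == "__main__":
    for p in parse_mbr(USER_SECTOR):
        print(p.describe())
    print("User   [MBR]", boot_code_md5(USER_SECTOR))
    print("LL2    [MBR]", boot_code_md5(LOWLEVEL_SECTOR))
    print("Verdict:", compare_reads(USER_SECTOR, LOWLEVEL_SECTOR))
```

Note that the rebuilt offsets chain exactly (2048 + 199 MiB = 409600, and so on), which is why RogueKiller reported identical tables for both layers while the [MBR] hashes differed.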
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Sorry for being so quiet, Broni - had a to-do list to attend.

I downloaded aswMBR to a thumb drive, moved it to my infected desktop, and when I click on it nothing happens. The desktop icon darkens like it's been pressed, but nothing else happens. I'm downloading it again to re-try. Does it open a dialog box normally?
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
I've tried "run as administrator" and renaming the file before using it...it won't do anything. Is there an alternative?
 
No can do, Broni. It won't run. I've tried in normal mode, normal mode w/o internet, safe mode w/networking and safe mode. I've "run as administrator" from the removable drive as well as the desktop: TDSSKiller won't open.
 
Just to follow up - yesterday I was able to select "properties" on my desktop icons (which before I was unable to access), and de-select "hidden" - but I see now a handful of my icons have re-hidden themselves. All ears for alternatives at your next convenience. Thanks again.
 
Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
OK any security prompts.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
 
I did as asked - closed all applications/programs, ran FixTDSS and same problem:

"Catalyst Control Centre has stopped working" (lost connection with host or something). Then the program won't open after that dialogue. I tried in safe mode and regular.
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
 
When I choose "repair your computer" I get a black screen. I've tried it 3 times. Also earlier I tried to rename the various TDSS killer programs, following advice from another thread to that effect on BleepingComputer. I used names like "iexplore.exe" and "system" etc. It didn't work.

I should also backup and relate that I've been having Chrome redirect a lot this past year, randomly (come to think of it). Or at various times I'd select text or a URL and then "copy" and when I paste, it would paste various gobbledegook (a lot of it). So this problem's likely been an old ongoing one that just got worse for some reason.

Anyhow, I appreciate you hanging in there, I'm missing nearly a week of work thanks to the infection.
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart the computer in Safe Mode.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done, Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double-clicking on it.

IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
 
ComboFix 12-09-03.07 - IdHusseys 09/03/2012 23:23:59.7.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2087 [GMT -6:00]
Running from: c:\users\IdHusseys\Desktop\ComboFix.exe
AV: GFI Software VIPRE *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
SP: GFI Software VIPRE *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\ZORK1.DAT
C:\Install.exe
c:\program files (x86)\Netpeak\NP Checker\RnD.ICS.HelperServiceLibrary.dll
c:\programdata\ntuser.dat
c:\users\IdHusseys\AppData\Roaming\.#
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1040@2102780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1040@21027B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1268@3F2780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1268@3F27B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1390@962780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1390@9627B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@14C@672780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@14C@6727B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1630@1FA2780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@1630@1FA27B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@604@292780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@604@2927B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@8C0@3D2780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@8C0@3D27B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@9EC@1FD2780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@9EC@1FD27B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@A50@20E2780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@A50@20E27B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@D5C@3E2780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@D5C@3E27B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@E9C@1F92780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@E9C@1F927B0.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@F28@1F02780.###
c:\users\IdHusseys\AppData\Roaming\.#\MBX@F28@1F027B0.###
c:\users\IdHusseys\AppData\Roaming\47f5ae1b-24d4-466b-a5db-c9e5ddf8e247.jpg
c:\users\IdHusseys\AppData\Roaming\50589760-8184-4ca2-bbaa-cd8f71321bd1.jpg
c:\users\IdHusseys\AppData\Roaming\7cc09f13-c726-4ba4-ab0c-6ee1c1ae3041.jpg
c:\users\IdHusseys\AppData\Roaming\867ace52-bbbd-4d66-8b80-6fc6a75e6d09.jpg
c:\users\IdHusseys\AppData\Roaming\af283af5-d03c-4303-aae4-e645209e6e1a.jpg
c:\users\IdHusseys\AppData\Roaming\b3b29eab-1fe4-4a5c-91de-7d4947a97ded.jpg
c:\users\IdHusseys\AppData\Roaming\cead7579-067e-42bf-b761-630e82ccc47f.jpg
c:\users\IdHusseys\AppData\Roaming\d410ac74-5aad-4b67-8e1b-99eb43872416.jpg
c:\users\IdHusseys\AppData\Roaming\df262f7d-e504-4498-9a99-65424493037f.jpg
c:\users\IdHusseys\AppData\Roaming\fd9b4e5b-1383-4f1b-9646-bad6d0ea8428.jpg
c:\users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\searchplugins\bing-zugo.xml
c:\users\IdHusseys\AppData\Roaming\ubot
c:\users\IdHusseys\g2mdlhlpx.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
.
.
2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-09-01 12:26 . 2012-09-01 12:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 07:27 . 2010-05-21 20:13 6851408 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{75EE6CA2-C53E-4E4F-BADA-3E07FA354116}\mpengine.dll
2012-09-01 00:19 . 2012-09-01 00:19 93 ----a-w- c:\users\IdHusseys\AppData\Roaming\netstat.bat
2012-08-29 23:41 . 2012-08-29 23:41 47496 ----a-w- c:\windows\SysWow64\sbbd.exe
2012-08-28 06:50 . 2012-08-28 06:50 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-27 01:25 . 2012-08-28 03:34 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-26 19:26 . 2012-08-26 19:26 86816 ----a-w- c:\windows\system32\drivers\sbwtis.sys
2012-08-24 05:34 . 2012-08-24 05:34 14790243 ----a-w- c:\program files (x86)\SERPAttacks_Video.exe
2012-08-24 05:22 . 2012-09-01 00:51 -------- d-----w- c:\program files (x86)\Market Samurai
2012-08-24 05:22 . 2012-09-01 00:25 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-08-24 03:32 . 2012-08-24 03:38 135933721 ----a-w- c:\program files (x86)\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe
2012-08-22 09:05 . 2012-08-22 09:05 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-22 09:05 . 2012-08-22 09:05 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-22 08:08 . 2012-09-01 00:51 -------- d-----w- C:\lynx_w32
2012-08-20 22:28 . 2012-08-22 06:27 -------- d--h--w- c:\users\IdHusseys\AppData\Local\ElevatedDiagnostics
2012-08-15 18:28 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 18:28 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-15 18:28 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 18:28 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 18:28 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-15 18:28 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-15 18:28 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 18:28 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-15 18:28 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 18:28 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-15 18:28 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 18:28 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-08-14 22:24 . 2012-08-23 21:23 15428440 ----a-w- c:\program files (x86)\AdobeAIRInstaller.exe
2012-08-11 21:18 . 2012-08-23 00:56 -------- d--h--w- c:\users\IdHusseys\AppData\Roaming\Microsys
2012-08-11 21:17 . 2012-09-01 00:33 -------- d-----w- c:\program files\Microsys
2012-08-09 21:04 . 2012-08-09 21:04 -------- d--h--w- c:\users\IdHusseys\temp
2012-08-09 20:55 . 1997-06-06 21:52 11264 ----a-w- c:\windows\SysWow64\SPORDER.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 23:41 . 2010-04-17 16:15 47496 ----a-w- c:\windows\system32\sbbd.exe
2012-08-28 03:34 . 2011-10-22 00:50 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 09:02 . 2012-06-18 01:22 821736 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-24 09:02 . 2010-04-16 04:03 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-16 19:07 . 2010-04-11 22:46 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-01 20:36 . 2012-08-01 20:36 82872 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2012-06-09 05:43 . 2012-07-10 18:02 14172672 ----a-w- c:\windows\system32\shell32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-15 17145992]
"MP3 Skype Recorder"="c:\program files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe" [2011-11-18 1975296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-05 98304]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2010-03-23 500792]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"SBAMTray"="c:\program files (x86)\GFI Software\VIPRE\SBAMTray.exe" [2012-08-29 3149704]
.
c:\users\IdHusseys\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-07 113120]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 216576]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-17 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-05 203264]
S2 SBAMSvc;VIPRE Antivirus;c:\program files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2012-08-29 3677000]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 82872]
S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2012-08-29 175496]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-29 52584]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
S3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-08-26 86816]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-03-09 36408]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 17:15 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3455346300-1148100813-3106168065-1000Core.job
- c:\users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-25 10:18]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3455346300-1148100813-3106168065-1000UA.job
- c:\users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-25 10:18]
.
2012-08-12 c:\windows\Tasks\HPCeeScheduleForIdHusseys.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1860496]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=fillforms
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
FF - ProfilePath - c:\users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-WinLiveSuite - c:\program files (x86)\Windows Live\Installer\wlarp.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
.
**************************************************************************
.
Completion time: 2012-09-04 01:10:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-04 07:09
.
Pre-Run: 160,869,343,232 bytes free
Post-Run: 160,759,435,264 bytes free
.
- - End Of File - - 9C622B88A26383E89A9730C23EDF1EA8
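As an added example (not ComboFix's own tooling and not part of Broni's instructions or the poster's log), the script below reads a ComboFix.txt the way a responder does when triaging a report like the one above: it splits the report on its banner lines, lists what was deleted, flags newly created executables in user-writable locations, and checks the `policies\system` values for `EnableLUA`, which the log above shows as 0, meaning UAC was switched off. The embedded sample report is constructed (user name `someuser`, a handful of rows in the same layout as the real report); the section banners and row format are assumed to match the log shown above.

```python
"""Triage helper for a ComboFix.txt report (added example, not ComboFix's own code).

It splits the report into its banner-delimited sections and pulls out what a
responder reads first: deleted items, new executables dropped in user-writable
directories, and whether UAC (EnableLUA) is disabled in the policies key.
"""
import re
from collections import defaultdict

# Banner lines look like "((((( Other Deletions )))))" or "------ X64 Entries ------".
SECTION_RE = re.compile(r"^[(\-]{5,}\s*(.+?)\s*[)\-]{5,}$")
# 'Files Created' rows: "<created> . <modified> <size|dashes> <attrs> <path>"
FILE_ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (-+|\d+) (\S+) (.+)$"
)
# Registry rows inside the policies key, e.g. '"EnableLUA"= 0 (0x0)'
POLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+)')
# Locations where user-level malware commonly drops its files (assumed heuristic).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".bat", ".scr")


def split_sections(text):
    """Return {banner title: [non-empty lines]} for the report; lines before the first banner go to 'header'."""
    sections = defaultdict(list)
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if line.strip() in ("", "."):  # ComboFix pads blocks with lone '.' rows
            continue
        sections[current].append(line.rstrip())
    return sections


def deleted_items(sections):
    """Paths listed under 'Other Deletions' (rows that start with a drive letter)."""
    return [l for l in sections.get("Other Deletions", []) if re.match(r"^[a-z]:\\", l, re.I)]


def suspicious_new_files(sections):
    """Executables created in user-writable directories, from the 'Files Created' block."""
    hits = []
    for title, lines in sections.items():
        if not title.startswith("Files Created"):
            continue
        for line in lines:
            m = FILE_ROW_RE.match(line)
            if not m:
                continue
            created, _modified, size, attrs, path = m.groups()
            if attrs.startswith("d"):  # directory row, not a file
                continue
            lowered = path.lower()
            if lowered.endswith(EXEC_SUFFIXES) and any(d in lowered for d in USER_WRITABLE):
                hits.append({"created": created, "size": int(size) if size.isdigit() else 0, "path": path})
    return hits


def uac_state(sections):
    """Values ComboFix lists under ...\\policies\\system; EnableLUA == 0 means UAC is off."""
    values, in_policies = {}, False
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("["):
            in_policies = line.lower().endswith("\\policies\\system]")
            continue
        if in_policies:
            m = POLICY_RE.match(line)
            if m:
                values[m.group(1)] = int(m.group(2))
    return values


def triage(text):
    """Summarise a ComboFix.txt report as a dict."""
    sections = split_sections(text)
    return {
        "deleted": deleted_items(sections),
        "suspicious_new_files": suspicious_new_files(sections),
        "uac_disabled": uac_state(sections).get("EnableLUA") == 0,
    }


# Constructed sample in the ComboFix.txt layout; not a real report.
SAMPLE_LOG = r"""ComboFix 12-09-03.07 - someuser 09/03/2012 23:23:59.7.2 - x64 NETWORK
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\users\someuser\AppData\Roaming\.#
c:\users\someuser\AppData\Roaming\.#\MBX@1040@2102780.###
c:\users\someuser\g2mdlhlpx.exe
.
((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
.
2012-09-01 12:26 . 2012-09-01 12:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 00:19 . 2012-09-01 00:19 93 ----a-w- c:\users\someuser\AppData\Roaming\netstat.bat
2012-08-29 23:41 . 2012-08-29 23:41 47496 ----a-w- c:\windows\SysWow64\sbbd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-15 17145992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
.
--------- X64 Entries -----------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1860496]
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

On the sample, `triage` reports the four deleted paths, flags the 93-byte `netstat.bat` dropped in `AppData\Roaming` (a script in a roaming profile directory is worth a look even when the tool did not remove it), leaves `sbbd.exe` in `SysWow64` alone because it is not in a user-writable location, and sets `uac_disabled` because `EnableLUA` is 0. Re-enabling UAC after cleanup is the obvious follow-up that check exists to prompt.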
 
Broni -

I can't connect to the internet on the infected PC. It states:

Problem with wireless adapter or access point
"Wireless Network Connection" doesn't have a valid IP configuration

You mentioned to restart the PC if it can't connect to the internet after Combofix, but it won't reconnect.
 
Combofix created a restore point yesterday.
Use it and see if it'll bring back internet connection.
 
When I go to "Computer > System and Security > Find a Restore point (or whatever it says) > Open System Restore (however it's worded)"

The last restore point is when I noticed the File Recovery rogue infection on August 31st. How do I access the Combofix restore?
 
Back