TechSpot

File recovery rogue scanner infection

Solved
By CanHazTrojanz?
Sep 1, 2012
  1. Hello, I just got infected badly yesterday, 8/31/12.

    I use my PC for work I do online for my own web publishing business and for SEO or copywriting clients. I wound up getting infected with a rogue scanner. All of a sudden, various windows opened up warning of an infection, and the computer rebooted itself. When it rebooted, I found a black background with my icons "ghosted", as they were hidden. I ran Malwarebytes immediately, which found 2 Trojans, but that didn't answer all my problems by a long shot.

    Before finding the "5 steps" recommended here at TechSpot, I was following an online tutorial given by Broni to another user:

    http://www.techspot.com/community/topics/system-check-virus.178301/

    I didn't take all the recommendations since I found malware that the other user didn't have, so I've posted all my findings below the "5 steps" information.

    The two extra steps I did, if you will:

    Running Esage Lab's "Bootkit Remover"
    Trying to run aswMBR.exe, but that didn't run.
    Running MBRcheck.exe as Broni suggested.

    I've pasted the results beneath the output of steps 2, 3 and 4 as recommended in the 5-step preparatory thread.

    I did not do anything else but run my "Vipre" antivirus, but all that found was 180 tracking cookies (and it removed 108 of them); I'm not sure why it didn't catch the virus, as it has active protection.

    I've marked the files according to the steps, and use ##============## to differentiate the diagnostic results. The extra two files are below the information of the initial diagnostic.

    Your help would be MUCH appreciated, as I have a large family and work more than full time from home for clients; I'm really at a loss right now.

    ##==========================================##

    Step 2: Malwarebytes Log

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.30.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    IdHusseys :: IDHUSSEYS-PC [administrator]

    8/31/2012 4:35:33 PM
    mbam-log-2012-08-31 (16-35-33).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 225886
    Time elapsed: 14 minute(s), 17 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ##=============================================##
    Step 3: GMER Log

    No Results Found - But here I messed up! It DID find about 6 or 7 files (mostly under the "Documents and Settings" folder, if I recall correctly, but I can't open that file: access denied).

    I thought I hit "Save" but accidentally hit "Scan", and it ran a second time and found nothing. I ran it again just in case; it found nothing.

    So I noticed that on the GMER site they mention the "catchme.exe" script; I downloaded and opened that. Here are its results:



    detected NTDLL code modification:
    ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51
    Initialization error


    ##=============================================##
    Step 4: DDS Log (first "DDS.txt" then "Attach.txt" files):



    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
    Internet Explorer: 9.0.8112.16421
    Run by IdHusseys at 20:05:38 on 2012-09-01
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2034 [GMT -6:00]
    .
    AV: GFI Software VIPRE *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: GFI Software VIPRE *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe
    C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe
    C:\Windows\system32\REGSVR32.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: LastPass Vault: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPToolbar.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    uRun: [MP3 Skype Recorder] C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe
    uRun: [Google Update] "C:\Users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
    StartupFolder: C:\Users\IDHUSS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\Users\IDHUSS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
    IE: LastPass - file://C:\Users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=lastpass
    IE: LastPass Fill Forms - file://C:\Users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=fillforms
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
    DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
    DPF: {CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
    TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
    TCP: Interfaces\{7523F849-46AC-423E-B1D1-4B910EF80C38} : DhcpNameServer = 24.116.2.50 24.116.2.34
    TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D} : DhcpNameServer = 24.116.2.50 24.116.2.34
    TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D}\1627279637534376 : DhcpNameServer = 24.116.2.50 24.116.2.34
    TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D}\C696E6B6379737 : DhcpNameServer = 24.116.2.50 24.116.2.34
    TCP: Interfaces\{CF0CB9F8-FA84-4B47-A1C1-735CF549A63D}\D41627961602845737375697 : DhcpNameServer = 192.168.0.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\MP3 Skype Recorder\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} -
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
    BHO-X64: LastPass Vault - No File
    BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
    TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun-x64: [(Default)]
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre1.6.0_22\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Users\IdHusseys\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: C:\Users\IdHusseys\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 SBAMSvc;VIPRE Antivirus;C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2012-8-29 3677000]
    R2 SBPIMSvc;SB Recovery Service;C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2012-8-29 175496]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
    S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-12-21 89600]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]
    S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;"C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe" --> C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-23 113120]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-09-01 12:26:05  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-09-01 07:27:25  6851408  ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{75EE6CA2-C53E-4E4F-BADA-3E07FA354116}\mpengine.dll
    2012-09-01 00:19:46  93  ----a-w-  C:\Users\IdHusseys\AppData\Roaming\netstat.bat
    2012-08-29 23:41:48  47496  ----a-w-  C:\Windows\SysWow64\sbbd.exe
    2012-08-27 01:25:59  1034216  ----a-w-  C:\Windows\System32\npDeployJava1.dll
    2012-08-26 19:26:32  86816  ----a-w-  C:\Windows\System32\drivers\sbwtis.sys
    2012-08-24 05:34:26  14790243  ----a-w-  C:\Program Files (x86)\SERPAttacks_Video.exe
    2012-08-24 05:22:58  --------  d-----w-  C:\Program Files (x86)\Market Samurai
    2012-08-24 03:32:13  135933721  ----a-w-  C:\Program Files (x86)\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe
    2012-08-22 09:05:06  73416  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-22 09:05:06  696520  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-08-22 08:08:40  --------  d-----w-  C:\lynx_w32
    2012-08-20 22:28:45  --------  d--h--w-  C:\Users\IdHusseys\AppData\Local\ElevatedDiagnostics
    2012-08-15 18:28:52  503808  ----a-w-  C:\Windows\System32\srcore.dll
    2012-08-15 18:28:50  43008  ----a-w-  C:\Windows\SysWow64\srclient.dll
    2012-08-15 18:28:39  751104  ----a-w-  C:\Windows\System32\win32spl.dll
    2012-08-15 18:28:37  559104  ----a-w-  C:\Windows\System32\spoolsv.exe
    2012-08-15 18:28:37  492032  ----a-w-  C:\Windows\SysWow64\win32spl.dll
    2012-08-15 18:28:36  67072  ----a-w-  C:\Windows\splwow64.exe
    2012-08-15 18:28:32  59392  ----a-w-  C:\Windows\System32\browcli.dll
    2012-08-15 18:28:32  136704  ----a-w-  C:\Windows\System32\browser.dll
    2012-08-15 18:28:31  41984  ----a-w-  C:\Windows\SysWow64\browcli.dll
    2012-08-15 18:28:24  3148800  ----a-w-  C:\Windows\System32\win32k.sys
    2012-08-15 18:28:22  956928  ----a-w-  C:\Windows\System32\localspl.dll
    2012-08-14 22:24:05  15428440  ----a-w-  C:\Program Files (x86)\AdobeAIRInstaller.exe
    2012-08-14 21:49:12  --------  d--h--w-  C:\Users\IdHusseys\AppData\Local\{136E17CE-9D8C-4576-B5FB-9FD9476CEE7D}
    2012-08-13 19:53:47  --------  d--h--w-  C:\Users\IdHusseys\AppData\Local\{22CFA543-8BC0-487D-B925-78E6564E6786}
    2012-08-11 21:18:14  --------  d--h--w-  C:\Users\IdHusseys\AppData\Roaming\Microsys
    2012-08-11 21:17:46  --------  d-----w-  C:\Program Files\Microsys
    2012-08-09 21:04:46  --------  d--h--w-  C:\Users\IdHusseys\temp
    2012-08-09 20:55:19  11264  ----a-w-  C:\Windows\SysWow64\SPORDER.DLL
    .
    ==================== Find3M ====================
    .
    2012-08-29 23:41:48  47496  ----a-w-  C:\Windows\System32\sbbd.exe
    2012-08-28 03:34:13  916456  ----a-w-  C:\Windows\System32\deployJava1.dll
    2012-08-24 09:02:52  821736  ----a-w-  C:\Windows\SysWow64\npdeployJava1.dll
    2012-08-24 09:02:52  746984  ----a-w-  C:\Windows\SysWow64\deployJava1.dll
    2012-08-01 20:36:54  82872  ----a-w-  C:\Windows\System32\drivers\sbapifs.sys
    2012-06-29 03:56:34  2312704  ----a-w-  C:\Windows\System32\jscript9.dll
    2012-06-29 03:49:11  1392128  ----a-w-  C:\Windows\System32\wininet.dll
    2012-06-29 03:48:07  1494528  ----a-w-  C:\Windows\System32\inetcpl.cpl
    2012-06-29 03:43:49  173056  ----a-w-  C:\Windows\System32\ieUnatt.exe
    2012-06-29 03:39:48  2382848  ----a-w-  C:\Windows\System32\mshtml.tlb
    2012-06-29 00:16:58  1800704  ----a-w-  C:\Windows\SysWow64\jscript9.dll
    2012-06-29 00:09:01  1129472  ----a-w-  C:\Windows\SysWow64\wininet.dll
    2012-06-29 00:08:59  1427968  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
    2012-06-29 00:04:43  142848  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
    2012-06-29 00:00:45  2382848  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
    2012-06-16 01:05:02  60304  ----a-w-  C:\Users\IdHusseys\g2mdlhlpx.exe
    2012-06-06 06:06:16  2004480  ----a-w-  C:\Windows\System32\msxml6.dll
    2012-06-06 06:06:16  1881600  ----a-w-  C:\Windows\System32\msxml3.dll
    2012-06-06 06:02:54  1133568  ----a-w-  C:\Windows\System32\cdosys.dll
    2012-06-06 05:05:52  1390080  ----a-w-  C:\Windows\SysWow64\msxml6.dll
    2012-06-06 05:05:52  1236992  ----a-w-  C:\Windows\SysWow64\msxml3.dll
    2012-06-06 05:03:06  805376  ----a-w-  C:\Windows\SysWow64\cdosys.dll
    .
    ============= FINISH: 20:13:01.63 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/10/2010 2:35:09 PM
    System Uptime: 9/1/2012 5:57:48 PM (3 hours ago)
    .
    Motherboard: Hewlett-Packard | | 363F
    Processor: AMD Athlon(tm) II Dual-Core M320 | Socket S1G3 | 2094/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 219 GiB total, 150.054 GiB free.
    D: is FIXED (NTFS) - 14 GiB total, 2.236 GiB free.
    E: is FIXED (FAT32) - 0 GiB total, 0.092 GiB free.
    F: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Security Processor Loader Driver
    Device ID: ROOT\LEGACY_SPLDR\0000
    Manufacturer:
    Name: Security Processor Loader Driver
    PNP Device ID: ROOT\LEGACY_SPLDR\0000
    Service: spldr
    .
    ==== System Restore Points ===================
    .
    RP360: 8/28/2012 12:42:21 AM - Removed Java 7 Update 6 (64-bit)
    RP361: 8/28/2012 12:49:20 AM - Installed Java 7 Update 6
    RP362: 8/29/2012 10:32:06 PM - Installed Proxy Multiply
    RP363: 8/30/2012 1:30:49 PM - Removed Proxy Multiply
    RP364: 8/31/2012 5:36:32 PM - Windows Update
    RP365: 8/31/2012 7:32:13 PM - Configured Power2Go
    RP366: 8/31/2012 7:34:47 PM - Configured PowerDirector
    RP367: 8/31/2012 7:44:01 PM - Removed Fresh Proxy Scraper.
    RP368: 8/31/2012 7:45:03 PM - Removed iTunes
    RP369: 8/31/2012 7:45:58 PM - Removed Microsoft Silverlight
    RP370: 8/31/2012 7:46:38 PM - Removed muvee Reveal
    RP371: 8/31/2012 7:51:35 PM - Removed iTunes
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.4)
    Adobe Shockwave Player
    Adobe Shockwave Player 11.6
    Amazon Kindle
    AMD USB Filter Driver
    Apple Application Support
    Apple Software Update
    Atheros Driver Installation Program
    AVS Audio Converter 7
    AVS Audio Editor 7.1
    AVS Audio Recorder version 4.0
    AVS Cover Editor 2.0.1.3
    AVS Disc Creator 5
    AVS Document Converter 2.1.2
    AVS DVD Copy version 4.1.2
    AVS Screen Capture version 2.0.1
    AVS Update Manager 1.0
    AVS Video Converter 8
    AVS Video Editor 6
    AVS Video Recorder 2.4
    AVS Video ReMaker 4.0.8.140
    AVS4YOU Software Navigator 1.4
    BacklinkTopia
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    CurationSoft
    D3DX10
    Directory Submitter 1.0.29
    Dropbox
    FileZilla Client 3.5.3
    FreeMind
    GFX Video Writer
    GFX Writer
    GIMP 2.6.11
    Google Chrome
    GoToMeeting 5.2.0.952
    Hewlett-Packard ACLM.NET v1.1.0.0
    HMA! Pro VPN 2.6.9
    HP Customer Experience Enhancements
    HP Product Detection
    HP Update
    HP User Guides 0148
    HP Wireless Assistant
    IDT Audio
    Image Crusher
    Jigs@w Puzzle Promo Creator 2.1
    Junk Mail filter update
    jZip
    LastPass (uninstall only)
    LightScribe System Software
    Magic Article Rewriter
    Magic Article Submitter
    Magic Rank Tracker version 2.7
    Magic Tokens Database 2.0
    Malwarebytes Anti-Malware version 1.62.0.1300
    Market Samurai
    MarketMeSuite
    Mesh Runtime
    Messenger Companion
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft WSE 3.0
    Mozilla Firefox 14.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MP3 Skype Recorder
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NP Checker
    OpenOffice.org 3.4.1
    PAD SubmitWorker 1.2
    PDF2EXE 3.0
    PressBot
    QuickTime
    Realtek 8136 8168 8169 Ethernet Driver
    Realtek USB 2.0 Card Reader
    Recovery Manager
    RSSBot
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    SEO PowerSuite
    SERPAttacks
    SERPAttacks Video Tutorial
    Skype™ 5.8
    swMSM
    The 5 Bucks a Day Action Enforcer
    Tracker
    Unity Web Player
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    VideoBot
    VIPRE Antivirus
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Xenu's Link Sleuth
    XMind
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/1/2012 7:05:53 AM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    9/1/2012 5:58:31 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 5:58:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    9/1/2012 5:58:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    9/1/2012 5:58:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    9/1/2012 5:58:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    9/1/2012 5:58:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/1/2012 5:58:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    9/1/2012 5:58:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/1/2012 5:58:05 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/1/2012 5:02:50 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
    9/1/2012 5:01:24 PM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
    9/1/2012 4:58:55 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 3:49:31 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    9/1/2012 3:42:23 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
    9/1/2012 3:42:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    8/31/2012 8:02:43 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    8/31/2012 8:02:43 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    8/31/2012 6:21:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    8/31/2012 6:06:51 PM, Error: Microsoft-Windows-Directory-Services-SAM [12291] - SAM failed to start the TCP/IP or SPX/IPX listening thread
    8/31/2012 6:05:48 PM, Error: Service Control Manager [7023] - The Peer Name Resolution Protocol service terminated with the following error: Access is denied.
    8/31/2012 6:05:48 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: Access is denied.
    8/31/2012 6:05:48 PM, Error: Microsoft-Windows-PNRPSvc [102] - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80070005.
    8/28/2012 6:38:05 PM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
    .
    ==== End Of File ===========================
     
  2. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    Following are the "extra" reports (Bootkit Remover and MBRcheck.exe). I wasn't requested to run them, but was following a thread where Broni helped someone with the same symptoms as me, a rogue scanner virus.


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...


    ##=============================================##


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version:Windows 7 Home Premium Edition
    Windows Information:Service Pack 1 (build 7601), 64-bit
    Base Board Manufacturer:Hewlett-Packard
    BIOS Manufacturer:Hewlett-Packard
    System Manufacturer:Hewlett-Packard
    System Product Name:presario CQ61 Notebook PC
    Logical Drives Mask:0x0000007c

    Kernel Drivers (total 233):
    0x02C4F000 \SystemRoot\system32\ntoskrnl.exe
    0x02C06000 \SystemRoot\system32\hal.dll
    0x00BD1000 \SystemRoot\system32\kdcom.dll
    0x00C13000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
    0x00C20000 \SystemRoot\system32\PSHED.dll
    0x00C34000 \SystemRoot\system32\CLFS.SYS
    0x00C92000 \SystemRoot\system32\CI.dll
    0x00D52000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x00C00000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x00E63000 \SystemRoot\system32\drivers\ACPI.sys
    0x00EBA000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x00EC3000 \SystemRoot\system32\drivers\msisadrv.sys
    0x00ECD000 \SystemRoot\system32\drivers\pci.sys
    0x00F00000 \SystemRoot\system32\drivers\vdrvroot.sys
    0x00F0D000 \SystemRoot\system32\drivers\isapnp.sys
    0x00F16000 \SystemRoot\system32\drivers\mpio.sys
    0x00F40000 \SystemRoot\System32\drivers\partmgr.sys
    0x00F55000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x00F5E000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x00F6A000 \SystemRoot\system32\drivers\volmgr.sys
    0x00F7F000 \SystemRoot\System32\drivers\volmgrx.sys
    0x00FDB000 \SystemRoot\system32\drivers\intelide.sys
    0x00FE3000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x00FF3000 \SystemRoot\system32\drivers\aliide.sys
    0x00E00000 \SystemRoot\system32\drivers\amdide.sys
    0x00E07000 \SystemRoot\system32\drivers\cmdide.sys
    0x00E0F000 \SystemRoot\System32\drivers\mountmgr.sys
    0x00E29000 \SystemRoot\system32\drivers\msdsm.sys
    0x01029000 \SystemRoot\system32\drivers\nvraid.sys
    0x01051000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x01081000 \SystemRoot\system32\drivers\pciide.sys
    0x01088000 \SystemRoot\system32\drivers\viaide.sys
    0x01090000 \SystemRoot\system32\drivers\iaStorV.sys
    0x011AE000 \SystemRoot\system32\drivers\atapi.sys
    0x011B7000 \SystemRoot\system32\drivers\ataport.SYS
    0x011E1000 \SystemRoot\system32\DRIVERS\lsi_sas.sys
    0x01227000 \SystemRoot\system32\DRIVERS\storport.sys
    0x0128A000 \SystemRoot\system32\drivers\msahci.sys
    0x01295000 \SystemRoot\system32\drivers\HpSAMD.sys
    0x012AC000 \SystemRoot\system32\DRIVERS\adp94xx.sys
    0x01327000 \SystemRoot\system32\DRIVERS\adpahci.sys
    0x0137D000 \SystemRoot\system32\DRIVERS\adpu320.sys
    0x013AC000 \SystemRoot\system32\drivers\amdsata.sys
    0x01485000 \SystemRoot\system32\DRIVERS\amdsbs.sys
    0x014CC000 \SystemRoot\system32\drivers\amdxata.sys
    0x014D7000 \SystemRoot\system32\DRIVERS\arc.sys
    0x014F0000 \SystemRoot\system32\DRIVERS\arcsas.sys
    0x0150B000 \SystemRoot\system32\DRIVERS\elxstor.sys
    0x01592000 \SystemRoot\system32\DRIVERS\iirsp.sys
    0x015A3000 \SystemRoot\system32\DRIVERS\lsi_fc.sys
    0x015C2000 \SystemRoot\system32\DRIVERS\lsi_sas2.sys
    0x015D5000 \SystemRoot\system32\DRIVERS\lsi_scsi.sys
    0x015F4000 \SystemRoot\system32\DRIVERS\megasas.sys
    0x0169B000 \SystemRoot\system32\DRIVERS\MegaSR.sys
    0x0173F000 \SystemRoot\system32\DRIVERS\nfrd960.sys
    0x0174F000 \SystemRoot\system32\drivers\nvstor.sys
    0x0181F000 \SystemRoot\system32\DRIVERS\ql2300.sys
    0x0177A000 \SystemRoot\system32\DRIVERS\ql40xx.sys
    0x019C3000 \SystemRoot\system32\DRIVERS\SiSRaid2.sys
    0x019D1000 \SystemRoot\system32\DRIVERS\sisraid4.sys
    0x019E9000 \SystemRoot\system32\DRIVERS\stexstor.sys
    0x01600000 \SystemRoot\system32\DRIVERS\vsmraid.sys
    0x0162A000 \SystemRoot\system32\drivers\fltmgr.sys
    0x01800000 \SystemRoot\system32\drivers\fileinfo.sys
    0x01A3C000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x01400000 \SystemRoot\System32\Drivers\msrpc.sys
    0x01BDF000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x01C69000 \SystemRoot\System32\Drivers\cng.sys
    0x01CDB000 \SystemRoot\System32\drivers\pcw.sys
    0x01CEC000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x01CF6000 \SystemRoot\system32\drivers\ndis.sys
    0x01C00000 \SystemRoot\system32\drivers\NETIO.SYS
    0x01A00000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x01E89000 \SystemRoot\System32\drivers\tcpip.sys
    0x0208C000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x020D6000 \SystemRoot\system32\DRIVERS\wd.sys
    0x020DE000 \SystemRoot\system32\drivers\volsnap.sys
    0x0212A000 \SystemRoot\System32\Drivers\spldr.sys
    0x02132000 \SystemRoot\system32\drivers\sbp2port.sys
    0x0214F000 \SystemRoot\System32\drivers\rdyboost.sys
    0x02189000 \SystemRoot\System32\Drivers\mup.sys
    0x0219B000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x021A4000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x021DE000 \SystemRoot\system32\DRIVERS\disk.sys
    0x021F4000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
    0x01E38000 \SystemRoot\system32\drivers\cdrom.sys
    0x01E62000 \SystemRoot\System32\Drivers\Null.SYS
    0x01E6B000 \SystemRoot\System32\Drivers\Beep.SYS
    0x01E72000 \SystemRoot\System32\drivers\vga.sys
    0x01676000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x01DE9000 \SystemRoot\System32\drivers\watchdog.sys
    0x01E80000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x01C60000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x01A2A000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x01814000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x017D9000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x0145E000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x019F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x042FB000 \SystemRoot\system32\drivers\afd.sys
    0x04384000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x043C9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x043D2000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x04200000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x04216000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x04242000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x0425D000 \SystemRoot\system32\drivers\termdd.sys
    0x04271000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x042C2000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x042CE000 \SystemRoot\system32\drivers\mssmbios.sys
    0x042D9000 \SystemRoot\System32\drivers\discache.sys
    0x013CA000 \SystemRoot\System32\Drivers\dfsc.sys
    0x042E8000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x01200000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x04225000 \SystemRoot\system32\DRIVERS\amdppm.sys
    0x0465B000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x04C72000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x04CA8000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x04D9C000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x03429000 \SystemRoot\system32\DRIVERS\athrx.sys
    0x035B2000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x035BF000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
    0x03400000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x04600000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x0340B000 \SystemRoot\system32\DRIVERS\usbfilter.sys
    0x03418000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x04DE2000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x01000000 \SystemRoot\system32\drivers\HDAudBus.sys
    0x050FB000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x05119000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x05128000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x0518F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x0519E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x051A3000 \SystemRoot\system32\drivers\wmiacpi.sys
    0x051AC000 \SystemRoot\system32\drivers\CompositeBus.sys
    0x051BC000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x051D2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x05000000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x0500C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x0503B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x05056000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x05077000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x05091000 \SystemRoot\system32\DRIVERS\tap0901.sys
    0x0509E000 \SystemRoot\system32\drivers\swenum.sys
    0x050A0000 \SystemRoot\system32\drivers\ks.sys
    0x050E3000 \SystemRoot\system32\drivers\umbus.sys
    0x0529A000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x052F4000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x05309000 \SystemRoot\system32\DRIVERS\stwrt64.sys
    0x05384000 \SystemRoot\system32\DRIVERS\portcls.sys
    0x053C1000 \SystemRoot\system32\DRIVERS\drmk.sys
    0x053E3000 \SystemRoot\system32\drivers\ksthunk.sys
    0x0546A000 \SystemRoot\system32\DRIVERS\agrsm64.sys
    0x0559B000 \SystemRoot\system32\drivers\modem.sys
    0x055AA000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x055B8000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x055C4000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x055CF000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x00060000 \SystemRoot\System32\win32k.sys
    0x055E2000 \SystemRoot\System32\drivers\Dxapi.sys
    0x05400000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x0541B000 \SystemRoot\system32\DRIVERS\dc3d.sys
    0x0542D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x05436000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x05444000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x05200000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x0545D000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
    0x055EE000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x0521D000 \SystemRoot\system32\DRIVERS\point64.sys
    0x0522D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x0523B000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x00550000 \SystemRoot\System32\TSDDD.dll
    0x007C0000 \SystemRoot\System32\cdd.dll
    0x00960000 \SystemRoot\System32\ATMFD.DLL
    0x05249000 \SystemRoot\system32\drivers\luafv.sys
    0x0526C000 \SystemRoot\system32\DRIVERS\sbapifs.sys
    0x01E00000 \SystemRoot\system32\drivers\WudfPf.sys
    0x053E9000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x03C98000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x03CEB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x03CFE000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x03D16000 \SystemRoot\system32\drivers\HTTP.sys
    0x03DDF000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x03C00000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x03C18000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x03C45000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x04EFB000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x04F1F000 \SystemRoot\system32\drivers\peauth.sys
    0x04FC5000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x04E00000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x04E31000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x04E43000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x06E98000 \SystemRoot\System32\DRIVERS\srv.sys
    0x06F30000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x06F61000 \SystemRoot\system32\DRIVERS\sbwtis.sys
    0x77420000 \Windows\System32\ntdll.dll
    0x47BE0000 \Windows\System32\smss.exe
    0xFF740000 \Windows\System32\apisetschema.dll
    0xFFE90000 \Windows\System32\autochk.exe
    0xFF600000 \Windows\System32\rpcrt4.dll
    0xFF560000 \Windows\System32\clbcatq.dll
    0xFF550000 \Windows\System32\lpk.dll
    0xFF470000 \Windows\System32\advapi32.dll
    0xFF420000 \Windows\System32\ws2_32.dll
    0xFF3B0000 \Windows\System32\gdi32.dll
    0x77300000 \Windows\System32\kernel32.dll
    0xFF390000 \Windows\System32\imagehlp.dll
    0xFF310000 \Windows\System32\shlwapi.dll
    0xFF100000 \Windows\System32\ole32.dll
    0xFE370000 \Windows\System32\shell32.dll
    0xFE340000 \Windows\System32\imm32.dll
    0xFE2C0000 \Windows\System32\difxapi.dll
    0x771A0000 \Windows\System32\wininet.dll
    0xFE1F0000 \Windows\System32\usp10.dll
    0x775F0000 \Windows\System32\psapi.dll
    0x76F90000 \Windows\System32\iertutil.dll
    0x76E90000 \Windows\System32\user32.dll
    0xFE1D0000 \Windows\System32\sechost.dll
    0xFDFF0000 \Windows\System32\setupapi.dll
    0xFDF10000 \Windows\System32\oleaut32.dll
    0x775E0000 \Windows\System32\normaliz.dll
    0xFDE70000 \Windows\System32\comdlg32.dll
    0xFDE10000 \Windows\System32\Wldap32.dll
    0xFDD70000 \Windows\System32\msvcrt.dll
    0xFDC60000 \Windows\System32\msctf.dll
    0xFDC50000 \Windows\System32\nsi.dll
    0x76D40000 \Windows\System32\urlmon.dll
    0xFDBE0000 \Windows\System32\KernelBase.dll
    0xFDA70000 \Windows\System32\crypt32.dll
    0xFDA30000 \Windows\System32\cfgmgr32.dll
    0xFDA10000 \Windows\System32\devobj.dll
    0xFD970000 \Windows\System32\comctl32.dll
    0xFD930000 \Windows\System32\wintrust.dll
    0xFD920000 \Windows\System32\msasn1.dll

    Processes (total 77):
    0 System Idle Process
    4 System
    272 C:\Windows\System32\smss.exe
    376 csrss.exe
    444 C:\Windows\System32\wininit.exe
    476 csrss.exe
    508 C:\Windows\System32\services.exe
    524 C:\Windows\System32\lsass.exe
    532 C:\Windows\System32\lsm.exe
    640 C:\Windows\System32\winlogon.exe
    704 C:\Windows\System32\svchost.exe
    848 C:\Windows\System32\svchost.exe
    892 C:\Windows\System32\atiesrxx.exe
    984 C:\Windows\System32\svchost.exe
    112 C:\Windows\System32\svchost.exe
    308 C:\Windows\System32\svchost.exe
    328 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\stacsv64.exe
    1248 C:\Windows\System32\svchost.exe
    1312 C:\Windows\System32\atieclxx.exe
    1340 C:\Windows\System32\svchost.exe
    1492 C:\Windows\System32\wlanext.exe
    1500 C:\Windows\System32\conhost.exe
    1556 C:\Windows\System32\spoolsv.exe
    1596 C:\Windows\System32\svchost.exe
    1724 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    1776 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
    1808 C:\Program Files\LSI SoftModem\agr64svc.exe
    1828 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1864 C:\Program Files\Bonjour\mDNSResponder.exe
    1912 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    1988 C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe
    1144 C:\Windows\System32\svchost.exe
    1240 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    2044 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    2292 WUDFHost.exe
    2332 C:\Windows\System32\svchost.exe
    2608 C:\Windows\System32\dwm.exe
    2652 C:\Windows\explorer.exe
    2860 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2868 C:\Program Files\IDT\WDM\sttray64.exe
    2876 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    2888 C:\Program Files\Microsoft IntelliType Pro\itype.exe
    2896 C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    2912 C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe
    2956 C:\Users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe
    3052 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    2008 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    2396 C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    212 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    2640 C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    2788 C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe
    3200 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    3404 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    3560 C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe
    3712 C:\Windows\System32\SearchIndexer.exe
    3808 WmiPrvSE.exe
    3844 C:\Windows\System32\svchost.exe
    3920 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3012 C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
    2252 C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    3612 C:\Windows\System32\svchost.exe
    5104 C:\Program Files (x86)\Notepad++\notepad++.exe
    192 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
    3640 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
    1096 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
    4788 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
    4864 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
    4652 C:\Users\IdHusseys\AppData\Local\Google\Chrome\Application\chrome.exe
    2264 C:\Windows\System32\taskeng.exe
    1152 C:\Windows\SysWOW64\dllhost.exe
    4704 C:\Users\IdHusseys\Desktop\boot_cleaner.exe
    732 C:\Windows\System32\conhost.exe
    4792 C:\Windows\System32\SearchProtocolHost.exe
    3984 C:\Windows\System32\SearchFilterHost.exe
    2344 C:\Users\IdHusseys\Desktop\MBRCheck.exe
    3148 C:\Windows\System32\conhost.exe
    3480 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000036`d0b00000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x0000003a`32300000 (FAT32)

    PhysicalDrive0 Model Number: WDCWD2500BEKT-60V5T1, Rev: 12.01A12

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: 9F3807A0B71B8DD1FE0EB7D673BFB161086C5C76


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  3. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
     
  4. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    Thank you, Broni for the reply.

    RogueKiller V8.0.2 [08/31/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Safe mode with network support
    User : IdHusseys [Admin rights]
    Mode : Scan -- Date : 09/02/2012 14:18:54

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 7 ¤¤¤
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : Root.MBR ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500BEKT-60V5T1 ATA Device +++++
    --- User ---
    [MBR] 063cd16551c74d8b53b77c1f4cb4d721
    [BSP] 7e6fdc35a5d3f9ce16c15f62b998a65f : Windows Vista/7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 224323 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 459823104 | Size: 13848 Mo
    3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] c5c35f84d2d2fd722db9db451cc7575e
    [BSP] ee44ff2e1f76c9b9ff9f80d326267ede : MaxSS MBR Code!
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 224323 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 459823104 | Size: 13848 Mo
    3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo

    +++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
    --- User ---
    [MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
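The finding that matters in the report above (and in the Bootkit Remover and MBRCheck output earlier in this thread) is that sector 0 reads differently depending on how it is read: the "User" view, which is what Windows serves, carries standard boot code, while the low-level "LL2" view shows MaxSS boot code with an identical partition table. The script below is an added example, not RogueKiller's own code; it parses that "MBR Check" section, recomputes the User-vs-LL2 comparison from the hashes, checks that only the boot code differs, and handles the drive whose raw read failed. The line layout is inferred from the report as posted, and SAMPLE_REPORT is a constructed excerpt of it.

```python
"""Triage the "MBR Check" section of a RogueKiller report.

Added example, not RogueKiller's own code: the line layout is inferred from the
report posted above, and SAMPLE_REPORT is a constructed excerpt of it.  "User"
is sector 0 as Windows serves it, "LL2" a low-level read of the same sector; a
bootkit that hooks the disk stack makes those two views differ.
"""
import re

SAMPLE_REPORT = """
+++++ PhysicalDrive0: WDC WD2500BEKT-60V5T1 ATA Device +++++
--- User ---
[MBR] 063cd16551c74d8b53b77c1f4cb4d721
[BSP] 7e6fdc35a5d3f9ce16c15f62b998a65f : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 224323 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 459823104 | Size: 13848 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c5c35f84d2d2fd722db9db451cc7575e
[BSP] ee44ff2e1f76c9b9ff9f80d326267ede : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 224323 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 459823104 | Size: 13848 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
"""

DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): (.*?) \+{5}$")
VIEW_RE = re.compile(r"^--- (\w+) ---$")
HASH_RE = re.compile(r"^\[(MBR|BSP)\] ([0-9a-f]{32})(?: : (.+))?$")
PART_RE = re.compile(r"^(\d+) - \[(\w+)\] (\S+) \((0x[0-9a-f]{2})\) \[(\w+)\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")

def parse_report(text):
    """Return {drive: {"model", "ll2_error", "views": {"User"/"LL2": view}}}; a view
    holds the MBR hash (whole sector), BSP hash (boot code only), label and partitions."""
    drives, drive, view = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVE_RE.match(line):
            drive = drives[m.group(1)] = {"model": m.group(2), "ll2_error": False, "views": {}}
            view = None
        elif m := VIEW_RE.match(line):
            view = drive["views"][m.group(1)] = {"MBR": None, "BSP": None, "label": "", "parts": []}
        elif line == "Error reading LL2 MBR!":
            drive["ll2_error"] = True        # raw read failed: no verdict is possible
        elif view is None:
            continue
        elif m := HASH_RE.match(line):
            view[m.group(1)] = m.group(2)
            view["label"] = m.group(3) or view["label"]
        elif m := PART_RE.match(line):
            g = m.groups()
            view["parts"].append((int(g[0]), g[1], g[2], g[3], g[4], int(g[5]), int(g[6])))
    return drives

def assess(drive):
    """Recompute the User-vs-LL2 verdict from the whole-sector hashes."""
    user, ll2 = drive["views"].get("User"), drive["views"].get("LL2")
    if user is None:
        return "no-user-view"
    if ll2 is None:
        return "ll2-unreadable" if drive["ll2_error"] else "ll2-missing"
    if user["MBR"] != ll2["MBR"]:
        return "hidden-mbr"   # Windows is shown a different sector than the disk holds
    return "consistent"

def partition_tables_match(drive):
    """True when both views carry the same partition table, i.e. only boot code differs."""
    v = drive["views"]
    return "User" in v and "LL2" in v and v["User"]["parts"] == v["LL2"]["parts"]

def triage(text):
    """Verdict per drive; on a hit, append the boot code family seen in the raw view."""
    result = {}
    for name, drive in parse_report(text).items():
        verdict = assess(drive)
        if verdict == "hidden-mbr":
            verdict += f" ({drive['views']['LL2']['label']})"
        result[name] = verdict
    return result

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_REPORT).items():
        print(name, verdict)
```

Run against the excerpt it reports PhysicalDrive0 as "hidden-mbr (MaxSS MBR Code!)" and PhysicalDrive1 as "ll2-unreadable"; the verdict is derived from the two hashes rather than trusted from the tool's own "KO!" line, and the unchanged partition table under both views is the detail that tells a responder the infection is confined to the boot code, which is why fixing the MBR (as the Bootkit Remover output suggests) can be expected to leave the partitions intact.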
     
  5. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  6. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    Sorry for being so quiet, Broni - had a to-do list to attend.

    I downloaded aswMBR to a thumb drive, moved it to my infected desktop, and when I click on it nothing happens. The desktop icon darkens like it's been pressed, but nothing else happens. I'm downloading it again to re-try. Does it open a dialog box normally?
     
  7. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  8. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    I've tried "run as administrator" and renaming the file before using it...it won't do anything. Is there an alternative?
     
  9. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    We must be on at the same time - OK, downloading TDSSKiller and will reply after it runs. Thanks.
     
  10. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    No can do, Broni. It won't run. I've tried in normal mode, normal mode w/o internet, safe mode w/networking and safe mode. I've "run as administrator" from the removable drive as well as the desktop: TDSSKiller won't open.
     
  11. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    Just to follow up - yesterday I was able to select "properties" on my desktop icons (which before I was unable to access), and de-select "hidden" - but I see now a handful of my icons have re-hidden themselves. All ears for alternatives at your next convenience. Thanks again.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
     
  13. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    I did as asked - closed all applications/programs, ran FixTDSS and same problem:

    "Catalyst Control Centre has stopped working" (lost connection with host or something). Then the program won't open after that dialogue. I tried in safe mode and regular.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  15. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    When I choose "repair your computer" I get a black screen. I've tried it 3 times. Also earlier I tried to rename the various TDSS killer programs, following advice from another thread to that effect on BleepingComputer. I used names like "iexplore.exe" and "system" etc. It didn't work.

    I should also back up and relate that I've been having Chrome redirect a lot this past year, randomly (come to think of it). Or at various times I'd select text or a URL and then "copy" and when I paste, it would paste various gobbledegook (a lot of it). So this problem's likely been an old ongoing one that just got worse for some reason.

    Anyhow, I appreciate you hanging in there, I'm missing nearly a week of work thanks to the infection.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Do you have Windows 7 DVD?
     
  17. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    My DVD drive / CDROM drive is broken. Spilled on it about a year ago. Never use CDROMs so never thought about it.
     
  18. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    But to answer you, I don't.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  20. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    It's running! That's a relief. Next post will have results of the report as you requested, thanks again.
     
  21. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    ComboFix 12-09-03.07 - IdHusseys 09/03/2012 23:23:59.7.2 - x64 NETWORK
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2087 [GMT -6:00]
    Running from: c:\users\IdHusseys\Desktop\ComboFix.exe
    AV: GFI Software VIPRE *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
    SP: GFI Software VIPRE *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\data
    c:\data\ZORK1.DAT
    C:\Install.exe
    c:\program files (x86)\Netpeak\NP Checker\RnD.ICS.HelperServiceLibrary.dll
    c:\programdata\ntuser.dat
    c:\users\IdHusseys\AppData\Roaming\.#
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1040@2102780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1040@21027B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1268@3F2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1268@3F27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1390@962780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1390@9627B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@14C@672780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@14C@6727B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1630@1FA2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1630@1FA27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@604@292780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@604@2927B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@8C0@3D2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@8C0@3D27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@9EC@1FD2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@9EC@1FD27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@A50@20E2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@A50@20E27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@D5C@3E2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@D5C@3E27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@E9C@1F92780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@E9C@1F927B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@F28@1F02780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@F28@1F027B0.###
    c:\users\IdHusseys\AppData\Roaming\47f5ae1b-24d4-466b-a5db-c9e5ddf8e247.jpg
    c:\users\IdHusseys\AppData\Roaming\50589760-8184-4ca2-bbaa-cd8f71321bd1.jpg
    c:\users\IdHusseys\AppData\Roaming\7cc09f13-c726-4ba4-ab0c-6ee1c1ae3041.jpg
    c:\users\IdHusseys\AppData\Roaming\867ace52-bbbd-4d66-8b80-6fc6a75e6d09.jpg
    c:\users\IdHusseys\AppData\Roaming\af283af5-d03c-4303-aae4-e645209e6e1a.jpg
    c:\users\IdHusseys\AppData\Roaming\b3b29eab-1fe4-4a5c-91de-7d4947a97ded.jpg
    c:\users\IdHusseys\AppData\Roaming\cead7579-067e-42bf-b761-630e82ccc47f.jpg
    c:\users\IdHusseys\AppData\Roaming\d410ac74-5aad-4b67-8e1b-99eb43872416.jpg
    c:\users\IdHusseys\AppData\Roaming\df262f7d-e504-4498-9a99-65424493037f.jpg
    c:\users\IdHusseys\AppData\Roaming\fd9b4e5b-1383-4f1b-9646-bad6d0ea8428.jpg
    c:\users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\searchplugins\bing-zugo.xml
    c:\users\IdHusseys\AppData\Roaming\ubot
    c:\users\IdHusseys\g2mdlhlpx.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-09-01 12:26 . 2012-09-01 12:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-09-01 07:27 . 2010-05-21 20:13 6851408 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{75EE6CA2-C53E-4E4F-BADA-3E07FA354116}\mpengine.dll
    2012-09-01 00:19 . 2012-09-01 00:19 93 ----a-w- c:\users\IdHusseys\AppData\Roaming\netstat.bat
    2012-08-29 23:41 . 2012-08-29 23:41 47496 ----a-w- c:\windows\SysWow64\sbbd.exe
    2012-08-28 06:50 . 2012-08-28 06:50 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-08-27 01:25 . 2012-08-28 03:34 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-08-26 19:26 . 2012-08-26 19:26 86816 ----a-w- c:\windows\system32\drivers\sbwtis.sys
    2012-08-24 05:34 . 2012-08-24 05:34 14790243 ----a-w- c:\program files (x86)\SERPAttacks_Video.exe
    2012-08-24 05:22 . 2012-09-01 00:51 -------- d-----w- c:\program files (x86)\Market Samurai
    2012-08-24 05:22 . 2012-09-01 00:25 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
    2012-08-24 03:32 . 2012-08-24 03:38 135933721 ----a-w- c:\program files (x86)\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe
    2012-08-22 09:05 . 2012-08-22 09:05 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-22 09:05 . 2012-08-22 09:05 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-22 08:08 . 2012-09-01 00:51 -------- d-----w- C:\lynx_w32
    2012-08-20 22:28 . 2012-08-22 06:27 -------- d--h--w- c:\users\IdHusseys\AppData\Local\ElevatedDiagnostics
    2012-08-15 18:28 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
    2012-08-15 18:28 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
    2012-08-15 18:28 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
    2012-08-15 18:28 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
    2012-08-15 18:28 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
    2012-08-15 18:28 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
    2012-08-15 18:28 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
    2012-08-15 18:28 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
    2012-08-15 18:28 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-15 18:28 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
    2012-08-15 18:28 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-08-15 18:28 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
    2012-08-14 22:24 . 2012-08-23 21:23 15428440 ----a-w- c:\program files (x86)\AdobeAIRInstaller.exe
    2012-08-11 21:18 . 2012-08-23 00:56 -------- d--h--w- c:\users\IdHusseys\AppData\Roaming\Microsys
    2012-08-11 21:17 . 2012-09-01 00:33 -------- d-----w- c:\program files\Microsys
    2012-08-09 21:04 . 2012-08-09 21:04 -------- d--h--w- c:\users\IdHusseys\temp
    2012-08-09 20:55 . 1997-06-06 21:52 11264 ----a-w- c:\windows\SysWow64\SPORDER.DLL
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-29 23:41 . 2010-04-17 16:15 47496 ----a-w- c:\windows\system32\sbbd.exe
    2012-08-28 03:34 . 2011-10-22 00:50 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-24 09:02 . 2012-06-18 01:22 821736 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-08-24 09:02 . 2010-04-16 04:03 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-16 19:07 . 2010-04-11 22:46 62134624 ----a-w- c:\windows\system32\MRT.exe
    2012-08-01 20:36 . 2012-08-01 20:36 82872 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2012-06-09 05:43 . 2012-07-10 18:02 14172672 ----a-w- c:\windows\system32\shell32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-15 17145992]
    "MP3 Skype Recorder"="c:\program files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe" [2011-11-18 1975296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-05 98304]
    "WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2010-03-23 500792]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "SBAMTray"="c:\program files (x86)\GFI Software\VIPRE\SBAMTray.exe" [2012-08-29 3149704]
    .
    c:\users\IdHusseys\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-07 113120]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 216576]
    R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-17 1255736]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-05 203264]
    S2 SBAMSvc;VIPRE Antivirus;c:\program files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2012-08-29 3677000]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 82872]
    S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2012-08-29 175496]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-29 52584]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
    S3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-08-26 86816]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-03-09 36408]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-03-19 17:15 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3455346300-1148100813-3106168065-1000Core.job
    - c:\users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-25 10:18]
    .
    2012-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3455346300-1148100813-3106168065-1000UA.job
    - c:\users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-25 10:18]
    .
    2012-08-12 c:\windows\Tasks\HPCeeScheduleForIdHusseys.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1860496]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
    IE: LastPass - file://c:\users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=lastpass
    IE: LastPass Fill Forms - file://c:\users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=fillforms
    TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
    FF - ProfilePath - c:\users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-WinLiveSuite - c:\program files (x86)\Windows Live\Installer\wlarp.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-04 01:10:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-04 07:09
    .
    Pre-Run: 160,869,343,232 bytes free
    Post-Run: 160,759,435,264 bytes free
    .
    - - End Of File - - 9C622B88A26383E89A9730C23EDF1EA8
     
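As an added example (not part of this thread, and not code from Broni, the poster, or the ComboFix author), the Python script below parses the kind of "Reg Loading Points" section that appears in the ComboFix log above and applies two defender-side triage checks to it: autostart entries whose binary lives under a user-writable directory, and the `"EnableLUA"= 0` policy value the log reports, which means UAC was switched off on this machine. The sample input is constructed from a handful of lines copied out of the posted log; the path markers and the wording of the findings are my own heuristics, not anything ComboFix prints.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the "Reg Loading Points" section of
# the ComboFix log posted above. Not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-15 17145992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files (x86)\GFI Software\VIPRE\SBAMTray.exe" [2012-08-29 3149704]
.
c:\users\IdHusseys\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"""


@dataclass
class Autorun:
    source: str   # registry key or Startup folder that launches the program
    name: str     # registry value name or .lnk file name
    path: str     # executable path as printed by ComboFix
    stamp: str    # file date ComboFix printed in brackets
    size: int     # file size ComboFix printed in brackets


# Line shapes used by ComboFix in this section (derived from the posted log).
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\S+)\s+(\d+)\]$')
LNK_RE = re.compile(r"^(.+?\.lnk) - (.+?)\s*\[(\S+)\s+(\d+)\]$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)$')
STARTUP_DIR_RE = re.compile(r"^[a-z]:\\.*\\startup\\$", re.IGNORECASE)

# Heuristic (my assumption, not a ComboFix rule): a program that starts with the
# session from a directory the logged-on user can write to deserves a second look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\")


def parse_loading_points(text):
    """Return (autoruns, policies) extracted from a ComboFix 'Reg Loading Points' dump."""
    autoruns, policies = [], {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # ComboFix separates blocks with a lone dot
            continue
        m = KEY_RE.match(line)
        if m:                              # a registry key header such as [HKEY_...\Run]
            section = m.group(1)
            continue
        if STARTUP_DIR_RE.match(line):     # the per-user Startup folder header
            section = line
            continue
        if section is None:
            continue
        low = section.lower()
        if low.endswith("\\run"):
            m = VALUE_RE.match(line)
            if m:
                autoruns.append(Autorun(section, m.group(1), m.group(2), m.group(3), int(m.group(4))))
        elif low.endswith("\\startup\\"):
            m = LNK_RE.match(line)
            if m:
                autoruns.append(Autorun(section, m.group(1), m.group(2), m.group(3), int(m.group(4))))
        elif low.endswith("\\policies\\system"):
            m = DWORD_RE.match(line)
            if m:
                policies[m.group(1)] = int(m.group(2))
    return autoruns, policies


def triage(autoruns, policies):
    """Apply the two checks and return human-readable findings for an analyst to review."""
    findings = []
    for a in autoruns:
        if any(marker in a.path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append(f"autorun '{a.name}' launches from a user-writable path: {a.path}")
    # EnableLUA=0 disables UAC entirely: processes in an administrator session run
    # fully elevated, so malware needs no prompt to make machine-wide changes.
    if policies.get("EnableLUA") == 0:
        findings.append("UAC is disabled (EnableLUA=0); re-enable it once the machine is clean")
    return findings


if __name__ == "__main__":
    autoruns, policies = parse_loading_points(SAMPLE_LOG)
    for finding in triage(autoruns, policies):
        print("FINDING:", finding)
```

On the constructed sample the script reports two findings: the Dropbox shortcut (a legitimate program that happens to install under AppData, which shows why this check is a prompt for review rather than a verdict) and the disabled UAC policy. Pasting the real "Reg Loading Points" block from a log into `SAMPLE_LOG` lets the same checks run over every autostart entry ComboFix listed.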
  22. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    Broni -

    I can't connect to the internet on the infected PC. It states:

    Problem with wireless adapter or access point
    "Wireless Network Connection" doesn't have a valid IP configuration

    You mentioned to restart the PC if it can't connect to the internet after Combofix, but it won't reconnect.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Combofix created a restore point yesterday.
    Use it and see if it'll bring back internet connection.
     
  24. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    OK will do that. Then what is the next step? I noticed a lot of hidden files still.
     
  25. CanHazTrojanz?

    CanHazTrojanz? TS Enthusiast Topic Starter Posts: 106

    When I go to "Computer > System and Security > Find a Restore point (or whatever it says) > Open System Restore (however it's worded)"

    The last restore point is when I noticed the File Recovery rogue infection on August 31st. How do I access the Combofix restore?
     