TechSpot

Google redirect virus (or similar) in my Win7 64-bit

By erichludwig
Apr 5, 2012
  1. It seems I have a Google Redirect Virus (or similar) in my Win7 64-bit Asus laptop. It's not happening often, and hard to reproduce consistently. MBAM, Spybot and Microsoft Security Essentials don't report anything. Laptop seems a bit slower, fan louder than usual, but no serious hangs or CTD. Hope you can help.

    Note: I'm using a regular desktop computer right now with internet connection to post on this forum (no trouble with this computer since it's behind a serious firewall at my job, with McAfee enterprise antivirus and such things). My laptop is offline, right next to me. I'm swapping files between both computers with a USB drive.

    Here are my logs in the next posts (step 1 to 5, I did this yesterday evening):

    I hope you can help. Thank you for your wonderful service.
     
  2. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    My MBAM log

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.04.09

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    admin :: G51J [administrator]

    04/04/2012 7:31:42 PM
    mbam-log-2012-04-04 (19-31-42).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 330054
    Time elapsed: 44 minute(s), 3 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  3. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    MBR check part 1

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: Service Pack 1 (build 7601), 64-bit
    Base Board Manufacturer: PEGATRON CORPORATION
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: ASUSTek Computer Inc.
    System Product Name: G60J
    Logical Drives Mask: 0x0000017c

    Kernel Drivers (total 209):
    0x02E67000 \SystemRoot\system32\ntoskrnl.exe
    0x02E1E000 \SystemRoot\system32\hal.dll
    0x00BA3000 \SystemRoot\system32\kdcom.dll
    0x00C46000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x00C95000 \SystemRoot\system32\PSHED.dll
    0x00CA9000 \SystemRoot\system32\CLFS.SYS
    0x00D07000 \SystemRoot\system32\CI.dll
    0x00E30000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x00ED4000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x00EE3000 \SystemRoot\system32\drivers\ACPI.sys
    0x00F3A000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x00F43000 \SystemRoot\system32\drivers\msisadrv.sys
    0x00F4D000 \SystemRoot\system32\drivers\pci.sys
    0x00F80000 \SystemRoot\system32\drivers\vdrvroot.sys
    0x00F8D000 \SystemRoot\System32\drivers\partmgr.sys
    0x00FA2000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x00FAB000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x00FB7000 \SystemRoot\system32\drivers\volmgr.sys
    0x0102A000 \SystemRoot\System32\drivers\volmgrx.sys
    0x01086000 \SystemRoot\system32\drivers\pciide.sys
    0x0108D000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x0109D000 \SystemRoot\System32\drivers\mountmgr.sys
    0x010B7000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x011D3000 \SystemRoot\system32\drivers\atapi.sys
    0x01000000 \SystemRoot\system32\drivers\ataport.SYS
    0x011DC000 \SystemRoot\system32\drivers\msahci.sys
    0x011E7000 \SystemRoot\system32\drivers\amdxata.sys
    0x012E9000 \SystemRoot\system32\drivers\fltmgr.sys
    0x01335000 \SystemRoot\system32\drivers\fileinfo.sys
    0x01349000 \SystemRoot\System32\Drivers\AsDsm.sys
    0x01430000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x01356000 \SystemRoot\System32\Drivers\msrpc.sys
    0x015D3000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x01200000 \SystemRoot\System32\Drivers\cng.sys
    0x015EE000 \SystemRoot\System32\drivers\pcw.sys
    0x01400000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x016C3000 \SystemRoot\system32\drivers\ndis.sys
    0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
    0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x018BF000 \SystemRoot\System32\drivers\tcpip.sys
    0x01AC3000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x01B0D000 \SystemRoot\system32\drivers\volsnap.sys
    0x01B59000 \SystemRoot\System32\Drivers\spldr.sys
    0x01B61000 \SystemRoot\System32\drivers\rdyboost.sys
    0x01B9B000 \SystemRoot\System32\Drivers\mup.sys
    0x01BAD000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x01BB6000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x01800000 \SystemRoot\system32\DRIVERS\disk.sys
    0x01816000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x04400000 \SystemRoot\system32\drivers\cdrom.sys
    0x0442A000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0x0445B000 \SystemRoot\System32\Drivers\Null.SYS
    0x04464000 \SystemRoot\System32\Drivers\Beep.SYS
    0x0446B000 \SystemRoot\System32\drivers\vga.sys
    0x04479000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x0449E000 \SystemRoot\System32\drivers\watchdog.sys
    0x044AE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x045EE000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x045F7000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x01854000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x0185F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x01870000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x01892000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x042DD000 \SystemRoot\system32\drivers\afd.sys
    0x04366000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x043AB000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x043B4000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x043DA000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x043F0000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x04200000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x0421B000 \SystemRoot\system32\drivers\termdd.sys
    0x0422F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x04280000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x0428C000 \SystemRoot\system32\drivers\mssmbios.sys
    0x04297000 \SystemRoot\System32\drivers\discache.sys
    0x042A6000 \SystemRoot\System32\Drivers\dfsc.sys
    0x042C4000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x0168B000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x05897000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x063A0000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
    0x04A09000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x04AFD000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x04B43000 \SystemRoot\system32\drivers\usbehci.sys
    0x04B54000 \SystemRoot\system32\drivers\USBPORT.SYS
    0x04BAA000 \SystemRoot\system32\drivers\HDAudBus.sys
    0x04CCC000 \SystemRoot\system32\DRIVERS\NETw1v64.sys
    0x05393000 \SystemRoot\system32\drivers\sdbus.sys
    0x053B3000 \SystemRoot\system32\DRIVERS\rimspe64.sys
    0x04C00000 \SystemRoot\system32\DRIVERS\rixdpe64.sys
    0x04C56000 \SystemRoot\system32\drivers\1394ohci.sys
    0x04C94000 \SystemRoot\system32\DRIVERS\L1C62x64.sys
    0x04CA7000 \SystemRoot\system32\drivers\i8042prt.sys
    0x063A2000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x04CC5000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x053CC000 \SystemRoot\system32\drivers\mouclass.sys
    0x053DB000 \SystemRoot\system32\DRIVERS\kbfiltr.sys
    0x053E3000 \SystemRoot\system32\drivers\kbdclass.sys
    0x053F2000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x04BCE000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x053F7000 \SystemRoot\system32\DRIVERS\ATK64AMD.sys
    0x04BE4000 \SystemRoot\system32\drivers\CompositeBus.sys
     
  4. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    MBR check part 2

    0x05800000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x05816000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x04BF4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x0583A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x05869000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x017B6000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x0189F000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x04CC7000 \SystemRoot\system32\drivers\swenum.sys
    0x01272000 \SystemRoot\system32\drivers\ks.sys
    0x04A00000 \SystemRoot\system32\drivers\WmBEnum.sys
    0x05884000 \SystemRoot\system32\drivers\WmXlCore.sys
    0x063EE000 \SystemRoot\system32\drivers\umbus.sys
    0x068FB000 \SystemRoot\system32\drivers\usbhub.sys
    0x06955000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x08807000 \SystemRoot\system32\drivers\RTKVHD64.sys
    0x0696A000 \SystemRoot\system32\drivers\portcls.sys
    0x069A7000 \SystemRoot\system32\drivers\drmk.sys
    0x089EC000 \SystemRoot\system32\drivers\ksthunk.sys
    0x00010000 \SystemRoot\System32\win32k.sys
    0x089F2000 \SystemRoot\System32\drivers\Dxapi.sys
    0x069C9000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x044B7000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x069D7000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x069EA000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x06800000 \SystemRoot\System32\Drivers\BTHUSB.sys
    0x06818000 \SystemRoot\System32\Drivers\bthport.sys
    0x004D0000 \SystemRoot\System32\TSDDD.dll
    0x03E70000 \SystemRoot\system32\DRIVERS\xnacc.sys
    0x03F1E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x0480A000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0x049C2000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0x049D3000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0x006A0000 \SystemRoot\System32\cdd.dll
    0x049DC000 \SystemRoot\system32\drivers\luafv.sys
    0x03F3B000 \SystemRoot\system32\drivers\WudfPf.sys
    0x03F5C000 \SystemRoot\system32\DRIVERS\rfcomm.sys
    0x03F88000 \SystemRoot\system32\drivers\BthEnum.sys
    0x03F98000 \SystemRoot\system32\DRIVERS\bthpan.sys
    0x0721E000 \SystemRoot\system32\DRIVERS\btwavdt.sys
    0x07299000 \SystemRoot\system32\drivers\btwaudio.sys
    0x0731F000 \SystemRoot\system32\DRIVERS\btwl2cap.sys
    0x0732B000 \SystemRoot\system32\DRIVERS\btwrchid.sys
    0x0732F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x07348000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x07351000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x07366000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x073B9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x073CC000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x073E4000 \??\C:\Program Files\ATKGFNEX\ASMMAP64.sys
    0x09EA5000 \SystemRoot\system32\drivers\HTTP.sys
    0x09F6E000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x09F8C000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x09FA4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x09E00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x09E4E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x0A229000 \SystemRoot\system32\drivers\peauth.sys
    0x0A2CF000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x0A2DA000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x0A30B000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x0A31D000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x0A6DF000 \SystemRoot\System32\DRIVERS\srv.sys
    0x0A777000 \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
    0x0A78F000 \SystemRoot\system32\drivers\WmVirHid.sys
    0x0A792000 \SystemRoot\system32\drivers\kbdhid.sys
    0x0A7A0000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x0A7AD000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x0A7E3000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x0A600000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x77AE0000 \Windows\System32\ntdll.dll
    0x47D10000 \Windows\System32\smss.exe
    0xFFE00000 \Windows\System32\apisetschema.dll
    0xFF110000 \Windows\System32\autochk.exe
    0x77CB0000 \Windows\System32\psapi.dll
    0x77990000 \Windows\System32\urlmon.dll
    0xFFDD0000 \Windows\System32\sechost.dll
    0xFFD60000 \Windows\System32\gdi32.dll
    0xFFD50000 \Windows\System32\lpk.dll
    0xFFD30000 \Windows\System32\imagehlp.dll
    0xFFC00000 \Windows\System32\rpcrt4.dll
    0xFFB80000 \Windows\System32\shlwapi.dll
    0xFF9A0000 \Windows\System32\setupapi.dll
    0xFF900000 \Windows\System32\clbcatq.dll
    0x77830000 \Windows\System32\wininet.dll
    0xFF6F0000 \Windows\System32\ole32.dll
    0x77730000 \Windows\System32\user32.dll
    0xFF6E0000 \Windows\System32\nsi.dll
    0xFE950000 \Windows\System32\shell32.dll
    0xFE880000 \Windows\System32\usp10.dll
    0xFE7A0000 \Windows\System32\oleaut32.dll
    0x77610000 \Windows\System32\kernel32.dll
    0xFE770000 \Windows\System32\imm32.dll
    0xFE690000 \Windows\System32\advapi32.dll
    0xFE630000 \Windows\System32\Wldap32.dll
    0x77400000 \Windows\System32\iertutil.dll
    0xFE590000 \Windows\System32\comdlg32.dll
    0xFE540000 \Windows\System32\ws2_32.dll
    0xFE430000 \Windows\System32\msctf.dll
    0xFE3B0000 \Windows\System32\difxapi.dll
    0xFE310000 \Windows\System32\msvcrt.dll
    0x77CA0000 \Windows\System32\normaliz.dll
    0xFE2D0000 \Windows\System32\wintrust.dll
    0xFE160000 \Windows\System32\crypt32.dll
    0xFE120000 \Windows\System32\cfgmgr32.dll
    0xFE100000 \Windows\System32\devobj.dll
    0xFE060000 \Windows\System32\comctl32.dll
    0xFDFF0000 \Windows\System32\KernelBase.dll
    0xFDFE0000 \Windows\System32\msasn1.dll
    0x75400000 \Windows\SysWOW64\normaliz.dll

    Processes (total 64):
    0 System Idle Process
    4 System
    360 C:\Windows\System32\smss.exe
    516 C:\Windows\System32\csrss.exe
    596 C:\Windows\System32\wininit.exe
    616 C:\Windows\System32\csrss.exe
    656 C:\Windows\System32\services.exe
    664 C:\Windows\System32\lsass.exe
    672 C:\Windows\System32\lsm.exe
    776 C:\Windows\System32\svchost.exe
    844 C:\Windows\System32\nvvsvc.exe
    888 C:\Windows\System32\svchost.exe
    956 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    1000 C:\Windows\System32\svchost.exe
    156 C:\Windows\System32\svchost.exe
    376 C:\Windows\System32\svchost.exe
    724 C:\Windows\System32\winlogon.exe
    1144 C:\Windows\System32\svchost.exe
    1232 C:\Windows\System32\svchost.exe
    1408 C:\Windows\System32\FBAgent.exe
    1456 C:\Program Files (x86)\ASUS\ATK Hotkey\AsLdrSrv.exe
    1584 C:\Program Files\ATKGFNEX\GFNEXSrv.exe
    1676 C:\Windows\System32\spoolsv.exe
    1736 C:\Windows\System32\nvvsvc.exe
    1796 C:\Windows\System32\svchost.exe
    1196 C:\Windows\System32\svchost.exe
    1500 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    2276 C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    2348 C:\Windows\System32\SearchIndexer.exe
    2480 C:\Windows\System32\svchost.exe
    2552 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    2644 C:\Windows\System32\taskhost.exe
    2668 C:\Windows\System32\taskeng.exe
    2744 C:\Windows\System32\dwm.exe
    2772 C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
    2796 C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
    2812 C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
    2836 C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    2852 C:\Program Files\P4G\BatteryLife.exe
    2860 C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
    2888 C:\Windows\explorer.exe
    2920 C:\Windows\SysWOW64\ACEngSvr.exe
    2624 C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
    2980 C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
    3040 C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
    2616 C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
    3164 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3176 C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    3184 C:\Program Files\Microsoft Security Client\msseces.exe
    3248 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    3960 C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
    4000 C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
    1824 C:\Windows\System32\WUDFHost.exe
    1700 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    1840 C:\Windows\System32\svchost.exe
    1904 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    1160 C:\Windows\System32\audiodg.exe
    3032 C:\Windows\System32\VSSVC.exe
    1996 C:\Windows\System32\svchost.exe
    1928 C:\Windows\System32\SearchProtocolHost.exe
    3784 C:\Windows\System32\SearchFilterHost.exe
    3812 C:\Windows\System32\dllhost.exe
    2020 D:\My Data\AntiRootkit\4 master boot record (MBR) check\MBRCheck.exe
    3840 C:\Windows\System32\conhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`a962f000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000016`4aaf6e00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000032`1bc00000 (NTFS)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: ST9320423AS, Rev: 0002SDM1
    PhysicalDrive1 Model Number: ST9320423AS, Rev: 0002SDM1

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
    298 GB \\.\PhysicalDrive1 Unknown MBR code
    SHA1: 16FACB29D75458833E397367B1DA17929157C2B3


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
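    The MBRCheck output above prints a SHA1 for each disk's MBR code and flags PhysicalDrive1 as "Unknown MBR code". The Python below is an added example (not MBRCheck's code and not part of this thread) showing what such a check does over a constructed 512-byte sector: verify the 0x55AA boot signature, hash the boot-code region against a known-good set, and decode the partition table, including the LBA-to-byte-offset arithmetic behind the "at offset" lines. It assumes the classic MBR layout with 440 bytes of boot code (the exact region MBRCheck hashes is not stated on the page), and the boot code and known-good set are constructed stand-ins.

```python
"""Inspect a raw MBR sector in the spirit of the MBRCheck log above.

Added example, not part of this thread and not MBRCheck's own code. Assumptions:
classic MBR layout (440 bytes of bootstrap code, 4-byte disk signature, 2 reserved
bytes, four 16-byte partition entries, 0x55AA boot signature) and a caller-supplied
set of known-good SHA1 hashes of the boot-code region. The boot code and the
known-good set used here are constructed stand-ins, not real Windows boot code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the bootstrap code a bootkit would replace
DISK_SIG_OFF = 440       # 4-byte Windows disk signature (per-disk, so left out of the hash)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    def byte_offset(self) -> int:
        """Start offset in bytes, the figure MBRCheck prints after 'at offset'."""
        return self.lba_start * SECTOR_SIZE


@dataclass
class MbrReport:
    signature_ok: bool
    code_sha1: str
    disk_signature: int
    partitions: List[Partition]
    status: str              # "known", "unknown" or "invalid"


def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four partition entries, skipping empty slots."""
    parts = []
    for i in range(4):
        flag, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(flag == 0x80, ptype, lba, count))
    return parts


def inspect_mbr(raw: bytes, known_good: Set[str]) -> MbrReport:
    """Hash the boot code and classify it against the known-good set.

    "unknown" corresponds to MBRCheck's 'Unknown MBR code': a prompt to compare
    the sector against a trusted copy, not proof of infection by itself.
    """
    if len(raw) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector = raw[:SECTOR_SIZE]
    signature_ok = sector[510:512] == BOOT_SIG
    code_sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    if not signature_ok:
        status, parts = "invalid", []
    else:
        status = "known" if code_sha1 in known_good else "unknown"
        parts = parse_partitions(sector)
    return MbrReport(signature_ok, code_sha1, disk_sig, parts, status)


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed test sector: the given boot code plus one NTFS (0x07)
    partition at LBA 2048, i.e. byte offset 0x100000 like the F: volume in the log."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(16 * 3)
    return code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + BOOT_SIG


# Constructed stand-in boot code (a few plausible opcodes, not a real bootloader).
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
KNOWN_GOOD = {hashlib.sha1(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest().upper()}

# Same partition table, one byte of boot code changed: the hash no longer matches.
_tampered = bytearray(CLEAN_MBR)
_tampered[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = inspect_mbr(blob, KNOWN_GOOD)
        print(f"{name}: {r.status}  SHA1: {r.code_sha1}  "
              f"partitions at {[hex(p.byte_offset()) for p in r.partitions]}")
```

    In a real check the known-good set would be populated from a trusted hash list (the role MBRCheck's database plays), and the sector would come from a read of the physical disk rather than a constructed buffer.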
     
  5. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    DDS log part 1

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
    Run by admin at 19:29:16 on 2012-04-04
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4085.2409 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\FBAgent.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
    C:\Program Files\ATKGFNEX\GFNEXSrv.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
    C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
    C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
    C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    C:\Program Files\P4G\BatteryLife.exe
    C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
    C:\Windows\Explorer.EXE
    C:\Windows\SysWOW64\ACEngSvr.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
    C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\Robocopy.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
     
  6. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    DDS log part 2

    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    uDefault_Page_URL = hxxp://asus.msn.com
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files (x86)\Windows Live\Family Safety\fssbho.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 10.0.1.1
    TCP: Interfaces\{33DDAECC-C18A-46E3-BE32-A72A77DDCFC3} : DhcpNameServer = 10.0.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files (x86)\Windows Live\Family Safety\fssbho.dll
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    BHO-X64: Search Helper - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz1xytif.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://flightsimulatornewsbrief.blogspot.com/
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
    R2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2009-11-13 14904]
    R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
    R2 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
    R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
    R3 NETw1v64;Intel(R) Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw1v64.sys --> C:\Windows\system32\DRIVERS\NETw1v64.sys [?]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-1-31 158856]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-28 253600]
    S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-11-13 79360]
    S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-11-13 79360]
    .
    =============== Created Last 30 ================
    .
    2012-04-04 22:29:35 -------- d-----w- C:\ProgramData\AVAST Software
    2012-04-04 22:29:35 -------- d-----w- C:\Program Files\AVAST Software
    2012-04-03 01:11:05 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0BB0B28A-76DE-444D-8BBF-D5BE26435A04}\mpengine.dll
    2012-03-28 22:18:07 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-03-24 19:30:06 -------- d-----w- C:\Program Files (x86)\FS Panel Studio Demo
    2012-03-18 03:13:36 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
    2012-03-18 03:13:36 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
    2012-03-14 00:57:49 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-03-14 00:57:46 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2012-03-14 00:57:45 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-03-14 00:57:13 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-03-14 00:57:12 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-03-14 00:57:12 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-03-14 00:57:12 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-03-14 00:57:10 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    2012-03-14 00:57:07 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-03-14 00:57:06 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-03-13 22:07:45 -------- d-----w- C:\Program Files (x86)\HexEdit
    2012-03-13 22:07:35 303616 ----a-w- C:\Windows\IsUninst.exe
    .
    ==================== Find3M ====================
    .
    2012-04-02 23:08:00 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-03-28 22:18:07 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
    .
    ============= FINISH: 19:30:08.01 ===============
     
  7. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    End of my logs step 1-5

    I guess these are the first logs you need to make a diagnostic?
    I tried to install avast but it was very unresponsive (freeze) and I uninstalled it. Maybe a conflict with Microsoft Security Essentials? I haven't disabled it (yet).
    Do you need the Attach.txt log from DDS?
    Thanks
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The MBR Check is not in the steps; this is Step 3: GMER. Please go back to the thread and follow the instructions for GMER.

    Preliminary Virus and Malware Removal.
    ===========================================
    Then run Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users, right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    -------------------------------------------
    Then do the following after running the Bootkit Remover:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START boot cleaner.exe fix  \\.\PhysicalDrive1  
    EXIT
    
    
    • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run bootkit.exe again and post its output.
    ================================
    There is another log from the DDS scan. It is named Attach.txt. This is only a name, not a direction. Please find it and include it in your next reply.
    ===================================
    NOTE: "fan louder than usual" = heat. Clean the inside of the laptop carefully.

    "It's not happening often, and hard to reproduce consistently.">>>Please explain what happens in what you are calling a "redirect or similar."
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
    ==========================================
    We will continue after you run the Bootkit remover and answer my questions.
    =======================================
    If you are using a flash drive, I suggest that you protect and disinfect it:
    • Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.


     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We posted at the same time. You do not need Avast if you have MSE; only one antivirus. Please be careful to read all instructions carefully.

    Yes for the Attach.txt log.
     
  11. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    My GMER log

    Will post GMER log soon (currently redoing it, sorry about that)
    Found the Bootkit Remover.zip (in the download area)
    Guess I'm nervous... will breathe deeply and read carefully... Thanks for your patience...
     
  13. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    GMER log

    I guess the correct URL for the Bootkit Remover is
    http://www.smartestcomputing.us.com/files/file/11-bootkit-remover/
    (submitted by Broni Dec 11 2011 04:33 PM)

    So here is my GMER log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-04-05 10:33:00
    Windows 6.1.7601 Service Pack 1
    Running: yqeku1oc.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d48bbe
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d48bbe (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\ADSM_PData_0150 0 bytes
    File C:\ADSM_PData_0150\DB 0 bytes
    File C:\ADSM_PData_0150\DB\SI.db 624 bytes
    File C:\ADSM_PData_0150\DB\UL.db 16 bytes
    File C:\ADSM_PData_0150\DB\VL.db 16 bytes
    File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
    File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
    File C:\ADSM_PData_0150\_avt 512 bytes

    ---- EOF - GMER 1.0.15 ----
     
  14. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    Log before & after Bootkit removal

    So I did the Bootkit steps before and after the fix.bat:

    Before

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`a962f000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...


    After Bootkit removal (looks the same to me, is that ok? maybe not...)

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`a962f000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
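    As an added example (not code from this thread and not Esage Lab's Bootkit Remover), here is a small Python script that shows what the "Boot sector MD5" and "MBR Status" lines above are reporting and answers the question asked in this post: it reads a 512-byte MBR, checks the 0x55AA signature and the partition table, hashes the sector with MD5, and tells you whether the hash changed between a "before" and an "after" run. The sample sector is constructed inline, and the helper and function names are my own.

```python
"""
Added example, not code from this thread or from Esage Lab's Bootkit Remover.
It mirrors what the tool's "Boot sector MD5" / "MBR Status" lines report:
read a 512-byte MBR, verify the 0x55AA signature and partition table, hash
the sector with MD5, and compare that hash with a baseline recorded earlier.
The sample sector is constructed inline; no real disk is read unless you
call read_boot_sector() yourself.
"""
import hashlib
import struct

MBR_SIZE = 512                 # a classic MBR is exactly one sector
BOOT_SIGNATURE = 0x55AA        # last two bytes of a valid boot sector
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16      # four entries of 16 bytes each
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FORMAT = "<B3xB3xII"


def read_boot_sector(path: str) -> bytes:
    """Read-only helper: the first 512 bytes of a disk image file or, on
    Windows as Administrator, a raw device (e.g. \\.\PhysicalDrive0)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_partitions(sector: bytes) -> list:
    """Decode the four partition table entries into dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,   # 0x80 = active, 0x00 = inactive
            "type": ptype,                # 0x07 = NTFS/exFAT, 0x00 = unused
            "lba_start": lba_start,
            "sectors": count,
        })
    return entries


def check_mbr(sector: bytes) -> dict:
    """Structural checks comparable to the tool's "MBR Status" column, plus
    the sector's MD5. Raises ValueError on a short or long read."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    signature = struct.unpack_from(">H", sector, MBR_SIZE - 2)[0]
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    partitions = parse_partitions(sector)
    active = [p for p in partitions if p["bootable"]]
    return {
        "signature_ok": signature == BOOT_SIGNATURE,
        "boot_code_present": any(boot_code),   # all-zero boot code is suspicious
        "bootable_entries": len(active),       # a sane table has 0 or 1
        "md5": hashlib.md5(sector).hexdigest(),
        "partitions": partitions,
    }


def compare_with_baseline(sector: bytes, baseline_md5: str) -> dict:
    """Add a matches_baseline flag: True means the sector is byte-for-byte the
    one hashed earlier, which is what the unchanged before/after runs show."""
    info = check_mbr(sector)
    info["matches_baseline"] = info["md5"] == baseline_md5.lower()
    return info


def build_sample_mbr(boot_code_byte: int = 0x33) -> bytes:
    """Constructed sample sector: filler boot code, one active NTFS partition
    at LBA 2048 spanning 1,000,000 sectors, three empty entries, 0x55AA."""
    boot_code = bytes([boot_code_byte]) * PARTITION_TABLE_OFFSET
    entry = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 1_000_000)
    empty = bytes(PARTITION_ENTRY_SIZE * 3)
    return boot_code + entry + empty + b"\x55\xaa"


if __name__ == "__main__":
    baseline = hashlib.md5(build_sample_mbr()).hexdigest()
    same = compare_with_baseline(build_sample_mbr(), baseline)
    changed = compare_with_baseline(build_sample_mbr(0x90), baseline)
    print("unchanged sector matches baseline:", same["matches_baseline"])
    print("altered boot code matches baseline:", changed["matches_baseline"])
    print("partition 0:", same["partitions"][0])
```

An identical MD5 before and after a "fix" run, as in this post, means the tool found nothing to rewrite; a changed hash with the signature still intact is the case worth a closer look.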
     
  15. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    attach.txt log part 1

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 23/11/2011 8:14:26 PM
    System Uptime: 05/04/2012 9:06:34 AM (1 hours ago)
    .
    Motherboard: PEGATRON CORPORATION | | G60J
    Processor: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz | Socket 989 | 1600/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 36.797 GiB free.
    D: is FIXED (NTFS) - 209 GiB total, 58.725 GiB free.
    E: is FIXED (NTFS) - 98 GiB total, 32.154 GiB free.
    F: is FIXED (NTFS) - 200 GiB total, 87.648 GiB free.
    G: is CDROM ()
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP93: 27/03/2012 8:31:58 PM - Windows Update
    RP94: 28/03/2012 6:09:26 PM - Removed QuickTime
    RP95: 30/03/2012 9:21:17 PM - Windows Update
    RP96: 02/04/2012 6:23:32 PM - Installed Microsoft Flight
    RP97: 02/04/2012 7:07:21 PM - Installed Java(TM) 6 Update 31
    RP98: 04/04/2012 6:29:16 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    737 Captain (737-200) Upgrade 0.5
    737 Captain (737-200) Upgrade 0.7
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1 MUI
    aerosoft's - Tahiti X
    AI Carriers
    ALPHA EFA Typhoon FSX
    ASUS AI Recovery
    ASUS AP Bank
    ASUS Data Security Manager
    ASUS FancyStart
    ASUS LifeFrame3
    ASUS Live Update
    ASUS SmartLogon
    ASUS Splendid Video Enhancement Technology
    ASUS Virtual Camera
    ASUS WebStorage
    ASUS_ScreenSaver_GSeries
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    ATK Generic Function Service
    ATK Hotkey
    ATKOSD2
    Audacity 1.3.12 (Unicode)
    BitTornado 0.3.17
    Choice Guard
    ControlDeck
    Creative MediaSource 5
    Disktrix UltimateDefrag
    Express Gate
    FFmpeg for Audacity on Windows
    Flight Simulator X
    Flight Simulator X Service Pack 1
    FS Panel Studio for FSX Build 20207
    FS Panel Studio FSPS Demo
    Game Booster
    HexEdit
    Island Wars 2
    Jasc Paint Shop Pro 8
    Jasc Paint Shop Pro 8.10 Update Patch
    Java Auto Updater
    Java(TM) 6 Update 31
    Junk Mail filter update
    Just Flight - 757 Jetliner - Freemium Livery Pack 15
    Just Flight - 757 Jetliner Freemium
    Just Flight - A318 Jetliner
    Just Flight - DC-6B - Legends of Flight DEMO
    LAME v3.98.2 for Audacity
    Malwarebytes Anti-Malware version 1.60.1.1000
    Merimbula (YMER) v1.0
    Microsoft Flight
    Microsoft Flight Simulator X
    Microsoft Flight Simulator X: Acceleration
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (Arabic) 2007
    Microsoft Office Excel MUI (Chinese (Simplified)) 2007
    Microsoft Office Excel MUI (Chinese (Traditional)) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Excel MUI (Portuguese (Brazil)) 2007
    Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
    Microsoft Office Excel MUI (Spanish) 2007
    Microsoft Office Excel MUI (Thai) 2007
    Microsoft Office Excel MUI (Turkish) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office IME (Chinese (Simplified)) 2007
    Microsoft Office IME (Chinese (Traditional)) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (Arabic) 2007
    Microsoft Office OneNote MUI (Chinese (Simplified)) 2007
    Microsoft Office OneNote MUI (Chinese (Traditional)) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (French) 2007
    Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007
    Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
    Microsoft Office OneNote MUI (Spanish) 2007
    Microsoft Office OneNote MUI (Thai) 2007
    Microsoft Office OneNote MUI (Turkish) 2007
    Microsoft Office PowerPoint MUI (Arabic) 2007
    Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007
    Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007
    Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
    Microsoft Office PowerPoint MUI (Spanish) 2007
    Microsoft Office PowerPoint MUI (Thai) 2007
    Microsoft Office PowerPoint MUI (Turkish) 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Basque) 2007
    Microsoft Office Proof (Catalan) 2007
    Microsoft Office Proof (Chinese (Simplified)) 2007
    Microsoft Office Proof (Chinese (Traditional)) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Galician) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Portuguese (Brazil)) 2007
    Microsoft Office Proof (Portuguese (Portugal)) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Thai) 2007
    Microsoft Office Proof (Turkish) 2007
    Microsoft Office Proofing (Arabic) 2007
    Microsoft Office Proofing (Chinese (Simplified)) 2007
    Microsoft Office Proofing (Chinese (Traditional)) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Proofing (Portuguese (Brazil)) 2007
    Microsoft Office Proofing (Portuguese (Portugal)) 2007
    Microsoft Office Proofing (Spanish) 2007
    Microsoft Office Proofing (Thai) 2007
    Microsoft Office Proofing (Turkish) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (Arabic) 2007
    Microsoft Office Shared MUI (Chinese (Simplified)) 2007
    Microsoft Office Shared MUI (Chinese (Traditional)) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared MUI (Portuguese (Brazil)) 2007
    Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
    Microsoft Office Shared MUI (Spanish) 2007
    Microsoft Office Shared MUI (Thai) 2007
    Microsoft Office Shared MUI (Turkish) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (Arabic) 2007
    Microsoft Office Word MUI (Chinese (Simplified)) 2007
    Microsoft Office Word MUI (Chinese (Traditional)) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Office Word MUI (Portuguese (Brazil)) 2007
    Microsoft Office Word MUI (Portuguese (Portugal)) 2007
    Microsoft Office Word MUI (Spanish) 2007
    Microsoft Office Word MUI (Thai) 2007
    Microsoft Office Word MUI (Turkish) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox 11.0 (x86 en-US)
    Mp3tag v2.46a
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Mudry Cap-10
    NL2000V4_installer
    Notepad++
    NVIDIA PhysX
    Panda USB Vaccine 1.0.1.4
    Project BO-105 PAH
    RAF Marham FSX
    Realtek High Definition Audio Driver
    RICOH R5U230 Media Driver ver.2.05.02.02
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Short Empire for FSX
    Skype™ 5.8
    Sound Blaster Audigy HD
    Spybot - Search & Destroy
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Vallen JPegger
    VEH Clemenceau V2-09
    VLC media player 1.1.4
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    WinFlash
    Wireless Console 3
     
  16. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    attach.txt log part 2

    .
    ==== Event Viewer Messages From Past Week ========
    .
    31/03/2012 8:27:59 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
    31/03/2012 6:56:35 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    31/03/2012 5:38:24 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    31/03/2012 2:11:28 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    30/03/2012 9:11:13 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    30/03/2012 8:20:25 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    30/03/2012 3:48:56 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    30/03/2012 11:56:11 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    30/03/2012 10:01:05 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    29/03/2012 8:54:33 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    29/03/2012 5:18:40 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    29/03/2012 10:02:26 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    05/04/2012 9:16:55 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.948.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    05/04/2012 9:07:14 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    04/04/2012 8:37:02 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.948.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    04/04/2012 8:27:13 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
     
  17. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    attach.txt log part 3 / 3

    04/04/2012 7:20:14 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.948.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    04/04/2012 7:10:03 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    04/04/2012 7:00:10 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.948.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    04/04/2012 6:50:27 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    04/04/2012 6:47:33 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    04/04/2012 6:47:33 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    04/04/2012 6:47:33 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    04/04/2012 6:47:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    04/04/2012 6:47:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    04/04/2012 6:47:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    04/04/2012 6:47:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    04/04/2012 6:46:59 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    04/04/2012 6:42:21 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    04/04/2012 6:38:42 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    04/04/2012 5:59:33 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.948.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    04/04/2012 5:49:30 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    03/04/2012 8:20:43 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    03/04/2012 5:44:56 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    02/04/2012 6:05:14 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.854.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    02/04/2012 5:55:42 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    01/04/2012 8:26:11 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    01/04/2012 8:17:49 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    01/04/2012 7:47:31 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    01/04/2012 1:40:27 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    .
    ==== End Of File ===========================
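Two Microsoft Antimalware events repeat through the Event Viewer excerpt above: 2001 (signature update failed) and 3002 (real-time protection's Behavior Monitoring feature failed because the filter driver needs an up-to-date engine). The two are linked: the engine cannot update, so the behaviour-monitoring filter refuses to load, and the machine is running on the last definitions it managed to fetch. The code in the 2001 events, 0x8024402c, is the Windows Update agent's WU_E_PT_WINHTTP_NAME_NOT_RESOLVED, meaning the client could not resolve the update server (or proxy) name. On a box where DNS-level tampering is one of the suspects, repeated name-resolution failures against Microsoft Update are worth checking on their own rather than writing off as a broken install. The following parser is an added example, not part of the original thread or of any Microsoft tooling; it works over constructed lines in the same layout as the excerpt (shortened messages), decodes the handful of error codes it knows, and reports which days the engine was running stale.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the Event Viewer excerpt above
# (dd/mm/yyyy timestamps, event id in brackets); shortened messages, not the poster's data.
SAMPLE_EVENTS = """\
04/04/2012 5:59:33 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.948.0 Update Source: Microsoft Update Server Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates.
04/04/2012 5:49:30 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function.
03/04/2012 8:20:43 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function.
02/04/2012 6:05:14 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.854.0 Update Source: Microsoft Update Server Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates.
"""

# Windows Update agent result codes seen in Microsoft Antimalware event 2001.
# Only codes with a documented meaning are listed; anything else decodes as "unknown".
WU_ERRORS = {
    0x8024402C: "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: proxy or update server name could not be resolved",
    0x80072EE7: "ERROR_INTERNET_NAME_NOT_RESOLVED: WinINet could not resolve the server name",
    0x80244019: "WU_E_PT_HTTP_STATUS_NOT_FOUND: update server returned HTTP 404",
}

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (?P<level>\w+): "
    r"(?P<source>[^\[]+) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
CODE_RE = re.compile(r"Error [Cc]ode: (0x[0-9A-Fa-f]{8})")
SIG_RE = re.compile(r"Previous Signature Version: (\d+(?:\.\d+)+)")


def parse_events(text):
    """Parse Event Viewer lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        code = CODE_RE.search(m["msg"])
        events.append({
            "time": datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p"),
            "source": m["source"].strip(),
            "id": int(m["id"]),
            "code": int(code.group(1), 16) if code else None,
            "msg": m["msg"],
        })
    return sorted(events, key=lambda e: e["time"])


def update_failure_summary(events):
    """Map each distinct 2001 error code to (decoded meaning, occurrence count)."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 2001 and e["code"] is not None:
            counts[e["code"]] += 1
    return {hex(c): (WU_ERRORS.get(c, "unknown code"), n) for c, n in counts.items()}


def stale_engine_days(events):
    """Days on which real-time protection (3002) failed for lack of an up-to-date engine."""
    return sorted({e["time"].date() for e in events
                   if e["id"] == 3002 and "up-to-date engine" in e["msg"]})


def last_signature_version(events):
    """Highest 'Previous Signature Version' reported by 2001 events, i.e. what the box is stuck on."""
    versions = [tuple(int(x) for x in SIG_RE.search(e["msg"]).group(1).split("."))
                for e in events if e["id"] == 2001 and SIG_RE.search(e["msg"])]
    return ".".join(map(str, max(versions))) if versions else None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for code, (meaning, n) in update_failure_summary(evs).items():
        print(f"{n}x {code}: {meaning}")
    print("engine stale on:", [d.isoformat() for d in stale_engine_days(evs)])
    print("stuck at signature version:", last_signature_version(evs))
```

On the real machine the same check is the date of the newest definition version the 2001 events mention against today's date; a gap of days on a box that is online is the point to explain, whether by DNS, a proxy setting, or a damaged install.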
     
  18. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    Sorry, I had to post my logs in multiple posts; it looks like they're too big for your forum or my ISP is limiting my uploads....

    "It's not happening often, and hard to reproduce consistently.">>>Please explain what happens in what you are calling a "redirect or similar."

    In Firefox, while searching in Google, sometimes I select a page (a famous flight simulator forum) and I am redirected to something completely different. I didn't write down the URL; it was highly suspicious. It happens once in a while (no more than 4 times a week).

    I've just installed Panda Vaccine. Thanks for the tip. Looks very useful.

    I guess I followed your instructions in your last post. Over to you. Thanks.
     
  19. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    I guess I failed to copy the result of the first Bootkit Remover log properly before the fix.dat script; maybe that's why my two Bootkit logs are identical... Sorry...
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I thought I'd save a step but it looks like it was unnecessary. MBR check showed:
    PhysicalDrive 0 is main hard drive and okay.
    PhysicalDrive1 showed 'unknown' MBR code but did not show up in the Bootkit Remover. Is that a partition?
    ======================================
    Many of the errors in the Event Viewer are from Microsoft Antimalware Real-Time Protection >>>>> The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

    I see this so often in logs! The only suggestion I have for that in particular is to uninstall/reinstall the program.
    ==========================================
    You do a search in the Google Search box in Firefox and click on Search. A page from Google displays with hits for that search. You choose one of the hits, but instead of THAT coming up, some other unrelated site comes up. This is correct??? But it only happens once in a while- correct??

    This is not a 'typical' redirect- not this seldom.
    1. Does it happen only in Firefox?
    2. If you copy a URL and paste it in the Address Bar, does the right site come up?
    3. If you type a URL in the Address bar, does the right site come up?
    4. If you click on a shortcut for a URL, such as in History/Bookmarks/Favorites, does the correct site display?
    5. Is it possible that the few times the site does not display and is redirected is happening for the same site(s)?
    6. Does this happen on any particular types of sites, such as a secure site?
    7. Are you experiencing any connection problems e.g. connecting to the internet?
    ======================================
    There is also some indication that all of the Services and their Dependencies might not be running, so we need to check that:

    Please download Farbar Service Scanner
    • Check ALL boxes to include all files.
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
    ========================================
    Let's go ahead with the following and see if they pick anything up. So far I'm not seeing malware entries:
    You said the lappy was offline now. Is that because you cannot connect and run in Normal Mode? If you just decided to go offline but can access the internet, it would be best to connect to run the following scans. You can't put a recovery console on the system in Safe Mode, nor can you run the Eset scan.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open in a text window. Please paste C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
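Questions 2 to 5 in the post above are a layer test. A hosts-file or DNS-level redirect hits every way of reaching a site, so typed URLs, pasted URLs and bookmarks would fail too; a redirect that only happens when a search result is clicked points at something in the browser or in the page (an add-on, an injected script, a hijacked search or proxy setting). The code below is an added example for this thread, not part of the original post or of any tool mentioned in it. It runs the two file checks a responder does before blaming the network, over constructed sample inputs: a Windows hosts file and a Firefox prefs.js (the `user_pref(...)` lines that ComboFix summarises as `FF - prefs.js:`). Addresses are from documentation ranges, and the domain lists are my own choice of what is worth watching, not anything from the page. It then combines the answers to the triage questions with the file results to name the likeliest layer.

```python
import re

# Constructed sample inputs (not the poster's files): a Windows hosts file and a Firefox
# prefs.js, each mixing benign entries with hijack-style ones. Addresses are from
# documentation ranges (RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com
127.0.0.1       www.malwarebytes.org   # starves the scanner of updates
0.0.0.0         ads.example.net
"""

SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://flightsimulatornewsbrief.blogspot.com/");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://203.0.113.9/proxy.pac");
user_pref("keyword.URL", "http://203.0.113.9/search?q=");
user_pref("browser.search.selectedEngine", "Wikipedia (en)");
"""

# A hosts entry for any of these is a finding (my watch list, an assumption): search engines
# have no business being pinned, and pinning AV/update vendors is how malware blocks cleanup.
SEARCH_DOMAINS = ("google.com", "google.ca", "bing.com", "yahoo.com")
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.org", "eset.com")


def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def hosts_findings(text):
    """Hijack indicators in hosts-file text as (category, hostname, address) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            host = name.lower()
            if _matches(host, SEARCH_DOMAINS):
                findings.append(("search domain pinned", host, ip))
            elif _matches(host, SECURITY_DOMAINS):
                findings.append(("security/update domain pinned", host, ip))
    return findings


PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')


def parse_prefs(text):
    """Read user_pref(...) lines from prefs.js into a dict with typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def prefs_findings(prefs):
    """Firefox-level redirect indicators: a proxy or PAC script injected into the profile,
    or an address-bar search override (keyword.URL, honoured by Firefox of this era)."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)   # 0 none, 1 manual, 2 PAC, 4 auto-detect, 5 system
    if ptype in (1, 2):
        findings.append(f"network.proxy.type={ptype}: traffic routed through a configured proxy")
    pac = prefs.get("network.proxy.autoconfig_url")
    if pac:
        findings.append(f"proxy autoconfig script: {pac}")
    kw = prefs.get("keyword.URL")
    if kw:
        findings.append(f"keyword.URL overridden: {kw}")
    return findings


def likely_layer(search_click_only, typed_url_ok, hosts_hits, prefs_hits):
    """Combine the answers to the triage questions with the two file checks."""
    if hosts_hits:
        return "hosts file"
    if prefs_hits:
        return "Firefox profile (proxy or search override)"
    if search_click_only and typed_url_ok:
        return "search-result click hijack (page script, add-on or in-browser component)"
    return "network path (DNS server or router) or not a redirect at all"
```

The hosts check deliberately flags a security vendor pinned to loopback as well as a search engine pinned to a foreign address; both are common in the same infection. Run the prefs check against every profile under the Firefox Profiles folder, not only the default one, and if both files are clean and only search clicks misbehave, the next place to look is the add-on list and what the clicked result page actually loads.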
     
  21. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    your Question: PhysicalDrive 0 is main hard drive and okay. PhysicalDrive1 showed 'unknown' MBR code but did not show up in the Bootkit Remover. Is that a partition?

    Answer: No, it's not a partition. I have 2 hard drives; PhysicalDrive1 is my second "data" drive with no OS. But I do have partitions, 4 of them, 2 on each drive: drive 0 = C:, D: - drive 1 = E:, F:

    Q: You do a search in the Google Search box in Firefox and click on Search. A page from Google displays with hits for that search. You choose on of the hits, but instead of THAT coming up, some other unrelated site come up. This is correct??? But it only happens once in a while- correct??

    A: Yes, all of this is correct. But I use also the main Google home page and Googlebar Lite v 4.8.2 by Jonah Bishop in Firefox (since the real Googlebar is not available anymore in Firefox 11). I don't use the regular Firefox Google Search box (not enough options for my taste).

    Q: This is not a 'typical' redirect- not this seldom.

    Q1. Does it happen only in Firefox?
    A1: Can't tell. I use only Firefox, I don't like IE at all, but I do have it, two versions, 32 and 64 bits.
    Q2. If you copy a URL and paste it in the Address Bar, does the right site come up.
    A2: Yes it does.
    Q3. If you type a URL in the Address bar, does the right site come up?
    A3: Yes
    Q4. If you click on a shortcut for a URL, such as in History/Bookmarks/Favorites, does the correct site display.
    A4: Yes
    Q5. Is it possible that the few times the site does not display and is redirected is happening for the same site(s)?
    A5: No, different sites, but I'm not 100% positive, need to make more tests.
    Q6. Does this happen on any particular types of sites, such as a secure site?
    A6: Didn't notice anything like this (you mean ssl encrypted pages?)
    Q7. Are you experiencing any connection problems e.g. connecting to the internet?
    A7: No, my apple wifi router at home works fine, and here at the office it's ok too

    Q: You said the lappy was offline now. Is that because you cannot connect and run in Normal Mode? If you just decided to go offline but can access the internet, it would be best to connect to run the following scans. You can't put a recovery console on the system in Safe Mode, nor can you run the Eset scan:

    A: My laptop is back online, no problem connecting at home or here. I'm online only when surfing the net, since this is mostly a gaming laptop and I play offline. But now I'm at the office, and I'm using my boss' wifi router (don't tell). So I'll be able to run the 3 scans you suggested.

    Here are the logs for FSS, Combofix and eset (in separate posts below)

    ESET is not finished yet (44 min. so far), but a threat was found after 20 min:
    Java/TrojanDownloader.Agent.NCJ trojan

    Will post the complete eset log later.
     
  22. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    Farbar Service Scanner log

    Farbar Service Scanner Version: 01-03-2012
    Ran by admin (administrator) on 05-04-2012 at 12:32:14
    Running from "C:\Users\admin\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  23. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    ComboFix log part 1

    ComboFix 12-04-05.06 - admin 05/04/2012 12:38:17.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4085.2617 [GMT -4:00]
    Running from: c:\users\admin\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\FullRemove.exe
    c:\programdata\Tarma Installer
    c:\programdata\Tarma Installer\{A9CC77F7-77AC-48C5-A48D-7E6FCD115C8D}\_Setup.dll
    c:\programdata\Tarma Installer\{A9CC77F7-77AC-48C5-A48D-7E6FCD115C8D}\20120301183614.log
    c:\programdata\Tarma Installer\{A9CC77F7-77AC-48C5-A48D-7E6FCD115C8D}\Setup.dat
    c:\programdata\Tarma Installer\{A9CC77F7-77AC-48C5-A48D-7E6FCD115C8D}\Setup.exe
    c:\programdata\Tarma Installer\{A9CC77F7-77AC-48C5-A48D-7E6FCD115C8D}\Setup.ico
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\_Setup.dll
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\20111216113430.log
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\20120222220634.log
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\20120222220649.log
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\Setup.dat
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\Setup.exe
    c:\programdata\Tarma Installer\{D085AEC0-D870-410F-9C04-D9CF1FA9EE5F}\Setup.ico
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-05 16:41 . 2012-04-05 16:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-05 16:29 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B617E7A5-E4B6-47AF-A39A-557625163877}\mpengine.dll
    2012-04-05 14:34 . 2012-04-05 14:34 -------- d-----w- c:\programdata\Panda Security
    2012-04-05 14:33 . 2012-04-05 14:33 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
    2012-04-04 22:30 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-04 22:29 . 2012-04-04 22:49 -------- d-----w- c:\programdata\AVAST Software
    2012-04-04 22:29 . 2012-04-04 22:29 -------- d-----w- c:\program files\AVAST Software
    2012-04-02 23:30 . 2012-04-02 23:30 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-04-02 23:07 . 2012-04-02 23:07 -------- d-----w- c:\program files (x86)\Java
    2012-03-28 22:18 . 2012-03-28 22:18 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-03-24 19:30 . 2012-03-24 19:30 -------- d-----w- c:\program files (x86)\FS Panel Studio Demo
    2012-03-18 03:13 . 2012-03-18 03:13 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
    2012-03-18 03:13 . 2012-03-18 03:13 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
    2012-03-14 00:57 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-03-14 00:57 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-14 00:57 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-03-14 00:57 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-03-14 00:57 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-03-14 00:57 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-14 00:57 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-03-14 00:57 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-03-14 00:57 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-03-14 00:57 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-03-13 22:07 . 2012-03-13 22:09 -------- d-----w- c:\program files (x86)\HexEdit
    2012-03-13 22:07 . 1997-11-19 18:49 303616 ----a-w- c:\windows\IsUninst.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-02 23:08 . 2011-12-01 23:29 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-03-28 22:18 . 2011-12-15 02:34 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-03-14 03:27 . 2011-12-05 01:54 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-02-28 23:44 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
    2012-02-28 23:44 . 2009-08-18 16:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-02-10 21:22 . 2012-02-10 21:22 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9E2887D1-4A8E-4EEA-B5D3-4A527D4CC1C3}\gapaengine.dll
    2012-01-31 12:44 . 2011-12-03 16:58 279656 ------w- c:\windows\system32\MpSigStub.exe
     
  24. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    Combofix log part 2

    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 01:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
    IME File REG_SZ IMSC12.IME
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "ATKOSD2"=c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
    "HControlUser"=c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-01-31 158856]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 253600]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-11-13 79360]
    R4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-11-13 79360]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
    S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
    S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]
    S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [x]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    S3 NETw1v64;Intel(R) Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw1v64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 22:18]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 00:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
    @="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
    [HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
    2011-09-05 07:20 227840 ----a-w- c:\program files (x86)\ASUS\Asus WebStorage\3.0.120.241\AsusWSShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
    @="{64174815-8D98-4CE6-8646-4C039977D808}"
    [HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
    2011-09-05 07:20 227840 ----a-w- c:\program files (x86)\ASUS\Asus WebStorage\3.0.120.241\AsusWSShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-10 16336416]
    "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 190536]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 64.254.253.110 69.70.221.59
    FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz1xytif.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://flightsimulatornewsbrief.blogspot.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-ASUS_ScreenSaver_GSeries - c:\windows\system32\ASUS_ScreenSaver_GSeries.scr
    AddRemove-Project BO-105 PAH - d:\a essayer\bo-105pah\Uninstal.exe
    AddRemove-RAF Marham FSX - d:\a essayer\ACG RAF Marham FSX\Marham FSX Uninstall.exe
    AddRemove-Mudry Cap-10 - d:\a essayer\Cap 10\Uninstall_Cap10fsx.exe
    AddRemove-VEH Clemenceau V2-09 - f:\flight simulator x\Uninstal VEH_Clemenceau_V2-09.exe
    .
    .
    .
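The Reg Loading Points section of the log above carries the most significant security finding in the thread, and it is not malware: under policies\system, EnableLUA is 0, ConsentPromptBehaviorAdmin is 0 and PromptOnSecureDesktop is 0. The Windows 7 defaults are 1, 5 and 1. EnableLUA=0 switches UAC off, so every process this administrator account starts, including whatever a drive-by page or a downloader such as the Java trojan ESET reported hands it, already runs with full admin rights and no prompt. Separately, several driver entries end in [x] where ComboFix normally prints the image's date and size, meaning it could not stat the file; on an x64 box that can be a genuinely missing image or a 32-bit tool being redirected away from system32\drivers, so confirm each path on disk before treating it as a finding. The parser below is an added example, not ComboFix's own code or anything from the thread; it reads a constructed excerpt in the same layout, compares the UAC values against the Windows 7 defaults (those defaults are from my own knowledge, not from the page) and lists the services whose image ComboFix could not read.

```python
import re

# Constructed excerpt in the ComboFix "Reg Loading Points" layout (not the poster's full log):
# the UAC policy key plus a few service/driver lines in ComboFix's
# "<R|S><start> name;display;image [date size | x]" form.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-01-31 158856]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
"""

# Windows 7 out-of-the-box values for the UAC settings under policies\system (assumed, see lead-in).
UAC_DEFAULTS = {
    "EnableLUA": 1,                    # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,   # 0 = elevate silently, 5 = prompt for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # 3 = prompt standard users for credentials
    "PromptOnSecureDesktop": 1,        # 0 lets other windows draw over the elevation prompt
    "EnableUIADesktopToggle": 0,
}
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S+)')
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?) \[(?P<info>[^\]]*)\]$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def parse_combofix(text):
    """Return (registry keys -> {value name: int|str}, list of service dicts)."""
    keys, services, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m["key"].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            val = m["val"]
            keys[current][m["name"]] = int(val) if val.lstrip("-").isdigit() else val
        elif (m := SERVICE_RE.match(line)):
            services.append({
                "name": m["name"],
                "image": m["image"],
                "running": m["state"] == "R",          # R = running, S = stopped
                "start": START_TYPES.get(int(m["start"]), m["start"]),
                "file_info_missing": m["info"] == "x",  # ComboFix could not stat the image
            })
    return keys, services


def uac_findings(keys):
    """(name, actual, default) for every UAC value that differs from the Windows 7 default."""
    policy = keys.get(POLICY_KEY, {})
    return [(n, policy[n], d) for n, d in UAC_DEFAULTS.items()
            if n in policy and policy[n] != d]


def uac_disabled(keys):
    """EnableLUA=0 means every process an administrator starts already has full admin rights."""
    return keys.get(POLICY_KEY, {}).get("EnableLUA") == 0


def services_without_file_info(services):
    """Entries ending in [x]; verify each image path on disk before calling it missing."""
    return [s["name"] for s in services if s["file_info_missing"]]


if __name__ == "__main__":
    keys, svcs = parse_combofix(SAMPLE_COMBOFIX)
    for name, actual, default in uac_findings(keys):
        print(f"{name} = {actual} (default {default})")
    print("UAC disabled:", uac_disabled(keys))
    print("services with no file info:", services_without_file_info(svcs))
```

Feed it the whole ComboFix.txt rather than an excerpt: the same value parser also picks up the `Run` keys and the `LoadAppInit_DLLs` setting in the x86-64 section, and a non-zero `LoadAppInit_DLLs` with an `AppInit_DLLs` path would be the next thing to read.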
     
  25. erichludwig

    erichludwig TS Rookie Topic Starter Posts: 27

    Combofix log part 3

    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-04-05 12:45:11
    ComboFix-quarantined-files.txt 2012-04-05 16:45
    .
    Pre-Run: 40,556,630,016 bytes free
    Post-Run: 40,035,082,240 bytes free
    .
    - - End Of File - - 4972674FF908DEEE077155869EF1BC9B
     
Topic Status:
Not open for further replies.
