TechSpot

Possible virus/malware

Solved
By yinato
Nov 11, 2012
  1. For the past week and a half, I noticed that my browsers have been very slow and the bandwidth usage has been insanely high (in the 8GB range per day, and most of it is from uploads). At first, I thought that someone may've been piggy-backing on my wifi, so I ended up changing and hiding the SSID and password for the wireless connection. However, the bandwidth usage continued to be as high. I had shut off wifi for a day and used a wired connection, but I still ended up using around 6GB of bandwidth within 3 hours of being connected. Also, I'm the only one using the connection. Below are all of the logs. GMER didn't produce any logs.

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.11.10.03
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    tony :: TONY-SAT-PC [administrator]
    Protection: Enabled
    11/11/2012 1:53:02 AM
    mbam-log-2012-11-11 (01-53-02).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201702
    Time elapsed: 3 minute(s), 54 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
    DDS (Ver_2012-11-07.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16450
    Run by tony at 2:03:23 on 2012-11-11
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7654.5601 [GMT -5:00]
    .
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\System32\StikyNot.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchIndexer.exe
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\BandwidthMonitor\BWMonitor.exe
    C:\Program Files\NetWorx\networx.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\taskmgr.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
    C:\Program Files (x86)\Notepad++\notepad++.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\notepad.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    mWinlogon: Userinit = userinit.exe
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: NameServer = 192.168.2.1
    TCP: Interfaces\{0FD04827-A482-42FC-B871-0DEFA91E98EE} : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{0FD04827-A482-42FC-B871-0DEFA91E98EE}\0534E49687E23616 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{0FD04827-A482-42FC-B871-0DEFA91E98EE}\2454C4C4033353 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{0FD04827-A482-42FC-B871-0DEFA91E98EE}\2595542535F4E4 : DHCPNameServer = 141.117.199.78 141.117.199.82 141.117.199.74
    TCP: Interfaces\{0FD04827-A482-42FC-B871-0DEFA91E98EE}\C4F4E474 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{11122252-4F96-447D-A760-051FAB1F5FD1}\0534E49687E23616 : DHCPNameServer = 192.168.2.1
    Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
    Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto
    x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
    x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amdkmpfd;AMD PCI Root Bus Lower Filter;C:\Windows\System32\drivers\amdkmpfd.sys [2012-2-1 31872]
    R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-11-7 27800]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-2-13 235520]
    R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-11-7 84256]
    R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-11-7 108320]
    R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-11-7 99248]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-7 399432]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-7 676936]
    R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2012-10-29 103552]
    R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2012-10-29 220288]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-12-5 95248]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-7 25928]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-10-29 251496]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-10-29 565352]
    R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2012-10-29 880272]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2012-10-29 56448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-10-19 160944]
    S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;C:\Windows\System32\drivers\AGUx64.sys [2012-10-29 1077760]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-29 1255736]
    .
    =============== Created Last 30 ================
    .
    2012-11-10 05:22:22 -------- d-----w- C:\ProgramData\boost_interprocess
    2012-11-09 17:37:14 -------- d-----w- C:\ProgramData\SoftPerfect
    2012-11-09 17:37:14 -------- d-----w- C:\Program Files\NetWorx
    2012-11-09 17:35:42 -------- d-----w- C:\Program Files (x86)\BandwidthMonitor
    2012-11-08 15:42:14 -------- d-----w- C:\Users\tony\.thumbnails
    2012-11-08 15:39:46 -------- d-----w- C:\Users\tony\AppData\Local\fontconfig
    2012-11-08 15:39:43 -------- d-----w- C:\Users\tony\.gimp-2.8
    2012-11-08 15:39:42 -------- d-----w- C:\Users\tony\AppData\Local\gegl-0.2
    2012-11-08 13:52:12 -------- d-----w- C:\Program Files\GIMP 2
    2012-11-08 13:50:21 -------- d-----w- C:\Users\tony\AppData\Roaming\tigerplayer
    2012-11-08 13:50:21 -------- d-----w- C:\Users\tony\AppData\Roaming\CometPlayer
    2012-11-08 13:50:21 -------- d-----w- C:\Program Files (x86)\MpcStar
    2012-11-08 02:12:28 -------- d-----w- C:\Users\tony\AppData\Roaming\Malwarebytes
    2012-11-08 02:12:19 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-08 02:12:17 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-08 02:12:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-07 16:05:51 -------- d-----w- C:\Users\tony\AppData\Roaming\Avira
    2012-11-07 15:58:40 99248 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
    2012-11-07 15:58:40 27800 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
    2012-11-07 15:58:38 -------- d-----w- C:\ProgramData\Avira
    2012-11-07 15:58:38 -------- d-----w- C:\Program Files (x86)\Avira
    2012-11-07 15:44:01 -------- d-----w- C:\Users\tony\AppData\Local\Diagnostics
    2012-11-06 19:01:02 -------- d-----w- C:\Users\tony\AppData\Local\LogMeIn Rescue Applet
    2012-11-06 18:31:19 -------- d-----w- C:\Users\tony\AppData\Roaming\Bell
    2012-11-06 18:31:13 -------- d-----w- C:\ProgramData\Radialpoint
    2012-11-06 18:31:10 -------- d-----w- C:\ProgramData\Bell
    2012-11-04 05:49:04 -------- d-----w- C:\Users\tony\bluej
    2012-11-03 02:25:18 -------- d-----w- C:\Program Files (x86)\BlueJ
    2012-11-01 14:11:58 -------- d-----w- C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2
    2012-11-01 13:22:37 1139200 ----a-w- C:\Windows\System32\FntCache.dll
    2012-11-01 13:22:36 902656 ----a-w- C:\Windows\System32\d2d1.dll
    2012-11-01 13:22:36 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
    2012-10-31 02:46:02 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-10-31 02:46:02 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-10-30 22:26:56 -------- d-----w- C:\Program Files (x86)\Kill3rCombo
    2012-10-30 22:03:35 -------- d-----w- C:\Users\tony\Tracing
    2012-10-30 21:52:37 -------- d-----w- C:\Users\tony\AppData\Local\Windows Live
    2012-10-30 21:52:23 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
    2012-10-30 18:18:52 -------- d-----w- C:\ProgramData\NexonUS
    2012-10-30 18:18:28 -------- d-----w- C:\Nexon
    2012-10-30 17:54:24 -------- d-----w- C:\Users\tony\AppData\Local\Microsoft Games
    2012-10-30 17:43:49 -------- d-----w- C:\Users\tony\AppData\Local\Adobe
    2012-10-30 16:53:05 916456 ----a-w- C:\Windows\System32\deployJava1.dll
    2012-10-30 16:53:05 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-10-30 16:52:57 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2012-10-30 16:41:21 -------- d-----w- C:\Program Files (x86)\Pando Networks
    2012-10-30 16:33:18 -------- d-----w- C:\Users\tony\AppData\Local\Google
    2012-10-30 16:32:42 -------- d-----w- C:\Users\tony\AppData\Local\Apps
    2012-10-30 16:32:41 -------- d-----w- C:\Users\tony\AppData\Local\Deployment
    2012-10-30 16:29:41 -------- d-----r- C:\Program Files (x86)\Skype
    2012-10-30 13:17:56 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3E431A59-D7C6-4FE3-971B-B33D6001661E}\mpengine.dll
    2012-10-30 13:08:51 -------- d-----w- C:\Windows\PCHEALTH
    2012-10-30 13:06:46 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
    2012-10-30 13:05:54 -------- d-----w- C:\Users\tony\AppData\Local\Microsoft Help
    2012-10-29 23:36:00 -------- d-----w- C:\Windows\Panther
    2012-10-29 21:37:39 -------- d-----w- C:\Windows\SysWow64\Wat
    2012-10-29 21:37:39 -------- d-----w- C:\Windows\System32\Wat
    2012-10-29 20:54:55 81408 ----a-w- C:\Windows\System32\imagehlp.dll
    2012-10-29 20:54:55 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2012-10-29 20:54:54 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2012-10-29 20:54:54 5120 ----a-w- C:\Windows\System32\wmi.dll
    2012-10-29 20:54:54 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2012-10-29 20:42:10 0 ----a-w- C:\Windows\ativpsrm.bin
    2012-10-29 20:40:43 -------- d-----w- C:\Users\tony\AppData\Local\ATI
    2012-10-29 20:40:32 220288 ----a-w- C:\Windows\System32\drivers\amdxhc.sys
    2012-10-29 20:40:32 103552 ----a-w- C:\Windows\System32\drivers\amdhub30.sys
    2012-10-29 20:39:26 -------- d-----w- C:\Windows\kdb
    2012-10-29 20:39:24 -------- d-----w- C:\Program Files\AMD
    2012-10-29 20:39:24 -------- d-----w- C:\Program Files (x86)\AMD
    2012-10-29 20:39:22 -------- d-----w- C:\Program Files (x86)\AMD APP
    2012-10-29 20:39:19 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
    2012-10-29 20:39:19 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
    2012-10-29 20:38:09 -------- d-----w- C:\Program Files (x86)\ATI Technologies
    2012-10-29 20:34:35 56448 ----a-w- C:\Windows\System32\drivers\usbfilter.sys
    2012-10-29 20:34:27 -------- d-sh--w- C:\Windows\Installer
    2012-10-29 20:34:22 -------- d-----w- C:\Program Files\ATI Technologies
    2012-10-29 20:34:20 -------- d-----w- C:\Program Files\ATI
    2012-10-29 20:23:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
    2012-10-29 20:22:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
    2012-10-29 20:20:41 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
    2012-10-29 20:19:56 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
    2012-10-29 20:17:28 -------- d-----w- C:\Windows\SysWow64\sda
    2012-10-29 20:17:03 9887848 ----a-w- C:\Windows\SysWow64\RtsUStoricon.dll
    2012-10-29 20:17:03 422504 ----a-w- C:\Windows\System32\RtsUStor.dll
    2012-10-29 20:17:03 251496 ----a-w- C:\Windows\System32\drivers\RtsUStor.sys
    2012-10-29 20:14:57 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
    2012-10-29 20:13:49 956928 ----a-w- C:\Windows\System32\localspl.dll
    2012-10-29 19:59:27 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2012-10-29 19:57:12 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-10-29 19:57:12 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-10-29 19:57:11 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-10-29 19:53:14 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-10-29 19:53:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-10-29 19:52:47 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-10-29 19:52:47 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-10-29 19:50:24 1077760 ----a-w- C:\Windows\System32\drivers\AGUx64.sys
    2012-10-29 19:47:03 -------- d-----w- C:\Users\tony\AppData\Local\VirtualStore
    .
    ==================== Find3M ====================
    .
    2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-09-12 20:07:44 58368 ----a-w- C:\Windows\SysWow64\sirenacm.dll
    2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
    2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
    2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
    2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
    2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    .
    ============= FINISH: 2:04:04.13 ===============
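The DDS output above is the raw material a malware helper reads by eye: running processes, autoruns (the "Pseudo HJT Report"), services/drivers, recently created files and the configured resolvers. The script below is an added example, not part of this thread and not a DDS or TechSpot tool: it parses that section layout and flags anything executable that lives outside C:\Windows and Program Files (AppData, Temp, ProgramData, the user profile), plus any DNS server outside private address space. SAMPLE_DDS is constructed in the same format as the log in this post; the `svchosts.exe` entries under a hypothetical user `alice` are invented to show a hit, while the ProgramData and 141.117.199.x lines are copied from the posted log to show what a review-only hit looks like.

```python
"""Triage a DDS-style log: flag binaries, autoruns, services and new files that live
outside Windows/Program Files, plus resolvers outside private ranges.
Added example; SAMPLE_DDS below is constructed and the svchosts.exe lines are hypothetical."""
import ipaddress
import re
from typing import Dict, List

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable drop locations; checked before the trusted prefixes so C:\Windows\Temp is caught.
SUSPECT_MARKERS = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\", "\\$recycle.bin\\")
# HJT-style line prefixes describing something Windows or IE will execute or load.
AUTORUN_PREFIXES = ("urun:", "mrun:", "x64-run:", "bho:", "x64-bho:", "tb:", "x64-tb:")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PATH_RE = re.compile(r'[a-z]:\\[^\[\]"<>|]+?\.(?:exe|dll|sys|scr|bat|cmd|vbs)\b', re.I)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")

# Constructed sample in the DDS layout used on this page (svchosts.exe / user alice are invented).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Users\alice\AppData\Roaming\svchosts\svchosts.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
uRun: [svchosts] "C:\Users\alice\AppData\Roaming\svchosts\svchosts.exe"
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{0FD04827-A482-42FC-B871-0DEFA91E98EE}\2595542535F4E4 : DHCPNameServer = 141.117.199.78 141.117.199.82 141.117.199.74
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-7 676936]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-29 1255736]
.
=============== Created Last 30 ================
.
2012-11-08 02:12:17 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-10-30 13:17:56 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3E431A59-D7C6-4FE3-971B-B33D6001661E}\mpengine.dll
2012-11-09 17:37:14 -------- d-----w- C:\ProgramData\SoftPerfect
.
============= FINISH: 2:04:04.13 ===============
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log into {lower-cased section title: [non-empty lines]}; '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
            continue
        if line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def classify_path(path: str) -> str:
    """'suspect' for user-writable drop locations, 'trusted' under Windows/Program Files, else 'other'."""
    p = path.lower()
    if any(marker in p for marker in SUSPECT_MARKERS):
        return "suspect"
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "other"


def triage(text: str) -> List[dict]:
    """Return one finding per non-trusted binary path and per non-private resolver."""
    secs = split_sections(text)
    findings: List[dict] = []
    checks = (
        ("running processes", "process", lambda l: True),
        ("pseudo hjt report", "autorun", lambda l: l.lower().startswith(AUTORUN_PREFIXES)),
        ("services / drivers", "service", lambda l: True),
        ("created last 30", "new file", lambda l: True),
    )
    for section, kind, wanted in checks:
        for line in secs.get(section, []):
            if not wanted(line):
                continue
            for path in PATH_RE.findall(line):
                verdict = classify_path(path)
                if verdict != "trusted":
                    findings.append({"kind": kind, "verdict": verdict, "path": path, "line": line})
    # A resolver outside private space is not proof of anything, but DNS changers work exactly this way,
    # so it is worth confirming against the ISP's published resolvers.
    for line in secs.get("pseudo hjt report", []):
        m = NAMESERVER_RE.search(line)
        if not m:
            continue
        for ip in m.group(1).split():
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not addr.is_private:
                findings.append({"kind": "dns", "verdict": "review", "path": ip, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['kind']:<9} {f['verdict']:<8} {f['path']}")
```

Two caveats a helper would apply when reading the output. First, ProgramData hits need eyeballing rather than action: Windows Defender keeps its mpengine.dll definition updates there, so the two such entries in the posted "Created Last 30" section are expected. Second, this pass only judges where things live; in the log as posted every running process, autorun and service resolves under Windows or Program Files, so it would surface only those Defender copies and the three 141.117.199.x resolvers, which is consistent with the clean Malwarebytes scan but says nothing about what is generating the upload volume. Attributing that traffic to a process is the next step (netstat -b from an elevated prompt, or the Network tab in Resource Monitor), and a process that shows up there but not in any autorun location is exactly the case a location-based triage misses.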
  2. yinato

    And here's the attach log:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-07.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/29/2012 3:46:51 PM
    System Uptime: 11/9/2012 8:37:17 PM (30 hours ago)
    .
    Motherboard: AMD | | Pumori
    Processor: AMD A8-4500M APU with Radeon(tm) HD Graphics | Socket FT1 | 1387/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 699 GiB total, 645.689 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP15: 10/30/2012 5:56:41 PM - WLSetup
    RP16: 11/1/2012 7:22:59 AM - Windows Update
    RP18: 11/2/2012 10:26:23 AM - Windows Modules Installer
    RP19: 11/2/2012 10:24:48 PM - Installed BlueJ
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader XI
    AMD Accelerated Video Transcoding
    AMD APP SDK Runtime
    AMD Catalyst Install Manager
    AMD Media Foundation Decoders
    AMD Steady Video Plug-In
    AMD VISION Engine Control Center
    Avira Free Antivirus
    BlueJ
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Localization All
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    D3DX10
    Elsword version v2.1024.2.1
    GIMP 2.8.2
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Java 7 Update 9 (64-bit)
    Java SE Development Kit 7 Update 9 (64-bit)
    Mabinogi
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    MpcStar 5.4
    MSVCRT
    MSVCRT110
    MSVCRT110_amd64
    NetWorx 5.2.5
    Nexon Game Manager
    Notepad++
    Photo Common
    Realtek Ethernet Controller Driver
    Realtek USB 2.0 Card Reader
    Realtek WLAN Driver
    RPS CRT
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687314) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2687315) 32-Bit Edition
    Skype™ 6.0
    Synaptics Pointing Device Driver
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687407) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinRAR 4.20 (64-bit)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/9/2012 9:17:47 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: StarOpen
    11/9/2012 12:25:52 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR6.
    11/7/2012 6:14:30 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR5.
    11/6/2012 10:43:09 AM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
    11/4/2012 12:30:59 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1005] - Unable to produce a minidump file from the full dump file.
    11/4/2012 12:30:59 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xfffffa800736d010, 0xfffff880040c5adc, 0x0000000000000000, 0x0000000000000002). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .
    11/10/2012 12:17:15 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    .
    ==== End Of File ===========================
  3. Jay Pfoutz (Malware Helper)

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.


    ComboFix scan

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  4. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Here's the combofix log

    ComboFix 12-11-10.01 - tony 11/11/2012 11:05:29.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7654.5997 [GMT -5:00]
    Running from: c:\users\tony\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\boost_interprocess\20121109203717.932796
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-11 to 2012-11-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-11 16:13 . 2012-11-11 16:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-11-10 05:22 . 2012-11-11 16:10 -------- d-----w- c:\programdata\boost_interprocess
    2012-11-09 17:37 . 2012-11-09 17:37 -------- d-----w- c:\program files\NetWorx
    2012-11-09 17:37 . 2012-11-09 17:37 -------- d-----w- c:\programdata\SoftPerfect
    2012-11-09 17:35 . 2012-11-09 17:37 -------- d-----w- c:\program files (x86)\BandwidthMonitor
    2012-11-08 13:52 . 2012-11-08 13:52 -------- d-----w- c:\program files\GIMP 2
    2012-11-08 13:50 . 2012-11-08 13:50 -------- d-----w- c:\program files (x86)\MpcStar
    2012-11-08 02:12 . 2012-11-08 02:12 -------- d-----w- c:\programdata\Malwarebytes
    2012-11-08 02:12 . 2012-11-08 02:12 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-08 02:12 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-07 15:58 . 2012-10-04 17:07 129216 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-11-07 15:58 . 2012-09-24 14:58 27800 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-11-07 15:58 . 2012-09-13 20:52 99248 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-11-07 15:58 . 2012-11-07 15:58 -------- d-----w- c:\programdata\Avira
    2012-11-07 15:58 . 2012-11-07 15:58 -------- d-----w- c:\program files (x86)\Avira
    2012-11-06 18:31 . 2012-11-06 18:31 -------- d-----w- c:\programdata\Radialpoint
    2012-11-06 18:31 . 2012-11-09 14:22 -------- d-----w- c:\programdata\Bell
    2012-11-05 22:55 . 2012-11-05 22:55 -------- d-----w- c:\program files\WinRAR
    2012-11-03 02:25 . 2012-11-03 02:25 -------- d-----w- c:\program files (x86)\BlueJ
    2012-11-03 01:56 . 2012-11-03 01:56 -------- d-----w- c:\program files (x86)\Notepad++
    2012-11-01 14:11 . 2012-11-01 14:11 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
    2012-11-01 13:22 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
    2012-11-01 13:22 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
    2012-11-01 13:22 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2012-11-01 11:23 . 2012-11-01 11:23 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2012-10-31 02:46 . 2012-10-31 02:46 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-10-31 02:46 . 2012-10-31 02:46 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-31 02:46 . 2012-10-31 02:46 -------- d-----w- c:\windows\system32\Macromed
    2012-10-30 22:26 . 2012-10-30 22:26 -------- d-----w- c:\program files (x86)\Kill3rCombo
    2012-10-30 21:56 . 2012-10-30 21:58 -------- d-----w- c:\program files (x86)\Windows Live
    2012-10-30 21:52 . 2012-10-30 21:52 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
    2012-10-30 18:18 . 2012-10-30 18:29 -------- d-----w- c:\programdata\NexonUS
    2012-10-30 18:18 . 2012-10-30 18:18 -------- d-----w- C:\Nexon
    2012-10-30 17:54 . 2012-10-30 17:54 -------- d-----w- c:\windows\SysWow64\Macromed
    2012-10-30 17:40 . 2012-10-30 17:40 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2012-10-30 16:53 . 2012-10-30 16:52 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-10-30 16:53 . 2012-10-30 16:52 289768 ----a-w- c:\windows\system32\javaws.exe
    2012-10-30 16:53 . 2012-10-30 16:52 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-10-30 16:52 . 2012-10-30 16:52 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2012-10-30 16:52 . 2012-10-30 16:52 189416 ----a-w- c:\windows\system32\javaw.exe
    2012-10-30 16:52 . 2012-10-30 16:52 188904 ----a-w- c:\windows\system32\java.exe
    2012-10-30 16:51 . 2012-10-30 16:52 -------- d-----w- c:\program files\Java
    2012-10-30 16:41 . 2012-11-09 14:17 -------- d-----w- c:\program files (x86)\Pando Networks
    2012-10-30 16:34 . 2012-10-30 16:34 -------- d-----w- c:\program files\Google
    2012-10-30 16:33 . 2012-10-31 15:01 -------- d-----w- c:\program files (x86)\Google
    2012-10-30 16:29 . 2012-10-30 16:29 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2012-10-30 16:29 . 2012-10-30 16:29 -------- d-----r- c:\program files (x86)\Skype
    2012-10-30 16:29 . 2012-10-30 16:29 -------- d-----w- c:\programdata\Skype
    2012-10-30 13:17 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3E431A59-D7C6-4FE3-971B-B33D6001661E}\mpengine.dll
    2012-10-30 13:09 . 2012-11-01 13:22 -------- d-----w- c:\program files (x86)\Microsoft Works
    2012-10-30 13:08 . 2012-10-30 13:08 -------- d-----w- c:\windows\PCHEALTH
    2012-10-30 13:06 . 2012-10-30 13:06 -------- d-----w- c:\program files\Microsoft Office
    2012-10-30 13:06 . 2012-10-30 13:06 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
    2012-10-30 13:05 . 2012-11-02 14:28 -------- d-----w- c:\programdata\Microsoft Help
    2012-10-30 13:04 . 2012-10-30 13:04 -------- d-----r- C:\MSOCache
    2012-10-29 23:36 . 2012-10-29 19:46 -------- d-----w- c:\windows\Panther
    2012-10-29 21:47 . 2012-10-30 13:08 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2012-10-29 21:37 . 2012-10-29 21:37 -------- d-----w- c:\windows\SysWow64\Wat
    2012-10-29 21:37 . 2012-10-29 21:37 -------- d-----w- c:\windows\system32\Wat
    2012-10-29 21:22 . 2012-09-28 04:18 65309168 ----a-w- c:\windows\system32\MRT.exe
    2012-10-29 20:54 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-10-29 20:54 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-10-29 20:54 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-10-29 20:54 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-10-29 20:54 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-10-29 20:42 . 2012-10-29 20:42 0 ----a-w- c:\windows\ativpsrm.bin
    2012-10-29 20:40 . 2012-10-29 20:40 -------- d-----w- c:\programdata\ATI
    2012-10-29 20:40 . 2012-01-04 16:24 220288 ----a-w- c:\windows\system32\drivers\amdxhc.sys
    2012-10-29 20:40 . 2012-01-04 16:24 103552 ----a-w- c:\windows\system32\drivers\amdhub30.sys
    2012-10-29 20:39 . 2012-10-29 20:39 -------- d-----w- c:\windows\kdb
    2012-10-29 20:39 . 2012-10-29 20:39 -------- d-----w- c:\program files\AMD
    2012-10-29 20:39 . 2012-10-29 20:39 -------- d-----w- c:\program files (x86)\AMD
    2012-10-29 20:39 . 2012-10-29 20:39 -------- d-----w- c:\program files (x86)\AMD APP
    2012-10-29 20:39 . 2012-10-29 20:39 -------- d-----w- c:\program files\Common Files\ATI Technologies
    2012-10-29 20:39 . 2012-10-29 20:39 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
    2012-10-29 20:38 . 2012-10-29 20:38 -------- d-----w- c:\program files (x86)\ATI Technologies
    2012-10-29 20:34 . 2012-10-29 20:34 -------- dc----w- c:\windows\system32\DRVSTORE
    2012-10-29 20:34 . 2012-01-14 08:05 56448 ----a-w- c:\windows\system32\drivers\usbfilter.sys
    2012-10-29 20:34 . 2012-11-09 14:22 -------- d-sh--w- c:\windows\Installer
    2012-10-29 20:34 . 2012-10-29 20:39 -------- d-----w- c:\program files\ATI Technologies
    2012-10-29 20:34 . 2012-10-29 20:34 -------- d-----w- c:\program files\ATI
    2012-10-29 20:23 . 2012-08-31 18:19 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2012-10-29 20:22 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
    2012-10-29 20:20 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
    2012-10-29 20:19 . 2011-02-19 12:03 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-10-29 20:17 . 2012-10-29 20:17 -------- d-----w- c:\windows\SysWow64\sda
    2012-10-29 20:17 . 2011-08-17 18:27 9887848 ----a-w- c:\windows\SysWow64\RtsUStoricon.dll
    2012-10-29 20:17 . 2011-08-17 18:27 422504 ----a-w- c:\windows\system32\RtsUStor.dll
    2012-10-29 20:17 . 2011-08-17 18:27 251496 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
    2012-10-29 20:14 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
    2012-10-29 20:13 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
    2012-10-29 19:57 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-10-29 19:57 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-10-29 19:57 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-10-29 19:53 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-10-29 19:53 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-10-29 19:53 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-10-29 19:53 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-10-29 19:53 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-10-29 19:53 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-10-29 19:53 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-10-29 19:52 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-10-29 19:52 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-10-29 19:50 . 2012-04-13 18:34 1077760 ----a-w- c:\windows\system32\drivers\AGUx64.sys
    2012-10-29 19:46 . 2012-11-08 15:42 -------- d-----w- c:\users\tony
    2012-10-29 19:46 . 2012-10-29 19:46 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-12 20:07 . 2012-09-12 20:07 58368 ----a-w- c:\windows\SysWow64\sirenacm.dll
    2012-08-20 17:38 . 2012-10-29 20:26 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-10-30 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-13 630912]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
    "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-10-16 384800]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="userinit.exe"
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-10-19 160944]
    R3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\DRIVERS\AGUx64.sys [2012-04-13 1077760]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-29 1255736]
    S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys [2012-02-01 31872]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-09-24 27800]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-02-13 235520]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-10-16 84256]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
    S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2012-01-04 103552]
    S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2012-01-04 220288]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2011-08-17 251496]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-24 565352]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2012-06-19 880272]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2012-01-14 56448]
    S3 X6va011;X6va011;c:\windows\SysWOW64\Drivers\X6va011 [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - QWAVEDRV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-11 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-31 02:46]
    .
    2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-30 16:33]
    .
    2012-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-30 16:33]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetWorx"="c:\program files\NetWorx\networx.exe" [2012-10-11 4757904]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.ca/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va011]
    "ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va011"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-11-11 11:25:01
    ComboFix-quarantined-files.txt 2012-11-11 16:24
    .
    Pre-Run: 694,052,229,120 bytes free
    Post-Run: 694,946,426,880 bytes free
    .
    - - End Of File - - 54C245AE459CB1138A356844386BDAB1
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    ------------------------

    Click the Start Scan button.

    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  6. yinato

    yinato TS Rookie Topic Starter Posts: 38

    I can't seem to run it. I'm not getting an option to run it as an admin when I right click it.
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hm...let's do the following instead (keep TDSSKiller for now):

    RogueKiller Scan

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    • The report has been created on the desktop.
    • Next click on the ShortcutsFix
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  8. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Okay, here are the logs:

    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : tony [Admin rights]
    Mode : Scan -- Date : 11/12/2012 08:22:57
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD7500BPVT-80HXZT3 ATA Device +++++
    --- User ---
    [MBR] 987bed29dadb4197d79acb688c97a8d5
    [BSP] d6720c4ffd816d05b67069ae612e4629 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1]_S_11122012_02d0822.txt >>
    RKreport[1]_S_11122012_02d0822.txt


    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : tony [Admin rights]
    Mode : Remove -- Date : 11/12/2012 08:23:37
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 3 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD7500BPVT-80HXZT3 ATA Device +++++
    --- User ---
    [MBR] 987bed29dadb4197d79acb688c97a8d5
    [BSP] d6720c4ffd816d05b67069ae612e4629 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2]_D_11122012_02d0823.txt >>
    RKreport[1]_S_11122012_02d0822.txt ; RKreport[2]_D_11122012_02d0823.txt


    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : tony [Admin rights]
    Mode : Shortcuts HJfix -- Date : 11/12/2012 08:24:14
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 1 / Fail 0
    Quick launch: Success 1 / Fail 0
    Programs: Success 3 / Fail 0
    Start menu: Success 1 / Fail 0
    User folder: Success 71 / Fail 0
    My documents: Success 0 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 8 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 55 / Fail 0
    Backup: [NOT FOUND]
    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\CdRom0 -- 0x5 --> Skipped
    Finished : << RKreport[3]_SC_11122012_02d0824.txt >>
    RKreport[1]_S_11122012_02d0822.txt ; RKreport[2]_D_11122012_02d0823.txt ; RKreport[3]_SC_11122012_02d0824.txt
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  10. yinato

    yinato TS Rookie Topic Starter Posts: 38

    No files were detected with either scans. Also, it seems that my laptop is responding even slower after running that online scan.

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.11.12.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    tony :: TONY-SAT-PC [administrator]
    Protection: Enabled
    11/12/2012 2:39:37 PM
    mbam-log-2012-11-12 (14-39-37).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 203513
    Time elapsed: 2 minute(s), 21 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Try to run TDSSKiller once more, please.. and the following:

    • Please download SanityCheck to your Desktop from here.
    • Please close all open windows, double-click "SanitySetup.exe" and follow the prompts to install the tool.
      Please choose "I accept the agreement" and make sure to place a checkmark next to "Create a Desktop icon"
    • At the end, please click the "Finish" button. Click "Yes" and "OK" to close the next messages.
      Please close the program and restart your computer.
    • Now, please re-run the program by clicking its icon or from "Start" => "All the programs" => "SanityCheck" and click the "Analyze.." button.
    • Finally, please click "OK" and scroll down the window to copy and paste the results in your next reply.
  12. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Turns out I had to manually add the .exe extension to get TDSSKiller working...anyway, below are the logs. The TDSS log was too large, so I'm attaching it.

    No irregularities have been detected. Note that although this software does a thorough check on a number of techniques, it cannot be regarded as a guarantee that your system is not compromised.

    As always, we suggest you use a good antivirus scanner which does not make use of any controversial techniques and always practice caution when downloading files and opening email attachments.

    Note that it is not always possible to make a clear distinction between malware and legitimate products. This is because certain legitimate products resort to aggressive controversial techniques as an anti-piracy measure, to avoid debugging or for anti-competitive purposes. Antivirus or other security software may be making use of rootkit-like techniques in an attempt to hide itself from malware. Worse, such products may be involved in a controversial race along the lines of "defeat evil with its own weapons".


    About your system:

    Windows version: Windows 7 Service Pack 1, 6.1, build: 7601
    Windows dir: C:\Windows
    CPU: AuthenticAMD AMD A8-4500M APU with Radeon(tm) HD Graphics AMD586, level: 21
    4 logical processors, active mask: 15
    RAM: 8026185728 total

    Report generated on 11/13/2012 3:46:46 PM

    Attached Files:

  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
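    The "Clean up System Restore" steps in the post above, done from an elevated PowerShell prompt instead of the Control Panel dialogs. This is an added example, not part of the thread or of any tool the helper recommended; it assumes Windows 7 with System Protection enabled on C:, an English-language vssadmin (its output is localized, and the line match below depends on the English wording), and that the only shadow copies on C: are restore points (RogueKiller reported no backup on this machine, so that holds here).

```powershell
# Added example, not from the thread: create a "Clean" restore point, then purge every
# older one, which is what Disk Cleanup > More Options > System Restore and Shadow
# Copies > Clean up does (it keeps only the most recent restore point).
# Assumptions: run as Administrator on Windows 7; System Protection is enabled on C:.

# 1. Create the new restore point (same as System Protection > Create > "Clean").
Checkpoint-Computer -Description "Clean" -RestorePointType MODIFY_SETTINGS

# Restore point creation can be skipped silently (for example when System Protection
# is off or a frequency limit applies), so confirm the point exists before deleting
# anything: purging with no fresh point would leave nothing to roll back to.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
$newest = $points | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne "Clean") {
    throw "Restore point 'Clean' was not created; aborting before purging old points."
}

# 2. Count the shadow copies that back the restore points on C:.
# vssadmin prints one "Shadow Copy ID: {...}" line per copy (English output assumed).
function Get-ShadowCount {
    $out = vssadmin list shadows /for=C: 2>&1
    return @($out | Select-String -Pattern '^\s*Shadow Copy ID:').Count
}

# vssadmin can only delete /oldest, /all or one /shadow= by ID, so delete the oldest
# repeatedly until a single copy (the "Clean" point just created) remains.
while ((Get-ShadowCount) -gt 1) {
    vssadmin delete shadows /for=C: /oldest /quiet | Out-Null
}

# 3. Verify: exactly one restore point should be listed, and it should be "Clean".
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
vssadmin list shadows /for=C:
```

    If a machine also keeps shadow copies for other purposes (Windows Backup, Previous Versions), the /oldest loop would delete those as well; in that case delete by ID with vssadmin delete shadows /shadow={ID} after matching the IDs against the restore points you want gone.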
  14. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Results of screen317's Security Check version 0.99.54
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Avira Desktop
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Google Chrome 22.0.1229.96
    Google Chrome 23.0.1271.64
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
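    The Antivirus/Firewall and Process Check sections of the checkup.txt log above, reproduced with tools built into Windows 7 so the result can be rechecked later without downloading Security Check again. This is an added example and is not the Security Check tool's own code. It assumes a client edition of Windows (the root\SecurityCenter2 WMI namespace that Windows Security Center uses to track registered antivirus products does not exist on Server editions), and the decoding of the productState field is the commonly used community interpretation of an undocumented bit field, not a Microsoft specification.

```powershell
# Added example, not from the thread: recheck what Security Check reported, using
# Windows 7 built-ins (written for PowerShell 2.0, which Windows 7 ships with).

# 1. Antivirus products registered with Windows Security Center and their state.
# productState is undocumented; the usual decoding treats it as a 6-hex-digit value:
#   middle two digits: 10 = real-time protection on, 00 or 01 = off
#   last two digits:   00 = definitions up to date,  10 = out of date
# (assumed decoding; confirm against the AV product's own UI if it matters)
function Get-AvStatus {
    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {
        $hex = '{0:X6}' -f [int]$_.productState
        New-Object PSObject -Property @{
            Name     = $_.displayName
            Enabled  = ($hex.Substring(2, 2) -eq '10')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
            RawState = "0x$hex"
        }
    }
}
Get-AvStatus | Format-Table Name, Enabled, UpToDate, RawState -AutoSize

# 2. Windows Firewall state per profile. netsh is the Windows 7 way; the
# Get-NetFirewallProfile cmdlet only exists on Windows 8 / Server 2012 and later.
netsh advfirewall show allprofiles state

# 3. Running security processes, matching the log's "Process Check" section
# (mbamservice/mbamgui/mbamscheduler for Malwarebytes, avguard/avgnt for Avira).
Get-Process | Where-Object { $_.Name -match '^(mbam|avguard|avgnt)' } |
    Select-Object Name, Id, Path | Format-Table -AutoSize
```

    The log's two Chrome entries (22.0.1229.96 and 23.0.1271.64) are not an error: Chrome keeps the previous build's folder until the next restart finishes the update, so the older version disappears on its own once the browser has been restarted.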
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.


    Any other questions before I mark this topic solved?
  16. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Nope, thanks for all the help!
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great. Topic marked. :D