TechSpot

"System Check" malware partially removed

By setmostra
Dec 30, 2011
  1. My computer (Win 7, 64-bit) got infected by malware posing as a fake system utility.
    The program, named "System Check", started throwing lots of false error messages like:
    • "Hard drive clusters are partly damaged"
    • "Windows OS can't detects a free hard drive space. hard drive error."
    • "Failed to save all the components for the file: //system32"
    In addition I was unable to start Task Manager and my files started to disappear.


    What I have done so far:
    • Downloaded Process Explorer, renamed the executable and killed two suspicious processes: "BeMDscAw6xceXe" and "rcIkTucXrvMQpF"
    • Moved the executables and some similar files ("~BeMDscAw6xceXe", "~BeMDscAw6xceXer", "BeMDscAw6xceXe") from ProgramData to another directory.
    • Used Autoruns and removed one "BeMDscAw6xceXe" entry. Nothing else looked suspicious.
    • Searched the registry and removed two keys: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BeMDscAw6xceXe_RASAPI32" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BeMDscAw6xceXe_RASMANCS"
    • Removed the Deny permissions for Everyone that had been added to lots of files, using: icacls c:\ /remove:d Everyone /T /C /L
    • Removed the hidden attribute from lots of files, probably most of them.
    • Additionally I ran unhide from http://download.bleepingcomputer.com/grinler/unhide.exe

    What is still happening?
    • Explorer.exe tries to contact various sites like preview.pulpfree.com
    • When I click a link in a Google search results page I get redirected to various other pages. This happens in IE and Firefox.

    If it is of any help, see also this report: http://www.threatexpert.com/report.aspx?md5=5f0ea0d857e4685826c2adb3b0528f9e

    I will put the logs in the following posts. I should mention that I run Avira Free, up to date.

    Thank you very much for your help!
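The following PowerShell script is an added example and is not code from the original post, from TechSpot, or from any tool named in the thread. It audits a directory tree for the two kinds of collateral damage the post above describes (files whose Hidden attribute was set, and files or folders carrying an explicit Deny ACE for Everyone), which is exactly what the poster's `icacls c:\ /remove:d Everyone /T /C /L` and unhide steps repair, but it reports first and only changes anything when `-Fix` is passed, so the list can be reviewed before touching ACLs. The `-Root` parameter, the `-Fix` switch, the script file name and the small allowlist of legitimately hidden file names are my assumptions; it assumes PowerShell 3 or later and an elevated prompt.

```powershell
<#
  Added example (not from the original post). Audit a tree for files hidden by
  a rogue "system utility" and for explicit Deny ACEs granted to Everyone.
  Usage (assumed file name):  .\Audit-Collateral.ps1 -Root C:\Users\Raluca [-Fix]
#>
param(
    [Parameter(Mandatory = $true)][string]$Root,   # tree to audit (assumption: one user profile or C:\)
    [switch]$Fix                                   # without -Fix nothing is modified
)

# Names Windows hides on purpose; never "unhide" these (allowlist is my assumption).
$legitHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.ini', 'ntuser.pol')

# True when the ACE is an explicit (non-inherited) Deny for the well-known SID S-1-1-0 (Everyone).
# Comparing SIDs instead of the display name keeps this independent of the system locale.
function Test-EveryoneDeny($ace) {
    if ($ace.AccessControlType -ne 'Deny' -or $ace.IsInherited) { return $false }
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $false }   # unresolvable identity: not Everyone
    return ($sid.Value -eq 'S-1-1-0')
}

$findings = @()

# -Force is required so that hidden items are enumerated at all.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $item   = $_
    $issues = @()

    # Hidden attribute: only for files (hidden folders such as AppData are normal).
    $isHidden = ($item.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
    if (-not $item.PSIsContainer -and $isHidden -and ($legitHidden -notcontains $item.Name.ToLower())) {
        $issues += 'Hidden'
    }

    # Explicit Deny-for-Everyone ACEs: files and folders alike (icacls /T touched both).
    $acl = $null
    try { $acl = Get-Acl -LiteralPath $item.FullName } catch { }
    $denyAces = @()
    if ($acl) { $denyAces = @($acl.Access | Where-Object { Test-EveryoneDeny $_ }) }
    if ($denyAces.Count -gt 0) { $issues += 'DenyEveryone' }

    if ($issues.Count -eq 0) { return }

    $status = 'reported'
    if ($Fix) {
        try {
            if ($issues -contains 'Hidden') {
                $item.Attributes = $item.Attributes -band (-bnot [System.IO.FileAttributes]::Hidden)
            }
            if ($issues -contains 'DenyEveryone') {
                foreach ($ace in $denyAces) { [void]$acl.RemoveAccessRule($ace) }
                Set-Acl -LiteralPath $item.FullName -AclObject $acl
            }
            $status = 'fixed'
        } catch {
            $status = "error: $($_.Exception.Message)"   # e.g. ownership needed; left for manual review
        }
    }

    $findings += [pscustomobject]@{ Path = $item.FullName; Issues = ($issues -join ','); Status = $status }
}

$findings | Format-Table -AutoSize -Wrap
"{0} item(s) flagged under {1}" -f $findings.Count, $Root
```

Run it once without `-Fix` and read the list: an explicit Deny ACE for Everyone on ordinary user documents is almost never legitimate, whereas a few hidden files are, which is why the script checks the Hidden attribute on files only and keeps a short allowlist. Hidden system folders and anything the script cannot fix (for instance because ownership has to be taken first) stay in the report with an error status rather than being altered silently.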
     
  2. setmostra

    setmostra TS Rookie Topic Starter

    Logs

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.30.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Raluca :: RALUCA-PC [administrator]

    Protection: Disabled

    12/30/2011 11:00:06 AM
    mbam-log-2011-12-30 (11-00-06).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 175444
    Time elapsed: 3 minute(s), 49 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    =======================================

    GMER produces no log.

    =======================================

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by Raluca at 11:10:45 on 2011-12-30
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2935.1256 [GMT 2:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\splwow64.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0}\34F6E6E656364796F6E605F696E647 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0}\74163747C616E646D413 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0}\D4966496021403337302355636572756 : DhcpNameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Raluca\AppData\Roaming\Mozilla\Firefox\Profiles\lm5ry5n3.default\
    FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-2-7 89600]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-2-7 136360]
    R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-2-7 269480]
    R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
    R3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
    R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-30 08:59:12 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-12-30 08:59:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-28 20:31:38 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-28 20:05:23 -------- d-----w- C:\Users\Raluca\AppData\Roaming\Malwarebytes
    2011-12-28 20:05:12 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-28 18:40:11 98816 ----a-w- C:\Windows\sed.exe
    2011-12-28 18:40:11 518144 ----a-w- C:\Windows\SWREG.exe
    2011-12-28 18:40:11 256000 ----a-w- C:\Windows\PEV.exe
    2011-12-28 18:40:11 208896 ----a-w- C:\Windows\MBR.exe
    2011-12-28 17:35:54 -------- d-----w- C:\Nasty_****
    2011-12-14 09:28:30 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-14 09:28:28 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-12-14 09:28:28 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-12-14 09:28:27 3145216 ----a-w- C:\Windows\System32\win32k.sys
    2011-12-14 09:28:24 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-12-14 09:28:24 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-12-13 19:24:51 -------- d-----w- C:\Windows\SysWow64\AGEIA
    2011-12-13 19:23:40 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    .
    ==================== Find3M ====================
    .
    2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
    2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-23 15:30:57 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 11:17:53.29 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/7/2011 9:17:33 PM
    System Uptime: 12/30/2011 9:18:51 AM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0WXY9J
    Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | CPU 1 | 1971/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 113.959 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Virtual WiFi Miniport Adapter
    Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&1BCCC4E7&0&01
    Manufacturer: Microsoft
    Name: Microsoft Virtual WiFi Miniport Adapter
    PNP Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&1BCCC4E7&0&01
    Service: vwifimp
    .
    ==== System Restore Points ===================
    .
    RP80: 12/5/2011 12:09:09 AM - Scheduled Checkpoint
    RP81: 12/12/2011 12:37:31 PM - Scheduled Checkpoint
    RP82: 12/13/2011 9:23:54 PM - Installed NVIDIA PhysX
    RP83: 12/14/2011 10:00:30 PM - Windows Update
    RP85: 12/22/2011 1:17:28 AM - Scheduled Checkpoint
    RP86: 12/28/2011 8:24:58 PM - Removed Skype Toolbars
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Flash Player 11 ActiveX
    Avira AntiVir Personal - Free Antivirus
    Canon Utilities Digital Photo Professional 3.9
    Canon Utilities EOS Utility
    Combined Community Codec Pack 2010-10-10
    GIMP 2.6.11
    Guitar Pro 5.2
    Haunted Manor Lord of Mirrors Collectors Edition 1.00
    IDT Audio
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 25
    Java(TM) 6 Update 26
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Romanian) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 8.0.1 (x86 en-US)
    NVIDIA PhysX
    Picasa 3
    Realtek Ethernet Controller Driver For Windows 7
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 5.3
    SpywareBlaster 4.4
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    VLC media player 1.1.7
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/30/2011 9:39:54 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
    12/29/2011 9:05:03 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    12/29/2011 9:05:03 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    12/29/2011 10:03:30 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
    12/28/2011 6:37:23 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    12/25/2011 9:23:31 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    .
    ==== End Of File ===========================
     
  3. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  4. setmostra

    setmostra TS Rookie Topic Starter

    aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-30 23:10:29
    -----------------------------
    23:10:29.757 OS Version: Windows x64 6.1.7601 Service Pack 1
    23:10:29.757 Number of processors: 4 586 0x2505
    23:10:29.759 ComputerName: RALUCA-PC UserName: Raluca
    23:10:31.046 Initialize success
    23:11:55.036 AVAST engine defs: 11123001
    23:12:42.264 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    23:12:42.269 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 11
    23:12:42.278 Disk 0 MBR read successfully
    23:12:42.282 Disk 0 MBR scan
    23:12:42.287 Disk 0 Windows 7 default MBR code
    23:12:42.291 Disk 0 MBR hidden
    23:12:42.299 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
    23:12:42.314 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
    23:12:42.346 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
    23:12:42.353 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    23:12:42.359 Service scanning
    23:12:43.457 Modules scanning
    23:12:43.466 Disk 0 trace - called modules:
    23:12:43.511 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003387334]<<
    23:12:43.518 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003375060]
    23:12:43.524 3 CLASSPNP.SYS[fffff8800199d43f] -> nt!IofCallDriver -> [0xfffffa80030b8520]
    23:12:43.530 5 ACPI.sys[fffff88000d6c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030ce1f0]
    23:12:43.536 \Driver\atapi[0xfffffa80030a7060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003387334
    23:12:44.541 AVAST engine scan C:\Windows
    23:12:47.646 AVAST engine scan C:\Windows\system32
    23:14:51.402 AVAST engine scan C:\Windows\system32\drivers
    23:15:04.633 AVAST engine scan C:\Users\Raluca
    23:15:27.795 Disk 0 MBR has been saved successfully to "C:\Users\Raluca\Desktop\MBR.dat"
    23:15:27.799 The log file has been saved successfully to "C:\Users\Raluca\Desktop\aswMBR.txt"


    ========================================


    ComboFix 11-12-30.01 - Raluca 12/30/2011 23:24:44.3.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2935.1743 [GMT 2:00]
    Running from: c:\users\Raluca\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-30 21:53 . 2011-12-30 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-30 20:30 . 2011-12-30 20:30 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
    2011-12-30 19:00 . 2011-05-12 12:03 6144 ------w- c:\windows\system32\E4E3.tmp
    2011-12-30 18:58 . 2011-05-12 12:03 6144 ------w- c:\windows\system32\1A24.tmp
    2011-12-30 18:57 . 2011-12-30 18:57 -------- d-----w- c:\program files (x86)\Sophos
    2011-12-30 08:59 . 2011-12-30 08:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\users\Raluca\AppData\Roaming\Malwarebytes
    2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-28 17:35 . 2011-12-30 09:57 -------- d-----w- C:\Nasty_****
    2011-12-14 09:28 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 09:28 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 09:28 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 09:28 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 09:28 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 09:28 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\windows\SysWow64\AGEIA
    2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\program files (x86)\AGEIA Technologies
    2011-12-13 19:23 . 2011-12-13 19:23 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-23 15:30 . 2011-07-19 11:55 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-30_17.46.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-07 19:31 . 2011-12-30 18:46 26878 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-12-30 18:32 27872 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-02-07 19:25 . 2011-12-30 18:32 7892 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1408542232-2675205540-872438115-1000_UserData.bin
    + 2011-12-30 18:45 . 2011-12-30 18:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-30 18:45 . 2011-12-30 18:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 02:36 . 2011-12-30 16:30 624178 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-30 18:51 624178 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-30 18:51 106522 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2011-12-30 16:30 106522 c:\windows\system32\perfc009.dat
    - 2009-07-14 05:01 . 2011-12-30 10:22 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-30 18:40 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-05-09 21:24 . 2011-12-30 18:40 6947860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    R3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\E4E3.tmp [x]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - aswMBR
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-17 487424]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\users\Raluca\AppData\Roaming\Mozilla\Firefox\Profiles\lm5ry5n3.default\
    FF - prefs.js: network.proxy.type - 0
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\E4E3.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-12-31 00:12:10
    ComboFix-quarantined-files.txt 2011-12-30 22:12
    ComboFix2.txt 2011-12-30 18:03
    .
    Pre-Run: 131,779,100,672 bytes free
    Post-Run: 131,614,232,576 bytes free
    .
    - - End Of File - - 3041C06DC7035163EBF79EC8BFE4BE7C
     
  5. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Run the following Combofix fix and then post new aswMBR log.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\E4E3.tmp
    c:\windows\system32\1A24.tmp
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  6. setmostra

    setmostra TS Rookie Topic Starter

    I ran ComboFix with the script. No reboot was asked for, but after CF ended I got some "illegal operation" errors and rebooted.
    After the reboot I ran aswMBR.

    ComboFix 11-12-30.02 - Raluca 12/31/2011 0:43.4.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2935.1513 [GMT 2:00]
    Running from: c:\users\Raluca\Desktop\ComboFix.exe
    Command switches used :: c:\users\Raluca\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\1A24.tmp"
    "c:\windows\system32\E4E3.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\1A24.tmp
    c:\windows\system32\E4E3.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_MEMSWEEP2
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-30 23:12 . 2011-12-30 23:12 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-30 20:30 . 2011-12-30 20:30 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
    2011-12-30 18:57 . 2011-12-30 18:57 -------- d-----w- c:\program files (x86)\Sophos
    2011-12-30 08:59 . 2011-12-30 08:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\users\Raluca\AppData\Roaming\Malwarebytes
    2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-28 17:35 . 2011-12-30 09:57 -------- d-----w- C:\Nasty_****
    2011-12-14 09:28 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 09:28 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 09:28 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 09:28 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 09:28 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 09:28 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\windows\SysWow64\AGEIA
    2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\program files (x86)\AGEIA Technologies
    2011-12-13 19:23 . 2011-12-13 19:23 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-23 15:30 . 2011-07-19 11:55 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-30_17.46.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-07 19:31 . 2011-12-30 18:46 26878 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-12-30 18:32 27872 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-02-08 02:15 . 2011-12-31 05:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-02-08 02:15 . 2011-12-30 07:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-02-08 02:15 . 2011-12-31 05:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-02-08 02:15 . 2011-12-30 07:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-31 05:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-30 07:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-02-07 19:25 . 2011-12-30 18:32 7892 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1408542232-2675205540-872438115-1000_UserData.bin
    - 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-30 23:15 . 2011-12-30 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-30 23:15 . 2011-12-30 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-07 22:26 . 2011-12-31 06:55 282294 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 02:36 . 2011-12-30 16:30 624178 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-31 05:48 624178 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-31 05:48 106522 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2011-12-30 16:30 106522 c:\windows\system32\perfc009.dat
    - 2009-07-14 05:01 . 2011-12-30 10:22 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-30 23:14 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-07-19 13:25 . 2011-12-30 23:14 704852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-12288.dat
    - 2011-07-19 13:25 . 2011-07-19 13:25 704852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-12288.dat
    + 2011-05-09 21:24 . 2011-12-30 23:14 9365124 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    R3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]
    R3 BlackBox;BlackBox SR2; [x]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-17 487424]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
    "combofix"="c:\combofix\CF20529.3XE" [2010-11-20 345088]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\users\Raluca\AppData\Roaming\Mozilla\Firefox\Profiles\lm5ry5n3.default\
    FF - prefs.js: network.proxy.type - 0
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-31 09:12:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-31 07:12
    ComboFix2.txt 2011-12-30 22:12
    ComboFix3.txt 2011-12-30 18:03
    .
    Pre-Run: 131,655,385,088 bytes free
    Post-Run: 131,207,516,160 bytes free
    .
    - - End Of File - - 16EED6E0EA3FDDBC8C96FB903FF89507



    ==============================================


    aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-30 23:10:29
    -----------------------------
    23:10:29.757 OS Version: Windows x64 6.1.7601 Service Pack 1
    23:10:29.757 Number of processors: 4 586 0x2505
    23:10:29.759 ComputerName: RALUCA-PC UserName: Raluca
    23:10:31.046 Initialize success
    23:11:55.036 AVAST engine defs: 11123001
    23:12:42.264 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    23:12:42.269 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 11
    23:12:42.278 Disk 0 MBR read successfully
    23:12:42.282 Disk 0 MBR scan
    23:12:42.287 Disk 0 Windows 7 default MBR code
    23:12:42.291 Disk 0 MBR hidden
    23:12:42.299 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
    23:12:42.314 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
    23:12:42.346 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
    23:12:42.353 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    23:12:42.359 Service scanning
    23:12:43.457 Modules scanning
    23:12:43.466 Disk 0 trace - called modules:
    23:12:43.511 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003387334]<<
    23:12:43.518 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003375060]
    23:12:43.524 3 CLASSPNP.SYS[fffff8800199d43f] -> nt!IofCallDriver -> [0xfffffa80030b8520]
    23:12:43.530 5 ACPI.sys[fffff88000d6c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030ce1f0]
    23:12:43.536 \Driver\atapi[0xfffffa80030a7060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003387334
    23:12:44.541 AVAST engine scan C:\Windows
    23:12:47.646 AVAST engine scan C:\Windows\system32
    23:14:51.402 AVAST engine scan C:\Windows\system32\drivers
    23:15:04.633 AVAST engine scan C:\Users\Raluca
    23:15:27.795 Disk 0 MBR has been saved successfully to "C:\Users\Raluca\Desktop\MBR.dat"
    23:15:27.799 The log file has been saved successfully to "C:\Users\Raluca\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-31 09:17:52
    -----------------------------
    09:17:52.334 OS Version: Windows x64 6.1.7601 Service Pack 1
    09:17:52.334 Number of processors: 4 586 0x2505
    09:17:52.335 ComputerName: RALUCA-PC UserName: Raluca
    09:17:53.931 Initialize success
    09:19:12.628 AVAST engine defs: 11123001
    09:20:01.292 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    09:20:01.302 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 11
    09:20:01.317 Disk 0 MBR read successfully
    09:20:01.320 Disk 0 MBR scan
    09:20:01.326 Disk 0 Windows 7 default MBR code
    09:20:01.328 Disk 0 MBR hidden
    09:20:01.371 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
    09:20:01.398 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
    09:20:01.441 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
    09:20:01.528 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    09:20:01.538 Service scanning
    09:20:15.645 Modules scanning
    09:20:15.653 Disk 0 trace - called modules:
    09:20:15.807 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003385334]<<
    09:20:15.816 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800336f060]
    09:20:15.826 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80030ff520]
    09:20:15.833 5 ACPI.sys[fffff88000ef57a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030fb680]
    09:20:15.839 \Driver\atapi[0xfffffa80030b3550] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003385334
    09:20:20.260 AVAST engine scan C:\Windows
    09:20:27.116 AVAST engine scan C:\Windows\system32
    09:24:00.216 AVAST engine scan C:\Windows\system32\drivers
    09:24:15.161 AVAST engine scan C:\Users\Raluca
    09:24:28.524 Disk 0 MBR has been saved successfully to "C:\Users\Raluca\Desktop\MBR.dat"
    09:24:28.555 The log file has been saved successfully to "C:\Users\Raluca\Desktop\aswMBR.txt"
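    As an added triage example (not code from the thread, from aswMBR or from the helper's toolkit): a small Python parser that reads the partition and driver-trace lines aswMBR prints and flags the indicators visible in the two logs above. The embedded sample log is constructed from the lines posted above; the hidden-partition type set and the 16 MB "tiny partition" threshold are this example's own assumptions.

```python
"""Triage helper for aswMBR logs (added example, not part of the thread).

Flags four things the log above shows: the scanner's own **INFECTED**
verdict, an MBR reported as hidden, an unknown module in the disk I/O
path, and an active (bootable) flag on a tiny hidden partition placed at
the end of the disk, which is how the flagged bootkit keeps its own code.
"""
import re
from dataclasses import dataclass

# Partition type IDs with the 0x10 "hidden" bit set on common FAT/NTFS
# types (assumption of this example; aswMBR also prints "Hidd" for them).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TINY_MB = 16  # threshold chosen for this example

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (?P<msg>.*)$")
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) "
    r"(?P<boot>[0-9A-Fa-f]{2})(?: \(A\))? (?P<type>[0-9A-Fa-f]{2}) "
    r"(?P<desc>.+?) (?P<size_mb>\d+) MB offset (?P<offset>\d+)$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")

# Constructed sample: abridged from the aswMBR lines posted in this thread.
SAMPLE_LOG = """\
23:12:42.287 Disk 0 Windows 7 default MBR code
23:12:42.291 Disk 0 MBR hidden
23:12:42.299 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
23:12:42.314 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
23:12:42.346 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
23:12:42.353 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
23:12:43.511 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003387334]<<
"""

# Constructed clean layout: the 100 MB System Reserved partition is active.
CLEAN_LOG = """\
10:00:00.000 Disk 0 Windows 7 default MBR code
10:00:00.010 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
10:00:00.020 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
10:00:00.030 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys
"""


@dataclass
class Partition:
    disk: int
    num: int
    active: bool   # boot indicator byte == 0x80
    ptype: int     # partition type byte
    desc: str
    size_mb: int
    offset: int    # first sector (LBA)


def messages(log: str):
    """Yield the message part of every timestamped aswMBR line."""
    for line in log.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            yield m.group("msg")


def parse_partitions(log: str) -> list:
    """Parse the 'Disk N Partition M ...' table lines into Partition records."""
    parts = []
    for msg in messages(log):
        m = PART_RE.search(msg)
        if m:
            parts.append(Partition(
                disk=int(m["disk"]), num=int(m["num"]),
                active=int(m["boot"], 16) == 0x80,
                ptype=int(m["type"], 16), desc=m["desc"],
                size_mb=int(m["size_mb"]), offset=int(m["offset"])))
    return parts


def triage(log: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for msg in messages(log):
        if msg.endswith("MBR hidden"):
            findings.append("MBR hidden: aswMBR reports the MBR as hidden from the OS")
        if "**INFECTED**" in msg:
            findings.append("scanner verdict: " + msg)
        u = UNKNOWN_RE.search(msg)
        if u:  # a module the tool cannot name sits in the storage stack trace
            findings.append(f"unknown module in disk I/O path at {u['addr']}")
    parts = parse_partitions(log)
    for p in parts:
        if not p.active:
            continue
        last_on_disk = p.offset == max(q.offset for q in parts if q.disk == p.disk)
        if p.ptype in HIDDEN_TYPES:
            findings.append(f"active flag on hidden partition {p.num} (type 0x{p.ptype:02X})")
        if p.size_mb <= TINY_MB and last_on_disk:
            findings.append(f"active partition {p.num} is only {p.size_mb} MB "
                            f"at the end of disk {p.disk}")
    return findings


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        print(f"{name}: {triage(log) or 'no findings'}")
```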
     
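The aswMBR log above is the key finding in this thread: partition 3 is 1 MB, carries the active (0x80) boot flag, has the hidden-NTFS type 0x17, and sits at the very end of the disk, which is the on-disk footprint aswMBR labels MBR:Alureon-K. The script below is an added example, not part of the thread and not aswMBR's or TDSSKiller's code: it parses a 512-byte MBR sector (the layout of the MBR.dat that aswMBR saved to the desktop) and applies those same heuristics to the partition table. The sample MBR it builds is constructed from the partition geometry printed in the log (MB values converted to 512-byte sectors, so starts and sizes are rounded, not copied from the real disk); pass a path to a real MBR.dat and the disk size in sectors to check a saved sector instead.

```python
"""Parse an MBR partition table and flag a hidden active tail partition.

Added example for the aswMBR log above; not code from the thread or from any
tool named in it. The sample sector is CONSTRUCTED from the log's geometry.
"""
import struct
import sys

SECTOR = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # boot flag, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x17: "hidden HPFS/NTFS", 0x1b: "hidden FAT32",
                0x1c: "hidden FAT32 LBA", 0x1e: "hidden FAT16 LBA"}

# Disk size from the log: 305245 MB, at 2048 sectors per MB (assumption: 512-byte sectors).
DISK_SECTORS = 305245 * 2048


def build_entry(boot_flag, ptype, start_lba, num_sectors):
    """One partition-table entry; CHS fields are zeroed, Windows uses the LBA fields."""
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0", start_lba, num_sectors)


def build_sample_mbr():
    """CONSTRUCTED sector mirroring the three partitions aswMBR listed for Disk 0."""
    entries = [
        build_entry(0x00, 0x07, 2048, 100 * 2048),          # Partition 1: NTFS, 100 MB
        build_entry(0x00, 0x07, 206848, 305143 * 2048),     # Partition 2: NTFS, 305143 MB
        build_entry(0x80, 0x17, 625139712, 1 * 2048),       # Partition 3: active, hidden NTFS, 1 MB
    ]
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")  # fourth slot empty
    return (b"\0" * PART_TABLE_OFFSET) + table + MBR_SIGNATURE


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:] != MBR_SIGNATURE:
        raise ValueError("expected a 512-byte sector ending in 0x55AA")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        boot, _chs_s, ptype, _chs_e, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype != 0:                                      # type 0 means an unused slot
            parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                          "start": start, "sectors": count})
    return parts


def suspicious_partitions(parts, disk_sectors, tail_mb=16):
    """Heuristics modelled on what aswMBR reported; an entry with two or more hits is returned.

    - hidden filesystem type code (0x17 is what the log shows)
    - active flag on a partition other than partition 1 (Windows 7 default layout boots from 1)
    - tiny partition placed inside the last `tail_mb` MB of the disk
    - partition extending past the end of the disk
    """
    tail = tail_mb * 2048
    found = []
    for p in parts:
        end = p["start"] + p["sectors"]
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append("type 0x%02x (%s)" % (p["type"], HIDDEN_TYPES[p["type"]]))
        if p["active"] and p["index"] != 1:
            reasons.append("active flag on partition %d instead of partition 1" % p["index"])
        if p["sectors"] <= tail and end >= disk_sectors - tail:
            reasons.append("%d KB partition within the last %d MB of the disk" % (p["sectors"] // 2, tail_mb))
        if end > disk_sectors:
            reasons.append("extends past the end of the disk")
        if len(reasons) >= 2:
            found.append((p["index"], reasons))
    return found


def main(argv):
    """Usage: mbrcheck.py [MBR.dat DISK_SECTORS]; with no arguments the constructed sample is used."""
    if len(argv) >= 3:
        with open(argv[1], "rb") as fh:
            mbr = fh.read(SECTOR)
        disk_sectors = int(argv[2])
    else:
        mbr, disk_sectors = build_sample_mbr(), DISK_SECTORS
    parts = parse_mbr(mbr)
    for p in parts:
        print("Partition %d %s type 0x%02x start %d sectors %d" %
              (p["index"], "80" if p["active"] else "00", p["type"], p["start"], p["sectors"]))
    for index, reasons in suspicious_partitions(parts, disk_sectors):
        print("SUSPICIOUS partition %d: %s" % (index, "; ".join(reasons)))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sector the script flags only partition 3, for all of the first three reasons; partitions 1 and 2 trip none. A real check should also compare the MBR boot code against a known-good copy, because a bootkit's loader lives in those first 446 bytes and in the hidden partition's contents, not in the table entries this script inspects.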
  7. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  8. setmostra

    setmostra TS Rookie Topic Starter

    I tried to run TDSSKiller but with no success: after the UAC prompt nothing happens and no log file is found.

    I tried also to save to desktop under another random name. No success either.


    Thank you very much for your help and Happy New Year!!!
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

    • Double click on downloaded file to run it.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log (FRST.txt) on your desktop.
    • Please copy and paste it to your reply.
     
  10. setmostra

    setmostra TS Rookie Topic Starter

    Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.1
    Ran by Raluca at 2011-12-31 21:15:03
    Running from C:\Users\Raluca\Desktop
    Service Pack 1 (X64) OS Language: English(US)
    Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

    ========================== Registry (Whitelisted) =============

    HKLM\...\Winlogon: [Userinit]
    HKLM-x32\...\Winlogon: [Userinit]
    HKLM\...\Winlogon: [Shell]
    HKLM-x32\...\Winlogon: [Shell] [x x] ()

    ==================== Services (Whitelisted) ======


    ========================== Drivers (Whitelisted) =============


    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2011-12-31 21:14 - 2011-12-31 21:14 - 1377537 ____A C:\Users\Raluca\Desktop\FRST64.exe
    2011-12-31 20:25 - 2011-12-31 20:25 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\lkjoijoqiwjoiqjoifqj.exe
    2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller(1).exe
    2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\tdsskiller.exe
    2011-12-31 19:02 - 2011-12-31 19:07 - 77086912 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\msert.exe
    2011-12-31 18:03 - 2011-12-31 18:03 - 0000000 ____D C:\Users\Raluca\Downloads\TCPView
    2011-12-31 18:02 - 2011-12-31 18:02 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView(1).zip
    2011-12-31 10:03 - 2011-12-31 10:03 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView.zip
    2011-12-31 09:15 - 2011-12-31 09:15 - 0000000 __SHD C:\$RECYCLE.BIN
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
    2011-12-31 00:35 - 2011-12-31 09:13 - 0000000 ____D C:\ComboFix
    2011-12-30 23:16 - 2011-12-31 00:33 - 4358014 ____R (Swearware) C:\Users\Raluca\Desktop\ComboFix.exe
    2011-12-30 23:15 - 2011-12-31 09:24 - 0000512 ____A C:\Users\Raluca\Desktop\MBR.dat
    2011-12-30 22:58 - 2011-12-30 22:58 - 2721168 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\Windows7-USB-DVD-tool.exe
    2011-12-30 22:49 - 2011-12-30 22:50 - 0000000 ____D C:\Users\Raluca\Downloads\qwsqws
    2011-12-30 22:48 - 2011-12-30 22:48 - 0231390 ____A C:\Users\Raluca\Downloads\RootkitRevealer.zip
    2011-12-30 22:39 - 2011-12-30 22:39 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\iexplore.com
    2011-12-30 22:30 - 2011-12-30 22:30 - 0035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys
    2011-12-30 21:23 - 2011-12-30 21:24 - 0139264 ____A () C:\Users\Raluca\Downloads\RKUnhookerLE.EXE
    2011-12-30 21:06 - 2011-12-30 21:06 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller.exe
    2011-12-30 20:57 - 2011-12-30 20:57 - 1410192 ____A C:\Users\Raluca\Downloads\sar_15_sfx.exe
    2011-12-30 20:57 - 2011-12-30 20:57 - 0000000 ____D C:\Program Files (x86)\Sophos
    2011-12-30 20:51 - 2011-12-30 20:52 - 0000000 ____D C:\Users\Raluca\Downloads\bootkit_remover
    2011-12-30 20:51 - 2011-12-30 20:51 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover(1).zip
    2011-12-30 20:41 - 2011-12-31 18:16 - 0388676 ____A C:\Windows\ntbtlog.txt
    2011-12-30 20:37 - 2011-12-30 20:37 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover.zip
    2011-12-30 20:34 - 2011-12-30 23:09 - 4702720 ____A (AVAST Software) C:\Users\Raluca\Downloads\aswMBR.exe
    2011-12-30 20:25 - 2011-12-30 20:27 - 0000000 ____D C:\Users\Raluca\Downloads\qwekjdhwkjhkjwtdsskiller
    2011-12-30 20:25 - 2011-12-30 20:25 - 1558406 ____A C:\Users\Raluca\Downloads\tdsskiller.zip
    2011-12-30 20:17 - 2011-12-30 20:17 - 1008141 ____A C:\Users\Raluca\Downloads\rkill.com
    2011-12-30 19:07 - 2011-06-26 08:45 - 0256000 ____A C:\Windows\PEV.exe
    2011-12-30 19:07 - 2010-11-07 19:20 - 0208896 ____A C:\Windows\MBR.exe
    2011-12-30 19:07 - 2000-08-31 02:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2011-12-30 19:07 - 2000-08-31 02:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2011-12-30 19:07 - 2000-08-31 02:00 - 0098816 ____A C:\Windows\sed.exe
    2011-12-30 19:07 - 2000-08-31 02:00 - 0080412 ____A C:\Windows\grep.exe
    2011-12-30 19:07 - 2000-08-31 02:00 - 0068096 ____A C:\Windows\zip.exe
    2011-12-30 19:05 - 2011-12-31 09:13 - 0000000 ____D C:\Qoobox
    2011-12-30 19:04 - 2011-12-30 19:04 - 4356196 ____R (Swearware) C:\Users\Raluca\Downloads\ComboFix.exe
    2011-12-30 11:09 - 2011-12-30 11:09 - 0607260 ____R (Swearware) C:\Users\Raluca\Downloads\dds.scr
    2011-12-30 11:05 - 2011-12-30 11:05 - 0302592 ____A C:\Users\Raluca\Downloads\xvzexw70.exe
    2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2011-12-30 10:59 - 2011-12-30 10:59 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-30 10:40 - 2011-12-30 10:40 - 0684297 ____A C:\Users\Raluca\Downloads\unhide.exe
    2011-12-29 22:03 - 2011-12-30 19:00 - 0012439 ____A C:\Users\Raluca\Desktop\System Check.docx
    2011-12-28 23:21 - 2011-12-30 11:45 - 0000199 ____A C:\Users\Raluca\Desktop\anti_vir_notes.txt
    2011-12-28 23:10 - 2011-12-28 23:10 - 0004849 ____A C:\Users\Raluca\Downloads\fix_desktop.reg
    2011-12-28 22:08 - 2011-12-28 22:08 - 0302592 ____A C:\Users\Raluca\Downloads\pzg6kin8.exe
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\Application Data\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\ProgramData\Malwarebytes
    2011-12-28 21:04 - 2011-10-16 19:35 - 0001864 ____A C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    2011-12-28 21:04 - 2011-02-07 22:53 - 0000834 ____A C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    2011-12-28 21:01 - 2011-02-08 20:51 - 0001137 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    2011-12-28 21:01 - 2011-02-08 20:51 - 0001137 ____A C:\Users\All Users\Desktop\Yahoo! Messenger.lnk
    2011-12-28 21:01 - 2011-02-08 20:07 - 0001106 ____A C:\Users\Public\Desktop\Picasa 3.lnk
    2011-12-28 21:01 - 2011-02-08 20:07 - 0001106 ____A C:\Users\All Users\Desktop\Picasa 3.lnk
    2011-12-28 20:40 - 2009-04-20 06:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2011-12-28 20:39 - 2011-12-31 01:13 - 0000000 ____D C:\Windows\ERDNT
    2011-12-28 19:35 - 2011-12-30 11:57 - 0000000 ____D C:\Nasty_****
    2011-12-28 19:21 - 2011-12-28 19:21 - 0000000 ____D C:\Users\Raluca\Downloads\uniextract161_noinst
    2011-12-28 19:20 - 2011-12-28 19:20 - 5186991 ____A C:\Users\Raluca\Downloads\uniextract161_noinst.rar
    2011-12-28 19:07 - 2011-12-28 19:08 - 0000000 ____D C:\Users\Raluca\Downloads\xvi32
    2011-12-28 19:05 - 2011-12-28 19:05 - 0571004 ____A C:\Users\Raluca\Downloads\xvi32.zip
    2011-12-28 18:50 - 2011-12-28 18:50 - 0000000 ____D C:\Users\Raluca\Downloads\Autoruns
    2011-12-28 18:49 - 2011-12-28 18:49 - 0532781 ____A C:\Users\Raluca\Downloads\Autoruns.zip
    2011-12-28 18:46 - 2011-12-31 18:18 - 0000000 ____D C:\Users\Raluca\Downloads\ProcessExplorer
    2011-12-28 18:45 - 2011-12-28 18:46 - 1851394 ____A C:\Users\Raluca\Downloads\ProcessExplorer.zip
    2011-12-26 00:13 - 2011-12-26 00:13 - 4095614 ____A C:\Users\Raluca\Downloads\Ugly Kid Joe - Cats In The Cradle.mp3
    2011-12-26 00:12 - 2011-12-26 00:12 - 3933027 ____A C:\Users\Raluca\Downloads\Let it be.mp3
    2011-12-26 00:03 - 2011-12-26 00:03 - 2903176 ____A C:\Users\Raluca\Downloads\Bob Marley- Three Little Birds (With Lyrics!).mp3
    2011-12-25 23:39 - 2011-12-25 23:39 - 4566236 ____A C:\Users\Raluca\Downloads\R.E.M. - Losing My Religion (Video).mp3
    2011-12-25 23:38 - 2011-12-26 00:13 - 0000000 ____D C:\Users\Raluca\Desktop\I AM A DOLPHIN
    2011-12-18 18:25 - 2011-12-19 19:57 - 0000000 ____D C:\Users\Raluca\Desktop\rage faces
    2011-12-15 21:58 - 2011-12-15 21:58 - 0000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
    2011-12-14 22:04 - 2011-11-04 04:38 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2011-12-14 22:04 - 2011-11-04 03:59 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2011-12-14 22:04 - 2011-11-04 03:53 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2011-12-14 22:04 - 2011-11-04 03:46 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2011-12-14 22:04 - 2011-11-04 03:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2011-12-14 22:04 - 2011-11-04 03:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2011-12-14 22:04 - 2011-11-04 03:43 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2011-12-14 22:04 - 2011-11-04 03:41 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2011-12-14 22:04 - 2011-11-04 03:39 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2011-12-14 22:04 - 2011-11-04 03:36 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2011-12-14 22:04 - 2011-11-04 03:35 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2011-12-14 22:04 - 2011-11-04 03:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2011-12-14 22:04 - 2011-11-04 03:30 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2011-12-14 22:04 - 2011-11-04 01:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2011-12-14 22:04 - 2011-11-04 00:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2011-12-14 22:04 - 2011-11-04 00:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2011-12-14 22:04 - 2011-11-04 00:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2011-12-14 22:04 - 2011-11-04 00:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2011-12-14 22:04 - 2011-11-04 00:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2011-12-14 22:04 - 2011-11-04 00:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2011-12-14 22:04 - 2011-11-04 00:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2011-12-14 22:04 - 2011-11-04 00:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2011-12-14 22:04 - 2011-11-04 00:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2011-12-14 22:04 - 2011-11-04 00:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2011-12-14 22:04 - 2011-11-04 00:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2011-12-14 22:04 - 2011-11-04 00:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2011-12-14 11:28 - 2011-11-24 06:52 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2011-12-14 11:28 - 2011-11-05 07:32 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2011-12-14 11:28 - 2011-11-05 06:26 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
    2011-12-14 11:28 - 2011-10-26 07:21 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
    2011-12-14 11:28 - 2011-10-15 08:31 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
    2011-12-14 11:28 - 2011-10-15 07:38 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
    2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Windows\SysWOW64\AGEIA
    2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Program Files (x86)\AGEIA Technologies
    2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\My Documents\My Games
    2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\Documents\My Games
    2011-12-13 21:20 - 2011-12-13 21:20 - 0001283 ____A C:\Users\Raluca\Desktop\Borderlands.lnk
    2011-12-09 10:19 - 2008-01-24 14:32 - 0094720 ____A C:\Users\Raluca\Downloads\Ion de Liviu Rebreanu - Rezumat.doc
    2011-12-09 10:18 - 2011-12-09 10:18 - 0023884 ____A C:\Users\Raluca\Downloads\referat.clopotel.ro_13263.zip
    2011-12-08 21:14 - 2011-12-16 20:43 - 0000000 ____D C:\Users\Raluca\Desktop\romanul
    2011-12-06 21:20 - 2011-12-26 01:44 - 0000000 ____D C:\Users\Raluca\Desktop\DR.Pepper
    2011-12-01 20:36 - 2011-12-06 21:21 - 0000000 ____D C:\Users\Raluca\Desktop\fuuuuuuuuuu


    ============ 3 Months Modified Files and Folders =============

    2011-12-31 21:15 - 2011-12-31 21:14 - 0000000 ____D C:\FRST
    2011-12-31 21:14 - 2011-12-31 21:14 - 1377537 ____A C:\Users\Raluca\Desktop\FRST64.exe
    2011-12-31 21:14 - 2009-07-14 07:13 - 0726316 ____A C:\Windows\System32\PerfStringBackup.INI
    2011-12-31 20:25 - 2011-12-31 20:25 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\lkjoijoqiwjoiqjoifqj.exe
    2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller(1).exe
    2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\tdsskiller.exe
    2011-12-31 20:20 - 2011-02-07 21:17 - 1473181 ____A C:\Windows\WindowsUpdate.log
    2011-12-31 19:28 - 2011-04-18 17:58 - 0000000 ____D C:\Users\Raluca\Desktop\Everything Teen Press Related
    2011-12-31 19:07 - 2011-12-31 19:02 - 77086912 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\msert.exe
    2011-12-31 18:34 - 2009-07-14 06:45 - 0021200 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2011-12-31 18:34 - 2009-07-14 06:45 - 0021200 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2011-12-31 18:27 - 2011-02-08 04:11 - 2307932160 __ASH C:\hiberfil.sys
    2011-12-31 18:27 - 2009-07-14 07:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
    2011-12-31 18:27 - 2009-07-14 06:51 - 0033104 ____A C:\Windows\setupact.log
    2011-12-31 18:18 - 2011-12-28 18:46 - 0000000 ____D C:\Users\Raluca\Downloads\ProcessExplorer
    2011-12-31 18:16 - 2011-12-30 20:41 - 0388676 ____A C:\Windows\ntbtlog.txt
    2011-12-31 18:03 - 2011-12-31 18:03 - 0000000 ____D C:\Users\Raluca\Downloads\TCPView
    2011-12-31 18:02 - 2011-12-31 18:02 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView(1).zip
    2011-12-31 10:03 - 2011-12-31 10:03 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView.zip
    2011-12-31 09:24 - 2011-12-30 23:15 - 0000512 ____A C:\Users\Raluca\Desktop\MBR.dat
    2011-12-31 09:15 - 2011-12-31 09:15 - 0000000 __SHD C:\$RECYCLE.BIN
    2011-12-31 09:13 - 2011-12-31 00:35 - 0000000 ____D C:\ComboFix
    2011-12-31 09:13 - 2011-12-30 19:05 - 0000000 ____D C:\Qoobox
    2011-12-31 08:56 - 2009-07-14 04:34 - 0000215 ____A C:\Windows\system.ini
    2011-12-31 08:55 - 2009-07-14 04:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
    2011-12-31 01:15 - 2011-02-07 21:57 - 0030138 ____A C:\Windows\PFRO.log
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
    2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
    2011-12-31 01:14 - 2009-07-14 04:34 - 54788096 ____A C:\Windows\System32\config\SOFTWARE.bak
    2011-12-31 01:14 - 2009-07-14 04:34 - 16252928 ____A C:\Windows\System32\config\SYSTEM.bak
    2011-12-31 01:14 - 2009-07-14 04:34 - 0262144 ____A C:\Windows\System32\config\SECURITY.bak
    2011-12-31 01:14 - 2009-07-14 04:34 - 0262144 ____A C:\Windows\System32\config\SAM.bak
    2011-12-31 01:14 - 2009-07-14 04:34 - 0262144 ____A C:\Windows\System32\config\DEFAULT.bak
    2011-12-31 01:13 - 2011-12-28 20:39 - 0000000 ____D C:\Windows\ERDNT
    2011-12-31 00:33 - 2011-12-30 23:16 - 4358014 ____R (Swearware) C:\Users\Raluca\Desktop\ComboFix.exe
    2011-12-30 23:09 - 2011-12-30 20:34 - 4702720 ____A (AVAST Software) C:\Users\Raluca\Downloads\aswMBR.exe
    2011-12-30 22:58 - 2011-12-30 22:58 - 2721168 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\Windows7-USB-DVD-tool.exe
    2011-12-30 22:50 - 2011-12-30 22:49 - 0000000 ____D C:\Users\Raluca\Downloads\qwsqws
    2011-12-30 22:48 - 2011-12-30 22:48 - 0231390 ____A C:\Users\Raluca\Downloads\RootkitRevealer.zip
    2011-12-30 22:39 - 2011-12-30 22:39 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\iexplore.com
    2011-12-30 22:30 - 2011-12-30 22:30 - 0035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys
    2011-12-30 21:24 - 2011-12-30 21:23 - 0139264 ____A () C:\Users\Raluca\Downloads\RKUnhookerLE.EXE
    2011-12-30 21:06 - 2011-12-30 21:06 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller.exe
    2011-12-30 20:57 - 2011-12-30 20:57 - 1410192 ____A C:\Users\Raluca\Downloads\sar_15_sfx.exe
    2011-12-30 20:57 - 2011-12-30 20:57 - 0000000 ____D C:\Program Files (x86)\Sophos
    2011-12-30 20:52 - 2011-12-30 20:51 - 0000000 ____D C:\Users\Raluca\Downloads\bootkit_remover
    2011-12-30 20:51 - 2011-12-30 20:51 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover(1).zip
    2011-12-30 20:37 - 2011-12-30 20:37 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover.zip
    2011-12-30 20:27 - 2011-12-30 20:25 - 0000000 ____D C:\Users\Raluca\Downloads\qwekjdhwkjhkjwtdsskiller
    2011-12-30 20:25 - 2011-12-30 20:25 - 1558406 ____A C:\Users\Raluca\Downloads\tdsskiller.zip
    2011-12-30 20:17 - 2011-12-30 20:17 - 1008141 ____A C:\Users\Raluca\Downloads\rkill.com
    2011-12-30 19:04 - 2011-12-30 19:04 - 4356196 ____R (Swearware) C:\Users\Raluca\Downloads\ComboFix.exe
    2011-12-30 19:00 - 2011-12-29 22:03 - 0012439 ____A C:\Users\Raluca\Desktop\System Check.docx
    2011-12-30 11:57 - 2011-12-28 19:35 - 0000000 ____D C:\Nasty_****
    2011-12-30 11:45 - 2011-12-28 23:21 - 0000199 ____A C:\Users\Raluca\Desktop\anti_vir_notes.txt
    2011-12-30 11:09 - 2011-12-30 11:09 - 0607260 ____R (Swearware) C:\Users\Raluca\Downloads\dds.scr
    2011-12-30 11:05 - 2011-12-30 11:05 - 0302592 ____A C:\Users\Raluca\Downloads\xvzexw70.exe
    2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2011-12-30 10:59 - 2011-12-30 10:59 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-30 10:40 - 2011-12-30 10:40 - 0684297 ____A C:\Users\Raluca\Downloads\unhide.exe
    2011-12-28 23:10 - 2011-12-28 23:10 - 0004849 ____A C:\Users\Raluca\Downloads\fix_desktop.reg
    2011-12-28 22:08 - 2011-12-28 22:08 - 0302592 ____A C:\Users\Raluca\Downloads\pzg6kin8.exe
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\Application Data\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\ProgramData\Malwarebytes
    2011-12-28 21:42 - 2009-07-14 05:20 - 0000000 ___RD C:\users\Public
    2011-12-28 21:42 - 2009-07-14 05:20 - 0000000 ___RD C:\users\Default
    2011-12-28 21:17 - 2009-07-14 07:32 - 0000000 ____D C:\Windows\Downloaded Program Files
    2011-12-28 20:25 - 2011-04-24 22:55 - 0000000 ___RD C:\Program Files (x86)\Skype
    2011-12-28 20:02 - 2011-02-08 16:32 - 0000000 ____D C:\Users\Raluca\Desktop\Claudia
    2011-12-28 19:21 - 2011-12-28 19:21 - 0000000 ____D C:\Users\Raluca\Downloads\uniextract161_noinst
    2011-12-28 19:20 - 2011-12-28 19:20 - 5186991 ____A C:\Users\Raluca\Downloads\uniextract161_noinst.rar
    2011-12-28 19:08 - 2011-12-28 19:07 - 0000000 ____D C:\Users\Raluca\Downloads\xvi32
    2011-12-28 19:05 - 2011-12-28 19:05 - 0571004 ____A C:\Users\Raluca\Downloads\xvi32.zip
    2011-12-28 18:50 - 2011-12-28 18:50 - 0000000 ____D C:\Users\Raluca\Downloads\Autoruns
    2011-12-28 18:49 - 2011-12-28 18:49 - 0532781 ____A C:\Users\Raluca\Downloads\Autoruns.zip
    2011-12-28 18:46 - 2011-12-28 18:45 - 1851394 ____A C:\Users\Raluca\Downloads\ProcessExplorer.zip
    2011-12-28 18:07 - 2011-03-01 23:03 - 0000000 ____D C:\Users\Raluca\Desktop\Stuffzuh
    2011-12-28 18:07 - 2011-02-07 21:30 - 0002046 ____A C:\Users\Raluca\My Documents\Default.rdp
    2011-12-28 18:07 - 2011-02-07 21:30 - 0002046 ____A C:\Users\Raluca\Documents\Default.rdp
    2011-12-26 01:44 - 2011-12-06 21:20 - 0000000 ____D C:\Users\Raluca\Desktop\DR.Pepper
    2011-12-26 01:44 - 2011-03-10 19:50 - 0000000 ____D C:\Users\Raluca\Desktop\Tabss
    2011-12-26 01:44 - 2011-03-01 23:04 - 0000000 ____D C:\Users\Raluca\Desktop\WORD Docs
    2011-12-26 01:42 - 2011-09-07 16:16 - 0000000 ____D C:\Users\Raluca\Desktop\puls
    2011-12-26 00:13 - 2011-12-26 00:13 - 4095614 ____A C:\Users\Raluca\Downloads\Ugly Kid Joe - Cats In The Cradle.mp3
    2011-12-26 00:13 - 2011-12-25 23:38 - 0000000 ____D C:\Users\Raluca\Desktop\I AM A DOLPHIN
    2011-12-26 00:12 - 2011-12-26 00:12 - 3933027 ____A C:\Users\Raluca\Downloads\Let it be.mp3
    2011-12-26 00:03 - 2011-12-26 00:03 - 2903176 ____A C:\Users\Raluca\Downloads\Bob Marley- Three Little Birds (With Lyrics!).mp3
    2011-12-25 23:39 - 2011-12-25 23:39 - 4566236 ____A C:\Users\Raluca\Downloads\R.E.M. - Losing My Religion (Video).mp3
    2011-12-20 00:45 - 2011-05-06 21:46 - 0000000 ____D C:\Users\Raluca\Desktop\GIFFFFFF
    2011-12-19 19:57 - 2011-12-18 18:25 - 0000000 ____D C:\Users\Raluca\Desktop\rage faces
    2011-12-18 20:33 - 2011-07-17 15:36 - 0000000 ____D C:\Users\Raluca\Desktop\photo
    2011-12-18 17:19 - 2011-02-08 16:32 - 0000000 ____D C:\Users\Raluca\Desktop\People and Pictures
    2011-12-16 20:43 - 2011-12-08 21:14 - 0000000 ____D C:\Users\Raluca\Desktop\romanul
    2011-12-16 18:51 - 2011-07-14 13:26 - 0000000 ____D C:\Users\Raluca\Desktop\NEW tribute ****
    2011-12-15 21:58 - 2011-12-15 21:58 - 0000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
    2011-12-15 20:56 - 2009-07-14 05:20 - 0000000 ____D C:\Windows\rescache
    2011-12-15 20:31 - 2009-07-14 06:45 - 0412704 ____A C:\Windows\System32\FNTCACHE.DAT
    2011-12-14 22:08 - 2011-02-07 23:16 - 0000000 ____D C:\Users\All Users\Microsoft Help
    2011-12-14 22:08 - 2011-02-07 23:16 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
    2011-12-14 22:08 - 2011-02-07 23:16 - 0000000 ____D C:\ProgramData\Microsoft Help
    2011-12-14 22:06 - 2011-02-07 23:43 - 54867776 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Windows\SysWOW64\AGEIA
    2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Program Files (x86)\AGEIA Technologies
    2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\My Documents\My Games
    2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\Documents\My Games
    2011-12-13 21:20 - 2011-12-13 21:20 - 0001283 ____A C:\Users\Raluca\Desktop\Borderlands.lnk
    2011-12-13 20:31 - 2011-02-07 21:25 - 0000000 ____D C:\Kits
    2011-12-09 10:18 - 2011-12-09 10:18 - 0023884 ____A C:\Users\Raluca\Downloads\referat.clopotel.ro_13263.zip
    2011-12-06 21:48 - 2011-08-18 18:09 - 0000000 ____D C:\Users\Raluca\Desktop\Y U NO LIKE SPONGEBOB
    2011-12-06 21:21 - 2011-12-01 20:36 - 0000000 ____D C:\Users\Raluca\Desktop\fuuuuuuuuuu
    2011-11-27 12:42 - 2011-07-08 12:51 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2011-11-24 06:52 - 2011-12-14 11:28 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2011-11-22 18:49 - 2011-02-08 16:33 - 0000000 ____D C:\Users\Raluca\Desktop\Sketches and co
    2011-11-13 19:58 - 2011-06-26 17:31 - 0000000 ____D C:\Users\Raluca\.gimp-2.6
    2011-11-13 19:56 - 2011-11-13 19:56 - 0003411 ____A C:\Users\Raluca\.recently-used.xbel
    2011-11-13 19:56 - 2011-06-26 17:33 - 0000000 ____D C:\Users\Raluca\Application Data\gtk-2.0
    2011-11-13 19:56 - 2011-06-26 17:33 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\gtk-2.0
    2011-11-13 19:56 - 2011-02-07 21:17 - 0000000 ____D C:\users\Raluca
    2011-11-13 19:37 - 2011-02-26 18:59 - 0000000 ____D C:\Users\Raluca\Desktop\.picasaoriginals
    2011-11-13 18:06 - 2011-02-08 22:03 - 0000000 ____D C:\Users\Raluca\Desktop\POze la Scoalaaa...LoL
    2011-11-10 23:18 - 2009-07-14 05:20 - 0000000 ____D C:\Program Files\Common Files\System
    2011-11-05 07:32 - 2011-12-14 11:28 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2011-11-05 06:26 - 2011-12-14 11:28 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
    2011-11-04 04:38 - 2011-12-14 22:04 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2011-11-04 03:59 - 2011-12-14 22:04 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2011-11-04 03:53 - 2011-12-14 22:04 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2011-11-04 03:46 - 2011-12-14 22:04 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2011-11-04 03:44 - 2011-12-14 22:04 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2011-11-04 03:44 - 2011-12-14 22:04 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2011-11-04 03:43 - 2011-12-14 22:04 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2011-11-04 03:41 - 2011-12-14 22:04 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2011-11-04 03:39 - 2011-12-14 22:04 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2011-11-04 03:36 - 2011-12-14 22:04 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2011-11-04 03:35 - 2011-12-14 22:04 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2011-11-04 03:34 - 2011-12-14 22:04 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2011-11-04 03:30 - 2011-12-14 22:04 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2011-11-04 01:02 - 2011-12-14 22:04 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2011-11-04 00:47 - 2011-12-14 22:04 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2011-11-04 00:46 - 2011-12-14 22:04 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2011-11-04 00:40 - 2011-12-14 22:04 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2011-11-04 00:40 - 2011-12-14 22:04 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2011-11-04 00:39 - 2011-12-14 22:04 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2011-11-04 00:38 - 2011-12-14 22:04 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2011-11-04 00:37 - 2011-12-14 22:04 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2011-11-04 00:34 - 2011-12-14 22:04 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2011-11-04 00:32 - 2011-12-14 22:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2011-11-04 00:32 - 2011-12-14 22:04 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2011-11-04 00:31 - 2011-12-14 22:04 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2011-11-04 00:28 - 2011-12-14 22:04 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2011-10-26 07:21 - 2011-12-14 11:28 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
    2011-10-24 20:44 - 2011-07-06 19:53 - 0000000 ____D C:\Users\Raluca\Desktop\tribute ****
    2011-10-23 17:30 - 2011-07-19 13:55 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2011-10-17 16:38 - 2011-10-17 16:37 - 0000000 ____D C:\Users\Raluca\Local Settings\Microsoft Games
    2011-10-17 16:38 - 2011-10-17 16:37 - 0000000 ____D C:\Users\Raluca\Local Settings\Application Data\Microsoft Games
    2011-10-17 16:38 - 2011-10-17 16:37 - 0000000 ____D C:\Users\Raluca\AppData\Local\Microsoft Games
    2011-10-16 23:17 - 2011-02-08 16:32 - 0000000 ____D C:\Users\Raluca\Desktop\Rock
    2011-10-16 19:35 - 2011-12-28 21:04 - 0001864 ____A C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    2011-10-15 19:28 - 2011-10-15 19:28 - 0035562 ____A C:\Users\Raluca\Desktop\First Song.gp5
    2011-10-15 13:32 - 2011-10-15 13:32 - 0000000 ____D C:\Windows\System32\Macromed
    2011-10-15 08:31 - 2011-12-14 11:28 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
    2011-10-15 07:38 - 2011-12-14 11:28 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
    2011-10-11 19:29 - 2011-10-11 19:26 - 0000000 ____D C:\Users\Raluca\Application Data\IrfanView
    2011-10-11 19:29 - 2011-10-11 19:26 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\IrfanView
    2011-10-06 21:58 - 2011-04-24 22:55 - 0000000 ____D C:\Users\Raluca\Application Data\Skype
    2011-10-06 21:58 - 2011-04-24 22:55 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\Skype
    2011-10-06 19:12 - 2011-04-24 22:56 - 0000000 ____D C:\Users\Raluca\Application Data\skypePM
    2011-10-06 19:12 - 2011-04-24 22:56 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\skypePM
    2011-10-05 23:00 - 2011-04-24 22:56 - 0000000 ____D C:\Users\All Users\Skype Extras
    2011-10-05 23:00 - 2011-04-24 22:56 - 0000000 ____D C:\Users\All Users\Application Data\Skype Extras
    2011-10-05 23:00 - 2011-04-24 22:56 - 0000000 ____D C:\ProgramData\Skype Extras
    2011-10-05 18:26 - 2011-02-07 23:16 - 0000000 ____D C:\Users\Raluca\Local Settings\Microsoft Help
    2011-10-05 18:26 - 2011-02-07 23:16 - 0000000 ____D C:\Users\Raluca\Local Settings\Application Data\Microsoft Help
    2011-10-05 18:26 - 2011-02-07 23:16 - 0000000 ____D C:\Users\Raluca\AppData\Local\Microsoft Help

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 39%
    Total physical RAM: 2934.69 MB
    Available physical RAM: 1765.21 MB
    Total Pagefile: 5867.57 MB
    Available Pagefile: 4349.32 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.86 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:297.99 GB) (Free:122.1 GB) NTFS
    2 Drive d: (SpongeBob S2) (CDROM) (Total:4.02 GB) (Free:0 GB) CDFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B

    Partitions of Disk 0:

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 297 GB 101 MB
    Partition 3 Primary 1360 KB 298 GB

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 System Rese NTFS Partition 100 MB Healthy System

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 297 GB Healthy Boot

    Disk: 0
    Partition 3
    Type : 17
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.

    ==========================================================

    Last Boot: 2011-12-31 01:44

    ======================= End Of Log ==========================
     
  11. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    We're dealing here with the newest TDL rootkit.

    WARNING!
    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.


    ===========================================================================================

    Download gparted-live-0.10.0-3.iso (115.1 MB)

    Burn it to a CD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    Boot off of the newly created Gparted CD.

    You should be here:
    [​IMG]
    Press Enter.

    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:
    [​IMG]

    Choose your language and press ENTER. English is default [33]:
    [​IMG]

    Once again, at this prompt, press ENTER:
    [​IMG]

    You will now be taken to the main GUI screen below:
    [​IMG]
    According to your logs, the partition that you want to delete is the small partition of 1360 KB (1.4MB).
    Click on it to highlight it.
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    [​IMG]

    Now you should be here:
    [​IMG]

    Is "boot" next to your OS drive?
    [​IMG]

    If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

    In the menu that pops up, place a checkmark in boot like the picture below:
    [​IMG]

    Now double-click the [​IMG] button.

    You should receive a small pop up like this:
    [​IMG]

    Choose reboot and then press OK.
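An added example, not from the thread and not part of FRST or Gparted: a small Python parser for the partition section of the FRST log posted above, which flags the partition Broni points at using only the indicators visible in that log (1360 KB, hidden, active, type 17, no volume). The 16 MB size threshold and the three-indicator rule are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Partition section copied from the FRST log posted earlier in this thread.
FRST_PARTITIONS = """\
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 297 GB 101 MB
Partition 3 Primary 1360 KB 298 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 297 GB Healthy Boot

Disk: 0
Partition 3
Type : 17
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
"""

UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
TABLE_RE = re.compile(r"^Partition (\d+)\s+\S+\s+(\d+)\s+(B|KB|MB|GB)\s+\d+\s+(B|KB|MB|GB)$")
DETAIL_RE = re.compile(r"^Partition (\d+)$")
VOLUME_RE = re.compile(r"^\*?\s*Volume (\d+)\s+(.+)$")

@dataclass
class Partition:
    number: int
    size_bytes: int = 0
    type_id: int = -1  # MBR partition type byte (-1 = not seen); 0x07 = NTFS/IFS, 0x17 = hidden NTFS/IFS
    hidden: bool = False
    active: bool = False
    has_volume: bool = False

def parse_frst_partitions(text: str) -> dict:
    """Parse the diskpart-style partition/volume dump that FRST prints into Partition records."""
    parts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):  # row of the partition table: number, type, size, offset
            p = parts.setdefault(int(m.group(1)), Partition(int(m.group(1))))
            p.size_bytes = int(m.group(2)) * UNIT[m.group(3)]
        elif m := DETAIL_RE.match(line):  # start of a per-partition detail block
            current = parts.setdefault(int(m.group(1)), Partition(int(m.group(1))))
        elif current is None:
            continue
        elif m := re.match(r"^Type\s*:\s*([0-9A-Fa-f]{2})$", line):
            current.type_id = int(m.group(1), 16)
        elif m := re.match(r"^(Hidden|Active):\s*(Yes|No)$", line):
            setattr(current, m.group(1).lower(), m.group(2) == "Yes")
        elif VOLUME_RE.match(line):  # "* Volume N ..." row; the "Volume ###" header does not match
            current.has_volume = True
        elif line.startswith("There is no volume associated"):
            current.has_volume = False
    return parts

def suspicious_partitions(parts: dict, max_bytes: int = 16 * 1024 ** 2, min_reasons: int = 3) -> list:
    """Return (number, reasons) for partitions that look like the one Broni's instructions target:
    tiny, hidden, marked active, non-standard type, no volume. Threshold and vote are assumptions."""
    hits = []
    for p in sorted(parts.values(), key=lambda q: q.number):
        reasons = []
        if 0 < p.size_bytes <= max_bytes:
            reasons.append(f"tiny ({p.size_bytes // 1024} KB)")
        if p.hidden:
            reasons.append("hidden")
        if p.active:
            reasons.append("marked active, so the BIOS hands control to it at boot")
        if p.type_id not in (-1, 0x07):
            reasons.append(f"type 0x{p.type_id:02X} (the real Windows volumes are 0x07)")
        if not p.has_volume:
            reasons.append("no volume, so Windows never mounts or scans it")
        if len(reasons) >= min_reasons:
            hits.append((p.number, reasons))
    return hits

if __name__ == "__main__":
    for number, reasons in suspicious_partitions(parse_frst_partitions(FRST_PARTITIONS)):
        print(f"Partition {number}: " + "; ".join(reasons))
```

Run against the log above it reports only partition 3, with all five indicators; the two real Windows volumes score zero.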
     
  12. setmostra

    setmostra TS Rookie Topic Starter

    It looks like we need to use the heavy artillery. :)

    Unfortunately I am not at home and I cannot take these steps until after the 5th of January. You can close the topic and I will PM you when I have followed your last advice, or leave it open until then.

    One question though: it is my understanding that my MBR is infected. When the computer starts, the virus in the MBR reads more data from the hidden partition and executes it. That code is executed instead of the regular Windows code. The virus also uses that partition to store the original code from infected files.
    So if I just delete that hidden partition, wouldn't this prevent my laptop from starting?

    Until next year many thanks for your help and a great new year!
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    No.

    [​IMG]
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please Boot to the System Recovery Options
    If you have a Windows 7 installation disc, just insert the DVD into the drive, restart the computer and it should load automatically (option two presented in the article).
    It's also possible that your computer has a pre-installed recovery partition instead - in such a case use method one (by pressing F8 before Windows starts loading)...

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

    bootrec /fixboot (<--- there is a "space" after "bootrec")

    exit

    Restart computer.

    Post new aswMBR log.
     
  15. setmostra

    setmostra TS Rookie Topic Starter

    Done

    bootrec /fixmbr (<--- there is a "space" after "bootrec")
    bootrec /fixboot (<--- there is a "space" after "bootrec")

    Both finished successfully.

    Still unable to boot: STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC000000D, 0X0000000000000000, 0X0000000000000000)

    Thank you.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  17. setmostra

    setmostra TS Rookie Topic Starter

    Finally managed. Initially it did not want to boot until I set my HDD to ATA mode in the BIOS.

    Anyway here is the log:

    OTL logfile created on: 1/7/2012 1:58:59 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    64bit-Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
    Drive C: | 100.00 Mb Total Space | 75.55 Mb Free Space | 75.56% Space Free | Partition Type: NTFS
    Drive D: | 196.67 Gb Total Space | 20.31 Gb Free Space | 10.33% Space Free | Partition Type: NTFS
    Drive E: | 101.32 Gb Total Space | 101.23 Gb Free Space | 99.91% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2010/06/17 14:10:14 | 000,258,048 | ---- | M] (IDT, Inc.) [Auto] -- D:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
    SRV:64bit: - [2009/12/29 07:19:12 | 000,873,248 | ---- | M] (Broadcom Corporation.) [Auto] -- D:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
    SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\System32\appmgmts.dll -- (AppMgmt)
    SRV:64bit: - [2009/03/02 19:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto] -- D:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
    SRV - [2011/12/24 10:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/06/28 16:21:05 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2011/04/27 11:37:57 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2010/03/18 06:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- D:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2011/07/28 11:37:10 | 000,052,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
    DRV:64bit: - [2011/06/28 16:21:05 | 000,123,784 | ---- | M] (Avira GmbH) [Kernel | System] -- D:\Windows\System32\drivers\avipbb.sys -- (avipbb)
    DRV:64bit: - [2011/06/28 16:21:05 | 000,088,288 | ---- | M] (Avira GmbH) [File_System | Auto] -- D:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
    DRV:64bit: - [2011/02/11 11:16:38 | 010,628,640 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2010/12/01 09:12:06 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV:64bit: - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 06:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
    DRV:64bit: - [2010/08/30 04:17:38 | 000,289,280 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
    DRV:64bit: - [2010/07/21 09:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\point64.sys -- (Point64)
    DRV:64bit: - [2010/06/17 14:10:14 | 000,515,584 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\stwrt64.sys -- (STHDA)
    DRV:64bit: - [2010/03/30 04:58:06 | 000,053,800 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
    DRV:64bit: - [2010/02/26 16:32:14 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Impcd.sys -- (Impcd)
    DRV:64bit: - [2010/02/02 07:13:08 | 000,020,984 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\bcmvwl64.sys -- (BcmVWL)
    DRV:64bit: - [2010/02/02 07:13:04 | 003,058,168 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\BCMWL664.SYS -- (BCM43XX)
    DRV:64bit: - [2010/01/12 07:37:34 | 000,325,152 | ---- | M] (Realtek ) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- D:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
    DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)

    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Raluca_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\Raluca_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\Raluca_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 27 77 69 2A FC C6 CB 01 [binary data]
    IE - HKU\Raluca_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - prefs.js..network.proxy.type: 0

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\System32\Macromed\Flash\NPSWF64_11_0_1.dll ()
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: D:\Windows\System32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: D:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: D:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: D:\Windows\SysWOW64\Wat\npWatWeb.dll (Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@oberon-media.com/ONCAdapter: File not found

    FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/11/27 05:42:38 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

    [2011/07/08 05:51:32 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Raluca\AppData\Roaming\Mozilla\Extensions
    [2011/11/27 05:42:44 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files (x86)\Mozilla Firefox\extensions
    File not found (No name found) --
    [2011/11/27 05:42:37 | 000,134,104 | ---- | M] (Mozilla Foundation) -- D:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2011/11/16 16:28:44 | 000,002,252 | ---- | M] () -- D:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2011/11/27 05:42:37 | 000,002,040 | ---- | M] () -- D:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2011/12/28 14:19:36 | 000,000,027 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4:64bit: - HKLM..\Run: [IntelliPoint] D:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [SysTrayApp] D:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
    O4 - HKLM..\Run: [avgnt] D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKU\Raluca_ON_D..\Run: [Messenger (Yahoo!)] D:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O4:64bit: - HKLM..\RunOnce: [*Restore] D:\Windows\System32\rstrui.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\LocalService_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\NetworkService_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Raluca_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Raluca_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\systemprofile_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - D:\Windows\SysWow64\GPhotos.scr (Google Inc.)
    O8 - Extra context menu item: Send image to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O8 - Extra context menu item: Send page to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9:64bit: - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
    64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/12/31 14:14:51 | 000,000,000 | ---D | C] -- D:\FRST
    [2011/12/31 02:13:17 | 000,000,000 | ---D | C] -- D:\Windows\temp
    [2011/12/30 12:05:31 | 000,000,000 | ---D | C] -- D:\Qoobox
    [2011/12/30 12:01:21 | 000,000,000 | --SD | C] -- D:\ComboFix
    [2011/12/30 03:59:13 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/12/30 03:59:11 | 000,000,000 | ---D | C] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2011/12/28 15:31:38 | 000,000,000 | -HSD | C] -- D:\$RECYCLE.BIN
    [2011/12/28 15:05:23 | 000,000,000 | ---D | C] -- D:\Users\Raluca\AppData\Roaming\Malwarebytes
    [2011/12/28 15:05:12 | 000,000,000 | ---D | C] -- D:\ProgramData\Malwarebytes
    [2011/12/28 14:03:38 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
    [2011/12/28 13:40:11 | 000,060,416 | ---- | C] (NirSoft) -- D:\Windows\NIRCMD.exe
    [2011/12/28 13:39:06 | 000,000,000 | ---D | C] -- D:\Windows\ERDNT
    [2011/12/28 12:35:54 | 000,000,000 | ---D | C] -- D:\Nasty_****
    [2011/12/28 11:24:45 | 000,000,000 | ---D | C] -- D:\Users\Raluca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    [2011/12/25 16:38:51 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Desktop\I AM A DOLPHIN
    [2011/12/18 11:25:37 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Desktop\rage faces
    [2011/12/14 15:04:30 | 000,096,256 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\mshtmled.dll
    [2011/12/14 15:04:30 | 000,072,704 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\mshtmled.dll
    [2011/12/14 15:04:29 | 000,237,056 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\url.dll
    [2011/12/14 15:04:29 | 000,231,936 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\url.dll
    [2011/12/14 15:04:28 | 000,248,320 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\ieui.dll
    [2011/12/14 15:04:28 | 000,176,640 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\ieui.dll
    [2011/12/14 15:04:27 | 001,427,456 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\inetcpl.cpl
    [2011/12/14 15:04:26 | 002,309,120 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\jscript9.dll
    [2011/12/14 15:04:26 | 001,798,144 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\jscript9.dll
    [2011/12/14 15:04:26 | 001,493,504 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\inetcpl.cpl
    [2011/12/14 15:04:26 | 000,716,800 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\jscript.dll
    [2011/12/14 15:04:25 | 000,818,688 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\jscript.dll
    [2011/12/14 04:28:30 | 000,043,520 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\csrsrv.dll
    [2011/12/14 04:28:28 | 000,723,456 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\EncDec.dll
    [2011/12/14 04:28:28 | 000,534,528 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\EncDec.dll
    [2011/12/13 14:24:58 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
    [2011/12/13 14:24:51 | 000,000,000 | ---D | C] -- D:\Windows\SysWow64\AGEIA
    [2011/12/13 14:24:50 | 000,000,000 | ---D | C] -- D:\Program Files (x86)\AGEIA Technologies
    [2011/12/13 14:23:40 | 000,000,000 | ---D | C] -- D:\Program Files (x86)\Common Files\Wise Installation Wizard
    [2011/12/13 14:21:29 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Documents\My Games
    [2011/12/08 14:14:42 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Desktop\romanul
    [6 D:\Windows\SysWow64\*.tmp files -> D:\Windows\SysWow64\*.tmp -> ]
    [1 D:\Windows\*.tmp files -> D:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/01/07 04:24:00 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
    [2012/01/07 01:06:50 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    [2012/01/07 01:06:50 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
    [2012/01/07 01:06:50 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
    [2012/01/07 01:06:50 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
    [2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
    [2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
    [2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF-XChange PDF Viewer
    [2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
    [2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
    [2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance
    [2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    [2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    [2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Guitar Pro 5
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Combined Community Codec Pack
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
    [2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
    [2012/01/06 07:44:51 | 000,128,854 | ---- | M] () -- D:\Users\Raluca\Desktop\reject-toys-methlab.jpg
    [2012/01/06 05:03:59 | 000,440,754 | ---- | M] () -- D:\Users\Raluca\Desktop\kids-shows-bert.gif
    [2012/01/06 05:03:58 | 000,499,545 | ---- | M] () -- D:\Users\Raluca\Desktop\kids-show-lazytown-xmas.gif
    [2012/01/06 05:03:58 | 000,370,116 | ---- | M] () -- D:\Users\Raluca\Desktop\kids-shows-teletubbies-*****.gif
    [2012/01/04 16:00:14 | 2307,932,160 | -HS- | M] () -- D:\hiberfil.sys
    [2011/12/31 02:24:28 | 000,000,512 | ---- | M] () -- D:\Users\Raluca\Desktop\MBR.dat
    [2011/12/30 11:31:27 | 000,021,200 | ---- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/12/30 11:31:27 | 000,021,200 | ---- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/12/30 11:30:24 | 000,624,178 | ---- | M] () -- D:\Windows\System32\perfh009.dat
    [2011/12/30 11:30:24 | 000,106,522 | ---- | M] () -- D:\Windows\System32\perfc009.dat
    [2011/12/30 03:59:13 | 000,001,109 | ---- | M] () -- D:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2011/12/28 14:19:36 | 000,000,027 | ---- | M] () -- D:\Windows\System32\drivers\etc\hosts
    [2011/12/28 11:24:46 | 000,000,677 | ---- | M] () -- D:\Users\Raluca\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2011/12/28 11:07:07 | 000,002,046 | ---- | M] () -- D:\Users\Raluca\Documents\Default.rdp
    [2011/12/15 14:58:14 | 000,000,000 | ---- | M] () -- D:\Windows\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
    [2011/12/15 13:31:19 | 000,412,704 | ---- | M] () -- D:\Windows\System32\FNTCACHE.DAT
    [2011/12/13 14:20:54 | 000,001,283 | ---- | M] () -- D:\Users\Raluca\Desktop\Borderlands.lnk
    [6 D:\Windows\SysWow64\*.tmp files -> D:\Windows\SysWow64\*.tmp -> ]
    [1 D:\Windows\*.tmp files -> D:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/01/06 07:54:46 | 000,128,854 | ---- | C] () -- D:\Users\Raluca\Desktop\reject-toys-methlab.jpg
    [2012/01/06 05:24:07 | 000,440,754 | ---- | C] () -- D:\Users\Raluca\Desktop\kids-shows-bert.gif
    [2012/01/06 05:22:04 | 000,499,545 | ---- | C] () -- D:\Users\Raluca\Desktop\kids-show-lazytown-xmas.gif
    [2012/01/06 05:21:54 | 000,370,116 | ---- | C] () -- D:\Users\Raluca\Desktop\kids-shows-teletubbies-*****.gif
    [2011/12/30 16:15:27 | 000,000,512 | ---- | C] () -- D:\Users\Raluca\Desktop\MBR.dat
    [2011/12/30 03:59:13 | 000,001,109 | ---- | C] () -- D:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2011/12/28 14:04:08 | 000,001,864 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    [2011/12/28 14:04:07 | 000,000,834 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
    [2011/12/28 14:02:09 | 000,001,246 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
    [2011/12/28 14:02:08 | 000,001,547 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
    [2011/12/28 14:02:07 | 000,001,210 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
    [2011/12/28 14:02:06 | 000,001,326 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
    [2011/12/28 14:02:04 | 000,001,330 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
    [2011/12/28 14:02:03 | 000,001,146 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    [2011/12/28 14:02:02 | 000,001,345 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
    [2011/12/28 14:01:59 | 000,001,137 | ---- | C] () -- D:\Users\Public\Desktop\Yahoo! Messenger.lnk
    [2011/12/28 14:01:58 | 000,001,106 | ---- | C] () -- D:\Users\Public\Desktop\Picasa 3.lnk
    [2011/12/28 11:24:46 | 000,000,677 | ---- | C] () -- D:\Users\Raluca\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2011/12/15 14:58:14 | 000,000,000 | ---- | C] () -- D:\Windows\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
    [2011/12/13 14:20:54 | 000,001,283 | ---- | C] () -- D:\Users\Raluca\Desktop\Borderlands.lnk
    [2011/05/08 14:07:59 | 000,007,632 | ---- | C] () -- D:\Users\Raluca\AppData\Local\Resmon.ResmonCfg
    [2011/05/08 14:01:37 | 000,252,928 | ---- | C] () -- D:\Windows\SysWow64\DShowRdpFilter.dll
    [2011/04/24 15:56:26 | 000,000,056 | ---- | C] () -- D:\ProgramData\ezsidmv.dat
    [2011/03/03 17:10:44 | 000,004,608 | ---- | C] () -- D:\Users\Raluca\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/02/11 11:15:08 | 000,874,048 | ---- | C] () -- D:\Windows\SysWow64\igkrng575.bin
    [2010/08/25 12:34:30 | 000,127,868 | ---- | C] () -- D:\Windows\SysWow64\igcompkrng575.bin
    [2010/08/25 12:34:30 | 000,104,796 | ---- | C] () -- D:\Windows\SysWow64\igfcg575m.bin
    [2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
    [2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- D:\Windows\SysWow64\NOISE.DAT
    [2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- D:\Windows\SysWow64\dssec.dat
    [2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
    [2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\SysWow64\BWContextHandler.dll
    [2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- D:\Windows\SysWow64\ir32_32.dll
    [2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- D:\Windows\SysWow64\msjetoledb40.dll
    [2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\SysWow64\mlang.dat
    [2008/10/07 02:13:30 | 000,197,912 | ---- | C] () -- D:\Windows\SysWow64\physxcudart_20.dll
    [2008/10/07 02:13:22 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelSwedish.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelSpanish.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelPortugese.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelKorean.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelJapanese.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelGerman.dll
    [2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelFrench.dll

    ========== LOP Check ==========

    [2011/08/21 20:07:07 | 000,000,000 | ---D | M] -- D:\ProgramData\Alawar Stargaze
    [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Application Data
    [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Desktop
    [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documents
    [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favorites
    [2011/08/20 09:02:22 | 000,000,000 | ---D | M] -- D:\ProgramData\Floodlight Games
    [2011/06/27 15:40:28 | 000,000,000 | ---D | M] -- D:\ProgramData\Oberon Media
    [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Start Menu
    [2011/08/31 15:25:20 | 000,000,000 | ---D | M] -- D:\ProgramData\TEMP
    [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Templates
    [2011/07/17 08:37:00 | 000,000,000 | ---D | M] -- D:\ProgramData\Top Evidence
    [2009/07/14 00:08:49 | 000,021,134 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 178 bytes -> D:\ProgramData\TEMP:18DEBC51
    @Alternate Data Stream - 139 bytes -> D:\ProgramData\TEMP:8CE601F5
    @Alternate Data Stream - 134 bytes -> D:\ProgramData\TEMP:F5D01D7C
    @Alternate Data Stream - 126 bytes -> D:\ProgramData\TEMP:6A0A47E7
    @Alternate Data Stream - 118 bytes -> D:\ProgramData\TEMP:D999FFD5
    @Alternate Data Stream - 117 bytes -> D:\ProgramData\TEMP:F89F2593
    @Alternate Data Stream - 101 bytes -> D:\ProgramData\TEMP:5C321E34
    < End of report >
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    O4:64bit: - HKLM..\RunOnce: [*Restore] D:\Windows\System32\rstrui.exe (Microsoft Corporation)
    @Alternate Data Stream - 178 bytes -> D:\ProgramData\TEMP:18DEBC51
    @Alternate Data Stream - 139 bytes -> D:\ProgramData\TEMP:8CE601F5
    @Alternate Data Stream - 134 bytes -> D:\ProgramData\TEMP:F5D01D7C
    @Alternate Data Stream - 126 bytes -> D:\ProgramData\TEMP:6A0A47E7
    @Alternate Data Stream - 118 bytes -> D:\ProgramData\TEMP:D999FFD5
    @Alternate Data Stream - 117 bytes -> D:\ProgramData\TEMP:F89F2593
    @Alternate Data Stream - 101 bytes -> D:\ProgramData\TEMP:5C321E34
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
     
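    The fix above was assembled by copying the ADS lines straight out of the OTL report. As an added example (not part of this thread, and not OTL's or OTLPE's own code), the following Python parses the two OTL record formats shown above and pulls out what a helper triages first: files created close to the infection date, and the alternate data streams re-emitted in the form the :OTL section of a fix takes. The sample lines are copied from the report posted earlier in this thread; the infection date and the three-day window are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# One OTL file or directory record: [date time | size | attrs | C|M] (company) -- path
FILE_RE = re.compile(
    r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\]'
    r'(?: \((.*?)\))? -- (.+)$')
# One OTL ADS record: @Alternate Data Stream - N bytes -> host:stream
ADS_RE = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$')

def parse_otl(text):
    """Return (file records, ADS records) from OTL report text; other lines are ignored."""
    files, streams = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = FILE_RE.match(line)
        if m:
            ts, size, attrs, kind, company, path = m.groups()
            files.append({'time': datetime.strptime(ts, '%Y/%m/%d %H:%M:%S'),
                          'size': int(size.replace(',', '')), 'attrs': attrs,
                          'kind': kind, 'company': company or '', 'path': path})
            continue
        m = ADS_RE.match(line)
        if m:
            size, host, stream = m.groups()
            streams.append({'size': int(size), 'host': host, 'stream': stream})
    return files, streams

def created_near(files, when, days=3):
    """Files (not directories) created within +/- days of `when` (YYYY/MM/DD), oldest first."""
    centre = datetime.strptime(when, '%Y/%m/%d')   # assumed infection date
    lo, hi = centre - timedelta(days=days), centre + timedelta(days=days)
    hits = [f for f in files
            if f['kind'] == 'C' and 'D' not in f['attrs'] and lo <= f['time'] <= hi]
    return sorted(hits, key=lambda f: f['time'])

def ads_fix_lines(streams):
    """Re-emit ADS records in the form the :OTL section of a fix expects."""
    return ['@Alternate Data Stream - {size} bytes -> {host}:{stream}'.format(**s)
            for s in streams]

# Constructed sample: lines copied from the report posted in this thread.
SAMPLE = r"""
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012/01/04 16:00:14 | 2307,932,160 | -HS- | M] () -- D:\hiberfil.sys
[2011/12/30 16:15:27 | 000,000,512 | ---- | C] () -- D:\Users\Raluca\Desktop\MBR.dat
[2011/12/28 11:24:46 | 000,000,677 | ---- | C] () -- D:\Users\Raluca\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2011/12/13 14:20:54 | 000,001,283 | ---- | C] () -- D:\Users\Raluca\Desktop\Borderlands.lnk
@Alternate Data Stream - 178 bytes -> D:\ProgramData\TEMP:18DEBC51
@Alternate Data Stream - 101 bytes -> D:\ProgramData\TEMP:5C321E34
"""
```

    Calling `created_near(files, '2011/12/28')` on the parsed sample lists the System Check shortcut and MBR.dat, while `ads_fix_lines(streams)` reproduces the two ADS lines as they appear in the fix.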
  19. setmostra

    setmostra TS Rookie Topic Starter

    Ran the fix successfully, but the laptop still doesn't boot. :-(
    Same BSOD: STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC000000D, 0X0000000000000000, 0X0000000000000000)

    See the log file below.

    ========== OTL ==========
    64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore deleted successfully.
    Invalid CLSID key: *Restore
    File D:\Windows\System32\rstrui.exe not found.
    ADS D:\ProgramData\TEMP:18DEBC51 deleted successfully.
    ADS D:\ProgramData\TEMP:8CE601F5 deleted successfully.
    ADS D:\ProgramData\TEMP:F5D01D7C deleted successfully.
    ADS D:\ProgramData\TEMP:6A0A47E7 deleted successfully.
    ADS D:\ProgramData\TEMP:D999FFD5 deleted successfully.
    ADS D:\ProgramData\TEMP:F89F2593 deleted successfully.
    ADS D:\ProgramData\TEMP:5C321E34 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 01072012_112711
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Did you try Safe Mode?
     
  21. setmostra

    setmostra TS Rookie Topic Starter

    Yes.
    Safe Mode, Safe mode with command prompt, with BIOS setting of HDD on ATA and AHCI.

    I tried them all. :-(

    Same STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC000000D, 0X0000000000000000, 0X0000000000000000) , same driver CLASSPNP.SYS
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Unfortunately I'm afraid this is beyond repair and you'll have to reinstall Windows.
    I'm sorry.
    We tried :(
     
  23. setmostra

    setmostra TS Rookie Topic Starter

    That's life!

    Thanks for all the effort!
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Rarely, but happens :(
     