Inactive "System Check" malware partially removed

setmostra

My computer (Windows 7, 64-bit) got infected by a malware posing as a fake system utility.
The program, named "System Check", started throwing lots of false error messages like:
  • "Hard drive clusters are partly damaged"
  • "Windows OS can't detects a free hard drive space. hard drive error."
  • "Failed to save all the components for the file: //system32"
In addition, I was unable to start Task Manager and my files started to disappear.


What I have done so far:
  • Downloaded Process Explorer, renamed the executable and killed two suspicious processes: "BeMDscAw6xceXe" and "rcIkTucXrvMQpF"
  • Moved the executables and some similar files ("~BeMDscAw6xceXe", "~BeMDscAw6xceXer", "BeMDscAw6xceXe") from ProgramData to another directory.
  • Used Autoruns and removed one "BeMDscAw6xceXe" entry. Nothing else looked suspicious.
  • Searched the registry and removed two keys:
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BeMDscAw6xceXe_RASAPI32" and
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BeMDscAw6xceXe_RASMANCS"
  • Removed the Deny permissions for Everyone that had been added to lots of files, using: icacls c:\ /remove:d Everyone /T /C /L
  • Removed the hidden attribute from lots of files, probably most of them.
  • Additionally, I ran unhide from http://download.bleepingcomputer.com/grinler/unhide.exe

What is still happening?
  • Explorer.exe tries to contact various sites like preview.pulpfree.com
  • When I click a link in a Google search results page, I get redirected to various other pages. This happens in IE and Firefox.

If it is of any help, see also this report: http://www.threatexpert.com/report.aspx?md5=5f0ea0d857e4685826c2adb3b0528f9e

I put the logs in the following posts. I should mention that I run Avira Free, up to date.

Thank you very much for your help!
 
Logs

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Raluca :: RALUCA-PC [administrator]

Protection: Disabled

12/30/2011 11:00:06 AM
mbam-log-2011-12-30 (11-00-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 175444
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


=======================================

GMER produces no log.

=======================================

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Raluca at 11:10:45 on 2011-12-30
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2935.1256 [GMT 2:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\splwow64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0}\34F6E6E656364796F6E605F696E647 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0}\74163747C616E646D413 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{408B305C-2278-4B83-A223-1F3E79275DF0}\D4966496021403337302355636572756 : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Raluca\AppData\Roaming\Mozilla\Firefox\Profiles\lm5ry5n3.default\
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-2-7 89600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-2-7 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-2-7 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-30 08:59:12 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-30 08:59:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-28 20:31:38 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-28 20:05:23 -------- d-----w- C:\Users\Raluca\AppData\Roaming\Malwarebytes
2011-12-28 20:05:12 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-28 18:40:11 98816 ----a-w- C:\Windows\sed.exe
2011-12-28 18:40:11 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-28 18:40:11 256000 ----a-w- C:\Windows\PEV.exe
2011-12-28 18:40:11 208896 ----a-w- C:\Windows\MBR.exe
2011-12-28 17:35:54 -------- d-----w- C:\Nasty_****
2011-12-14 09:28:30 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-14 09:28:28 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-14 09:28:28 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-14 09:28:27 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-14 09:28:24 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-14 09:28:24 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-13 19:24:51 -------- d-----w- C:\Windows\SysWow64\AGEIA
2011-12-13 19:23:40 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
.
==================== Find3M ====================
.
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-23 15:30:57 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 11:17:53.29 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 2/7/2011 9:17:33 PM
System Uptime: 12/30/2011 9:18:51 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0WXY9J
Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | CPU 1 | 1971/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 113.959 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Virtual WiFi Miniport Adapter
Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&1BCCC4E7&0&01
Manufacturer: Microsoft
Name: Microsoft Virtual WiFi Miniport Adapter
PNP Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&1BCCC4E7&0&01
Service: vwifimp
.
==== System Restore Points ===================
.
RP80: 12/5/2011 12:09:09 AM - Scheduled Checkpoint
RP81: 12/12/2011 12:37:31 PM - Scheduled Checkpoint
RP82: 12/13/2011 9:23:54 PM - Installed NVIDIA PhysX
RP83: 12/14/2011 10:00:30 PM - Windows Update
RP85: 12/22/2011 1:17:28 AM - Scheduled Checkpoint
RP86: 12/28/2011 8:24:58 PM - Removed Skype Toolbars
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 11 ActiveX
Avira AntiVir Personal - Free Antivirus
Canon Utilities Digital Photo Professional 3.9
Canon Utilities EOS Utility
Combined Community Codec Pack 2010-10-10
GIMP 2.6.11
Guitar Pro 5.2
Haunted Manor Lord of Mirrors Collectors Edition 1.00
IDT Audio
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 25
Java(TM) 6 Update 26
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Romanian) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 8.0.1 (x86 en-US)
NVIDIA PhysX
Picasa 3
Realtek Ethernet Controller Driver For Windows 7
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 5.3
SpywareBlaster 4.4
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
VLC media player 1.1.7
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
12/30/2011 9:39:54 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
12/29/2011 9:05:03 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
12/29/2011 9:05:03 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
12/29/2011 10:03:30 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
12/28/2011 6:37:23 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
12/25/2011 9:23:31 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
.
==== End Of File ===========================
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
Click the "Scan" button to start the scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-30 23:10:29
-----------------------------
23:10:29.757 OS Version: Windows x64 6.1.7601 Service Pack 1
23:10:29.757 Number of processors: 4 586 0x2505
23:10:29.759 ComputerName: RALUCA-PC UserName: Raluca
23:10:31.046 Initialize success
23:11:55.036 AVAST engine defs: 11123001
23:12:42.264 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:12:42.269 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 11
23:12:42.278 Disk 0 MBR read successfully
23:12:42.282 Disk 0 MBR scan
23:12:42.287 Disk 0 Windows 7 default MBR code
23:12:42.291 Disk 0 MBR hidden
23:12:42.299 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
23:12:42.314 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
23:12:42.346 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
23:12:42.353 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
23:12:42.359 Service scanning
23:12:43.457 Modules scanning
23:12:43.466 Disk 0 trace - called modules:
23:12:43.511 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003387334]<<
23:12:43.518 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003375060]
23:12:43.524 3 CLASSPNP.SYS[fffff8800199d43f] -> nt!IofCallDriver -> [0xfffffa80030b8520]
23:12:43.530 5 ACPI.sys[fffff88000d6c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030ce1f0]
23:12:43.536 \Driver\atapi[0xfffffa80030a7060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003387334
23:12:44.541 AVAST engine scan C:\Windows
23:12:47.646 AVAST engine scan C:\Windows\system32
23:14:51.402 AVAST engine scan C:\Windows\system32\drivers
23:15:04.633 AVAST engine scan C:\Users\Raluca
23:15:27.795 Disk 0 MBR has been saved successfully to "C:\Users\Raluca\Desktop\MBR.dat"
23:15:27.799 The log file has been saved successfully to "C:\Users\Raluca\Desktop\aswMBR.txt"


========================================


ComboFix 11-12-30.01 - Raluca 12/30/2011 23:24:44.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2935.1743 [GMT 2:00]
Running from: c:\users\Raluca\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 21:53 . 2011-12-30 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-30 20:30 . 2011-12-30 20:30 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
2011-12-30 19:00 . 2011-05-12 12:03 6144 ------w- c:\windows\system32\E4E3.tmp
2011-12-30 18:58 . 2011-05-12 12:03 6144 ------w- c:\windows\system32\1A24.tmp
2011-12-30 18:57 . 2011-12-30 18:57 -------- d-----w- c:\program files (x86)\Sophos
2011-12-30 08:59 . 2011-12-30 08:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\users\Raluca\AppData\Roaming\Malwarebytes
2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\programdata\Malwarebytes
2011-12-28 17:35 . 2011-12-30 09:57 -------- d-----w- C:\Nasty_****
2011-12-14 09:28 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 09:28 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 09:28 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 09:28 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 09:28 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 09:28 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\windows\SysWow64\AGEIA
2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\program files (x86)\AGEIA Technologies
2011-12-13 19:23 . 2011-12-13 19:23 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 15:30 . 2011-07-19 11:55 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-30_17.46.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-07 19:31 . 2011-12-30 18:46 26878 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-30 18:32 27872 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-07 19:25 . 2011-12-30 18:32 7892 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1408542232-2675205540-872438115-1000_UserData.bin
+ 2011-12-30 18:45 . 2011-12-30 18:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-30 18:45 . 2011-12-30 18:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-12-30 16:30 624178 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-30 18:51 624178 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-30 18:51 106522 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-30 16:30 106522 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-12-30 10:22 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-30 18:40 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-09 21:24 . 2011-12-30 18:40 6947860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\E4E3.tmp [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-17 487424]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Raluca\AppData\Roaming\Mozilla\Firefox\Profiles\lm5ry5n3.default\
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\E4E3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-31 00:12:10
ComboFix-quarantined-files.txt 2011-12-30 22:12
ComboFix2.txt 2011-12-30 18:03
.
Pre-Run: 131,779,100,672 bytes free
Post-Run: 131,614,232,576 bytes free
.
- - End Of File - - 3041C06DC7035163EBF79EC8BFE4BE7C
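The Drivers/Services block of a ComboFix log like the one above is long, and the entry worth a second look (a driver loaded from a .tmp file in system32) is easy to miss among the normal Windows and vendor drivers. The script below is an added example, not code from this thread, from ComboFix or from any tool it mentions: it parses lines in the `R3 name;display;path [info]` shape the log uses and flags image paths that are .tmp files or sit outside the usual system and program directories. The expected-directory list and the MEMSWEEP2 mapping are the author's assumptions (Sophos' anti-rootkit scanner registers its scan driver under that name and loads it from a randomly named .tmp; the log's "Files Created" list does show Sophos being installed on 2011-12-30), and the `random1234` line in the sample input is invented to exercise the directory check.

```python
"""Triage the Drivers/Services section of a ComboFix log: surface service and
driver entries whose image path does not belong.  Added example, not ComboFix code."""
import re

# ComboFix prints one entry per line:  "<state> <name>;<display name>;<image path> [<info>]"
# where <state> is R<n> (running) or S<n> (stopped) followed by the start type.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]\s*$")

# Directories where a service or driver image is normally expected (lower-case prefixes).
EXPECTED_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\microsoft.net",
    r"c:\program files",
)

# Assumption (author's experience, not stated in the thread): Sophos' anti-rootkit scan
# driver registers as MEMSWEEP2 and loads from a randomly named .tmp in system32.
# Treat it as benign only when that product is actually installed on the machine.
KNOWN_TMP_LOADERS = {"memsweep2": ("sophos", "Sophos Anti-Rootkit scan driver")}


def parse_service_line(line):
    """Split one ComboFix service line into its fields; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Normalise the image path: drop the \??\ NT prefix seen in ImagePath values, lower-case it.
    path = entry["path"].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    entry["path"] = path.lower()
    return entry


def triage(lines, installed_products=()):
    """Return (name, path, reasons) for entries worth a second look."""
    products = {p.lower() for p in installed_products}
    findings = []
    for line in lines:
        svc = parse_service_line(line)
        if not svc or not svc["path"]:
            continue  # nothing to judge (e.g. "R3 BlackBox;BlackBox SR2; [x]")
        path, reasons = svc["path"], []
        if path.endswith(".tmp"):
            reasons.append("image is a .tmp file")
        if not any(path.startswith(d) for d in EXPECTED_DIRS):
            reasons.append("image outside the usual system/program directories")
        known = KNOWN_TMP_LOADERS.get(svc["name"].lower())
        if reasons and known:
            product, description = known
            if product in products:
                reasons.append("but %s uses this pattern and that product is installed" % description)
            else:
                reasons.append("resembles %s, yet that product is not installed" % description)
        if reasons:
            findings.append((svc["name"], path, reasons))
    return findings


# Constructed sample: four lines copied from the log above plus one invented entry
# (random1234, an executable started from ProgramData) to exercise the directory check.
SAMPLE_LINES = [
    r"R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\E4E3.tmp [x]",
    r"R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]",
    r"S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]",
    r"R3 BlackBox;BlackBox SR2; [x]",
    r"R2 random1234;random1234;c:\programdata\random1234.exe [2011-12-28 65536]",
]

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES, installed_products=["Sophos"]):
        print("%s  %s\n    %s" % (name, path, "; ".join(reasons)))
```

A hit here is a reason to look, not a verdict: compare the file's creation time and signer against the tool installs listed in the "Files Created" section before deleting anything, since removal tools register temporary drivers of their own.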
 
Run the following ComboFix fix and then post a new aswMBR log.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\E4E3.tmp
c:\windows\system32\1A24.tmp

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
I ran ComboFix with the script. No reboot was asked for, but after CF ended I got some "illegal operation" errors and rebooted.
After the reboot I ran aswMBR.

ComboFix 11-12-30.02 - Raluca 12/31/2011 0:43.4.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2935.1513 [GMT 2:00]
Running from: c:\users\Raluca\Desktop\ComboFix.exe
Command switches used :: c:\users\Raluca\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\1A24.tmp"
"c:\windows\system32\E4E3.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\1A24.tmp
c:\windows\system32\E4E3.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-30 23:12 . 2011-12-30 23:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-30 20:30 . 2011-12-30 20:30 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
2011-12-30 18:57 . 2011-12-30 18:57 -------- d-----w- c:\program files (x86)\Sophos
2011-12-30 08:59 . 2011-12-30 08:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\users\Raluca\AppData\Roaming\Malwarebytes
2011-12-28 20:05 . 2011-12-28 20:05 -------- d-----w- c:\programdata\Malwarebytes
2011-12-28 17:35 . 2011-12-30 09:57 -------- d-----w- C:\Nasty_****
2011-12-14 09:28 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 09:28 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 09:28 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 09:28 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 09:28 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 09:28 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\windows\SysWow64\AGEIA
2011-12-13 19:24 . 2011-12-13 19:24 -------- d-----w- c:\program files (x86)\AGEIA Technologies
2011-12-13 19:23 . 2011-12-13 19:23 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 15:30 . 2011-07-19 11:55 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-30_17.46.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-07 19:31 . 2011-12-30 18:46 26878 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-30 18:32 27872 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-08 02:15 . 2011-12-31 05:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-08 02:15 . 2011-12-30 07:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-08 02:15 . 2011-12-31 05:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-08 02:15 . 2011-12-30 07:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-31 05:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-30 07:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-07 19:25 . 2011-12-30 18:32 7892 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1408542232-2675205540-872438115-1000_UserData.bin
- 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-30 23:15 . 2011-12-30 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-30 23:15 . 2011-12-30 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-30 16:24 . 2011-12-30 16:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-07 22:26 . 2011-12-31 06:55 282294 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2011-12-30 16:30 624178 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-31 05:48 624178 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-31 05:48 106522 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-30 16:30 106522 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-12-30 10:22 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-30 23:14 388944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-19 13:25 . 2011-12-30 23:14 704852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-12288.dat
- 2011-07-19 13:25 . 2011-07-19 13:25 704852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-12288.dat
+ 2011-05-09 21:24 . 2011-12-30 23:14 9365124 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1408542232-2675205540-872438115-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]
R3 BlackBox;BlackBox SR2; [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-17 487424]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
"combofix"="c:\combofix\CF20529.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Raluca\AppData\Roaming\Mozilla\Firefox\Profiles\lm5ry5n3.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2011-12-31 09:12:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-31 07:12
ComboFix2.txt 2011-12-30 22:12
ComboFix3.txt 2011-12-30 18:03
.
Pre-Run: 131,655,385,088 bytes free
Post-Run: 131,207,516,160 bytes free
.
- - End Of File - - 16EED6E0EA3FDDBC8C96FB903FF89507



==============================================


aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-30 23:10:29
-----------------------------
23:10:29.757 OS Version: Windows x64 6.1.7601 Service Pack 1
23:10:29.757 Number of processors: 4 586 0x2505
23:10:29.759 ComputerName: RALUCA-PC UserName: Raluca
23:10:31.046 Initialize success
23:11:55.036 AVAST engine defs: 11123001
23:12:42.264 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:12:42.269 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 11
23:12:42.278 Disk 0 MBR read successfully
23:12:42.282 Disk 0 MBR scan
23:12:42.287 Disk 0 Windows 7 default MBR code
23:12:42.291 Disk 0 MBR hidden
23:12:42.299 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
23:12:42.314 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
23:12:42.346 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
23:12:42.353 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
23:12:42.359 Service scanning
23:12:43.457 Modules scanning
23:12:43.466 Disk 0 trace - called modules:
23:12:43.511 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003387334]<<
23:12:43.518 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003375060]
23:12:43.524 3 CLASSPNP.SYS[fffff8800199d43f] -> nt!IofCallDriver -> [0xfffffa80030b8520]
23:12:43.530 5 ACPI.sys[fffff88000d6c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030ce1f0]
23:12:43.536 \Driver\atapi[0xfffffa80030a7060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003387334
23:12:44.541 AVAST engine scan C:\Windows
23:12:47.646 AVAST engine scan C:\Windows\system32
23:14:51.402 AVAST engine scan C:\Windows\system32\drivers
23:15:04.633 AVAST engine scan C:\Users\Raluca
23:15:27.795 Disk 0 MBR has been saved successfully to "C:\Users\Raluca\Desktop\MBR.dat"
23:15:27.799 The log file has been saved successfully to "C:\Users\Raluca\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-31 09:17:52
-----------------------------
09:17:52.334 OS Version: Windows x64 6.1.7601 Service Pack 1
09:17:52.334 Number of processors: 4 586 0x2505
09:17:52.335 ComputerName: RALUCA-PC UserName: Raluca
09:17:53.931 Initialize success
09:19:12.628 AVAST engine defs: 11123001
09:20:01.292 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:20:01.302 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 11
09:20:01.317 Disk 0 MBR read successfully
09:20:01.320 Disk 0 MBR scan
09:20:01.326 Disk 0 Windows 7 default MBR code
09:20:01.328 Disk 0 MBR hidden
09:20:01.371 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
09:20:01.398 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
09:20:01.441 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
09:20:01.528 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
09:20:01.538 Service scanning
09:20:15.645 Modules scanning
09:20:15.653 Disk 0 trace - called modules:
09:20:15.807 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003385334]<<
09:20:15.816 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800336f060]
09:20:15.826 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80030ff520]
09:20:15.833 5 ACPI.sys[fffff88000ef57a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030fb680]
09:20:15.839 \Driver\atapi[0xfffffa80030b3550] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003385334
09:20:20.260 AVAST engine scan C:\Windows
09:20:27.116 AVAST engine scan C:\Windows\system32
09:24:00.216 AVAST engine scan C:\Windows\system32\drivers
09:24:15.161 AVAST engine scan C:\Users\Raluca
09:24:28.524 Disk 0 MBR has been saved successfully to "C:\Users\Raluca\Desktop\MBR.dat"
09:24:28.555 The log file has been saved successfully to "C:\Users\Raluca\Desktop\aswMBR.txt"
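Both aswMBR runs above report the same three things: the MBR boot code is the Windows 7 default, the MBR is "hidden" (the atapi driver's IRP_MJ_INTERNAL_DEVICE_CONTROL handler points at unbacked memory, so reads of sector 0 are filtered), and partition 3 is a 1 MB, active, hidden-NTFS (type 0x17) partition whose LBA range is the last megabyte of the drive, while the 100 MB System Reserved partition that normally carries the active flag shows `00`. That partition-table shape is how the Alureon/TDL4 bootkit chains itself into the boot path. The script below is an added example, not output or code from aswMBR or from this thread: it parses a raw 512-byte MBR (the `MBR.dat` aswMBR saved to the desktop is exactly that) and reports any entry that matches the pattern. The sample MBR is constructed from the partition offsets and sizes in the log with zeroed boot code, and the drive's sector count is derived from the rounded 305245 MB figure the tool printed, so the tail check is written with a one-megabyte tolerance.

```python
"""Check an MBR partition table for the hidden, active tail partition a TDL4/Alureon
bootkit carves out.  Added example: reads aswMBR's MBR.dat or falls back to constructed data."""
import struct
import sys

SECTOR = 512
MB = 1024 * 1024
# "Hidden" variants of the FAT/NTFS partition types (the ordinary type with 0x10 set).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_partition_table(mbr):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with the 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        boot, _chs0, ptype, _chs1, lba, sectors = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue
        entries.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                        "lba": lba, "sectors": sectors})
    return entries


def find_suspect_partitions(mbr, disk_sectors, max_mb=16):
    """Flag entries that look like a bootkit staging partition.

    An active partition of a hidden filesystem type is flagged on its own; otherwise
    two of the indicators (active+hidden, very small, placed in the last megabyte of
    the drive) are required.  disk_sectors is the drive's total LBA count.
    """
    findings = []
    for p in parse_partition_table(mbr):
        size_mb = p["sectors"] * SECTOR // MB
        end = p["lba"] + p["sectors"]
        reasons = []
        active_hidden = p["active"] and p["type"] in HIDDEN_TYPES
        if active_hidden:
            reasons.append("active partition with hidden filesystem type 0x%02x" % p["type"])
        if size_mb <= max_mb:
            reasons.append("tiny (%d MB)" % size_mb)
        if 0 <= disk_sectors - end < MB // SECTOR:
            reasons.append("ends in the last megabyte of the disk")
        if active_hidden or len(reasons) >= 2:
            findings.append((p, reasons))
    return findings


def build_mbr(entries):
    """Construct a test MBR: zeroed boot code, the given partition entries, 0x55AA."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if e["active"] else 0x00, b"\xfe\xff\xff",
                    e["type"], b"\xfe\xff\xff", e["lba"], e["sectors"])
        for e in entries).ljust(64, b"\x00")
    return b"\x00" * 446 + table + b"\x55\xAA"


# Constructed sample reproducing the layout aswMBR printed for Disk 0:
# 305245 MB drive; P1 100 MB @ LBA 2048; P2 305143 MB @ 206848;
# P3 active, type 0x17, 1 MB @ 625139712 (which is exactly where P2 ends).
DISK_SECTORS = 305245 * MB // SECTOR          # 625141760, from the rounded MB figure
SAMPLE_MBR = build_mbr([
    {"active": False, "type": 0x07, "lba": 2048, "sectors": 100 * MB // SECTOR},
    {"active": False, "type": 0x07, "lba": 206848, "sectors": 305143 * MB // SECTOR},
    {"active": True, "type": 0x17, "lba": 625139712, "sectors": 1 * MB // SECTOR},
])


def report(mbr, disk_sectors):
    """Human-readable lines for each suspect partition, plus a note when no ordinary
    partition carries the active flag (the flag has been moved to the hidden one)."""
    lines = []
    for p, reasons in find_suspect_partitions(mbr, disk_sectors):
        lines.append("partition %d: type 0x%02x, LBA %d, %d sectors -> %s"
                     % (p["index"], p["type"], p["lba"], p["sectors"], "; ".join(reasons)))
    if not any(p["active"] and p["type"] not in HIDDEN_TYPES
               for p in parse_partition_table(mbr)):
        lines.append("no ordinary partition carries the active flag; boot is chained elsewhere")
    return lines


if __name__ == "__main__":
    # usage: python mbr_check.py MBR.dat <total disk sectors>   (no args: built-in sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data, total = fh.read(512), int(sys.argv[2])
    else:
        data, total = SAMPLE_MBR, DISK_SECTORS
    print("\n".join(report(data, total)) or "nothing suspicious")
```

Two caveats when running this against a real MBR.dat. First, a copy read through the infected system's disk stack may already be filtered by the hook aswMBR traced, so a table captured from a boot CD or by attaching the drive elsewhere is the one to trust. Second, OEM recovery partitions are also hidden types near the end of the drive, but they are hundreds of megabytes and are not marked active; the combination of active flag, hidden type and a one-megabyte size is what makes this entry stand out.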
 
Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
I tried to run TDSSKiller, but without success: after the UAC prompt nothing happens and no log file is found.

I also tried saving it to the desktop under another random name. No success either.


Thank you very much for your help and Happy New Year!!!
 
For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to your desktop.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

  • Double-click on the downloaded file to run it.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will produce a log (FRST.txt) on your desktop.
  • Please copy and paste it into your reply.
 
Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.1
Ran by Raluca at 2011-12-31 21:15:03
Running from C:\Users\Raluca\Desktop
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit]
HKLM\...\Winlogon: [Shell]
HKLM-x32\...\Winlogon: [Shell] [x x] ()

==================== Services (Whitelisted) ======


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-31 21:14 - 2011-12-31 21:14 - 1377537 ____A C:\Users\Raluca\Desktop\FRST64.exe
2011-12-31 20:25 - 2011-12-31 20:25 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\lkjoijoqiwjoiqjoifqj.exe
2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller(1).exe
2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\tdsskiller.exe
2011-12-31 19:02 - 2011-12-31 19:07 - 77086912 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\msert.exe
2011-12-31 18:03 - 2011-12-31 18:03 - 0000000 ____D C:\Users\Raluca\Downloads\TCPView
2011-12-31 18:02 - 2011-12-31 18:02 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView(1).zip
2011-12-31 10:03 - 2011-12-31 10:03 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView.zip
2011-12-31 09:15 - 2011-12-31 09:15 - 0000000 __SHD C:\$RECYCLE.BIN
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2011-12-31 00:35 - 2011-12-31 09:13 - 0000000 ____D C:\ComboFix
2011-12-30 23:16 - 2011-12-31 00:33 - 4358014 ____R (Swearware) C:\Users\Raluca\Desktop\ComboFix.exe
2011-12-30 23:15 - 2011-12-31 09:24 - 0000512 ____A C:\Users\Raluca\Desktop\MBR.dat
2011-12-30 22:58 - 2011-12-30 22:58 - 2721168 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\Windows7-USB-DVD-tool.exe
2011-12-30 22:49 - 2011-12-30 22:50 - 0000000 ____D C:\Users\Raluca\Downloads\qwsqws
2011-12-30 22:48 - 2011-12-30 22:48 - 0231390 ____A C:\Users\Raluca\Downloads\RootkitRevealer.zip
2011-12-30 22:39 - 2011-12-30 22:39 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\iexplore.com
2011-12-30 22:30 - 2011-12-30 22:30 - 0035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys
2011-12-30 21:23 - 2011-12-30 21:24 - 0139264 ____A () C:\Users\Raluca\Downloads\RKUnhookerLE.EXE
2011-12-30 21:06 - 2011-12-30 21:06 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller.exe
2011-12-30 20:57 - 2011-12-30 20:57 - 1410192 ____A C:\Users\Raluca\Downloads\sar_15_sfx.exe
2011-12-30 20:57 - 2011-12-30 20:57 - 0000000 ____D C:\Program Files (x86)\Sophos
2011-12-30 20:51 - 2011-12-30 20:52 - 0000000 ____D C:\Users\Raluca\Downloads\bootkit_remover
2011-12-30 20:51 - 2011-12-30 20:51 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover(1).zip
2011-12-30 20:41 - 2011-12-31 18:16 - 0388676 ____A C:\Windows\ntbtlog.txt
2011-12-30 20:37 - 2011-12-30 20:37 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover.zip
2011-12-30 20:34 - 2011-12-30 23:09 - 4702720 ____A (AVAST Software) C:\Users\Raluca\Downloads\aswMBR.exe
2011-12-30 20:25 - 2011-12-30 20:27 - 0000000 ____D C:\Users\Raluca\Downloads\qwekjdhwkjhkjwtdsskiller
2011-12-30 20:25 - 2011-12-30 20:25 - 1558406 ____A C:\Users\Raluca\Downloads\tdsskiller.zip
2011-12-30 20:17 - 2011-12-30 20:17 - 1008141 ____A C:\Users\Raluca\Downloads\rkill.com
2011-12-30 19:07 - 2011-06-26 08:45 - 0256000 ____A C:\Windows\PEV.exe
2011-12-30 19:07 - 2010-11-07 19:20 - 0208896 ____A C:\Windows\MBR.exe
2011-12-30 19:07 - 2000-08-31 02:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2011-12-30 19:07 - 2000-08-31 02:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2011-12-30 19:07 - 2000-08-31 02:00 - 0098816 ____A C:\Windows\sed.exe
2011-12-30 19:07 - 2000-08-31 02:00 - 0080412 ____A C:\Windows\grep.exe
2011-12-30 19:07 - 2000-08-31 02:00 - 0068096 ____A C:\Windows\zip.exe
2011-12-30 19:05 - 2011-12-31 09:13 - 0000000 ____D C:\Qoobox
2011-12-30 19:04 - 2011-12-30 19:04 - 4356196 ____R (Swearware) C:\Users\Raluca\Downloads\ComboFix.exe
2011-12-30 11:09 - 2011-12-30 11:09 - 0607260 ____R (Swearware) C:\Users\Raluca\Downloads\dds.scr
2011-12-30 11:05 - 2011-12-30 11:05 - 0302592 ____A C:\Users\Raluca\Downloads\xvzexw70.exe
2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2011-12-30 10:59 - 2011-12-30 10:59 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-30 10:40 - 2011-12-30 10:40 - 0684297 ____A C:\Users\Raluca\Downloads\unhide.exe
2011-12-29 22:03 - 2011-12-30 19:00 - 0012439 ____A C:\Users\Raluca\Desktop\System Check.docx
2011-12-28 23:21 - 2011-12-30 11:45 - 0000199 ____A C:\Users\Raluca\Desktop\anti_vir_notes.txt
2011-12-28 23:10 - 2011-12-28 23:10 - 0004849 ____A C:\Users\Raluca\Downloads\fix_desktop.reg
2011-12-28 22:08 - 2011-12-28 22:08 - 0302592 ____A C:\Users\Raluca\Downloads\pzg6kin8.exe
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\Application Data\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-28 21:04 - 2011-10-16 19:35 - 0001864 ____A C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
2011-12-28 21:04 - 2011-02-07 22:53 - 0000834 ____A C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
2011-12-28 21:01 - 2011-02-08 20:51 - 0001137 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
2011-12-28 21:01 - 2011-02-08 20:51 - 0001137 ____A C:\Users\All Users\Desktop\Yahoo! Messenger.lnk
2011-12-28 21:01 - 2011-02-08 20:07 - 0001106 ____A C:\Users\Public\Desktop\Picasa 3.lnk
2011-12-28 21:01 - 2011-02-08 20:07 - 0001106 ____A C:\Users\All Users\Desktop\Picasa 3.lnk
2011-12-28 20:40 - 2009-04-20 06:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2011-12-28 20:39 - 2011-12-31 01:13 - 0000000 ____D C:\Windows\ERDNT
2011-12-28 19:35 - 2011-12-30 11:57 - 0000000 ____D C:\Nasty_****
2011-12-28 19:21 - 2011-12-28 19:21 - 0000000 ____D C:\Users\Raluca\Downloads\uniextract161_noinst
2011-12-28 19:20 - 2011-12-28 19:20 - 5186991 ____A C:\Users\Raluca\Downloads\uniextract161_noinst.rar
2011-12-28 19:07 - 2011-12-28 19:08 - 0000000 ____D C:\Users\Raluca\Downloads\xvi32
2011-12-28 19:05 - 2011-12-28 19:05 - 0571004 ____A C:\Users\Raluca\Downloads\xvi32.zip
2011-12-28 18:50 - 2011-12-28 18:50 - 0000000 ____D C:\Users\Raluca\Downloads\Autoruns
2011-12-28 18:49 - 2011-12-28 18:49 - 0532781 ____A C:\Users\Raluca\Downloads\Autoruns.zip
2011-12-28 18:46 - 2011-12-31 18:18 - 0000000 ____D C:\Users\Raluca\Downloads\ProcessExplorer
2011-12-28 18:45 - 2011-12-28 18:46 - 1851394 ____A C:\Users\Raluca\Downloads\ProcessExplorer.zip
2011-12-26 00:13 - 2011-12-26 00:13 - 4095614 ____A C:\Users\Raluca\Downloads\Ugly Kid Joe - Cats In The Cradle.mp3
2011-12-26 00:12 - 2011-12-26 00:12 - 3933027 ____A C:\Users\Raluca\Downloads\Let it be.mp3
2011-12-26 00:03 - 2011-12-26 00:03 - 2903176 ____A C:\Users\Raluca\Downloads\Bob Marley- Three Little Birds (With Lyrics!).mp3
2011-12-25 23:39 - 2011-12-25 23:39 - 4566236 ____A C:\Users\Raluca\Downloads\R.E.M. - Losing My Religion (Video).mp3
2011-12-25 23:38 - 2011-12-26 00:13 - 0000000 ____D C:\Users\Raluca\Desktop\I AM A DOLPHIN
2011-12-18 18:25 - 2011-12-19 19:57 - 0000000 ____D C:\Users\Raluca\Desktop\rage faces
2011-12-15 21:58 - 2011-12-15 21:58 - 0000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
2011-12-14 22:04 - 2011-11-04 04:38 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-14 22:04 - 2011-11-04 03:59 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-14 22:04 - 2011-11-04 03:53 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-12-14 22:04 - 2011-11-04 03:46 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-14 22:04 - 2011-11-04 03:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-12-14 22:04 - 2011-11-04 03:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-14 22:04 - 2011-11-04 03:43 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-14 22:04 - 2011-11-04 03:41 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-14 22:04 - 2011-11-04 03:39 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-12-14 22:04 - 2011-11-04 03:36 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-14 22:04 - 2011-11-04 03:35 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-14 22:04 - 2011-11-04 03:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-14 22:04 - 2011-11-04 03:30 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-14 22:04 - 2011-11-04 01:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-12-14 22:04 - 2011-11-04 00:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2011-12-14 22:04 - 2011-11-04 00:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-12-14 22:04 - 2011-11-04 00:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2011-12-14 22:04 - 2011-11-04 00:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-12-14 22:04 - 2011-11-04 00:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-12-14 22:04 - 2011-11-04 00:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-12-14 22:04 - 2011-11-04 00:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-12-14 22:04 - 2011-11-04 00:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2011-12-14 22:04 - 2011-11-04 00:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-12-14 22:04 - 2011-11-04 00:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-12-14 22:04 - 2011-11-04 00:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-12-14 22:04 - 2011-11-04 00:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-12-14 11:28 - 2011-11-24 06:52 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-12-14 11:28 - 2011-11-05 07:32 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-12-14 11:28 - 2011-11-05 06:26 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-12-14 11:28 - 2011-10-26 07:21 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-12-14 11:28 - 2011-10-15 08:31 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-12-14 11:28 - 2011-10-15 07:38 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Windows\SysWOW64\AGEIA
2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Program Files (x86)\AGEIA Technologies
2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\My Documents\My Games
2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\Documents\My Games
2011-12-13 21:20 - 2011-12-13 21:20 - 0001283 ____A C:\Users\Raluca\Desktop\Borderlands.lnk
2011-12-09 10:19 - 2008-01-24 14:32 - 0094720 ____A C:\Users\Raluca\Downloads\Ion de Liviu Rebreanu - Rezumat.doc
2011-12-09 10:18 - 2011-12-09 10:18 - 0023884 ____A C:\Users\Raluca\Downloads\referat.clopotel.ro_13263.zip
2011-12-08 21:14 - 2011-12-16 20:43 - 0000000 ____D C:\Users\Raluca\Desktop\romanul
2011-12-06 21:20 - 2011-12-26 01:44 - 0000000 ____D C:\Users\Raluca\Desktop\DR.Pepper
2011-12-01 20:36 - 2011-12-06 21:21 - 0000000 ____D C:\Users\Raluca\Desktop\fuuuuuuuuuu


============ 3 Months Modified Files and Folders =============

2011-12-31 21:15 - 2011-12-31 21:14 - 0000000 ____D C:\FRST
2011-12-31 21:14 - 2011-12-31 21:14 - 1377537 ____A C:\Users\Raluca\Desktop\FRST64.exe
2011-12-31 21:14 - 2009-07-14 07:13 - 0726316 ____A C:\Windows\System32\PerfStringBackup.INI
2011-12-31 20:25 - 2011-12-31 20:25 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\lkjoijoqiwjoiqjoifqj.exe
2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller(1).exe
2011-12-31 20:21 - 2011-12-31 20:21 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Desktop\tdsskiller.exe
2011-12-31 20:20 - 2011-02-07 21:17 - 1473181 ____A C:\Windows\WindowsUpdate.log
2011-12-31 19:28 - 2011-04-18 17:58 - 0000000 ____D C:\Users\Raluca\Desktop\Everything Teen Press Related
2011-12-31 19:07 - 2011-12-31 19:02 - 77086912 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\msert.exe
2011-12-31 18:34 - 2009-07-14 06:45 - 0021200 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2011-12-31 18:34 - 2009-07-14 06:45 - 0021200 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2011-12-31 18:27 - 2011-02-08 04:11 - 2307932160 __ASH C:\hiberfil.sys
2011-12-31 18:27 - 2009-07-14 07:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-12-31 18:27 - 2009-07-14 06:51 - 0033104 ____A C:\Windows\setupact.log
2011-12-31 18:18 - 2011-12-28 18:46 - 0000000 ____D C:\Users\Raluca\Downloads\ProcessExplorer
2011-12-31 18:16 - 2011-12-30 20:41 - 0388676 ____A C:\Windows\ntbtlog.txt
2011-12-31 18:03 - 2011-12-31 18:03 - 0000000 ____D C:\Users\Raluca\Downloads\TCPView
2011-12-31 18:02 - 2011-12-31 18:02 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView(1).zip
2011-12-31 10:03 - 2011-12-31 10:03 - 0291606 ____A C:\Users\Raluca\Downloads\TCPView.zip
2011-12-31 09:24 - 2011-12-30 23:15 - 0000512 ____A C:\Users\Raluca\Desktop\MBR.dat
2011-12-31 09:15 - 2011-12-31 09:15 - 0000000 __SHD C:\$RECYCLE.BIN
2011-12-31 09:13 - 2011-12-31 00:35 - 0000000 ____D C:\ComboFix
2011-12-31 09:13 - 2011-12-30 19:05 - 0000000 ____D C:\Qoobox
2011-12-31 08:56 - 2009-07-14 04:34 - 0000215 ____A C:\Windows\system.ini
2011-12-31 08:55 - 2009-07-14 04:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2011-12-31 01:15 - 2011-02-07 21:57 - 0030138 ____A C:\Windows\PFRO.log
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2011-12-31 01:14 - 2011-12-31 01:14 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2011-12-31 01:14 - 2009-07-14 04:34 - 54788096 ____A C:\Windows\System32\config\SOFTWARE.bak
2011-12-31 01:14 - 2009-07-14 04:34 - 16252928 ____A C:\Windows\System32\config\SYSTEM.bak
2011-12-31 01:14 - 2009-07-14 04:34 - 0262144 ____A C:\Windows\System32\config\SECURITY.bak
2011-12-31 01:14 - 2009-07-14 04:34 - 0262144 ____A C:\Windows\System32\config\SAM.bak
2011-12-31 01:14 - 2009-07-14 04:34 - 0262144 ____A C:\Windows\System32\config\DEFAULT.bak
2011-12-31 01:13 - 2011-12-28 20:39 - 0000000 ____D C:\Windows\ERDNT
2011-12-31 00:33 - 2011-12-30 23:16 - 4358014 ____R (Swearware) C:\Users\Raluca\Desktop\ComboFix.exe
2011-12-30 23:09 - 2011-12-30 20:34 - 4702720 ____A (AVAST Software) C:\Users\Raluca\Downloads\aswMBR.exe
2011-12-30 22:58 - 2011-12-30 22:58 - 2721168 ____A (Microsoft Corporation) C:\Users\Raluca\Downloads\Windows7-USB-DVD-tool.exe
2011-12-30 22:50 - 2011-12-30 22:49 - 0000000 ____D C:\Users\Raluca\Downloads\qwsqws
2011-12-30 22:48 - 2011-12-30 22:48 - 0231390 ____A C:\Users\Raluca\Downloads\RootkitRevealer.zip
2011-12-30 22:39 - 2011-12-30 22:39 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\iexplore.com
2011-12-30 22:30 - 2011-12-30 22:30 - 0035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys
2011-12-30 21:24 - 2011-12-30 21:23 - 0139264 ____A () C:\Users\Raluca\Downloads\RKUnhookerLE.EXE
2011-12-30 21:06 - 2011-12-30 21:06 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Raluca\Downloads\tdsskiller.exe
2011-12-30 20:57 - 2011-12-30 20:57 - 1410192 ____A C:\Users\Raluca\Downloads\sar_15_sfx.exe
2011-12-30 20:57 - 2011-12-30 20:57 - 0000000 ____D C:\Program Files (x86)\Sophos
2011-12-30 20:52 - 2011-12-30 20:51 - 0000000 ____D C:\Users\Raluca\Downloads\bootkit_remover
2011-12-30 20:51 - 2011-12-30 20:51 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover(1).zip
2011-12-30 20:37 - 2011-12-30 20:37 - 0044607 ____A C:\Users\Raluca\Downloads\bootkit_remover.zip
2011-12-30 20:27 - 2011-12-30 20:25 - 0000000 ____D C:\Users\Raluca\Downloads\qwekjdhwkjhkjwtdsskiller
2011-12-30 20:25 - 2011-12-30 20:25 - 1558406 ____A C:\Users\Raluca\Downloads\tdsskiller.zip
2011-12-30 20:17 - 2011-12-30 20:17 - 1008141 ____A C:\Users\Raluca\Downloads\rkill.com
2011-12-30 19:04 - 2011-12-30 19:04 - 4356196 ____R (Swearware) C:\Users\Raluca\Downloads\ComboFix.exe
2011-12-30 19:00 - 2011-12-29 22:03 - 0012439 ____A C:\Users\Raluca\Desktop\System Check.docx
2011-12-30 11:57 - 2011-12-28 19:35 - 0000000 ____D C:\Nasty_****
2011-12-30 11:45 - 2011-12-28 23:21 - 0000199 ____A C:\Users\Raluca\Desktop\anti_vir_notes.txt
2011-12-30 11:09 - 2011-12-30 11:09 - 0607260 ____R (Swearware) C:\Users\Raluca\Downloads\dds.scr
2011-12-30 11:05 - 2011-12-30 11:05 - 0302592 ____A C:\Users\Raluca\Downloads\xvzexw70.exe
2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2011-12-30 10:59 - 2011-12-30 10:59 - 0001109 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2011-12-30 10:59 - 2011-12-30 10:59 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-30 10:40 - 2011-12-30 10:40 - 0684297 ____A C:\Users\Raluca\Downloads\unhide.exe
2011-12-28 23:10 - 2011-12-28 23:10 - 0004849 ____A C:\Users\Raluca\Downloads\fix_desktop.reg
2011-12-28 22:08 - 2011-12-28 22:08 - 0302592 ____A C:\Users\Raluca\Downloads\pzg6kin8.exe
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\Application Data\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2011-12-28 22:05 - 2011-12-28 22:05 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-28 21:42 - 2009-07-14 05:20 - 0000000 ___RD C:\users\Public
2011-12-28 21:42 - 2009-07-14 05:20 - 0000000 ___RD C:\users\Default
2011-12-28 21:17 - 2009-07-14 07:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2011-12-28 20:25 - 2011-04-24 22:55 - 0000000 ___RD C:\Program Files (x86)\Skype
2011-12-28 20:02 - 2011-02-08 16:32 - 0000000 ____D C:\Users\Raluca\Desktop\Claudia
2011-12-28 19:21 - 2011-12-28 19:21 - 0000000 ____D C:\Users\Raluca\Downloads\uniextract161_noinst
2011-12-28 19:20 - 2011-12-28 19:20 - 5186991 ____A C:\Users\Raluca\Downloads\uniextract161_noinst.rar
2011-12-28 19:08 - 2011-12-28 19:07 - 0000000 ____D C:\Users\Raluca\Downloads\xvi32
2011-12-28 19:05 - 2011-12-28 19:05 - 0571004 ____A C:\Users\Raluca\Downloads\xvi32.zip
2011-12-28 18:50 - 2011-12-28 18:50 - 0000000 ____D C:\Users\Raluca\Downloads\Autoruns
2011-12-28 18:49 - 2011-12-28 18:49 - 0532781 ____A C:\Users\Raluca\Downloads\Autoruns.zip
2011-12-28 18:46 - 2011-12-28 18:45 - 1851394 ____A C:\Users\Raluca\Downloads\ProcessExplorer.zip
2011-12-28 18:07 - 2011-03-01 23:03 - 0000000 ____D C:\Users\Raluca\Desktop\Stuffzuh
2011-12-28 18:07 - 2011-02-07 21:30 - 0002046 ____A C:\Users\Raluca\My Documents\Default.rdp
2011-12-28 18:07 - 2011-02-07 21:30 - 0002046 ____A C:\Users\Raluca\Documents\Default.rdp
2011-12-26 01:44 - 2011-12-06 21:20 - 0000000 ____D C:\Users\Raluca\Desktop\DR.Pepper
2011-12-26 01:44 - 2011-03-10 19:50 - 0000000 ____D C:\Users\Raluca\Desktop\Tabss
2011-12-26 01:44 - 2011-03-01 23:04 - 0000000 ____D C:\Users\Raluca\Desktop\WORD Docs
2011-12-26 01:42 - 2011-09-07 16:16 - 0000000 ____D C:\Users\Raluca\Desktop\puls
2011-12-26 00:13 - 2011-12-26 00:13 - 4095614 ____A C:\Users\Raluca\Downloads\Ugly Kid Joe - Cats In The Cradle.mp3
2011-12-26 00:13 - 2011-12-25 23:38 - 0000000 ____D C:\Users\Raluca\Desktop\I AM A DOLPHIN
2011-12-26 00:12 - 2011-12-26 00:12 - 3933027 ____A C:\Users\Raluca\Downloads\Let it be.mp3
2011-12-26 00:03 - 2011-12-26 00:03 - 2903176 ____A C:\Users\Raluca\Downloads\Bob Marley- Three Little Birds (With Lyrics!).mp3
2011-12-25 23:39 - 2011-12-25 23:39 - 4566236 ____A C:\Users\Raluca\Downloads\R.E.M. - Losing My Religion (Video).mp3
2011-12-20 00:45 - 2011-05-06 21:46 - 0000000 ____D C:\Users\Raluca\Desktop\GIFFFFFF
2011-12-19 19:57 - 2011-12-18 18:25 - 0000000 ____D C:\Users\Raluca\Desktop\rage faces
2011-12-18 20:33 - 2011-07-17 15:36 - 0000000 ____D C:\Users\Raluca\Desktop\photo
2011-12-18 17:19 - 2011-02-08 16:32 - 0000000 ____D C:\Users\Raluca\Desktop\People and Pictures
2011-12-16 20:43 - 2011-12-08 21:14 - 0000000 ____D C:\Users\Raluca\Desktop\romanul
2011-12-16 18:51 - 2011-07-14 13:26 - 0000000 ____D C:\Users\Raluca\Desktop\NEW tribute ****
2011-12-15 21:58 - 2011-12-15 21:58 - 0000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
2011-12-15 20:56 - 2009-07-14 05:20 - 0000000 ____D C:\Windows\rescache
2011-12-15 20:31 - 2009-07-14 06:45 - 0412704 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-14 22:08 - 2011-02-07 23:16 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-12-14 22:08 - 2011-02-07 23:16 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2011-12-14 22:08 - 2011-02-07 23:16 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-12-14 22:06 - 2011-02-07 23:43 - 54867776 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Windows\SysWOW64\AGEIA
2011-12-13 21:24 - 2011-12-13 21:24 - 0000000 ____D C:\Program Files (x86)\AGEIA Technologies
2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\My Documents\My Games
2011-12-13 21:21 - 2011-12-13 21:21 - 0000000 ____D C:\Users\Raluca\Documents\My Games
2011-12-13 21:20 - 2011-12-13 21:20 - 0001283 ____A C:\Users\Raluca\Desktop\Borderlands.lnk
2011-12-13 20:31 - 2011-02-07 21:25 - 0000000 ____D C:\Kits
2011-12-09 10:18 - 2011-12-09 10:18 - 0023884 ____A C:\Users\Raluca\Downloads\referat.clopotel.ro_13263.zip
2011-12-06 21:48 - 2011-08-18 18:09 - 0000000 ____D C:\Users\Raluca\Desktop\Y U NO LIKE SPONGEBOB
2011-12-06 21:21 - 2011-12-01 20:36 - 0000000 ____D C:\Users\Raluca\Desktop\fuuuuuuuuuu
2011-11-27 12:42 - 2011-07-08 12:51 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-11-24 06:52 - 2011-12-14 11:28 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-22 18:49 - 2011-02-08 16:33 - 0000000 ____D C:\Users\Raluca\Desktop\Sketches and co
2011-11-13 19:58 - 2011-06-26 17:31 - 0000000 ____D C:\Users\Raluca\.gimp-2.6
2011-11-13 19:56 - 2011-11-13 19:56 - 0003411 ____A C:\Users\Raluca\.recently-used.xbel
2011-11-13 19:56 - 2011-06-26 17:33 - 0000000 ____D C:\Users\Raluca\Application Data\gtk-2.0
2011-11-13 19:56 - 2011-06-26 17:33 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\gtk-2.0
2011-11-13 19:56 - 2011-02-07 21:17 - 0000000 ____D C:\users\Raluca
2011-11-13 19:37 - 2011-02-26 18:59 - 0000000 ____D C:\Users\Raluca\Desktop\.picasaoriginals
2011-11-13 18:06 - 2011-02-08 22:03 - 0000000 ____D C:\Users\Raluca\Desktop\POze la Scoalaaa...LoL
2011-11-10 23:18 - 2009-07-14 05:20 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-05 07:32 - 2011-12-14 11:28 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-11-05 06:26 - 2011-12-14 11:28 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-11-04 04:38 - 2011-12-14 22:04 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-11-04 03:59 - 2011-12-14 22:04 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-11-04 03:53 - 2011-12-14 22:04 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-11-04 03:46 - 2011-12-14 22:04 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-11-04 03:44 - 2011-12-14 22:04 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-11-04 03:44 - 2011-12-14 22:04 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-11-04 03:43 - 2011-12-14 22:04 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-11-04 03:41 - 2011-12-14 22:04 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-11-04 03:39 - 2011-12-14 22:04 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-11-04 03:36 - 2011-12-14 22:04 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-11-04 03:35 - 2011-12-14 22:04 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-11-04 03:34 - 2011-12-14 22:04 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-11-04 03:30 - 2011-12-14 22:04 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-11-04 01:02 - 2011-12-14 22:04 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-11-04 00:47 - 2011-12-14 22:04 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2011-11-04 00:46 - 2011-12-14 22:04 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-11-04 00:40 - 2011-12-14 22:04 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2011-11-04 00:40 - 2011-12-14 22:04 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-11-04 00:39 - 2011-12-14 22:04 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-11-04 00:38 - 2011-12-14 22:04 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-11-04 00:37 - 2011-12-14 22:04 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-11-04 00:34 - 2011-12-14 22:04 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2011-11-04 00:32 - 2011-12-14 22:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-11-04 00:32 - 2011-12-14 22:04 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-11-04 00:31 - 2011-12-14 22:04 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-11-04 00:28 - 2011-12-14 22:04 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-10-26 07:21 - 2011-12-14 11:28 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-10-24 20:44 - 2011-07-06 19:53 - 0000000 ____D C:\Users\Raluca\Desktop\tribute ****
2011-10-23 17:30 - 2011-07-19 13:55 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2011-10-17 16:38 - 2011-10-17 16:37 - 0000000 ____D C:\Users\Raluca\Local Settings\Microsoft Games
2011-10-17 16:38 - 2011-10-17 16:37 - 0000000 ____D C:\Users\Raluca\Local Settings\Application Data\Microsoft Games
2011-10-17 16:38 - 2011-10-17 16:37 - 0000000 ____D C:\Users\Raluca\AppData\Local\Microsoft Games
2011-10-16 23:17 - 2011-02-08 16:32 - 0000000 ____D C:\Users\Raluca\Desktop\Rock
2011-10-16 19:35 - 2011-12-28 21:04 - 0001864 ____A C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
2011-10-15 19:28 - 2011-10-15 19:28 - 0035562 ____A C:\Users\Raluca\Desktop\First Song.gp5
2011-10-15 13:32 - 2011-10-15 13:32 - 0000000 ____D C:\Windows\System32\Macromed
2011-10-15 08:31 - 2011-12-14 11:28 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-10-15 07:38 - 2011-12-14 11:28 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
2011-10-11 19:29 - 2011-10-11 19:26 - 0000000 ____D C:\Users\Raluca\Application Data\IrfanView
2011-10-11 19:29 - 2011-10-11 19:26 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\IrfanView
2011-10-06 21:58 - 2011-04-24 22:55 - 0000000 ____D C:\Users\Raluca\Application Data\Skype
2011-10-06 21:58 - 2011-04-24 22:55 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\Skype
2011-10-06 19:12 - 2011-04-24 22:56 - 0000000 ____D C:\Users\Raluca\Application Data\skypePM
2011-10-06 19:12 - 2011-04-24 22:56 - 0000000 ____D C:\Users\Raluca\AppData\Roaming\skypePM
2011-10-05 23:00 - 2011-04-24 22:56 - 0000000 ____D C:\Users\All Users\Skype Extras
2011-10-05 23:00 - 2011-04-24 22:56 - 0000000 ____D C:\Users\All Users\Application Data\Skype Extras
2011-10-05 23:00 - 2011-04-24 22:56 - 0000000 ____D C:\ProgramData\Skype Extras
2011-10-05 18:26 - 2011-02-07 23:16 - 0000000 ____D C:\Users\Raluca\Local Settings\Microsoft Help
2011-10-05 18:26 - 2011-02-07 23:16 - 0000000 ____D C:\Users\Raluca\Local Settings\Application Data\Microsoft Help
2011-10-05 18:26 - 2011-02-07 23:16 - 0000000 ____D C:\Users\Raluca\AppData\Local\Microsoft Help

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 39%
Total physical RAM: 2934.69 MB
Available physical RAM: 1765.21 MB
Total Pagefile: 5867.57 MB
Available Pagefile: 4349.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:297.99 GB) (Free:122.1 GB) NTFS
2 Drive d: (SpongeBob S2) (CDROM) (Total:4.02 GB) (Free:0 GB) CDFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B

Partitions of Disk 0:

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            297 GB   101 MB
  Partition 3    Primary           1360 KB   298 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         System Rese  NTFS   Partition    100 MB  Healthy    System

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C                 NTFS   Partition    297 GB  Healthy    Boot

Disk: 0
Partition 3
Type : 17
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==========================================================

Last Boot: 2011-12-31 01:44

======================= End Of Log ==========================
 
We're dealing here with the newest TDL rootkit.

WARNING!
Proceed with extreme caution!
Deleting the wrong partition will result in your computer being unusable.
If you have any doubts, ask.


===========================================================================================

Download gparted-live-0.10.0-3.iso (115.1 MB)

Burn it to a CD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

Now you will need to set the CD-ROM as the first boot device if it isn't already (if you don't know how to do it, see HERE).
Boot off of the newly created Gparted CD.

You should be here:
gpartedsplash.png

Press Enter.

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:
gpartedkeymaps.png


Choose your language and press ENTER. English is default [33]:
gpartedlanguage.png


Once again, at this prompt, press ENTER:
gpartedgui.png


You will now be taken to the main GUI screen below:
gpartedo.png

According to your logs, the partition that you want to delete is the small partition of 1360 KB (1.4 MB).
Click on it to highlight it.
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
gpartedsteps.png


Now you should be here:
gpartedsuccessclose.png


Is "boot" next to your OS drive?
gpartedboot.png


If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

In the menu that pops up, place a checkmark in boot like the picture below:
gpartedmanageflagsboot.png


Now double-click the
gpartedexit.png
button.

You should receive a small pop up like this:
gpartedexitreboot.png


Choose reboot and then press OK.
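The diagnosis above rests on the partition table in the FRST log: a tiny partition of hidden type 0x17, marked active, sitting at the very end of the disk, while the Windows volume carries no boot flag. As an added example (not the helper's code, nor part of any tool named in this thread), this Python script parses a 512-byte MBR such as the MBR.dat saved in the log, flags entries with that profile, and shows the table once that slot is cleared and the boot flag is back on the OS volume; the sample MBR is constructed to mirror the log's layout, and the "tiny" threshold is my assumption.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                      # partition table starts after the boot code
TINY_LIMIT_SECTORS = 64 * 1024 * 2      # assumption: anything under 64 MB counts as "tiny"
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # 0x1x "hidden" twins of FAT/NTFS types
NTFS_TYPE = 0x07


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of a classic MBR partition table as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("expected a 512-byte sector ending in the 55 AA signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "start": lba_start,
            "sectors": sectors,
            "size_kb": sectors * SECTOR // 1024,
        })
    return entries


def suspicious_partitions(entries: list) -> list:
    """Flag entries with the bootkit storage profile: hidden type, bootable, tiny, last on disk."""
    if not entries:
        return []
    last_start = max(e["start"] for e in entries)
    findings = []
    for e in entries:
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X" % e["type"])
        if e["active"] and e["type"] != NTFS_TYPE:
            reasons.append("active flag on a non-Windows partition")
        if e["sectors"] < TINY_LIMIT_SECTORS:
            reasons.append("tiny (%d KB)" % e["size_kb"])
        if e["start"] == last_start:
            reasons.append("placed last on the disk")
        if len(reasons) >= 3:               # one trait alone is normal; the combination is not
            findings.append((e["index"], reasons))
    return findings


def windows_boot_flag_missing(entries: list) -> bool:
    """True when no NTFS partition carries the active (boot) flag, the case Manage Flags fixes."""
    return not any(e["active"] and e["type"] == NTFS_TYPE for e in entries)


def repair_table(mbr: bytes, remove_index: int, boot_index: int) -> bytes:
    """Clear one table slot and set the active flag on another, on an in-memory copy only."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + 16 * (remove_index - 1)
    buf[off:off + 16] = bytes(16)
    for i in range(4):
        o = TABLE_OFFSET + 16 * i
        buf[o] = 0x80 if i + 1 == boot_index else 0x00
    return bytes(buf)


def _entry(active: bool, ptype: int, start: int, sectors: int) -> bytes:
    chs = b"\xFE\xFF\xFF"                 # CHS fields are ignored by modern loaders; LBA is what matters
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, chs, ptype, chs, start, sectors)


# Constructed sample mirroring the layout in the log: 100 MB system partition at 1 MB,
# a 297 GB C: volume, then a hidden (0x17), active, 1360 KB partition at the tail of the disk.
SAMPLE_MBR = (
    bytes(TABLE_OFFSET)
    + _entry(False, NTFS_TYPE, 2048, 204800)
    + _entry(False, NTFS_TYPE, 206848, 622854144)
    + _entry(True, 0x17, 623060992, 2720)
    + bytes(16)
    + b"\x55\xAA"
)


if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    for idx, why in suspicious_partitions(table):
        print("partition %d looks like bootkit storage: %s" % (idx, "; ".join(why)))
    print("Windows boot flag missing:", windows_boot_flag_missing(table))
    fixed = parse_mbr(repair_table(SAMPLE_MBR, remove_index=3, boot_index=2))
    print("after repair:", suspicious_partitions(fixed), windows_boot_flag_missing(fixed))
```

To run it against a real capture, read the 512 bytes of MBR.dat into `parse_mbr`; `repair_table` only touches the in-memory copy, which is all it should do outside a recovery environment.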
 
It looks like we need to use the heavy artillery. :)

Unfortunately I am not at home and I cannot take these steps until after the 5th of January. You can close the topic and I will PM you when I have followed your last advice, or leave it open until then.

One question though: It is my understanding that my MBR is infected. When the computer starts, the virus in the MBR reads more data from the hidden partition and executes it. That code is executed instead of the regular Windows code. The virus also uses that partition to store the original code from infected files.
So if I just delete that hidden partition, wouldn't this prevent my laptop from starting?

Until next year many thanks for your help and a great new year!
 
I applied your final recommendation and now I only get a BSOD: STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC0000034, 0X0000000000000000, 0X0000000000000000)

The error appears to CLASSPNP.SYS

I already tried modifying the ATA/AHCI setting in the BIOS, Startup Repair, BootRec, and Last Known Good Configuration.

Any other ideas?

Thank you.

Please Boot to the System Recovery Options
If you have a Windows 7 installation disc, just insert the DVD into the drive, restart the computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use method one (by pressing F8 before Windows starts loading)...

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.

Post new aswMBR log.
 
Done

bootrec /fixmbr (<--- there is a "space" after "bootrec")
bootrec /fixboot (<--- there is a "space" after "bootrec")

Both finished successfully.

Still unable to boot: STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC000000D, 0X0000000000000000, 0X0000000000000000)

Thank you.
 
Let's see if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Finally managed. Initially it did not want to boot until I set my HDD to ATA mode in the BIOS.

Anyway here is the log:

OTL logfile created on: 1/7/2012 1:58:59 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 75.55 Mb Free Space | 75.56% Space Free | Partition Type: NTFS
Drive D: | 196.67 Gb Total Space | 20.31 Gb Free Space | 10.33% Space Free | Partition Type: NTFS
Drive E: | 101.32 Gb Total Space | 101.23 Gb Free Space | 99.91% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/06/17 14:10:14 | 000,258,048 | ---- | M] (IDT, Inc.) [Auto] -- D:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
SRV:64bit: - [2009/12/29 07:19:12 | 000,873,248 | ---- | M] (Broadcom Corporation.) [Auto] -- D:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\System32\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/03/02 19:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto] -- D:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
SRV - [2011/12/24 10:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/28 16:21:05 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/27 11:37:57 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/03/18 06:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- D:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/07/28 11:37:10 | 000,052,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV:64bit: - [2011/06/28 16:21:05 | 000,123,784 | ---- | M] (Avira GmbH) [Kernel | System] -- D:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2011/06/28 16:21:05 | 000,088,288 | ---- | M] (Avira GmbH) [File_System | Auto] -- D:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2011/02/11 11:16:38 | 010,628,640 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/12/01 09:12:06 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 06:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/08/30 04:17:38 | 000,289,280 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV:64bit: - [2010/07/21 09:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\point64.sys -- (Point64)
DRV:64bit: - [2010/06/17 14:10:14 | 000,515,584 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2010/03/30 04:58:06 | 000,053,800 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2010/02/26 16:32:14 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2010/02/02 07:13:08 | 000,020,984 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\bcmvwl64.sys -- (BcmVWL)
DRV:64bit: - [2010/02/02 07:13:04 | 003,058,168 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2010/01/12 07:37:34 | 000,325,152 | ---- | M] (Realtek ) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- D:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Raluca_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Raluca_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Raluca_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 27 77 69 2A FC C6 CB 01 [binary data]
IE - HKU\Raluca_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..network.proxy.type: 0

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\System32\Macromed\Flash\NPSWF64_11_0_1.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: D:\Windows\System32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: D:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: D:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: D:\Windows\SysWOW64\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@oberon-media.com/ONCAdapter: File not found

FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/11/27 05:42:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/07/08 05:51:32 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Raluca\AppData\Roaming\Mozilla\Extensions
[2011/11/27 05:42:44 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files (x86)\Mozilla Firefox\extensions
File not found (No name found) --
[2011/11/27 05:42:37 | 000,134,104 | ---- | M] (Mozilla Foundation) -- D:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/11/16 16:28:44 | 000,002,252 | ---- | M] () -- D:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/11/27 05:42:37 | 000,002,040 | ---- | M] () -- D:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/12/28 14:19:36 | 000,000,027 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4:64bit: - HKLM..\Run: [IntelliPoint] D:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [SysTrayApp] D:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [avgnt] D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKU\Raluca_ON_D..\Run: [Messenger (Yahoo!)] D:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4:64bit: - HKLM..\RunOnce: [*Restore] D:\Windows\System32\rstrui.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Raluca_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Raluca_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\systemprofile_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - D:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/31 14:14:51 | 000,000,000 | ---D | C] -- D:\FRST
[2011/12/31 02:13:17 | 000,000,000 | ---D | C] -- D:\Windows\temp
[2011/12/30 12:05:31 | 000,000,000 | ---D | C] -- D:\Qoobox
[2011/12/30 12:01:21 | 000,000,000 | --SD | C] -- D:\ComboFix
[2011/12/30 03:59:13 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/30 03:59:11 | 000,000,000 | ---D | C] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/12/28 15:31:38 | 000,000,000 | -HSD | C] -- D:\$RECYCLE.BIN
[2011/12/28 15:05:23 | 000,000,000 | ---D | C] -- D:\Users\Raluca\AppData\Roaming\Malwarebytes
[2011/12/28 15:05:12 | 000,000,000 | ---D | C] -- D:\ProgramData\Malwarebytes
[2011/12/28 14:03:38 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
[2011/12/28 13:40:11 | 000,060,416 | ---- | C] (NirSoft) -- D:\Windows\NIRCMD.exe
[2011/12/28 13:39:06 | 000,000,000 | ---D | C] -- D:\Windows\ERDNT
[2011/12/28 12:35:54 | 000,000,000 | ---D | C] -- D:\Nasty_****
[2011/12/28 11:24:45 | 000,000,000 | ---D | C] -- D:\Users\Raluca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
[2011/12/25 16:38:51 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Desktop\I AM A DOLPHIN
[2011/12/18 11:25:37 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Desktop\rage faces
[2011/12/14 15:04:30 | 000,096,256 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\mshtmled.dll
[2011/12/14 15:04:30 | 000,072,704 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\mshtmled.dll
[2011/12/14 15:04:29 | 000,237,056 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\url.dll
[2011/12/14 15:04:29 | 000,231,936 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\url.dll
[2011/12/14 15:04:28 | 000,248,320 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\ieui.dll
[2011/12/14 15:04:28 | 000,176,640 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\ieui.dll
[2011/12/14 15:04:27 | 001,427,456 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\inetcpl.cpl
[2011/12/14 15:04:26 | 002,309,120 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\jscript9.dll
[2011/12/14 15:04:26 | 001,798,144 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\jscript9.dll
[2011/12/14 15:04:26 | 001,493,504 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\inetcpl.cpl
[2011/12/14 15:04:26 | 000,716,800 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\jscript.dll
[2011/12/14 15:04:25 | 000,818,688 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\jscript.dll
[2011/12/14 04:28:30 | 000,043,520 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\csrsrv.dll
[2011/12/14 04:28:28 | 000,723,456 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\EncDec.dll
[2011/12/14 04:28:28 | 000,534,528 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\EncDec.dll
[2011/12/13 14:24:58 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
[2011/12/13 14:24:51 | 000,000,000 | ---D | C] -- D:\Windows\SysWow64\AGEIA
[2011/12/13 14:24:50 | 000,000,000 | ---D | C] -- D:\Program Files (x86)\AGEIA Technologies
[2011/12/13 14:23:40 | 000,000,000 | ---D | C] -- D:\Program Files (x86)\Common Files\Wise Installation Wizard
[2011/12/13 14:21:29 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Documents\My Games
[2011/12/08 14:14:42 | 000,000,000 | ---D | C] -- D:\Users\Raluca\Desktop\romanul
[6 D:\Windows\SysWow64\*.tmp files -> D:\Windows\SysWow64\*.tmp -> ]
[1 D:\Windows\*.tmp files -> D:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/07 04:24:00 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2012/01/07 01:06:50 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
[2012/01/07 01:06:50 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
[2012/01/07 01:06:50 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2012/01/07 01:06:50 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
[2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
[2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF-XChange PDF Viewer
[2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
[2012/01/07 01:06:49 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
[2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/01/07 01:06:48 | 000,000,000 | R--D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Guitar Pro 5
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Combined Community Codec Pack
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012/01/07 01:06:48 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2012/01/06 07:44:51 | 000,128,854 | ---- | M] () -- D:\Users\Raluca\Desktop\reject-toys-methlab.jpg
[2012/01/06 05:03:59 | 000,440,754 | ---- | M] () -- D:\Users\Raluca\Desktop\kids-shows-bert.gif
[2012/01/06 05:03:58 | 000,499,545 | ---- | M] () -- D:\Users\Raluca\Desktop\kids-show-lazytown-xmas.gif
[2012/01/06 05:03:58 | 000,370,116 | ---- | M] () -- D:\Users\Raluca\Desktop\kids-shows-teletubbies-*****.gif
[2012/01/04 16:00:14 | 2307,932,160 | -HS- | M] () -- D:\hiberfil.sys
[2011/12/31 02:24:28 | 000,000,512 | ---- | M] () -- D:\Users\Raluca\Desktop\MBR.dat
[2011/12/30 11:31:27 | 000,021,200 | ---- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/30 11:31:27 | 000,021,200 | ---- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/30 11:30:24 | 000,624,178 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2011/12/30 11:30:24 | 000,106,522 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2011/12/30 03:59:13 | 000,001,109 | ---- | M] () -- D:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/28 14:19:36 | 000,000,027 | ---- | M] () -- D:\Windows\System32\drivers\etc\hosts
[2011/12/28 11:24:46 | 000,000,677 | ---- | M] () -- D:\Users\Raluca\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2011/12/28 11:07:07 | 000,002,046 | ---- | M] () -- D:\Users\Raluca\Documents\Default.rdp
[2011/12/15 14:58:14 | 000,000,000 | ---- | M] () -- D:\Windows\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
[2011/12/15 13:31:19 | 000,412,704 | ---- | M] () -- D:\Windows\System32\FNTCACHE.DAT
[2011/12/13 14:20:54 | 000,001,283 | ---- | M] () -- D:\Users\Raluca\Desktop\Borderlands.lnk
[6 D:\Windows\SysWow64\*.tmp files -> D:\Windows\SysWow64\*.tmp -> ]
[1 D:\Windows\*.tmp files -> D:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/06 07:54:46 | 000,128,854 | ---- | C] () -- D:\Users\Raluca\Desktop\reject-toys-methlab.jpg
[2012/01/06 05:24:07 | 000,440,754 | ---- | C] () -- D:\Users\Raluca\Desktop\kids-shows-bert.gif
[2012/01/06 05:22:04 | 000,499,545 | ---- | C] () -- D:\Users\Raluca\Desktop\kids-show-lazytown-xmas.gif
[2012/01/06 05:21:54 | 000,370,116 | ---- | C] () -- D:\Users\Raluca\Desktop\kids-shows-teletubbies-*****.gif
[2011/12/30 16:15:27 | 000,000,512 | ---- | C] () -- D:\Users\Raluca\Desktop\MBR.dat
[2011/12/30 03:59:13 | 000,001,109 | ---- | C] () -- D:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/28 14:04:08 | 000,001,864 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/12/28 14:04:07 | 000,000,834 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
[2011/12/28 14:02:09 | 000,001,246 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2011/12/28 14:02:08 | 000,001,547 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/12/28 14:02:07 | 000,001,210 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2011/12/28 14:02:06 | 000,001,326 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2011/12/28 14:02:04 | 000,001,330 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2011/12/28 14:02:03 | 000,001,146 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/12/28 14:02:02 | 000,001,345 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2011/12/28 14:01:59 | 000,001,137 | ---- | C] () -- D:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2011/12/28 14:01:58 | 000,001,106 | ---- | C] () -- D:\Users\Public\Desktop\Picasa 3.lnk
[2011/12/28 11:24:46 | 000,000,677 | ---- | C] () -- D:\Users\Raluca\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2011/12/15 14:58:14 | 000,000,000 | ---- | C] () -- D:\Windows\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
[2011/12/13 14:20:54 | 000,001,283 | ---- | C] () -- D:\Users\Raluca\Desktop\Borderlands.lnk
[2011/05/08 14:07:59 | 000,007,632 | ---- | C] () -- D:\Users\Raluca\AppData\Local\Resmon.ResmonCfg
[2011/05/08 14:01:37 | 000,252,928 | ---- | C] () -- D:\Windows\SysWow64\DShowRdpFilter.dll
[2011/04/24 15:56:26 | 000,000,056 | ---- | C] () -- D:\ProgramData\ezsidmv.dat
[2011/03/03 17:10:44 | 000,004,608 | ---- | C] () -- D:\Users\Raluca\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/11 11:15:08 | 000,874,048 | ---- | C] () -- D:\Windows\SysWow64\igkrng575.bin
[2010/08/25 12:34:30 | 000,127,868 | ---- | C] () -- D:\Windows\SysWow64\igcompkrng575.bin
[2010/08/25 12:34:30 | 000,104,796 | ---- | C] () -- D:\Windows\SysWow64\igfcg575m.bin
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- D:\Windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- D:\Windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- D:\Windows\SysWow64\ir32_32.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- D:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\SysWow64\mlang.dat
[2008/10/07 02:13:30 | 000,197,912 | ---- | C] () -- D:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 02:13:22 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 02:13:20 | 000,058,648 | ---- | C] () -- D:\Windows\SysWow64\AgCPanelFrench.dll

========== LOP Check ==========

[2011/08/21 20:07:07 | 000,000,000 | ---D | M] -- D:\ProgramData\Alawar Stargaze
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Application Data
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Desktop
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documents
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favorites
[2011/08/20 09:02:22 | 000,000,000 | ---D | M] -- D:\ProgramData\Floodlight Games
[2011/06/27 15:40:28 | 000,000,000 | ---D | M] -- D:\ProgramData\Oberon Media
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Start Menu
[2011/08/31 15:25:20 | 000,000,000 | ---D | M] -- D:\ProgramData\TEMP
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Templates
[2011/07/17 08:37:00 | 000,000,000 | ---D | M] -- D:\ProgramData\Top Evidence
[2009/07/14 00:08:49 | 000,021,134 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 178 bytes -> D:\ProgramData\TEMP:18DEBC51
@Alternate Data Stream - 139 bytes -> D:\ProgramData\TEMP:8CE601F5
@Alternate Data Stream - 134 bytes -> D:\ProgramData\TEMP:F5D01D7C
@Alternate Data Stream - 126 bytes -> D:\ProgramData\TEMP:6A0A47E7
@Alternate Data Stream - 118 bytes -> D:\ProgramData\TEMP:D999FFD5
@Alternate Data Stream - 117 bytes -> D:\ProgramData\TEMP:F89F2593
@Alternate Data Stream - 101 bytes -> D:\ProgramData\TEMP:5C321E34
< End of report >
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
O4:64bit: - HKLM..\RunOnce: [*Restore] D:\Windows\System32\rstrui.exe (Microsoft Corporation)
@Alternate Data Stream - 178 bytes -> D:\ProgramData\TEMP:18DEBC51
@Alternate Data Stream - 139 bytes -> D:\ProgramData\TEMP:8CE601F5
@Alternate Data Stream - 134 bytes -> D:\ProgramData\TEMP:F5D01D7C
@Alternate Data Stream - 126 bytes -> D:\ProgramData\TEMP:6A0A47E7
@Alternate Data Stream - 118 bytes -> D:\ProgramData\TEMP:D999FFD5
@Alternate Data Stream - 117 bytes -> D:\ProgramData\TEMP:F89F2593
@Alternate Data Stream - 101 bytes -> D:\ProgramData\TEMP:5C321E34

:Services

:Reg

:Files

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into Windows.
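As an added example (not the forum helper's code and not part of OldTimer's OTL), a small Python triage script that picks out of an OTL log the entry types the fix above acted on (alternate data streams, a RunOnce autostart) plus two review-only checks, and renders the removable lines in the `:OTL ... [purity]` fix layout shown above. The sample log lines are constructed from this thread's OTLPE log, and the choice of which kinds go into the fix mirrors the helper's fix, not any rule built into OTL.

```python
"""Triage helper for OTL / OTLPE logs (added example, not the forum's
or OldTimer's code).  Flags ADS entries and RunOnce autostarts for
removal, flags Winlogon Shell changes and orphaned registry entries for
review, and emits the removable lines as an OTL fix script.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the thread's log.
SAMPLE_LOG = """\
O4:64bit: - HKLM..\\Run: [IntelliPoint] D:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\\RunOnce: [*Restore] D:\\Windows\\System32\\rstrui.exe (Microsoft Corporation)
O18:64bit: - Protocol\\Handler\\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - D:\\Windows\\explorer.exe (Microsoft Corporation)
@Alternate Data Stream - 178 bytes -> D:\\ProgramData\\TEMP:18DEBC51
@Alternate Data Stream - 139 bytes -> D:\\ProgramData\\TEMP:8CE601F5
< End of report >
"""

ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<target>.+)$"
)
O20_RE = re.compile(
    r"^O20(?::64bit:)? - HKLM Winlogon: (?P<value>\w+) - \((?P<data>[^)]*)\) - (?P<target>.+)$"
)


@dataclass
class Finding:
    line: str      # original log line, verbatim (OTL fixes are keyed on it)
    kind: str      # short category tag
    reason: str    # why it was flagged
    remove: bool   # True if it belongs in the :OTL section of the fix


def triage_line(line: str):
    """Return a Finding for one OTL log line, or None if nothing stands out."""
    m = ADS_RE.match(line)
    if m:
        host = m["path"].rsplit(":", 1)[0]
        return Finding(line, "ads",
                       f"{m['size']}-byte alternate data stream hidden on {host}; "
                       "not shown by Explorer or a plain dir listing", True)
    m = O4_RE.match(line)
    if m:
        if m["key"] == "RunOnce":
            return Finding(line, "runonce",
                           f"RunOnce autostart [{m['name']}] -> {m['target']}; "
                           "executes once at the next logon", True)
        return None  # ordinary Run entries are listed for the analyst, not flagged here
    m = O20_RE.match(line)
    if m and m["value"] == "Shell" and m["data"].lower() != "explorer.exe":
        return Finding(line, "winlogon-shell",
                       f"Winlogon Shell is {m['data']!r} instead of explorer.exe", False)
    if line.startswith("O") and line.endswith("File not found"):
        return Finding(line, "orphan",
                       "registry entry points at a file that no longer exists", False)
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every non-empty line of an OTL log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("< End"):
            continue
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


def build_fix_script(findings) -> str:
    """Render the removable findings in the OTL fix layout used in the thread."""
    otl_lines = [f.line for f in findings if f.remove]
    sections = [":OTL", *otl_lines, "", ":Services", "", ":Reg", "",
                ":Files", "", ":Commands", "[purity]"]
    return "\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind:14}] {'FIX   ' if f.remove else 'REVIEW'} {f.reason}")
    print()
    print(build_fix_script(found))
```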
 
Ran the fix successfully, but the laptop still doesn't boot. :-(
Same BSOD: STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC000000D, 0X0000000000000000, 0X0000000000000000)

See the log file below.

========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore deleted successfully.
Invalid CLSID key: *Restore
File D:\Windows\System32\rstrui.exe not found.
ADS D:\ProgramData\TEMP:18DEBC51 deleted successfully.
ADS D:\ProgramData\TEMP:8CE601F5 deleted successfully.
ADS D:\ProgramData\TEMP:F5D01D7C deleted successfully.
ADS D:\ProgramData\TEMP:6A0A47E7 deleted successfully.
ADS D:\ProgramData\TEMP:D999FFD5 deleted successfully.
ADS D:\ProgramData\TEMP:F89F2593 deleted successfully.
ADS D:\ProgramData\TEMP:5C321E34 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 01072012_112711
 
Yes.
Safe Mode, Safe Mode with Command Prompt, with the BIOS HDD setting on ATA and on AHCI.

I tried them all. :-(

Same STOP: 0X0000007B (0XFFFFF880009A98E8, 0XFFFFFFFFC000000D, 0X0000000000000000, 0X0000000000000000), same driver CLASSPNP.SYS
 
Unfortunately I'm afraid this is beyond repair and you'll have to reinstall Windows.
I'm sorry.
We tried :(
 