Solved Sirefef AH and R infection

I can't get ComboFix to run. I am in safe mode right now and ran RKill; I downloaded the renamed your_name. RKill runs fine and in the log there aren't any processes killed. When I run ComboFix, it says Microsoft Security Essentials is running (but it is red and the protection is disabled; that's how it was due to the trojan) and then a blue command-prompt-like window pops up and closes.
 
I can't run the Rkill as an administrator, that option doesn't show up for it.

Also, I uninstalled Microsoft Security Essentials; now that warning doesn't show up, but still nothing happens.
 
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

===================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Abhi [Admin rights]
Mode: Scan -- Date: 07/17/2012 22:29:55

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[Faked.Drv][FAKED] dfsc.sys : c:\windows\system32\drivers\dfsc.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-65A7B0 ATA Device +++++
--- User ---
[MBR] d110abe1e35231c0d4133bae5d88a36c
[BSP] 96c9a7a46b100b77294be8d48375e78f : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 199996 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409593240 | Size: 410481 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3400620AS ATA Device +++++
--- User ---
[MBR] 9802d947347ef49869beefbf02566ce1
[BSP] 007003efb55143942a01db33287866b3 : Standard MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 381543 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: ST31000528AS ATA Device +++++
--- User ---
[MBR] 061db42412c13e6debeb10d7afd93540
[BSP] 83a76bb613b27684cd6cca3457d0aba7 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: CENTON DS Pro USB Device +++++
--- User ---
[MBR] 0cfa9373b5b712d3e2a13f238a030a89
[BSP] a88b503a4dd08425becd66782ce39379 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNOWN (0x72) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
1 - [XXXXXX] UNKNOWN (0x65) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
2 - [XXXXXX] UNKNOWN (0x79) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
3 - [XXXXXX] UNKNOWN (0x0d) [VISIBLE] Offset (sectors): 2885681152 | Size: 27 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-17 22:31:23
-----------------------------
22:31:23.729 OS Version: Windows 6.1.7601 Service Pack 1
22:31:23.729 Number of processors: 4 586 0x1706
22:31:23.729 ComputerName: ABHI-PC UserName: Abhi
22:31:24.449 Initialize success
22:32:27.530 AVAST engine defs: 12071701
22:32:29.902 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
22:32:29.902 Disk 0 Vendor: WDC_WD6400AAKS-65A7B0 01.03B01 Size: 610480MB BusType: 3
22:32:29.902 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-5
22:32:29.902 Disk 1 Vendor: ST3400620AS 3.AAK Size: 381554MB BusType: 3
22:32:29.917 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T1L0-6
22:32:29.917 Disk 2 Vendor: ST31000528AS CC3E Size: 953869MB BusType: 3
22:32:29.933 Disk 0 MBR read successfully
22:32:29.933 Disk 0 MBR scan
22:32:29.933 Disk 0 Windows 7 default MBR code
22:32:29.948 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199996 MB offset 63
22:32:29.964 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 410481 MB offset 409593240
22:32:29.964 Disk 0 scanning sectors +1250258625
22:32:30.089 Disk 0 scanning C:\Windows\system32\drivers
22:32:38.501 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-PL [Rtk]
22:32:47.066 Disk 0 trace - called modules:
22:32:47.082 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x90676698]<<
22:32:47.097 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863e7030]
22:32:47.097 3 CLASSPNP.SYS[8bd8059e] -> nt!IofCallDriver -> [0x86772378]
22:32:47.097 \Driver\00000527[0x867724b0] -> IRP_MJ_CREATE -> 0x90676698
22:32:47.986 AVAST engine scan C:\Windows
22:32:49.765 AVAST engine scan C:\Windows\system32
22:35:16.100 AVAST engine scan C:\Windows\system32\drivers
22:35:21.123 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-PL [Rtk]
22:35:38.794 AVAST engine scan C:\Users\Abhi
23:00:58.387 Disk 0 MBR has been saved successfully to "C:\Users\Abhi\Desktop\MBR.dat"
23:00:58.387 The log file has been saved successfully to "C:\Users\Abhi\Desktop\aswMBR.txt"


It sort of looked like it got stuck because it was on the same location for like 15 minutes, so I just clicked Save log.
 
Aha...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    dfsc.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 23:11 on 17/07/2012 by Abhi
Administrator - Elevation successful

========== filefind ==========

Searching for "dfsc.sys"
C:\Windows\System32\drivers\dfsc.sys --a---- 78336 bytes [00:40 24/01/2012] [08:42 20/11/2010] F024449C97EC1E464AAFFDA18593DB88
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys --a---- 78336 bytes [23:14 13/07/2009] [23:14 13/07/2009] 8E09E52EE2E3CEB199EF3DD99CF9E3FB
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys --a---- 78336 bytes [09:10 22/01/2012] [02:33 27/04/2011] 83D1ECEA8FAAE75604C0FA49AC7AD996
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys --a---- 78336 bytes [09:10 22/01/2012] [02:24 27/04/2011] 886E8C1608146CC355DDD455F5C8DD87
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys --a---- 78336 bytes [00:40 24/01/2012] [08:42 20/11/2010] F024449C97EC1E464AAFFDA18593DB88

-= EOF =-
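The SystemLook output above lists five copies of dfsc.sys, one under System32\drivers and four in the WinSxS component store, each with its MD5. The useful check is whether the System32 copy's hash equals that of any store copy of the same size: a driver with the right size but a hash that no component-store copy shares is the classic look of a patched file. The script below does that comparison over the log as posted. It is an added example, not code from the thread or from SystemLook; the filefind line layout (path, attribute flags, size, [created] [modified], MD5) and the version-in-directory-name convention for WinSxS are assumed from the lines above. One caveat a practitioner should keep in mind: a hash taken on the live system can itself be filtered by a kernel-mode rootkit, which can hand clean bytes back to whatever reads the file, so a match is necessary but not sufficient, and hashes collected from an offline boot are the ones to trust.

```python
"""Cross-check a driver against its WinSxS component-store copies using the
MD5 column of a SystemLook ':filefind' log.

Added example, not part of the thread or of SystemLook.  The sample below is
the filefind output posted in the thread; the line layout is assumed from it.
"""
import re
from collections import defaultdict

# The filefind hits exactly as posted (SystemLook's own layout).
SAMPLE_LOG = r"""
Searching for "dfsc.sys"
C:\Windows\System32\drivers\dfsc.sys --a---- 78336 bytes [00:40 24/01/2012] [08:42 20/11/2010] F024449C97EC1E464AAFFDA18593DB88
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys --a---- 78336 bytes [23:14 13/07/2009] [23:14 13/07/2009] 8E09E52EE2E3CEB199EF3DD99CF9E3FB
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys --a---- 78336 bytes [09:10 22/01/2012] [02:33 27/04/2011] 83D1ECEA8FAAE75604C0FA49AC7AD996
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys --a---- 78336 bytes [09:10 22/01/2012] [02:24 27/04/2011] 886E8C1608146CC355DDD455F5C8DD87
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys --a---- 78336 bytes [00:40 24/01/2012] [08:42 20/11/2010] F024449C97EC1E464AAFFDA18593DB88
"""

# path, 7-char attribute flags, size, [created] [modified], 32-hex MD5 (assumed layout)
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-\w]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# WinSxS component directories embed the file version: ..._6.1.7600.16804_none_...
VERSION_RE = re.compile(r"\\winsxs\\[^\\]*_(?P<ver>\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE)


def parse_filefind(text):
    """Return one dict per hit line; header and blank lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        v = VERSION_RE.search(d["path"])
        d["version"] = v.group("ver") if v else None  # None => not a WinSxS copy
        hits.append(d)
    return hits


def triage(hits, name):
    """Compare each non-WinSxS copy of `name` with the component-store copies."""
    wanted = [h for h in hits if h["name"] == name.lower()]
    store = [h for h in wanted if h["version"]]
    live = [h for h in wanted if not h["version"]]
    by_md5 = defaultdict(list)
    for h in store:
        by_md5[h["md5"]].append(h["version"])
    report = []
    for h in live:
        matches = sorted(by_md5.get(h["md5"], []))
        # Same size as every store copy but a hash none of them share is the
        # usual signature of an in-place patched driver.
        size_ok = all(s["size"] == h["size"] for s in store)
        report.append({
            "path": h["path"],
            "md5": h["md5"],
            "matches_versions": matches,
            "size_matches_store": size_ok,
            "verdict": ("hash matches a store copy (confirm from an offline boot)"
                        if matches else
                        "hash matches NO store copy: treat as patched"),
        })
    return report


if __name__ == "__main__":
    for r in triage(parse_filefind(SAMPLE_LOG), "dfsc.sys"):
        print(r["path"], r["md5"], r["matches_versions"], r["verdict"])
```

Run against the posted log, the System32 copy is reported as matching the 6.1.7601.17514 store copy. The same function applied to a hash collected offline (for example from a recovery-environment scan) is what settles the question when the live scan may have been filtered.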
 
I guess aswMBR is still running, since it found another one and still says scanning.
23:05:24.066 File: C:\Users\Abhi\Documents\784b6b0.exe **INFECTED** Win32:Winwebsec-B [Trj]
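Two things in the aswMBR output above are worth pulling out mechanically rather than reading by eye: the engine detections (the `**INFECTED**` lines, one of which is repeated because the driver directory is scanned twice), and the disk-stack trace, where the IRP_MJ_CREATE dispatch for a driver object aswMBR could not name (`\Driver\00000527`) points at an address it could not map to any loaded module (`>>UNKNOWN [0x90676698]<<`). A dispatch entry into unmapped kernel code is the finding that matters for a rootkit case, independent of any signature name. The script below extracts both from the lines as posted. It is an added example, not code from the thread or from aswMBR; the line layouts (timestamp prefix, `File: ... **INFECTED** ...`, `\Driver\X[addr] -> IRP_MJ_Y -> addr`, `>>UNKNOWN [addr]<<`) are assumed from this log only.

```python
"""Pull the actionable findings out of an aswMBR log: engine detections, the
MBR verdict, and disk-stack IRP dispatch hooks whose target aswMBR could not
attribute to a loaded module.

Added example, not part of the thread or of aswMBR.  Line layouts are assumed
from the log posted in the thread; the sample is those lines.
"""
import re

# Lines taken from the aswMBR output posted in the thread.
SAMPLE_LOG = r"""
22:32:29.933 Disk 0 Windows 7 default MBR code
22:32:38.501 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-PL [Rtk]
22:32:47.066 Disk 0 trace - called modules:
22:32:47.082 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x90676698]<<
22:32:47.097 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863e7030]
22:32:47.097 3 CLASSPNP.SYS[8bd8059e] -> nt!IofCallDriver -> [0x86772378]
22:32:47.097 \Driver\00000527[0x867724b0] -> IRP_MJ_CREATE -> 0x90676698
22:35:21.123 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-PL [Rtk]
23:05:24.066 File: C:\Users\Abhi\Documents\784b6b0.exe **INFECTED** Win32:Winwebsec-B [Trj]
"""

TS = r"^\d\d:\d\d:\d\d\.\d+\s+"                      # every aswMBR line starts with a timestamp
INFECTED_RE = re.compile(TS + r"File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<detection>.+?)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(TS + r"(?P<driver>\\Driver\\\S+?)\[(?P<obj>0x[0-9a-fA-F]+)\]\s+->\s+"
                     r"(?P<irp>IRP_MJ_\w+)\s+->\s+(?P<target>0x[0-9a-fA-F]+)\s*$")
MBR_RE = re.compile(TS + r"Disk (?P<disk>\d+) (?P<desc>.*MBR code)\s*$")


def parse_aswmbr(text):
    """Return detections (deduplicated, in first-seen order), MBR verdicts,
    unmapped code addresses and IRP dispatch hooks, each hook flagged when
    its target is one of the unmapped addresses."""
    findings = {"detections": [], "mbr": {}, "unknown_modules": set(), "hooks": []}
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            key = (m["path"].lower(), m["detection"])  # Windows paths are case-insensitive
            if key not in seen:
                seen.add(key)
                findings["detections"].append((m["path"], m["detection"]))
            continue
        m = MBR_RE.match(line)
        if m:
            findings["mbr"][int(m["disk"])] = m["desc"]
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings["unknown_modules"].add(m["addr"].lower())
            continue
        m = HOOK_RE.match(line)
        if m:
            findings["hooks"].append({"driver": m["driver"], "object": m["obj"].lower(),
                                      "irp": m["irp"], "target": m["target"].lower()})
    # Second pass: a dispatch target that aswMBR could not map to any module is the hook.
    for h in findings["hooks"]:
        h["into_unknown_module"] = h["target"] in findings["unknown_modules"]
    return findings


def severity(findings):
    """'rootkit' if the disk stack is hooked into unmapped code or any detection
    carries the [Rtk] tag; 'malware' for other detections; else 'clean'."""
    if any(h["into_unknown_module"] for h in findings["hooks"]):
        return "rootkit"
    if any("[Rtk]" in det for _, det in findings["detections"]):
        return "rootkit"
    if findings["detections"]:
        return "malware"
    return "clean"


if __name__ == "__main__":
    f = parse_aswmbr(SAMPLE_LOG)
    for path, det in f["detections"]:
        print("DETECTION", det, path)
    for h in f["hooks"]:
        print("HOOK", h["driver"], h["irp"], "->", h["target"],
              "(unmapped)" if h["into_unknown_module"] else "")
    print("severity:", severity(f))
```

On the posted lines this yields two unique detections, an MBR verdict of "Windows 7 default MBR code" for disk 0, and one IRP_MJ_CREATE hook into unmapped code, so the overall call is "rootkit". The MBR verdict is the piece that tells you the bootstrap code itself was not the persistence mechanism here, which is why the cleanup in this thread focuses on the driver file rather than the MBR.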
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys | C:\Windows\System32\drivers\dfsc.sys

File::
C:\Users\Abhi\Documents\784b6b0.exe

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt

On top of that, post new RogueKiller, aswMBR and SystemLook logs.
 
Also not sure if this means anything, but I noticed these files I downloaded have a small blue and yellow shield in their icon.
 
What files?

Forget Combofix.

Post new FRST log and we'll run the fix from there.
It'll be safer than with Combofix.
 
OK, running it now. Oh, I mean files that I have been downloading to the desktop, like ComboFix and SystemLook.
 
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-07-2012
Ran by SYSTEM at 17-07-2012 23:47:21
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-11-09] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKU\Abhi\...\Run: [googletalk] C:\Users\Abhi\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKU\Abhi\...\Run: [Google Update] "C:\Users\Abhi\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-08-31] (Google Inc.)
HKU\Mcx1-ABHI-PC\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [313344 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Startup: C:\Users\Abhi\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [176128 2011-11-09] (AMD)
2 AppHostSvc; C:\Windows\system32\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 IntuitUpdateServiceV4; "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [13672 2011-08-25] (Intuit Inc.)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 WAS; C:\Windows\system32\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [8913920 2011-11-09] (Advanced Micro Devices, Inc.)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [8913920 2011-11-09] (Advanced Micro Devices, Inc.)
1 DfsC; C:\Windows\System32\Drivers\dfsc.sys [78336 2010-11-20] ()
3 MSHUSBVideo; C:\Windows\System32\Drivers\nx6000.sys [30576 2010-01-28] (Microsoft Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [311296 2009-07-13] (Marvell)
3 catchme; \??\C:\Users\Abhi\AppData\Local\Temp\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-17 20:25 - 2012-07-17 20:25 - 00000227 ____A C:\Users\Abhi\Desktop\CFScript.txt
2012-07-17 20:10 - 2012-07-17 20:10 - 00139264 ____A C:\Users\Abhi\Desktop\SystemLook.exe
2012-07-17 20:00 - 2012-07-17 20:16 - 00007566 ____A C:\Users\Abhi\Desktop\aswMBR.txt
2012-07-17 20:00 - 2012-07-17 20:16 - 00000512 ____A C:\Users\Abhi\Desktop\MBR.dat
2012-07-17 19:31 - 2012-07-17 19:31 - 04731392 ____A (AVAST Software) C:\Users\Abhi\Desktop\aswMBR.exe
2012-07-17 19:29 - 2012-07-17 19:29 - 00002628 ____A C:\Users\Abhi\Desktop\RKreport[1].txt
2012-07-17 19:28 - 2012-07-17 19:29 - 00000000 ____D C:\Users\Abhi\Desktop\RK_Quarantine
2012-07-17 19:28 - 2012-07-17 19:28 - 01552384 ____A C:\Users\Abhi\Desktop\RogueKiller.exe
2012-07-17 19:21 - 2012-07-17 19:21 - 00000000 _RASH C:\MSDOS.SYS
2012-07-17 19:21 - 2012-07-17 19:21 - 00000000 _RASH C:\IO.SYS
2012-07-17 19:17 - 2012-07-17 20:44 - 00000000 ___SD C:\32788R22FWJFW
2012-07-17 19:14 - 2012-07-17 19:14 - 00000000 ___SD C:\your_name
2012-07-17 19:11 - 2012-07-17 19:11 - 01012656 ____A C:\Users\Abhi\Downloads\rkill.com
2012-07-17 18:48 - 2012-07-17 19:21 - 00000413 ____A C:\rkill.log
2012-07-17 18:09 - 2012-07-17 18:09 - 00000000 ____D C:\FRST
2012-07-16 18:02 - 2012-07-16 18:02 - 00000000 ____D C:\Program Files\Oracle
2012-07-16 18:02 - 2012-07-16 18:02 - 00000000 ____D C:\Program Files\Common Files\Java
2012-07-16 18:01 - 2012-07-16 18:01 - 00000000 ____D C:\Users\Abhi\Downloads\JavaRa-1.16-16-12-11
2012-07-16 18:01 - 2012-07-05 19:06 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-16 18:00 - 2012-07-16 18:00 - 00893936 ____A (Oracle Corporation) C:\Users\Abhi\Downloads\jxpiinstall.exe
2012-07-16 18:00 - 2012-07-16 18:00 - 00160639 ____A C:\Users\Abhi\Downloads\JavaRa-1.16-16-12-11.zip
2012-07-16 18:00 - 2012-07-16 18:00 - 00000000 ____D C:\Users\All Users\McAfee
2012-07-16 14:54 - 2012-07-16 14:54 - 00002270 ____A C:\Users\Abhi\Desktop\malware 7-16 eset scan.txt
2012-07-15 19:38 - 2012-07-15 19:38 - 00000000 ____D C:\Program Files\ESET
2012-07-15 19:18 - 2012-07-15 19:19 - 00000000 ____D C:\Users\All Users\6C82D0FF0007BD8C0252A63CF875EF7E
2012-07-15 19:17 - 2012-07-15 19:17 - 00413696 ____A C:\Users\Abhi\Documents\784b6b0.exe
2012-07-12 00:04 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-12 00:04 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-12 00:04 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-12 00:04 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-12 00:04 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-12 00:04 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-12 00:04 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-12 00:04 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-12 00:04 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-12 00:04 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-12 00:04 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-12 00:04 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-12 00:04 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-12 00:04 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 00:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 00:18 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 00:18 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 00:18 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 00:18 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 00:18 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 00:18 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 00:18 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 00:18 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 00:18 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 00:18 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-09 18:40 - 2012-07-09 18:40 - 02721568 ____A (TeamViewer) C:\Users\Abhi\Downloads\TeamViewerQJ_en-idm70736643.exe
2012-07-08 13:12 - 2012-07-08 13:12 - 00688663 ____A (Farbar) C:\Users\Abhi\Downloads\FSS.exe
2012-07-08 13:10 - 2012-07-08 13:10 - 00869194 ____A C:\Users\Abhi\Downloads\SecurityCheck.exe
2012-07-08 13:02 - 2012-07-08 13:02 - 00000000 ____D C:\_OTL
2012-07-08 09:45 - 2012-07-08 09:45 - 00000901 ____A C:\Users\Public\Desktop\Market Samurai.lnk
2012-07-08 09:45 - 2012-07-08 09:45 - 00000000 ____D C:\Program Files\Market Samurai
2012-07-08 09:26 - 2012-07-08 09:26 - 00056240 ____A C:\Users\Abhi\Downloads\Extras.Txt
2012-07-08 09:24 - 2012-07-15 19:36 - 00076872 ____A C:\Users\Abhi\Downloads\OTL.Txt
2012-07-08 09:15 - 2012-07-08 09:15 - 00595968 ____A (OldTimer Tools) C:\Users\Abhi\Downloads\OTL.exe
2012-07-08 08:45 - 2012-07-17 18:52 - 00000000 ____D C:\Windows\erdnt
2012-07-08 08:45 - 2012-07-17 18:40 - 00000000 ___AD C:\Qoobox
2012-07-08 08:45 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-08 08:45 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-08 08:45 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-08 08:45 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-08 08:45 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-08 08:45 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-08 08:45 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-08 08:45 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-08 07:30 - 2012-07-08 07:30 - 00000000 ____D C:\Users\Abhi\AppData\Roaming\GetRightToGo
2012-07-08 06:34 - 2012-07-08 06:34 - 10288512 ____A (Microsoft Corporation) C:\Users\Abhi\Downloads\mseinstall(1).exe
2012-07-07 20:10 - 2012-07-07 20:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-04 20:19 - 2012-07-04 20:34 - 90164053 ____A C:\Users\Abhi\Downloads\BEMarigoldHotel.rar
2012-07-04 15:52 - 2012-07-13 18:23 - 00000000 ____D C:\Users\Abhi\Desktop\IMN
2012-07-02 15:50 - 2012-07-02 15:53 - 00000000 ____D C:\Users\Abhi\AppData\Local\QuickPar
2012-07-02 15:49 - 2012-07-02 15:49 - 00000965 ____A C:\Users\Mcx1-ABHI-PC\Desktop\QuickPar.lnk
2012-07-02 15:49 - 2012-07-02 15:49 - 00000000 ____D C:\Program Files\QuickPar
2012-07-02 15:48 - 2012-07-02 15:49 - 00501363 ____A (Peter B Clements) C:\Users\Abhi\Downloads\QuickPar-0.9.1.0.exe
2012-07-01 16:37 - 2012-07-04 06:34 - 00000000 ____D C:\Users\Abhi\Desktop\Resume
2012-06-23 08:29 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-23 08:29 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-23 08:29 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-23 08:29 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-23 08:29 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-23 08:29 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-23 08:29 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-23 08:29 - 2012-06-02 12:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-23 08:29 - 2012-06-02 12:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-20 19:52 - 2012-06-20 19:52 - 00111208 ____A C:\Users\Abhi\Downloads\6-19-12.rar


============ 3 Months Modified Files ========================

2012-07-17 20:43 - 2012-07-17 20:43 - 04579127 ____R (Swearware) C:\Users\Abhi\Desktop\your_name.exe
2012-07-17 20:40 - 2012-01-21 18:36 - 01777646 ____A C:\Windows\WindowsUpdate.log
2012-07-17 20:25 - 2012-07-17 20:25 - 00000227 ____A C:\Users\Abhi\Desktop\CFScript.txt
2012-07-17 20:25 - 2012-01-21 18:48 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3783522489-612346976-376495541-1000UA.job
2012-07-17 20:24 - 2012-04-11 04:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-17 20:16 - 2012-07-17 20:00 - 00007566 ____A C:\Users\Abhi\Desktop\aswMBR.txt
2012-07-17 20:16 - 2012-07-17 20:00 - 00000512 ____A C:\Users\Abhi\Desktop\MBR.dat
2012-07-17 20:10 - 2012-07-17 20:10 - 00139264 ____A C:\Users\Abhi\Desktop\SystemLook.exe
2012-07-17 19:34 - 2012-01-21 18:40 - 00762428 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-17 19:34 - 2009-07-13 20:34 - 00014976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-17 19:34 - 2009-07-13 20:34 - 00014976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-17 19:31 - 2012-07-17 19:31 - 04731392 ____A (AVAST Software) C:\Users\Abhi\Desktop\aswMBR.exe
2012-07-17 19:29 - 2012-07-17 19:29 - 00002628 ____A C:\Users\Abhi\Desktop\RKreport[1].txt
2012-07-17 19:28 - 2012-07-17 19:28 - 01552384 ____A C:\Users\Abhi\Desktop\RogueKiller.exe
2012-07-17 19:27 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-17 19:27 - 2009-07-13 20:39 - 00063561 ____A C:\Windows\setupact.log
2012-07-17 19:21 - 2012-07-17 19:21 - 00000000 _RASH C:\MSDOS.SYS
2012-07-17 19:21 - 2012-07-17 19:21 - 00000000 _RASH C:\IO.SYS
2012-07-17 19:21 - 2012-07-17 18:48 - 00000413 ____A C:\rkill.log
2012-07-17 19:11 - 2012-07-17 19:11 - 01012656 ____A C:\Users\Abhi\Downloads\rkill.com
2012-07-17 19:11 - 2012-01-27 19:25 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-17 19:09 - 2012-02-25 18:17 - 00000362 _RASH C:\Users\All Users\ntuser.pol
2012-07-17 18:39 - 2012-01-21 19:56 - 00036892 ____A C:\Users\Abhi\Documents\Database.kdb
2012-07-17 15:06 - 2012-01-21 18:48 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3783522489-612346976-376495541-1000Core.job
2012-07-16 18:01 - 2012-02-18 09:56 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-16 18:01 - 2012-02-18 09:56 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-16 18:00 - 2012-07-16 18:00 - 00893936 ____A (Oracle Corporation) C:\Users\Abhi\Downloads\jxpiinstall.exe
2012-07-16 18:00 - 2012-07-16 18:00 - 00160639 ____A C:\Users\Abhi\Downloads\JavaRa-1.16-16-12-11.zip
2012-07-16 14:54 - 2012-07-16 14:54 - 00002270 ____A C:\Users\Abhi\Desktop\malware 7-16 eset scan.txt
2012-07-15 19:36 - 2012-07-08 09:24 - 00076872 ____A C:\Users\Abhi\Downloads\OTL.Txt
2012-07-15 19:27 - 2012-01-21 20:36 - 00014264 ____A C:\Windows\PFRO.log
2012-07-15 19:23 - 2012-01-21 18:51 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-15 19:17 - 2012-07-15 19:17 - 00413696 ____A C:\Users\Abhi\Documents\784b6b0.exe
2012-07-12 08:31 - 2012-04-11 04:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-12 08:31 - 2012-01-21 18:47 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-12 00:22 - 2009-07-13 20:33 - 00349944 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 00:02 - 2012-01-27 19:36 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-09 18:40 - 2012-07-09 18:40 - 02721568 ____A (TeamViewer) C:\Users\Abhi\Downloads\TeamViewerQJ_en-idm70736643.exe
2012-07-08 13:12 - 2012-07-08 13:12 - 00688663 ____A (Farbar) C:\Users\Abhi\Downloads\FSS.exe
2012-07-08 13:10 - 2012-07-08 13:10 - 00869194 ____A C:\Users\Abhi\Downloads\SecurityCheck.exe
2012-07-08 09:45 - 2012-07-08 09:45 - 00000901 ____A C:\Users\Public\Desktop\Market Samurai.lnk
2012-07-08 09:26 - 2012-07-08 09:26 - 00056240 ____A C:\Users\Abhi\Downloads\Extras.Txt
2012-07-08 09:15 - 2012-07-08 09:15 - 00595968 ____A (OldTimer Tools) C:\Users\Abhi\Downloads\OTL.exe
2012-07-08 08:54 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2012-07-08 06:34 - 2012-07-08 06:34 - 10288512 ____A (Microsoft Corporation) C:\Users\Abhi\Downloads\mseinstall(1).exe
2012-07-05 19:06 - 2012-07-16 18:01 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-05 19:06 - 2012-02-18 09:56 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-05 19:06 - 2012-01-21 18:48 - 00687544 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-07-04 20:34 - 2012-07-04 20:19 - 90164053 ____A C:\Users\Abhi\Downloads\BEMarigoldHotel.rar
2012-07-03 10:46 - 2012-01-21 18:51 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 15:49 - 2012-07-02 15:49 - 00000965 ____A C:\Users\Mcx1-ABHI-PC\Desktop\QuickPar.lnk
2012-07-02 15:49 - 2012-07-02 15:48 - 00501363 ____A (Peter B Clements) C:\Users\Abhi\Downloads\QuickPar-0.9.1.0.exe
2012-06-14 19:33 - 2012-06-14 19:33 - 00001056 ____A C:\Users\Abhi\Downloads\products_general_06152012.csv
2012-06-11 18:40 - 2012-07-12 00:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-11 00:18 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-11 00:18 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-11 00:18 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-11 00:18 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-23 08:29 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 08:29 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 08:29 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 08:29 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 08:29 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-23 08:29 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-23 08:29 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-23 08:29 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:12 - 2012-06-23 08:29 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 12:11 - 2012-01-21 18:50 - 00000976 ____A C:\Users\Abhi\Desktop\Dropbox.lnk
2012-06-02 01:07 - 2012-07-12 00:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-12 00:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-12 00:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-12 00:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-12 00:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-12 00:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-12 00:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-12 00:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-12 00:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-12 00:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-12 00:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-12 00:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-12 00:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-12 00:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-11 00:18 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-11 00:18 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-11 00:18 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-11 00:18 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-11 00:18 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-28 15:50 - 2012-04-21 15:01 - 00013331 ____A C:\Users\Abhi\Desktop\Running 2012.xlsx
2012-05-25 19:51 - 2012-05-25 19:51 - 00002898 ____A C:\Users\Abhi\Downloads\AnchorPhrases_20120526T035111Z.csv
2012-05-22 18:31 - 2012-05-22 18:31 - 00106870 ____A C:\Users\Abhi\Downloads\Enhancer.exe
2012-05-22 16:21 - 2012-02-25 21:00 - 00004608 ____A C:\Users\Mcx1-ABHI-PC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-10 19:06 - 2012-05-10 19:05 - 10114495 ____A C:\Users\Abhi\Downloads\thephotographs.zip
2012-04-30 20:44 - 2012-06-13 15:09 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 15:09 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 20:45 - 2012-06-13 15:09 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-13 15:09 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-13 15:09 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 20:36 - 2012-06-13 15:09 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-13 15:09 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 15:09 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-22 18:42 - 2012-04-22 18:42 - 04251083 ____A C:\Users\Abhi\Downloads\wordpress-3.3.2.zip
2012-04-21 21:13 - 2012-04-21 21:13 - 01388260 ____A C:\Users\Abhi\Downloads\products_Price_04222012.csv
2012-04-21 19:52 - 2012-04-21 19:51 - 01496960 ____A C:\Users\Abhi\Downloads\products_Export Layout_04212012.csv


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 4095.05 MB
Available physical RAM: 3623.53 MB
Total Pagefile: 4093.32 MB
Available Pagefile: 3626.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.6 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:195.31 GB) (Free:42.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: () (Fixed) (Total:97.66 GB) (Free:1.4 GB) NTFS
4 Drive e: () (Fixed) (Total:274.94 GB) (Free:18.4 GB) NTFS
5 Drive f: (New Volume) (Fixed) (Total:400.86 GB) (Free:38.01 GB) NTFS
7 Drive h: () (Removable) (Total:15.38 GB) (Free:7.53 GB) FAT32
8 Drive t: (New Volume) (Fixed) (Total:931.51 GB) (Free:113.91 GB) NTFS
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 1024 KB
Disk 1 Online 372 GB 7168 KB
Disk 2 Online 931 GB 0 B *
Disk 3 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 195 GB 31 KB
Partition 2 Primary 400 GB 195 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 195 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F New Volume NTFS Partition 400 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 0 Extended 372 GB 8032 KB
Partition 1 Logical 97 GB 8064 KB
Partition 2 Logical 274 GB 97 GB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D NTFS Partition 97 GB Healthy

==================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 E NTFS Partition 274 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Dynamic Data 931 GB 31 KB

==================================================================================

Disk: 2
Partition 1
Type : 42
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 T New Volume NTFS Simple 931 GB Healthy

==================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 15 GB 0 B

==================================================================================

Disk: 3
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-07-08 11:42

======================= End Of Log ==========================
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next...

Restart normally and see if you can run Combofix.

My bed time is up so I'll check on you tomorrow.
 

Attachments

  • fixlist.txt
    265 bytes
Thank you a ton for your hard work!

ComboFix ran this time, it talked about some hard to remove TCP rootkit infection. Here is the log:

ComboFix 12-07-16.01 - Abhi 07/18/2012 0:15.2.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3327.2277 [GMT -5:00]
Running from: c:\users\Abhi\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Abhi\AppData\Roaming\Microsoft\Windows\Cookies\Index_05970870.dat
c:\users\Abhi\AppData\Roaming\Microsoft\Windows\Cookies\IndexIE_05970870.dat
c:\users\Abhi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\Abhi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\windows\$NtUninstallKB3257$
c:\windows\$NtUninstallKB3257$\1332298704\@
c:\windows\$NtUninstallKB3257$\1332298704\Desktop.ini
c:\windows\$NtUninstallKB3257$\1332298704\L\00000004.@
c:\windows\$NtUninstallKB3257$\1332298704\L\1afb2d56
c:\windows\$NtUninstallKB3257$\1332298704\L\201d3dde
c:\windows\$NtUninstallKB3257$\1332298704\L\xadqgnnk
c:\windows\$NtUninstallKB3257$\1332298704\U\00000004.@
c:\windows\$NtUninstallKB3257$\1332298704\U\00000008.@
c:\windows\$NtUninstallKB3257$\1332298704\U\000000cb.@
c:\windows\$NtUninstallKB3257$\1332298704\U\80000000.@
c:\windows\$NtUninstallKB3257$\1332298704\U\80000032.@
c:\windows\$NtUninstallKB3257$\897231473
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 05:21 . 2012-07-18 05:23 -------- d-----w- c:\users\Abhi\AppData\Local\temp
2012-07-18 05:21 . 2012-07-18 05:21 -------- d-----w- c:\users\Mcx1-ABHI-PC\AppData\Local\temp
2012-07-18 05:21 . 2012-07-18 05:21 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-07-18 05:21 . 2012-07-18 05:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-18 02:09 . 2012-07-18 02:09 -------- d-----w- C:\FRST
2012-07-17 02:02 . 2012-07-17 02:02 -------- d-----w- c:\program files\Common Files\Java
2012-07-17 02:02 . 2012-07-17 02:02 -------- d-----w- c:\program files\Oracle
2012-07-17 02:01 . 2012-07-06 03:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-17 02:00 . 2012-07-17 02:00 -------- d-----w- c:\programdata\McAfee
2012-07-16 03:38 . 2012-07-16 03:38 -------- d-----w- c:\program files\ESET
2012-07-16 03:18 . 2012-07-16 03:19 -------- d-----w- c:\programdata\6C82D0FF0007BD8C0252A63CF875EF7E
2012-07-12 08:01 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 02:40 . 2012-07-10 02:40 -------- d-----w- c:\users\Abhi\temp
2012-07-08 21:02 . 2012-07-08 21:02 -------- d-----w- C:\_OTL
2012-07-08 17:45 . 2012-07-08 17:45 -------- d-----w- c:\program files\Market Samurai
2012-07-08 15:30 . 2012-07-08 15:30 -------- d-----w- c:\users\Abhi\AppData\Roaming\GetRightToGo
2012-07-08 04:10 . 2012-07-08 04:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-02 23:50 . 2012-07-02 23:53 -------- d-----w- c:\users\Abhi\AppData\Local\QuickPar
2012-07-02 23:49 . 2012-07-02 23:49 -------- d-----w- c:\program files\QuickPar
2012-06-23 16:29 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-23 16:29 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-23 16:29 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-23 16:29 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 16:29 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-23 16:29 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-23 16:29 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-23 16:29 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-23 16:29 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 02:38 . 2012-06-22 02:38 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-22 02:38 . 2012-06-22 02:38 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 16:31 . 2012-04-11 12:45 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 16:31 . 2012-01-22 02:47 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 03:06 . 2012-01-22 02:48 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46 . 2012-01-22 02:51 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-01 04:44 . 2012-06-13 23:09 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-13 23:09 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-13 23:09 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-13 23:09 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-13 23:09 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36 . 2012-06-13 23:09 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 04:36 . 2012-06-13 23:09 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-13 23:09 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-22 02:38 . 2012-01-22 02:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Abhi\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Abhi\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Abhi\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Abhi\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Abhi\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\users\Abhi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Abhi\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 16:31]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3783522489-612346976-376495541-1000Core.job
- c:\users\Abhi\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-22 06:15]
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3783522489-612346976-376495541-1000UA.job
- c:\users\Abhi\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-22 06:15]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Abhi\AppData\Roaming\Mozilla\Firefox\Profiles\o2pe929j.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3832)
c:\users\Abhi\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-18 00:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-18 05:26
.
Pre-Run: 46,156,763,136 bytes free
Post-Run: 46,034,440,192 bytes free
.
- - End Of File - - 293C9F690720259C6C6464ED6E9C45E9
 
Oh and here's the Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-07-2012
Ran by SYSTEM at 2012-07-18 00:06:11 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
C:\Users\Abhi\Documents\784b6b0.exe moved successfully.
C:\Windows\System32\drivers\dfsc.sys moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys copied successfully to C:\Windows\System32\drivers\dfsc.sys

==== End of Fixlog ====
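The Fixlog above records the two checks that matter for this infection: whether the Session Manager SubSystems "Windows" value still names the stock csrss ServerDlls (ZeroAccess swaps the winsrv console entry for consrv.dll, which is why FRST reports "No ZeroAccess entry found"), and whether the `$NtUninstallKB…$` stash and the patched dfsc.sys were removed. The following is an added example, not code from the thread, from FRST or from ComboFix. It runs the same indicators over log lines of the kind posted above; the sample lines and the two registry value strings are constructed for the example and modelled on a stock Windows 7 value, so treat the exact stock string as an assumption.

```python
"""Indicator pass for ZeroAccess/Sirefef artefacts seen in ComboFix and FRST logs.

Added example for the thread above; not part of any of the tools used there.
"""
import re
from dataclasses import dataclass

# ZeroAccess hides its payload in a fake hotfix-uninstall folder
# (c:\windows\$NtUninstallKB<digits>$\<digits>\) holding an "@" file plus
# "L\" and "U\" subfolders, exactly as listed under "Other Deletions" above.
# A genuine hotfix folder has a spuninst\ subfolder instead, so it is not matched.
ZA_STASH = re.compile(r'\\\$NtUninstallKB\d+\$\\\d+\\(?:@$|[LU]\\)', re.IGNORECASE)

# A directory literally named after an environment variable (the log shows a
# hidden+system c:\windows\system32\%APPDATA%) is a common dropper artefact.
LITERAL_ENV_DIR = re.compile(r'\\%[A-Z]+%(?:\\|$)', re.IGNORECASE)

# Rogue AV names present in this log.
ROGUE_NAMES = ("Live Security Platinum",)

# ServerDll modules in a stock Windows 7 csrss line. ZeroAccess replaces
# winsrv:ConServerDllInitialization with consrv:ConServerDllInitialization,
# which is the entry FRST looks for under Session Manager\SubSystems\Windows.
ALLOWED_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}
SERVERDLL = re.compile(r'ServerDll=([A-Za-z0-9_]+)[:,]')

# Constructed sample log lines modelled on the ComboFix output above.
SAMPLE_LOG = r"""
c:\users\Abhi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\windows\$NtUninstallKB3257$\1332298704\@
c:\windows\$NtUninstallKB3257$\1332298704\L\00000004.@
c:\windows\$NtUninstallKB3257$\1332298704\U\80000032.@
c:\windows\$NtUninstallKB12345$\spuninst\spuninst.exe
c:\windows\system32\%APPDATA%
c:\windows\system32\drivers\mbam.sys
"""

# Constructed registry values: assumed stock Windows 7 string, and the same
# string with the console ServerDll swapped the way ZeroAccess does it.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization"
)


@dataclass
class Finding:
    kind: str
    detail: str


def scan_paths(lines):
    """Classify each path line; returns the suspicious ones in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ZA_STASH.search(line):
            findings.append(Finding("zeroaccess_stash", line))
        elif LITERAL_ENV_DIR.search(line):
            findings.append(Finding("literal_env_dir", line))
        elif any(name.lower() in line.lower() for name in ROGUE_NAMES):
            findings.append(Finding("rogue_av", line))
    return findings


def check_subsystems_windows(value):
    """Return ServerDll modules not in the stock set (consrv => ZeroAccess)."""
    return [m for m in SERVERDLL.findall(value) if m.lower() not in ALLOWED_SERVERDLLS]


def main():
    for f in scan_paths(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:18} {f.detail}")
    print("unexpected ServerDlls (clean):   ", check_subsystems_windows(CLEAN_VALUE))
    print("unexpected ServerDlls (hijacked):", check_subsystems_windows(HIJACKED_VALUE))


if __name__ == "__main__":
    main()
```

On a live machine the registry string would come from `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems`, value `Windows`; the path scan can be pointed at any ComboFix or FRST text log. The spuninst line is there on purpose, to show that a genuine hotfix-uninstall folder is not reported.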
 
RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Abhi [Admin rights]
Mode: Scan -- Date: 07/18/2012 00:32:23

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-65A7B0 ATA Device +++++
--- User ---
[MBR] d110abe1e35231c0d4133bae5d88a36c
[BSP] 96c9a7a46b100b77294be8d48375e78f : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 199996 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409593240 | Size: 410481 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3400620AS ATA Device +++++
--- User ---
[MBR] 9802d947347ef49869beefbf02566ce1
[BSP] 007003efb55143942a01db33287866b3 : Standard MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 381543 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: ST31000528AS ATA Device +++++
--- User ---
[MBR] 061db42412c13e6debeb10d7afd93540
[BSP] 83a76bb613b27684cd6cca3457d0aba7 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: CENTON DS Pro USB Device +++++
--- User ---
[MBR] 0cfa9373b5b712d3e2a13f238a030a89
[BSP] a88b503a4dd08425becd66782ce39379 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNOWN (0x72) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
1 - [XXXXXX] UNKNOWN (0x65) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
2 - [XXXXXX] UNKNOWN (0x79) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
3 - [XXXXXX] UNKNOWN (0x0d) [VISIBLE] Offset (sectors): 2885681152 | Size: 27 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-18 00:34:01
-----------------------------
00:34:01.986 OS Version: Windows 6.1.7601 Service Pack 1
00:34:01.986 Number of processors: 4 586 0x1706
00:34:01.986 ComputerName: ABHI-PC UserName: Abhi
00:34:02.426 Initialize success
00:34:33.928 AVAST engine defs: 12071701
00:34:50.757 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
00:34:50.773 Disk 0 Vendor: WDC_WD6400AAKS-65A7B0 01.03B01 Size: 610480MB BusType: 3
00:34:50.773 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-5
00:34:50.773 Disk 1 Vendor: ST3400620AS 3.AAK Size: 381554MB BusType: 3
00:34:50.773 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T1L0-6
00:34:50.773 Disk 2 Vendor: ST31000528AS CC3E Size: 953869MB BusType: 3
00:34:50.788 Disk 0 MBR read successfully
00:34:50.804 Disk 0 MBR scan
00:34:50.804 Disk 0 Windows 7 default MBR code
00:34:50.804 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199996 MB offset 63
00:34:50.820 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 410481 MB offset 409593240
00:34:50.835 Disk 0 scanning sectors +1250258625
00:34:50.898 Disk 0 scanning C:\Windows\system32\drivers
00:34:58.547 Service scanning
00:35:14.899 Modules scanning
00:35:18.390 Disk 0 trace - called modules:
00:35:18.400 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
00:35:18.410 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863e9650]
00:35:18.410 3 CLASSPNP.SYS[8bbcb59e] -> nt!IofCallDriver -> [0x85eab918]
00:35:18.420 5 ACPI.sys[8b8993d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85eef908]
00:35:19.370 AVAST engine scan C:\Windows
00:35:21.185 AVAST engine scan C:\Windows\system32
00:37:19.618 AVAST engine scan C:\Windows\system32\drivers
00:37:28.257 AVAST engine scan C:\Users\Abhi
01:07:38.789 AVAST engine scan C:\ProgramData
01:08:27.455 Scan finished successfully
13:46:16.385 Disk 0 MBR has been saved successfully to "C:\Users\Abhi\Desktop\MBR.dat"
13:46:16.401 The log file has been saved successfully to "C:\Users\Abhi\Desktop\aswMBR.txt"
13:47:19.914 Disk 0 MBR has been saved successfully to "C:\Users\Abhi\Desktop\MBR.dat"
13:47:19.914 The log file has been saved successfully to "C:\Users\Abhi\Desktop\aswMBR.txt"
 