Solved Win32/Sirefef.ab

Status
Not open for further replies.
R

Rajneel.S

Posts: 15   +0
Hi there just today I noticed that my antivirus realtime proctection wasn't on. So I installed Microsoft security essentials again and ran a scan which told me that my computer was infected. In the middle of removing it I got this message saying windows has encountered a critical problem and will restart. And it kept repeating every time I tried to restart. I even tried safe mode but to no avail.
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

If you have Windows XP, let me know instead of following directions below.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
    frst2.jpg

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-09-2012
Ran by SYSTEM at 22-09-2012 17:05:27
Running from G:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-03-15] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-19] ()
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [480608 2009-11-05] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [460088 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [742712 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1697064 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TWebCamera] "C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [163840 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [611672 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [22840 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [30040 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [467816 2010-03-19] (TOSHIBA Corporation)
HKLM\...\Run: [VodafoneNZ_McciTrayApp] "C:\Program Files\VodafoneNZ\McciTrayApp.exe" [1574912 2010-12-06] (Alcatel-Lucent)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-02] (Malwarebytes Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [runfile] C:\Program Files\DisplayLink\DLsetup\NoConsoleExe.exe [7168 2011-03-17] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-25] (Microsoft Corporation)
HKU\Rajneel\...\Run: [AdobeBridge] [x]
HKU\Rajneel\...\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe [3077528 2011-08-16] ()
HKU\Rajneel\...\Run: [Akamai NetSession Interface] "C:\Users\Rajneel\AppData\Local\Akamai\netsession_win.exe" [4440896 2012-08-09] (Akamai Technologies, Inc.)
HKU\Rajneel\...\Run: [MPC] "C:\ProgramData\0e4a2c\MP0e4_8040.exe" /s [x]
HKU\Rajneel\...\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount [75624 2012-01-05] (Alcohol Soft Development Team)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Startup: C:\Users\Rajneel\Start Menu\Programs\Startup\networx - Shortcut.lnk
ShortcutTarget: networx - Shortcut.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 AxAutoMntSrv; C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team)
2 cfWiMAXService; "C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe" [185712 2010-01-28] (TOSHIBA CORPORATION)
2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [46448 2009-03-10] (TOSHIBA CORPORATION)
2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [5240168 2011-04-10] (DisplayLink Corp.)
3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [238328 2009-12-03] (WildTangent, Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-02] (Malwarebytes Corporation)
2 StarWindServiceAE; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [370688 2009-12-23] (StarWind Software)
3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [51512 2009-10-06] (TOSHIBA Corporation)
2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [468320 2009-11-05] (TOSHIBA Corporation)
3 TOSHIBA HDD SSD Alert Service; "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe" [111960 2010-02-05] (TOSHIBA Corporation)
2 Akamai; c:\program files\common files\akamai/netsession_win_5891ae0.dll [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

==================== Drivers (Whitelisted) ====================

3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [5340160 2010-03-15] (ATI Technologies Inc.)
3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [21888 2012-05-27] (http://libusb-win32.sourceforge.net)
3 dlkmd; C:\Windows\system32\drivers\dlkmd.sys [182896 2011-04-10] (DisplayLink Corp.)
0 dlkmdldr; C:\Windows\System32\drivers\dlkmdldr.sys [14448 2011-04-10] (DisplayLink Corp.)
3 LgBttPort; C:\Windows\System32\DRIVERS\lgbtport.sys [12160 2009-09-28] (LG Electronics Inc.)
3 lgbusenum; C:\Windows\System32\DRIVERS\lgbtbus.sys [10496 2009-09-28] (LG Electronics Inc.)
3 LGVMODEM; C:\Windows\System32\DRIVERS\lgvmodem.sys [12928 2009-09-28] (LG Electronics Inc.)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [22344 2012-07-02] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)
1 SASDIFSV; \??\C:\Users\Rajneel\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Users\Rajneel\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [67656 2010-05-10] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [477240 2012-06-15] (Duplex Secure Ltd.)
3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2010-04-12] (LG Electronics Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [24960 2010-04-12] (LG Electronics Inc.)
3 EagleXNt; \??\C:\windows\system32\drivers\EagleXNt.sys [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-09-22 17:05 - 2012-09-22 17:05 - 00000000 ____D C:\FRST
2012-09-21 05:17 - 2012-09-21 05:17 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eweqqvgx.sys
2012-09-21 05:14 - 2012-09-21 05:14 - 00001281 ____A C:\Users\Rajneel\Desktop\shutdown.lnk
2012-09-21 04:31 - 2012-09-21 04:31 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-21 04:29 - 2012-09-21 04:29 - 10288512 ____A (Microsoft Corporation) C:\Users\Rajneel\Downloads\mseinstall(1).exe
2012-09-21 03:03 - 2012-09-21 03:03 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{811CC38D-B279-46BB-A097-8F2928761674}
2012-09-20 05:09 - 2012-09-20 05:10 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{80F3B1A6-33DA-4B79-B7DA-F938BFEE56D1}
2012-09-19 04:12 - 2012-09-19 04:12 - 00143728 ____A C:\Windows\Minidump\092012-19281-01.dmp
2012-09-19 01:04 - 2012-09-19 01:05 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{D32C4D40-BAEC-4D0E-BD7F-723A4838F4A8}
2012-09-17 23:55 - 2012-09-17 23:55 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{D8A9B0D7-AB08-440B-85D6-CA16D92E4255}
2012-09-17 02:03 - 2012-09-17 02:03 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{F7B54E83-416B-4325-86A8-9FE65F0FF130}
2012-09-16 02:30 - 2012-09-16 02:30 - 00143728 ____A C:\Windows\Minidump\091612-20311-01.dmp
2012-09-16 01:19 - 2012-09-19 04:12 - 209068520 ____A C:\Windows\MEMORY.DMP
2012-09-16 01:19 - 2012-09-19 04:12 - 00000000 ____D C:\Windows\Minidump
2012-09-16 01:19 - 2012-09-16 01:19 - 00143728 ____A C:\Windows\Minidump\091612-20794-01.dmp
2012-09-15 19:34 - 2012-09-15 19:34 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{613A3723-7D1A-43F9-9B74-605728CAB71E}
2012-09-15 05:21 - 2012-09-15 05:22 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{E5B2A0AD-8B00-4A77-9BBD-476BFD11964B}
2012-09-14 17:21 - 2012-09-14 17:21 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{ADED95C6-D291-487A-A213-57D31193787E}
2012-09-14 00:26 - 2012-09-14 00:26 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{22288931-EA7F-4CCE-9C91-83D671139EF3}
2012-09-13 03:00 - 2012-09-13 03:00 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{36E389B2-4C3C-4AD2-86C3-0E61CE7192F3}
2012-09-12 03:47 - 2012-09-12 03:47 - 00000000 ____D C:\Users\Rajneel\Desktop\PokeMMO-Client
2012-09-12 03:37 - 2012-09-12 03:40 - 06712943 ____A C:\Users\Rajneel\Downloads\PokeMMO-Client.zip
2012-09-12 00:56 - 2012-09-12 00:56 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{EB412FB6-B665-4205-BC91-84564E263E30}
2012-09-11 02:18 - 2012-09-11 02:18 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{56D1ED00-339D-43DA-A771-D3D103E7AB83}
2012-09-10 05:04 - 2012-09-10 05:04 - 00000000 ____D C:\Users\Rajneel\Desktop\BASTILLE_-_OTHER_PEOPLE'S_HEARTACHE
2012-09-10 04:46 - 2012-09-10 04:52 - 62947359 ____A C:\Users\Rajneel\Downloads\BASTILLE_-_OTHER_PEOPLE'S_HEARTACHE.zip
2012-09-10 00:01 - 2012-09-10 00:01 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{B1A6D14A-B821-4C61-B25C-1C63CEE50FC9}
2012-09-08 23:56 - 2012-09-08 23:56 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{650F541B-B4BD-4B52-9989-6C58DD4618DC}
2012-09-08 18:00 - 2012-09-08 18:00 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-09-07 17:51 - 2012-09-07 17:51 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{DA0F7B07-2300-4AB6-82E4-BF97DDE74826}
2012-09-06 18:19 - 2012-09-06 18:19 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{18002C75-D938-4019-A5E8-29CA4989A758}
2012-09-06 02:45 - 2012-09-06 02:45 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{EE990674-75A9-427A-89CB-70F0C38E0D1E}
2012-09-05 04:43 - 2012-09-05 04:44 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{AF1C9306-FA28-4C35-B60C-F53C97521BF3}
2012-09-05 04:35 - 2012-09-05 04:35 - 39539243 ____A C:\Users\Rajneel\Documents\c2.psd
2012-09-05 04:34 - 2012-09-05 04:34 - 55372746 ____A C:\Users\Rajneel\Documents\n2.psd
2012-09-05 04:34 - 2012-09-05 04:34 - 46745082 ____A C:\Users\Rajneel\Documents\d2.psd
2012-09-05 04:34 - 2012-09-05 04:34 - 22647172 ____A C:\Users\Rajneel\Documents\t1.psd
2012-09-05 04:33 - 2012-09-05 04:33 - 11724216 ____A C:\Users\Rajneel\Documents\0000063.psd
2012-09-04 01:30 - 2012-09-04 01:30 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{9E4702F5-D523-4E3E-9C23-F8A48BA79242}
2012-09-03 21:21 - 2012-09-03 21:21 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-09-02 19:03 - 2012-09-02 19:03 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{248A5454-1953-456C-89D4-B08D5C8219C6}
2012-09-01 18:28 - 2012-09-01 18:29 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{899338A7-11F1-4318-8750-026AD3FE92C0}
2012-08-31 23:31 - 2012-08-31 23:31 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{0810DC22-CF2C-42EC-B3C0-9D6222CF23DB}
2012-08-31 01:35 - 2012-08-31 01:35 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{590A17A5-22F3-4EC3-A57D-871B73F1F001}
2012-08-30 01:05 - 2012-08-30 01:06 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{A2282862-D2A0-4578-9D31-CDC70C82E0C6}
2012-08-28 17:18 - 2012-08-28 17:18 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{6F88A3A7-CAB6-47BA-9E04-2D415AB2E1D4}
2012-08-27 17:18 - 2012-08-27 17:19 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{B6338DB8-3310-448E-96E6-632C1BE91ADA}
2012-08-27 00:21 - 2012-08-27 03:11 - 00000000 ____D C:\Users\Rajneel\Desktop\teen wolf
2012-08-26 17:07 - 2012-08-26 17:07 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{C3C18081-E58C-4D70-B328-E09A390F6FBB}
2012-08-25 22:52 - 2012-08-25 22:55 - 00000000 ____D C:\Program Files\SPSS
2012-08-25 18:56 - 2012-08-25 18:56 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{73546CB6-5255-4E71-ACA3-78448DD8A0C0}
2012-08-24 18:15 - 2012-08-24 18:16 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{F5EC7237-250F-4CA0-893D-76D495E30497}
2012-08-24 00:04 - 2012-08-24 00:04 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{A39312B8-6D1A-4310-89B8-C49E68F20910}
2012-08-23 00:27 - 2012-08-23 00:28 - 00000000 ____D C:\Users\Rajneel\AppData\Local\{241D6DCF-84C9-4D15-8824-C253A5A26C2E}

==================== 3 Months Modified Files ==================

2012-09-21 05:17 - 2012-09-21 05:17 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eweqqvgx.sys
2012-09-21 05:16 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-21 05:15 - 2011-01-20 01:09 - 00046838 ____A C:\Windows\setupact.log
2012-09-21 05:14 - 2012-09-21 05:14 - 00001281 ____A C:\Users\Rajneel\Desktop\shutdown.lnk
2012-09-21 04:32 - 2011-01-20 01:11 - 01714614 ____A C:\Windows\WindowsUpdate.log
2012-09-21 04:31 - 2011-01-13 02:41 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-21 04:31 - 2010-03-22 22:55 - 00854120 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-21 04:29 - 2012-09-21 04:29 - 10288512 ____A (Microsoft Corporation) C:\Users\Rajneel\Downloads\mseinstall(1).exe
2012-09-21 04:27 - 2012-01-25 19:36 - 00001082 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-21 00:13 - 2009-07-13 20:34 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-21 00:13 - 2009-07-13 20:34 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-19 04:13 - 2009-07-13 20:53 - 00032652 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-19 04:12 - 2012-09-19 04:12 - 00143728 ____A C:\Windows\Minidump\092012-19281-01.dmp
2012-09-19 04:12 - 2012-09-16 01:19 - 209068520 ____A C:\Windows\MEMORY.DMP
2012-09-16 02:30 - 2012-09-16 02:30 - 00143728 ____A C:\Windows\Minidump\091612-20311-01.dmp
2012-09-16 01:19 - 2012-09-16 01:19 - 00143728 ____A C:\Windows\Minidump\091612-20794-01.dmp
2012-09-13 05:41 - 2012-04-07 23:39 - 00000870 ____A C:\Users\Rajneel\Desktop\New Text Document.txt
2012-09-12 03:40 - 2012-09-12 03:37 - 06712943 ____A C:\Users\Rajneel\Downloads\PokeMMO-Client.zip
2012-09-10 04:52 - 2012-09-10 04:46 - 62947359 ____A C:\Users\Rajneel\Downloads\BASTILLE_-_OTHER_PEOPLE'S_HEARTACHE.zip
2012-09-05 04:35 - 2012-09-05 04:35 - 39539243 ____A C:\Users\Rajneel\Documents\c2.psd
2012-09-05 04:34 - 2012-09-05 04:34 - 55372746 ____A C:\Users\Rajneel\Documents\n2.psd
2012-09-05 04:34 - 2012-09-05 04:34 - 46745082 ____A C:\Users\Rajneel\Documents\d2.psd
2012-09-05 04:34 - 2012-09-05 04:34 - 22647172 ____A C:\Users\Rajneel\Documents\t1.psd
2012-09-05 04:33 - 2012-09-05 04:33 - 11724216 ____A C:\Users\Rajneel\Documents\0000063.psd
2012-08-30 03:23 - 2012-03-16 03:35 - 00000728 ____A C:\Users\Rajneel\.drjava
2012-08-26 16:12 - 2009-07-13 20:33 - 03783808 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-25 23:46 - 2010-08-25 17:17 - 00115120 ____A C:\Users\Rajneel\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-19 01:54 - 2012-07-28 20:40 - 00000425 ____A C:\Users\Rajneel\Desktop\current classes.txt
2012-08-18 23:06 - 2012-08-18 23:06 - 43797043 ____A C:\Users\Rajneel\Desktop\Call_of_Duty_for_N00BS___How_to_Improve_Your_Game.flv
2012-08-15 03:20 - 2012-08-15 03:19 - 68595484 ____A C:\Users\Rajneel\Desktop\videoplayback_video_mp4_Object.mp4
2012-08-13 04:11 - 2012-07-19 22:25 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-13 04:11 - 2011-11-30 18:30 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-08 23:39 - 2011-01-04 22:24 - 00007602 ____A C:\Users\Rajneel\AppData\Local\resmon.resmoncfg
2012-08-05 02:39 - 2012-08-05 02:39 - 00000758 ____A C:\Users\Rajneel\Downloads\Game1vs2.csv
2012-08-05 00:16 - 2012-08-05 00:16 - 00000470 ____A C:\Users\Rajneel\Downloads\Coaster%20Data.csv
2012-08-02 02:06 - 2012-06-20 23:21 - 00000732 ____A C:\Users\Rajneel\Desktop\songz.txt
2012-08-01 04:19 - 2012-08-01 04:19 - 04903183 ____A C:\Users\Rajneel\Downloads\The Devil Wears Prada_Group 3.pptx
2012-08-01 02:52 - 2012-08-01 02:50 - 05953400 ____A (ManiacTools.com ) C:\Users\Rajneel\Downloads\m4a-to-mp3-converter.exe
2012-07-31 03:54 - 2012-07-31 03:44 - 114689849 ____A C:\Users\Rajneel\Downloads\Kendrick+Lamar+-+Overly+Dedicated.zip
2012-07-26 02:10 - 2012-07-26 02:10 - 39856063 ____A C:\Users\Rajneel\Desktop\MW3__ULTIMATE_Custom_Class_Tutorial.flv
2012-07-25 22:57 - 2012-07-25 22:57 - 33015963 ____A C:\Users\Rajneel\Desktop\MW3_Type_95_MOAB__41_1.flv
2012-07-25 22:53 - 2012-07-25 22:53 - 46726112 ____A C:\Users\Rajneel\Desktop\FIRST_2_M.O.A.B_s_in_1_Game.flv
2012-07-24 23:54 - 2012-07-24 23:54 - 32583775 ____A C:\Users\Rajneel\Desktop\Ab_Soul_Day_In_A_Life.flv
2012-07-21 21:27 - 2012-07-21 21:24 - 24469187 ____A C:\Users\Rajneel\Desktop\FIFA 12 _ Race to Division One _ PACE PACE PACE!!! 33.flv
2012-07-21 21:24 - 2012-07-21 21:24 - 09933531 ____A C:\Users\Rajneel\Desktop\FIFA 12 Top 5 Goals of the Week #42.flv
2012-07-02 17:46 - 2011-01-13 02:35 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-30 02:47 - 2012-06-30 02:47 - 39868373 ____A C:\Users\Rajneel\Desktop\Great_Modern_Warfare_Multiplayer_Guides_and_Tips_For_Beginners.flv


ZeroAccess:
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\@
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\L
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\n
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\U
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\L\00000004.@
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\L\201d3dde
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\U\80000032.@

ZeroAccess:
C:\Users\Rajneel\AppData\Local\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}
C:\Users\Rajneel\AppData\Local\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\@
C:\Users\Rajneel\AppData\Local\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\L
C:\Users\Rajneel\AppData\Local\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-09 23:08:06
Restore point made on: 2012-08-17 01:38:54
Restore point made on: 2012-08-25 22:51:15
Restore point made on: 2012-09-13 01:30:14
Restore point made on: 2012-09-21 00:14:01

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 1786.9 MB
Available physical RAM: 1405.46 MB
Total Pagefile: 1786.9 MB
Available Pagefile: 1411.51 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.95 MB

==================== Partitions =============================

1 Drive c: (S3A8954D004) (Fixed) (Total:286.31 GB) (Free:159.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.29 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: (RSHA541) (Removable) (Total:3.7 GB) (Free:2.48 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 3801 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 286 GB 1501 MB
Partition 3 Primary 10 GB 287 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C S3A8954D004 NTFS Partition 286 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3800 MB 40 KB

=========================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G RSHA541 FAT32 Removable 3800 MB Healthy

=========================================================

Last Boot: 2012-09-17 01:13

==================== End Of Log ============================
 
Farbar Recovery Scan Tool (x86) Version: 20-09-2012
Ran by SYSTEM at 2012-09-22 17:08:02
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===
 
FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}
C:\Users\Rajneel\AppData\Local\{6fca6a87-7ed2-144a-f90a-7090a8acec9b}
C:\Windows\assembly\GAC\Desktop.ini
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end
Click to expand...

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Hi still the same problem. Here is the log you wanted.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-09-2012
Ran by SYSTEM at 2012-09-23 13:56:09 Run:1
Running from F:\
==============================================
Could not find C:\Windows\System32\services.exe
Could not find C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
==== End of Fixlog ====
 
Download the attached text file, replace the fixlist.txt on your flash drive with the one you downloaded.

Try the fix again as instructed above.
 

Attachments

  • fixlist.txt
    348 bytes · Views: 3
The restart thing looks like it stopped, is it okay to do the further steps on the problem laptop or should I continue to use my other computer?
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-09-2012
Ran by SYSTEM at 2012-09-24 11:48:52 Run:2
Running from F:\
==============================================
C:\Windows\Installer\{6fca6a87-7ed2-144a-f90a-7090a8acec9b} moved successfully.
C:\Users\Rajneel\AppData\Local\{6fca6a87-7ed2-144a-f90a-7090a8acec9b} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
Let's now go with infected computer in to Normal Mode of Windows:

ComboFix

Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
  • Like
Reactions: Rajneel.S
ComboFix 12-09-23.03 - Rajneel 24/09/2012 21:13:35.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.64.1033.18.1787.1047 [GMT 12:00]
Running from: c:\users\Rajneel\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rajneel\AppData\Local\TempDIR
c:\users\Rajneel\AppData\Local\TempDIR\BetterInstaller.exe
c:\users\Rajneel\AppData\Roaming\Local
c:\users\Rajneel\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\Rajneel\AppData\Roaming\Local\Temp\DDM\Settings\Misfits.S01E01.DVDRip.XviD-P0W4_ns.avi.ddr
c:\users\Rajneel\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\Rajneel\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\Misfits.S01E01.DVDRip.XviD-P0W4_ns.avi.ddp
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-08-24 to 2012-09-24 )))))))))))))))))))))))))))))))
.
.
2012-09-24 09:29 . 2012-09-24 09:32 -------- d-----w- c:\users\Rajneel\AppData\Local\temp
2012-09-24 09:02 . 2012-09-24 09:30 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AD2C033A-0DD3-445D-A34F-06493B1306E8}\offreg.dll
2012-09-23 01:05 . 2012-09-23 01:05 -------- d-----w- C:\FRST
2012-09-21 12:33 . 2012-02-09 02:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D7169FEA-4E87-4595-A377-8DE4B2B52D38}\gapaengine.dll
2012-09-21 12:33 . 2012-09-18 12:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AD2C033A-0DD3-445D-A34F-06493B1306E8}\mpengine.dll
2012-09-21 12:31 . 2012-09-21 12:31 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-04 05:21 . 2012-09-04 05:21 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-26 06:52 . 2012-08-26 06:55 -------- d-----w- c:\program files\SPSS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-13 12:11 . 2012-07-20 06:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-13 12:11 . 2011-12-01 02:30 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 01:46 . 2011-01-13 10:35 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 02:00 . 2012-09-09 02:00 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-17 3077528]
"Akamai NetSession Interface"="c:\users\Rajneel\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2012-01-05 75624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-11-06 480608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-03-03 742712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-11 1697064]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-10-20 163840]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 611672]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 22840]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2010-03-03 30040]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2010-03-19 467816]
"VodafoneNZ_McciTrayApp"="c:\program files\VodafoneNZ\McciTrayApp.exe" [2010-12-07 1574912]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"runfile"="c:\program files\DisplayLink\DLsetup\NoConsoleExe.exe" [2011-03-18 7168]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\users\Rajneel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
networx - Shortcut.lnk - c:\users\Rajneel\Downloads\networx_portable\32-bit\networx.exe [2012-2-18 3331072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 05:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-13 18:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-11 19:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-24 22:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-17 07:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-07 22:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Rajneel\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Rajneel\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [x]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys [x]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys [x]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.co.nz/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\users\Rajneel\AppData\Roaming\Mozilla\Firefox\Profiles\x8j510zq.default\
FF - prefs.js: browser.startup.homepage - www.google.co.nz
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-MPC - c:\programdata\0e4a2c\MP0e4_8040.exe
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AddRemove-Notepad++ - e:\notepad++\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\program files\DisplayLink Core Software\DisplayLinkUserAgent.exe
c:\program files\DisplayLink Core Software\DisplayLinkUI.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\conhost.exe
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
c:\windows\system32\conhost.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\taskhost.exe
c:\windows\SoftwareDistribution\Download\Install\AM_Delta.exe
c:\windows\system32\MpSigStub.exe
.
**************************************************************************
.
Completion time: 2012-09-24 21:46:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-24 09:46
.
Pre-Run: 191,339,495,424 bytes free
Post-Run: 191,717,847,040 bytes free
.
- - End Of File - - 827E0A504B4E59BE9995924DC9F189A1
 
Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

avast! aswMBR

Please download aswMBR from here
  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below
aswMBR_Scan.jpg


Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
  • Once the scan finishes click Save log to save the log to your Desktop
    aswMBR_SaveLog.png
  • Copy and paste the contents of aswMBR.txt back here for review
  • Please also find MBR.dat on your Desktop, and rename it to MBR.txt. Upload that as well.
 
# AdwCleaner v2.003 - Logfile created 09/25/2012 at 21:03:17
# Updated 23/09/2012 by Xplode
# Operating system : Windows 7 Home Premium (32 bits)
# User : Rajneel - RAJNEEL-PC
# Boot Mode : Normal
# Running from : C:\Users\Rajneel\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Rajneel\AppData\LocalLow\boost_interprocess

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Rajneel\AppData\Roaming\Mozilla\Firefox\Profiles\x8j510zq.default\prefs.js

Deleted : user_pref("SothinkWebVideoDownloaderWebVideoDownloader.HistoryArray_916.name", "mofos_rough_cut_d_oc[...]
Deleted : user_pref("SothinkWebVideoDownloaderWebVideoDownloader.HistoryArray_916.url", "hxxp://cdn1.ads.conte[...]
Deleted : user_pref("extensions.facemoods.first_time", false);
Deleted : user_pref("extensions.facemoods.newTab", false);

*************************

AdwCleaner[S1].txt - [1637 octets] - [25/09/2012 21:03:17]

########## EOF - C:\AdwCleaner[S1].txt - [1697 octets] ##########
 
After aswMBR, please do the following:

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-25 21:09:23
-----------------------------
21:09:23.266 OS Version: Windows 6.1.7600
21:09:23.266 Number of processors: 1 586 0x603
21:09:23.266 ComputerName: RAJNEEL-PC UserName: Rajneel
21:09:45.452 Initialize success
21:13:32.886 AVAST engine defs: 12092500
21:13:50.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:13:50.546 Disk 0 Vendor: Hitachi_HTS545032B9A300 PB3OC64G Size: 305245MB BusType: 11
21:13:50.576 Disk 0 MBR read successfully
21:13:50.586 Disk 0 MBR scan
21:13:50.596 Disk 0 Windows VISTA default MBR code
21:13:50.616 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
21:13:50.626 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 293180 MB offset 3074048
21:13:50.666 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10564 MB offset 603506688
21:13:50.686 Disk 0 scanning sectors +625141760
21:13:50.826 Disk 0 scanning C:\windows\system32\drivers
21:14:00.236 Service scanning
21:14:47.653 Modules scanning
21:15:28.332 Disk 0 trace - called modules:
21:15:28.405 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84c9c1e8]<<
21:15:28.415 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ac0030]
21:15:28.415 3 CLASSPNP.SYS[88a0a59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85a74030]
21:15:28.425 \Driver\atapi[0x859a4ab8] -> IRP_MJ_CREATE -> 0x84c9c1e8
21:15:29.975 AVAST engine scan C:\windows
21:15:37.775 AVAST engine scan C:\windows\system32
21:18:37.572 AVAST engine scan C:\windows\system32\drivers
21:18:49.625 AVAST engine scan C:\Users\Rajneel
21:29:17.262 AVAST engine scan C:\ProgramData
21:32:45.427 Scan finished successfully
21:33:54.944 Disk 0 MBR has been saved successfully to "C:\Users\Rajneel\Desktop\MBR.dat"
21:33:54.954 The log file has been saved successfully to "C:\Users\Rajneel\Desktop\aswMBR.txt"
 
A3ÀŽÐ¼ |ŽÀŽØ¾ |¿ ¹ üó¤PhËû¹ ½¾€~ | …ƒÅâñ͈V UÆFÆF ´A»ªUÍ]rûUªu ÷Á tþFf`€~ t&fh fÿvh h |h h ´BŠV ‹ôÍŸƒÄžë¸» |ŠV ŠvŠNŠnÍfasþN… €~ €„Š ²€ë‚U2äŠV Í]뜁>þ}Uªunÿv èŠ … °Ñædè °ßæ`èx °ÿædèq ¸ »Íf#Àu;fûTCPAu2ùr,fh» fh  fh fSfSfUfh fh | fah ÍZ2öê | Í ·ë ¶ë µ2ä ‹ð¬< tü» ´Íëò+Éädë $àø$ÃInvalid partition table Error loading operating system Missing operating system *œ<- € ! 'Y¿  à. Y¿þÿÿ è. àÉ# þÿÿþÿÿ Èø# J Uª
 
Farbar Service Scanner Version: 19-09-2012
Ran by Rajneel (administrator) on 25-09-2012 at 21:35:54
Running from "C:\Users\Rajneel\Downloads"
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys
[2011-06-16 19:40] - [2011-04-25 16:56] - 1286016 ____A (Microsoft Corporation) 0158D5E9982E9D6A90DFC802F618E130

C:\windows\system32\dnsrslvr.dll
[2011-04-14 20:45] - [2011-03-03 17:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\windows\system32\mpssvc.dll
[2009-07-14 11:53] - [2009-07-14 13:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\windows\system32\bfe.dll
[2009-07-14 11:54] - [2009-07-14 13:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll
[2009-07-14 11:23] - [2009-07-14 13:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\windows\system32\vssvc.exe
[2009-07-14 11:24] - [2009-07-14 13:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll
[2009-07-14 11:30] - [2009-07-14 13:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 
Good job!

ComboFix Script
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
    Click to expand...
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
ComboFix 12-09-23.03 - Rajneel 26/09/2012 8:35.2.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.64.1033.18.1787.1039 [GMT 12:00]
Running from: c:\users\Rajneel\Desktop\ComboFix.exe
Command switches used :: c:\users\Rajneel\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-25 to 2012-09-25 )))))))))))))))))))))))))))))))
.
.
2012-09-25 20:49 . 2012-09-25 20:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-25 20:27 . 2012-09-25 20:27 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B3A694DF-9B57-40F8-A0D8-D3F818860EBD}\offreg.dll
2012-09-24 09:46 . 2012-09-18 12:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B3A694DF-9B57-40F8-A0D8-D3F818860EBD}\mpengine.dll
2012-09-24 09:29 . 2012-09-25 20:49 -------- d-----w- c:\users\Rajneel\AppData\Local\temp
2012-09-23 01:05 . 2012-09-23 01:05 -------- d-----w- C:\FRST
2012-09-21 12:33 . 2012-02-09 02:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D7169FEA-4E87-4595-A377-8DE4B2B52D38}\gapaengine.dll
2012-09-21 12:33 . 2012-09-18 12:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-21 12:31 . 2012-09-21 12:31 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-04 05:21 . 2012-09-04 05:21 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-13 12:11 . 2012-07-20 06:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-13 12:11 . 2011-12-01 02:30 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 01:46 . 2011-01-13 10:35 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 02:00 . 2012-09-09 02:00 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-17 3077528]
"Akamai NetSession Interface"="c:\users\Rajneel\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2012-01-05 75624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-11-06 480608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-03-03 742712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-11 1697064]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-10-20 163840]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 611672]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 22840]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2010-03-03 30040]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2010-03-19 467816]
"VodafoneNZ_McciTrayApp"="c:\program files\VodafoneNZ\McciTrayApp.exe" [2010-12-07 1574912]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"runfile"="c:\program files\DisplayLink\DLsetup\NoConsoleExe.exe" [2011-03-18 7168]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\users\Rajneel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
networx - Shortcut.lnk - c:\users\Rajneel\Downloads\networx_portable\32-bit\networx.exe [2012-2-18 3331072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 05:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-13 18:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-11 19:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-24 22:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-17 07:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-07 22:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Rajneel\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Rajneel\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [x]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys [x]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys [x]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.co.nz/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\users\Rajneel\AppData\Roaming\Mozilla\Firefox\Profiles\x8j510zq.default\
FF - prefs.js: browser.startup.homepage - www.google.co.nz
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-26 08:53:04
ComboFix-quarantined-files.txt 2012-09-25 20:53
ComboFix2.txt 2012-09-24 09:46
.
Pre-Run: 190,766,014,464 bytes free
Post-Run: 192,991,997,952 bytes free
.
- - End Of File - - 1A1DC5AD476DDF5864A4C954A07E8988
 
Any more issues?

Please let me know about any error messages or other trouble we need to give attention to.

Good job so far! :)
 
If there are no more issues, then we shall finish up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Results of screen317's Security Check version 0.99.51
Windows 7 x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
(On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
TweakNow RegCleaner 2011
Java(TM) 6 Update 35
Java(TM) SE Development Kit 6 Update 31
Java DB 10.6.2.1
Java version out of Date!
Adobe Flash Player 11.3.300.265
Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 
Follow these instructions to obtain the latest Service Pack for Windows 7: http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

Remove the following from the Programs list (located in Control Panel):

Java(TM) 6 Update 35
Java(TM) SE Development Kit 6 Update 31


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?
 
Status
Not open for further replies.

Similar threads

H
Freezes after BSOD
Replies
10
Views
1K
bazz2004
B
H
BSOD during youtube video - Windows 7 64 - suspected hardware malfunction
Replies
15
Views
2K
Kshipper
Kshipper
midian182
China-based network tried to influence midterms, but long lunches and 9-to-5 hours hampered...
Replies
5
Views
651
DSirius
DSirius

Latest posts

Back