Ping.exe 32* infection


#16 Garlet01 (Topic Starter, Member, 42 posts)
I ran ComboFix; when it came back it was done, but it couldn't find the file.
About 4 hrs later the ping 32 exe came back with the Win 7 malware,
except the malware changed a bit... Before, the image name was gre*; now it's something llb (it changed the image name...).
Got any ideas?

#17 RKinner (Malware Expert, MVP, 19,788 posts)
Actually, I do. Do you see all of the entries in the OTL log that look like:

[2011/12/07 13:27:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At28.job

These are tasks whose job is to reinstall the malware if it gets deleted. They are probably set to trigger at random times.

I was hoping that one of the scans would take them out but they didn't so I guess we need to manually delete them.

Start, All Programs, Accessories then right click on Command Prompt and select Run As Admin. Type:

cd  \windows\tasks
(Prompt should change to show you are in C:\Windows\tasks)
del  At*.job

(If it asks you if you are sure, say "y".)
(I use two spaces in the code box so you can see where one space goes.)

Now run ComboFix again.

Run TDSSKiller again, but this time:
Before you hit Scan, hit Change Parameters and check the two items under Additional Options. OK, then Scan.
In this mode it is prone to false positives, so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt". Please copy and paste the contents in your next reply.


Run MBAM again.

Finish with an OTL, Quickscan.
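The post above relies on reading OTL's file entries by eye: each one is `[date time | size | attributes | C or M] (Company) -- path`, optionally with a `[state]` block and a trailing `-- (ServiceName)` for services. As an added example (not OTL's code and not part of the original posts), the parser below takes lines in that layout and pulls out the `At<number>.job` task files the expert describes, so a helper can confirm how many reinstall tasks a log lists instead of scanning hundreds of lines. The sample input is constructed for this example: the At28.job line mirrors the one quoted above, the other lines follow the same format, and the user profile name is replaced by the placeholder `EXAMPLE`.

```python
"""Parse OTL-style log lines and flag At<number>.job scheduled-task entries.

Added example for this thread; not OTL's own code. The sample lines below
are constructed (the At28.job line mirrors the one quoted in the thread,
the profile name is the placeholder EXAMPLE).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in OTL's "[date time | size | attrs | C/M] (Company) -- path" form.
SAMPLE_LOG = r"""
[2011/12/07 13:27:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At28.job
[2011/12/07 13:27:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At3.job
[2011/12/09 09:00:00 | 000,000,400 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
PRC - [2011/12/07 14:16:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\EXAMPLE\Downloads\OTL.exe
[2011/12/08 20:11:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\EXAMPLE\AppData\Roaming\Mozilla\Extensions
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
"""

# One OTL entry: timestamp, comma-grouped size, 4-char attribute field, C (created)
# or M (modified), company in parentheses, optional "[state]" block for services,
# the path, and an optional trailing "-- (ServiceName)".
OTL_ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\)(?: \[[^\]]*\])? -- "
    r"(?P<path>.+?)(?: -- \((?P<name>[^)]*)\))?\s*$"
)

# Task files named At<digits>.job under the Windows Tasks folder, as in the post.
AT_JOB = re.compile(r"\\Windows\\Tasks\\At\d+\.job$", re.IGNORECASE)


@dataclass
class OtlEntry:
    timestamp: str
    size: int          # bytes, with OTL's comma grouping removed
    attrs: str         # e.g. "----", "---D" (directory), "-H--" (hidden)
    flag: str          # "C" = created-date entry, "M" = modified-date entry
    company: str       # empty string when OTL prints "()"
    path: str
    service: Optional[str] = None   # trailing "(ServiceName)" for SRV/DRV lines


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return the parsed entry, or None for lines that are not OTL file entries."""
    m = OTL_ENTRY.search(line)
    if not m:
        return None
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        flag=m.group("flag"),
        company=m.group("company"),
        path=m.group("path"),
        service=m.group("name"),
    )


def parse_otl_log(text: str) -> List[OtlEntry]:
    """Parse every entry line in a log dump, skipping headers and prose."""
    entries = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def find_at_job_paths(text: str) -> List[str]:
    """Paths of At<number>.job task files listed in the log, in log order."""
    return [e.path for e in parse_otl_log(text) if AT_JOB.search(e.path)]


if __name__ == "__main__":
    jobs = find_at_job_paths(SAMPLE_LOG)
    print(f"{len(jobs)} At*.job task file(s) listed:")
    for path in jobs:
        print("  ", path)
```

The At*.job filter is deliberately narrow (Windows\Tasks, `At` followed by digits): a `.job` with another name, such as the GoogleUpdate task in the sample, is a normal scheduled task and is left alone, which is the distinction the post draws before suggesting `del At*.job`.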

#18 Garlet01 (Topic Starter, Member, 42 posts)
Sorry, I've been busy lately. I will do this tomorrow and inform you about the results.

#19 Garlet01 (Topic Starter, Member, 42 posts)
It said Windows could not find C:\Windows\task\at*.job

#20 Garlet01 (Topic Starter, Member, 42 posts)
It said Windows could not find C:\Windows\task\at*.job

#21 Garlet01 (Topic Starter, Member, 42 posts)
Disregard the last comment (2 oops); I forgot the period.

#22 Garlet01 (Topic Starter, Member, 42 posts)
Problem:
C:\Windows\Tasks>del. at*.job
C:\Windows\Tasks\*, Are you sure (Y/N)? y
C:\Windows\Tasks\SCHEDLGU.TXT
The process cannot access the file because it is being used by another process.
I tried to run it with only that running, nope =\

#23 RKinner (Malware Expert, MVP, 19,788 posts)
Can you run OTL, Quickscan, and post the logs? Let's see where we are now.

#24 Garlet01 (Topic Starter, Member, 42 posts)
OTL logfile created on: 12/24/2011 2:06:02 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Ante Koscica\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00003009 | Country: Zimbabwe | Language: ENW | Date Format: M/d/yyyy

3.68 Gb Total Physical Memory | 2.76 Gb Available Physical Memory | 74.94% Memory free
7.35 Gb Paging File | 6.19 Gb Available in Paging File | 84.15% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.65 Gb Total Space | 165.33 Gb Free Space | 36.52% Space Free | Partition Type: NTFS

Computer Name: ANTEKOSCICA-PC | User Name: Ante Koscica | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/23 21:06:04 | 000,325,632 | ---- | M] (Microsoft Corporation) -- C:\Users\Ante Koscica\AppData\Local\leo.exe
PRC - [2011/12/07 14:16:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Ante Koscica\Downloads\OTL.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/07/31 22:55:38 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2009/07/13 20:14:28 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\PING.EXE


========== Modules (No Company Name) ==========

MOD - [2010/11/20 07:19:56 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/04/22 12:39:54 | 000,171,040 | ---- | M] (Acer Incorporated) [Disabled | Stopped] -- C:\Program Files\Gateway\Optical Drive Power Management\ODDPWRSvc.exe -- (ODDPwrSvc)
SRV:64bit: - [2010/03/17 12:56:12 | 000,866,336 | ---- | M] (Acer Incorporated) [Disabled | Stopped] -- C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2010/01/28 18:27:36 | 000,243,232 | ---- | M] (Acer Group) [Disabled | Stopped] -- C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe -- (Updater Service)
SRV - [2011/12/04 20:28:42 | 000,670,224 | ---- | M] (Wellbia.com Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWOW64\xsherlock.xem -- (xsherlock)
SRV - [2011/11/10 19:23:52 | 000,490,840 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2011/11/05 18:29:23 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/15 15:18:12 | 002,329,480 | ---- | M] (LogMeIn Inc.) [Auto | Stopped] -- C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/07/31 22:55:38 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/10/21 15:09:00 | 004,208,208 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
SRV - [2010/04/07 23:18:40 | 000,312,400 | ---- | M] (Dritek System Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2010/03/18 15:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/08 18:58:24 | 000,250,368 | ---- | M] (NewTech Infosystems, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2010/01/15 16:08:38 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2010/01/08 08:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe -- (GREGService)
SRV - [2009/12/23 19:39:04 | 000,013,336 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel®
SRV - [2009/09/30 07:01:32 | 002,320,920 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/09/30 07:01:30 | 000,268,824 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/11/26 14:18:01 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2011/08/31 17:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 08:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/04/15 00:40:10 | 000,301,688 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2010/04/14 21:46:56 | 000,727,608 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2010/04/06 21:04:22 | 002,216,960 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2010/03/24 04:57:20 | 000,243,744 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/03/04 04:53:00 | 000,075,816 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2010/01/25 04:51:02 | 007,842,272 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/01/07 14:51:38 | 000,271,872 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) Intel®
DRV:64bit: - [2010/01/06 08:33:14 | 000,158,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009/12/17 12:42:08 | 000,538,136 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/09/16 23:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel®
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/05 18:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV:64bit: - [2009/05/05 18:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
DRV:64bit: - [2009/03/18 16:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
DRV - [2011/12/03 16:37:38 | 000,040,056 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Game\SoftnyxGame\WolfTeamIS\wolf64.sys -- (wolf)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2004/12/31 10:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...34z165a4622d261
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...34z165a4622d261

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yandex.ru/?clid=161107
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "Bing"
FF - prefs.js..browser.search.order.1: "Bing"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/?..._date=20110805"
FF - prefs.js..keyword.URL: "http://www.bing.com/...te=20110805&q="


FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Ante Koscica\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Ante Koscica\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Ante Koscica\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Ante Koscica\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Ante Koscica\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\Users\Ante Koscica\AppData\Roaming\5053 [2011/12/08 20:11:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/11/13 11:13:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/08/27 14:18:13 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\Users\Ante Koscica\AppData\Roaming\5053 [2011/12/08 20:11:06 | 000,000,000 | ---D | M]

[2011/10/03 12:51:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ante Koscica\AppData\Roaming\Mozilla\Extensions
[2011/10/03 12:51:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ante Koscica\AppData\Roaming\Mozilla\Extensions\[email protected]
[2011/12/12 10:18:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ante Koscica\AppData\Roaming\Mozilla\Firefox\Profiles\te0wne8n.default\extensions
[2011/10/08 12:20:20 | 000,000,000 | ---D | M] (Battlefield Heroes Updater) -- C:\Users\Ante Koscica\AppData\Roaming\Mozilla\Firefox\Profiles\te0wne8n.default\extensions\[email protected]
[2011/10/10 15:15:12 | 000,000,000 | ---D | M] (Battlefield Play4Free) -- C:\Users\Ante Koscica\AppData\Roaming\Mozilla\Firefox\Profiles\te0wne8n.default\extensions\[email protected]
[2011/05/18 18:33:19 | 000,002,242 | ---- | M] () -- C:\Users\Ante Koscica\AppData\Roaming\Mozilla\Firefox\Profiles\te0wne8n.default\searchplugins\AOL Search.xml
[2011/11/14 06:55:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/10/22 12:50:38 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/11/13 11:13:15 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010/07/27 15:13:46 | 000,027,136 | ---- | M] (NHN USA Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
[2010/07/28 17:14:08 | 000,022,016 | ---- | M] (NHN USA Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npijjiFFPlugin1.dll
[2011/05/18 18:33:19 | 000,002,242 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\AOL Search.xml
[2011/09/30 18:22:52 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml.old
[2011/11/13 11:13:15 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Ante Koscica\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\npSkypeChromePlugin.dll
CHR - plugin: downloadUpdater (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
CHR - plugin: downloadUpdater2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
CHR - plugin: ijji Auto Install Plugin for Mozilla (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
CHR - plugin: ijji Web Launching Plugin for FF (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Best Buy pc app Detector (Enabled) = C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Ante Koscica\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Skype Click to Call = C:\Users\Ante Koscica\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\

Hosts file not found
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [combofix] C:\ComboFix\CF2664.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4:64bit: - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Ante Koscica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameRanger.lnk = C:\Users\Ante Koscica\AppData\Roaming\GameRanger\GameRanger\GameRanger.exe (GameRanger Technologies)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - %SystemRoot%\System32\winrnr.dll File not found
O15 - HKCU\..Trusted Ranges: Range1979 ([http] in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.237.161.12 71.243.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7A4F623B-9285-4B7D-B04B-6902F83E0D05}: DhcpNameServer = 68.237.161.12 71.243.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7A4F623B-9285-4B7D-B04B-6902F83E0D05}: NameServer = 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E87118A4-5ACA-4C3D-99FD-08A79A3CA1C1}: NameServer = 208.67.220.220
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klartew: DllName - (C:\Windows\system32\config\systemprofile\AppData\Local\klartew.dll) - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\klartew.dll ()
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = imX] -- "C:\Users\Ante Koscica\AppData\Local\leo.exe" -a "%1" %* (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/12/23 21:06:04 | 000,325,632 | ---- | C] (Microsoft Corporation) -- C:\Users\Ante Koscica\AppData\Local\leo.exe
[2011/12/23 20:39:01 | 000,332,800 | ---- | C] (Microsoft Corporation) -- C:\Users\Ante Koscica\AppData\Local\gss.exe
[2011/12/23 18:22:49 | 000,329,728 | ---- | C] (Microsoft Corporation) -- C:\Users\Ante Koscica\AppData\Local\nql.exe
[2011/12/22 13:07:08 | 000,000,000 | ---D | C] -- C:\244eb488acf32089a63a29dcb5
[2011/12/20 21:49:58 | 000,000,000 | ---D | C] -- C:\3defeba66442315dfc254abfd121
[2011/12/19 20:23:37 | 000,000,000 | -HSD | C] -- C:\found.006
[2011/12/18 10:25:04 | 000,329,728 | ---- | C] (Microsoft Corporation) -- C:\Users\Ante Koscica\AppData\Local\bmc.exe
[2011/12/18 09:11:04 | 000,000,000 | ---D | C] -- C:\ebbdea961f1abb7a09ed87d7
[2011/12/17 13:35:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/17 13:26:25 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\FileHunter
[2011/12/16 23:12:59 | 000,000,000 | ---D | C] -- C:\Windows\system64
[2011/12/16 23:12:42 | 000,324,096 | ---- | C] (Microsoft Corporation) -- C:\Users\Ante Koscica\AppData\Local\llq.exe
[2011/12/16 17:47:56 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/16 17:34:13 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/12/16 14:39:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/16 14:39:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/12/15 21:07:11 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/12 10:02:58 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/12 10:02:58 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/12 10:02:58 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/12 10:00:21 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/12 09:56:50 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/10 13:46:37 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\Pogo
[2011/12/10 13:46:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Pogo
[2011/12/10 13:45:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monopoly City
[2011/12/10 13:45:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Monopoly City
[2011/12/08 20:11:06 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\5053
[2011/12/08 19:14:55 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\xmldm
[2011/12/08 19:14:51 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\kock
[2011/12/07 19:56:06 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\Desktop\New folder (4)
[2011/12/06 13:52:41 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\Reviversoft
[2011/12/06 13:51:42 | 000,018,760 | ---- | C] (ReviverSoft) -- C:\Windows\SysNative\roboot64.exe
[2011/12/06 13:51:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Reviversoft
[2011/12/04 20:28:42 | 000,670,224 | ---- | C] (Wellbia.com Co., Ltd.) -- C:\Windows\SysWow64\xsherlock.xem
[2011/12/03 15:47:11 | 000,000,000 | ---D | C] -- C:\Game
[2011/12/03 14:20:10 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2011/12/03 14:19:34 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\IObit
[2011/12/03 14:19:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
[2011/12/01 21:58:13 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\Grand Ages Rome
[2011/11/29 18:44:51 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CorsixTH
[2011/11/29 18:44:51 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\CorsixTH
[2011/11/29 18:44:50 | 000,000,000 | ---D | C] -- C:\Program Files\CorsixTH
[2011/11/29 15:48:42 | 000,000,000 | ---D | C] -- C:\Users\Ante Koscica\AppData\Roaming\Reign of Augustus
[2011/11/29 13:30:17 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/11/28 13:19:33 | 000,000,000 | ---D | C] -- C:\Windows\Simple Port Forwarding
[2011/11/28 13:19:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Simple Port Forwarding
[2011/11/27 19:10:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Akella Games
[2011/11/26 14:18:01 | 000,270,912 | ---- | C] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2011/11/26 14:17:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
[2011/11/26 14:17:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite
[2011/05/18 17:13:53 | 000,049,464 | ---- | C] ( ) -- C:\Windows\AutosetFrequency.exe

========== Files - Modified Within 30 Days ==========

[2011/12/24 14:05:54 | 000,014,816 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\637137n7y858v116t034c5egj2p7
[2011/12/24 14:05:54 | 000,014,816 | -HS- | M] () -- C:\ProgramData\637137n7y858v116t034c5egj2p7
[2011/12/23 20:40:31 | 000,010,302 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\ofl8br2sh1704f74n2enxlo7ywh501
[2011/12/23 20:40:31 | 000,010,302 | -HS- | M] () -- C:\ProgramData\ofl8br2sh1704f74n2enxlo7ywh501
[2011/12/23 18:23:52 | 000,006,124 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
[2011/12/23 18:23:52 | 000,006,124 | -HS- | M] () -- C:\ProgramData\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
[2011/12/23 14:42:38 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/23 14:42:38 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/23 14:40:08 | 000,007,720 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\430266g8g434x342c241p4vjs8y0
[2011/12/23 14:40:08 | 000,007,720 | -HS- | M] () -- C:\ProgramData\430266g8g434x342c241p4vjs8y0
[2011/12/21 20:40:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/21 20:40:20 | 2962,219,008 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/20 18:39:25 | 000,348,632 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/17 13:29:44 | 000,003,108 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\s4tx87v5rt4vto
[2011/12/17 13:29:44 | 000,003,108 | -HS- | M] () -- C:\ProgramData\s4tx87v5rt4vto
[2011/12/16 16:42:49 | 000,084,520 | ---- | M] () -- C:\Users\Ante Koscica\Desktop\NiceTry.jpg
[2011/12/16 15:57:08 | 000,002,347 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/12/16 14:39:30 | 000,001,116 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/15 21:10:06 | 000,015,162 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\304740a6t017u215p041i7jpv2k3
[2011/12/15 21:10:06 | 000,015,162 | -HS- | M] () -- C:\ProgramData\304740a6t017u215p041i7jpv2k3
[2011/12/12 10:53:44 | 000,000,512 | ---- | M] () -- C:\Users\Ante Koscica\Desktop\MBR.dat
[2011/12/12 09:59:59 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/12/12 09:52:18 | 000,012,440 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\frvivf3i4vur5rmx1wal1i614o0j
[2011/12/12 09:52:18 | 000,012,440 | -HS- | M] () -- C:\ProgramData\frvivf3i4vur5rmx1wal1i614o0j
[2011/12/11 21:19:38 | 002,180,378 | ---- | M] () -- C:\Users\Ante Koscica\Desktop\974817_700b.jpg
[2011/12/11 21:10:44 | 000,049,184 | ---- | M] () -- C:\Users\Ante Koscica\Desktop\963676_460s.jpg
[2011/12/11 21:08:14 | 000,116,323 | ---- | M] () -- C:\Users\Ante Koscica\Desktop\978148_460s.jpg
[2011/12/11 20:51:31 | 000,214,750 | ---- | M] () -- C:\Users\Ante Koscica\Desktop\838153_700b_v1.jpg
[2011/12/10 13:45:59 | 000,001,965 | ---- | M] () -- C:\Users\Public\Desktop\Monopoly City.lnk
[2011/12/10 10:53:31 | 000,000,112 | ---- | M] () -- C:\ProgramData\mXSYmh3.dat
[2011/12/10 10:51:12 | 000,000,001 | ---- | M] () -- C:\Windows\SysWow64\7XMWv.com.b
[2011/12/08 20:56:53 | 000,000,068 | ---- | M] () -- C:\Users\Ante Koscica\AppData\Roaming\blckdom.res
[2011/12/06 17:05:02 | 000,012,076 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\105818a8j030q312r082c0vio3s4
[2011/12/06 17:05:02 | 000,012,076 | -HS- | M] () -- C:\ProgramData\105818a8j030q312r082c0vio3s4
[2011/12/04 20:28:42 | 000,670,224 | ---- | M] (Wellbia.com Co., Ltd.) -- C:\Windows\SysWow64\xsherlock.xem
[2011/12/04 20:22:14 | 000,015,414 | -HS- | M] () -- C:\Users\Ante Koscica\AppData\Local\6m87wd2e03u886
[2011/12/04 20:22:14 | 000,015,414 | -HS- | M] () -- C:\ProgramData\6m87wd2e03u886
[2011/12/03 18:27:59 | 000,116,224 | ---- | M] () -- C:\Windows\SysWow64\7XMWv.com_
[2011/11/26 14:18:01 | 000,270,912 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys

========== Files Created - No Company Name ==========

[2011/12/23 21:06:10 | 000,014,816 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\637137n7y858v116t034c5egj2p7
[2011/12/23 21:06:10 | 000,014,816 | -HS- | C] () -- C:\ProgramData\637137n7y858v116t034c5egj2p7
[2011/12/23 20:39:06 | 000,010,302 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\ofl8br2sh1704f74n2enxlo7ywh501
[2011/12/23 20:39:06 | 000,010,302 | -HS- | C] () -- C:\ProgramData\ofl8br2sh1704f74n2enxlo7ywh501
[2011/12/23 18:22:54 | 000,006,124 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
[2011/12/23 18:22:54 | 000,006,124 | -HS- | C] () -- C:\ProgramData\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
[2011/12/23 14:46:09 | 001,182,857 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\CIMG0202.JPG
[2011/12/23 14:46:09 | 001,175,710 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\CIMG0203.JPG
[2011/12/23 14:46:09 | 000,851,457 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\CIMG0205.JPG
[2011/12/23 14:46:09 | 000,843,334 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\CIMG0206.JPG
[2011/12/23 14:46:09 | 000,811,920 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\CIMG0204.JPG
[2011/12/23 14:46:09 | 000,804,873 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\CIMG0207.JPG
[2011/12/18 10:25:09 | 000,007,720 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\430266g8g434x342c241p4vjs8y0
[2011/12/18 10:25:09 | 000,007,720 | -HS- | C] () -- C:\ProgramData\430266g8g434x342c241p4vjs8y0
[2011/12/16 23:12:48 | 000,003,108 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\s4tx87v5rt4vto
[2011/12/16 23:12:48 | 000,003,108 | -HS- | C] () -- C:\ProgramData\s4tx87v5rt4vto
[2011/12/16 16:42:29 | 000,084,520 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\NiceTry.jpg
[2011/12/16 14:39:30 | 000,001,116 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/13 19:52:45 | 000,015,162 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\304740a6t017u215p041i7jpv2k3
[2011/12/13 19:52:45 | 000,015,162 | -HS- | C] () -- C:\ProgramData\304740a6t017u215p041i7jpv2k3
[2011/12/12 10:52:18 | 000,000,512 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\MBR.dat
[2011/12/12 10:02:58 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/12 10:02:58 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/12 10:02:58 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/12 10:02:58 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/12 10:02:58 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/12 09:26:40 | 000,012,440 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\frvivf3i4vur5rmx1wal1i614o0j
[2011/12/12 09:26:40 | 000,012,440 | -HS- | C] () -- C:\ProgramData\frvivf3i4vur5rmx1wal1i614o0j
[2011/12/11 21:19:25 | 002,180,378 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\974817_700b.jpg
[2011/12/11 21:10:44 | 000,049,184 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\963676_460s.jpg
[2011/12/11 21:08:14 | 000,116,323 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\978148_460s.jpg
[2011/12/11 20:51:29 | 000,214,750 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\838153_700b_v1.jpg
[2011/12/10 13:45:59 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\Monopoly City.lnk
[2011/12/08 19:15:05 | 000,000,068 | ---- | C] () -- C:\Users\Ante Koscica\AppData\Roaming\blckdom.res
[2011/12/06 16:11:54 | 000,012,076 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\105818a8j030q312r082c0vio3s4
[2011/12/06 16:11:54 | 000,012,076 | -HS- | C] () -- C:\ProgramData\105818a8j030q312r082c0vio3s4
[2011/12/06 13:14:57 | 000,077,824 | ---- | C] () -- C:\Windows\SysWow64\vorbisfile.dll
[2011/12/04 20:07:56 | 000,015,414 | -HS- | C] () -- C:\Users\Ante Koscica\AppData\Local\6m87wd2e03u886
[2011/12/04 20:07:56 | 000,015,414 | -HS- | C] () -- C:\ProgramData\6m87wd2e03u886
[2011/12/03 19:27:06 | 000,116,224 | ---- | C] () -- C:\Windows\SysWow64\7XMWv.com_
[2011/12/03 18:28:25 | 000,000,001 | ---- | C] () -- C:\Windows\SysWow64\7XMWv.com.b
[2011/12/03 14:50:11 | 000,022,872 | ---- | C] () -- C:\Windows\SysNative\RegistryDefragBootTime.exe
[2011/11/27 19:11:33 | 002,390,779 | ---- | C] () -- C:\Users\Ante Koscica\Desktop\Data.hpk
[2011/11/15 19:49:01 | 000,000,112 | ---- | C] () -- C:\ProgramData\mXSYmh3.dat
[2011/09/23 20:45:40 | 000,000,534 | ---- | C] () -- C:\Windows\eReg.dat
[2011/08/21 15:45:02 | 000,000,155 | ---- | C] () -- C:\Windows\GKLauncherInfo.ini
[2011/07/31 22:55:39 | 000,270,240 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/07/31 22:55:38 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/07/22 11:47:45 | 000,051,270 | ---- | C] () -- C:\Users\Ante Koscica\AppData\Roaming\room_v3.dat
[2011/07/20 13:21:24 | 000,000,032 | R--- | C] () -- C:\ProgramData\hash.dat
[2011/05/23 14:56:17 | 000,772,430 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/05/20 21:31:00 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/05/18 18:03:07 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/05/18 17:13:53 | 000,206,208 | ---- | C] () -- C:\Windows\PLFSetI.exe
[2011/05/18 17:13:53 | 000,000,637 | ---- | C] () -- C:\Windows\AutoSetFrequency.ini
[2011/05/18 17:13:53 | 000,000,378 | ---- | C] () -- C:\Windows\PidList.ini
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2010/04/29 23:09:45 | 000,870,544 | ---- | C] () -- C:\Windows\SysWow64\igkrng575.bin
[2010/04/29 23:09:45 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/04/29 23:09:45 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2010/04/29 23:09:44 | 000,051,068 | ---- | C] () -- C:\Windows\SysWow64\igfcg575m.bin
[2010/04/29 23:09:43 | 000,127,896 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng575.bin
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[1997/06/13 20:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\iyvu9_32.dll

========== LOP Check ==========

[2011/12/03 10:22:23 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\.minecraft
[2011/12/08 20:11:06 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\5053
[2011/05/18 18:34:09 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\acccore
[2011/11/29 18:44:51 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\CorsixTH
[2011/08/12 16:01:57 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\DAEMON Tools Lite
[2011/12/17 13:26:26 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\FileHunter
[2011/10/02 08:44:22 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\GameRanger
[2011/08/19 10:23:20 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\go
[2011/12/02 20:15:22 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Grand Ages Rome
[2011/07/22 11:28:33 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\ijjigame
[2011/12/03 14:19:34 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\IObit
[2011/12/08 19:14:51 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\kock
[2011/10/19 15:46:35 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Mount&Blade Warband
[2011/10/19 11:44:31 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Mount&Blade With Fire and Sword
[2011/10/09 19:21:06 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Need for Speed World
[2011/06/05 16:38:24 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\NeopleLauncherDFO
[2011/07/28 22:50:03 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\ooVoo Details
[2011/08/05 11:03:35 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\OpenCandy
[2011/10/23 17:55:33 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Opera
[2011/09/04 15:22:26 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Packard Bell
[2011/12/10 13:46:37 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Pogo
[2011/10/03 12:51:14 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Prism
[2011/08/05 11:06:16 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Publish Providers
[2011/12/01 15:25:04 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Reign of Augustus
[2011/12/06 16:50:10 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Reviversoft
[2011/10/31 19:39:01 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Sierra
[2011/05/20 20:48:58 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\SNS
[2011/08/05 11:06:13 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Sony
[2011/10/20 20:13:09 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Spotify
[2011/12/10 12:28:28 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\SystemRequirementsLab
[2011/08/12 15:59:14 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\TeamViewer
[2011/09/22 15:17:25 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\The Creative Assembly
[2011/08/05 15:30:14 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Unity
[2011/12/18 00:00:00 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\uTorrent
[2011/09/01 11:26:00 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\Virtual City
[2011/12/08 19:14:55 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\xmldm
[2011/09/01 09:27:22 | 000,000,000 | ---D | M] -- C:\Users\Ante Koscica\AppData\Roaming\YoudaGames
[2011/11/14 21:54:56 | 000,032,638 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:F3AB0B43

< End of report >
  • 0

#25
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
OK. You have a combination of at least two infections: ZeroAccess and FakeAV. The FakeAV modifies the registry so that most .exe files do not work.


Shut off Hibernation:
right-click the desktop and click on "properties".
click the screen saver tab.
click the power settings button
in the power options properties dialog box click the hibernate tab.
uncheck the enable hibernation check box.
click OK then click OK again



Now that hibernation is disabled you may check the root directory of your hard drive to see if a file named hiberfil.sys exists. If you find it delete it. If you can't delete it then you may have to restart your computer first.


See if you can download FixNCR.reg

http://download.blee.../reg/FixNCR.reg

Save it to your desktop then right click and MERGE.


You may find that Combofix runs faster and more reliably in Safe Mode with Networking:
(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.) Anytime you reboot MERGE the FixNCR.reg.



Then
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

File::
C:\Users\Ante Koscica\AppData\Local\leo.exe
C:\Users\Ante Koscica\AppData\Local\gss.exe
C:\Users\Ante Koscica\AppData\Local\nql.exe
C:\Users\Ante Koscica\AppData\Local\bmc.exe
C:\Users\Ante Koscica\AppData\Local\llq.exe
C:\Users\Ante Koscica\AppData\Local\637137n7y858v116t034c5egj2p7
C:\ProgramData\637137n7y858v116t034c5egj2p7
C:\Users\Ante Koscica\AppData\Local\ofl8br2sh1704f74n2enxlo7ywh501
C:\ProgramData\ofl8br2sh1704f74n2enxlo7ywh501
C:\Users\Ante Koscica\AppData\Local\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
C:\ProgramData\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
C:\Users\Ante Koscica\AppData\Local\430266g8g434x342c241p4vjs8y0
C:\Users\Ante Koscica\AppData\Local\s4tx87v5rt4vto
C:\ProgramData\s4tx87v5rt4vto
C:\Users\Ante Koscica\AppData\Local\304740a6t017u215p041i7jpv2k3
C:\ProgramData\304740a6t017u215p041i7jpv2k3
C:\Users\Ante Koscica\AppData\Local\frvivf3i4vur5rmx1wal1i614o0j
C:\ProgramData\frvivf3i4vur5rmx1wal1i614o0j
C:\ProgramData\mXSYmh3.dat
C:\Windows\SysWow64\7XMWv.com.b
C:\Users\Ante Koscica\AppData\Roaming\blckdom.res
C:\Users\Ante Koscica\AppData\Local\105818a8j030q312r082c0vio3s4
C:\ProgramData\105818a8j030q312r082c0vio3s4
C:\Users\Ante Koscica\AppData\Local\6m87wd2e03u886
C:\ProgramData\6m87wd2e03u886
C:\Windows\SysWow64\7XMWv.com_
C:\Windows\system32\config\systemprofile\AppData\Local\klartew.dll
C:\Windows\SysNative\roboot64.exe

Folder::
C:\Windows\system64
C:\Users\Ante Koscica\AppData\Roaming\5053
C:\Users\Ante Koscica\AppData\Roaming\xmldm
C:\Users\Ante Koscica\AppData\Roaming\kock
C:\Users\Ante Koscica\AppData\Roaming\Reviversoft
C:\Program Files (x86)\Reviversoft


RootKit::
C:\Users\Ante Koscica\AppData\Local\leo.exe
C:\Users\Ante Koscica\AppData\Local\gss.exe
C:\Users\Ante Koscica\AppData\Local\nql.exe
C:\Users\Ante Koscica\AppData\Local\bmc.exe
C:\Users\Ante Koscica\AppData\Local\llq.exe
C:\Users\Ante Koscica\AppData\Local\637137n7y858v116t034c5egj2p7
C:\ProgramData\637137n7y858v116t034c5egj2p7
C:\Users\Ante Koscica\AppData\Local\ofl8br2sh1704f74n2enxlo7ywh501
C:\ProgramData\ofl8br2sh1704f74n2enxlo7ywh501
C:\Users\Ante Koscica\AppData\Local\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
C:\ProgramData\524v5ot87f87m85221stvy6g42ce1q8i00gmdwq7
C:\Users\Ante Koscica\AppData\Local\430266g8g434x342c241p4vjs8y0
C:\Users\Ante Koscica\AppData\Local\s4tx87v5rt4vto
C:\ProgramData\s4tx87v5rt4vto
C:\Users\Ante Koscica\AppData\Local\304740a6t017u215p041i7jpv2k3
C:\ProgramData\304740a6t017u215p041i7jpv2k3
C:\Users\Ante Koscica\AppData\Local\frvivf3i4vur5rmx1wal1i614o0j
C:\ProgramData\frvivf3i4vur5rmx1wal1i614o0j
C:\ProgramData\mXSYmh3.dat
C:\Windows\SysWow64\7XMWv.com.b
C:\Users\Ante Koscica\AppData\Roaming\blckdom.res
C:\Users\Ante Koscica\AppData\Local\105818a8j030q312r082c0vio3s4
C:\ProgramData\105818a8j030q312r082c0vio3s4
C:\Users\Ante Koscica\AppData\Local\6m87wd2e03u886
C:\ProgramData\6m87wd2e03u886
C:\Windows\SysWow64\7XMWv.com_
C:\Windows\system32\config\systemprofile\AppData\Local\klartew.dll
C:\Windows\SysNative\roboot64.exe


Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\Notify\klartew]

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

Download new TDSSKiller and aswMBR programs and run them as before.

Ron
  • 0
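The two things the log and the reply above point at (an .exe association rerouted through a dropped executable, and hidden+system files with random names dropped in matching pairs under AppData\Local and ProgramData) can be picked out of an OTL-style log mechanically. The script below is an added example for this thread, not code from OTL, ComboFix or the thread's author; the sample lines are constructed to match the shapes in the log (the user name and paths are placeholders), and the helper names (`triage`, `parse_exe_association`, `parse_file_entry`, `looks_random`) are my own.

```python
"""Triage helper for OTL-style log lines (added example, not part of OTL/ComboFix).

It recognises two line shapes from the log:
  O37 - HKCU\\...exe [@ = imX] -- "C:\\...\\leo.exe" -a "%1" %* (Company)
  [2011/12/24 14:05:54 | 000,014,816 | -HS- | M] () -- C:\\ProgramData\\637137n7y858...
and flags (a) an .exe/.com open command that is no longer the bare "%1" %*,
(b) hidden+system files with random-looking, extension-less names, and
(c) the same such file dropped at more than one location with identical size.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# The clean shell\open\command for exefile/comfile: run the file itself with its args.
CLEAN_OPEN_COMMAND = '"%1" %*'

ASSOC_RE = re.compile(
    r'^O37(?::64bit:)? - (?P<hive>HK\w+)\\\.\.\.(?P<ext>\w+) '
    r'\[@ = (?P<progid>[^\]]+)\] -- (?P<cmd>.+?)(?: \((?P<company>[^()]*)\))?$'
)
# attrs are four flag positions: R(ead-only) H(idden) S(ystem) D(irectory), '-' when unset
FILE_RE = re.compile(
    r'^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| '
    r'(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^()]*)\) )?-- (?P<path>.+)$'
)
# extension-less, at least 12 chars, mixes letters and digits
RANDOM_NAME_RE = re.compile(r'^(?=.*[a-z])(?=.*\d)[a-z0-9]{12,}$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    path: str
    detail: str


def parse_exe_association(line):
    """Return a Finding if an O37 line routes .exe/.com launches through another program."""
    m = ASSOC_RE.match(line.strip())
    if not m or m['ext'].lower() not in ('exe', 'com'):
        return None
    if m['cmd'] == CLEAN_OPEN_COMMAND:
        return None
    return Finding('exe-association-hijack', m['cmd'],
                   f"{m['hive']} .{m['ext']} (ProgID {m['progid']}) launches every "
                   f".{m['ext']} through this command instead of the program itself")


def parse_file_entry(line):
    """Parse a [date | size | attrs | C/M] (company) -- path line into a dict, or None."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    attrs = m['attrs']
    return {
        'path': m['path'],
        'size': int(m['size'].replace(',', '')),
        'hidden': attrs[1] == 'H',
        'system': attrs[2] == 'S',
        'directory': attrs[3] == 'D',
        'company': (m['company'] or '').strip(),
    }


def looks_random(basename):
    return RANDOM_NAME_RE.match(basename) is not None


def triage(log_text):
    """Run all checks over a whole log; Findings come back in log order, pairs last."""
    findings, seen = [], set()
    drops = defaultdict(set)  # (lowercased name, size) -> full paths it was seen at
    for line in log_text.splitlines():
        hit = parse_exe_association(line)
        if hit:
            findings.append(hit)
            continue
        entry = parse_file_entry(line)
        if entry is None or entry['directory']:
            continue
        name = entry['path'].rsplit('\\', 1)[-1]
        if entry['hidden'] and entry['system'] and looks_random(name):
            drops[(name.lower(), entry['size'])].add(entry['path'])
            if entry['path'].lower() not in seen:  # same file appears in Created and Modified
                seen.add(entry['path'].lower())
                findings.append(Finding('hidden-random-file', entry['path'],
                                        f"hidden+system file, {entry['size']} bytes, no publisher"))
    for (name, size), paths in drops.items():
        if len(paths) > 1:
            findings.append(Finding('paired-drop', ' | '.join(sorted(paths)),
                                    f"'{name}' ({size} bytes) dropped at {len(paths)} locations"))
    return findings


# Constructed sample in the shape of the OTL output above; names/paths are placeholders.
SAMPLE_LOG = r"""
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKCU\...exe [@ = imX] -- "C:\Users\someone\AppData\Local\leo.exe" -a "%1" %* (Microsoft Corporation)
[2011/12/24 14:05:54 | 000,014,816 | -HS- | M] () -- C:\Users\someone\AppData\Local\637137n7y858v116t034c5egj2p7
[2011/12/24 14:05:54 | 000,014,816 | -HS- | M] () -- C:\ProgramData\637137n7y858v116t034c5egj2p7
[2011/12/23 21:06:10 | 000,014,816 | -HS- | C] () -- C:\ProgramData\637137n7y858v116t034c5egj2p7
[2011/12/21 20:40:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/16 16:42:49 | 000,084,520 | ---- | M] () -- C:\Users\someone\Desktop\NiceTry.jpg
[2011/12/16 23:12:59 | 000,000,000 | ---D | C] -- C:\Windows\system64
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}\n    {f.detail}")
```

On the sample it reports one hijacked .exe association (the HKCU entry; the HKLM ones are clean), two hidden+system random-named files, and one paired drop, while bootstat.dat, the .jpg and the directory entry are ignored. The heuristics are deliberately narrow: a hit is a reason to look at a file in a real scan, not proof on its own.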



#26
Garlet01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
I have a problem finding the disable hibernation thing,
and what do you mean by check the root directory? Is that like seeing where the shortcut goes to?
  • 0

#27
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Root directory is C:\ so we are looking for the file C:\hiberfil.sys. I gave you the XP instructions. Sorry.

Go to http://support.microsoft.com/kb/920730

Click on the Disable hibernation on Windows Fix it.
  • 0

#28
Garlet01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
OK, disabled it and merged the fix, but I got 1 big problem =\ I can't start in safe mode for some reason. Is it OK if I don't use it?
  • 0

#29
RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Good to know. Yes. Start in regular mode.
  • 0

#30
Garlet01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
Another problem: I get a blue screen with an error message when running Combofix.
Want me to do another OTL?
  • 0





