Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

win32.patched hn Trojan/rootkit + possibly others [Solved]


  • This topic is locked This topic is locked

#1
kilkennycat

kilkennycat

    Member

  • Member
  • PipPip
  • 13 posts
Hi there,

I have a laptop running Vista that has been very badly infected by what shows up as win32 patched Hn and Win32/Sirefef.CH trojan

It wouldnt allow us to run any exe files, or access any anti virus or malware software.

I created a second user and managed to get eset online scanner running which detected 13 threats listed as Trojan.win32. Patched.mf, win32, jorik.xtoober, trojan.psw.win32., backdoor.win32.zacess.avy

after scanning I rebooted and logged into the main user, tried to install and run MAMB. it failed again.

I found your thread on malware removal and tried first the exehelper, and rkill which seemed to help a little as I was able to install MAMB on the main user, it found 3 threats one listed as a rootkit, after fixing and rebooting however it now crashes MAMB.

Next I tried VIPERresue which gave me a warning - could not enable root kit engine and crashed halfway through scan.

I really have exhausted my knowledge and ability to get rid of this thing now so would very much appreciate any help and advise.

I have also finally managed to run a completed eset online scanner scan and here is the results -

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Windows\System32\drivers\afd.sys Win32/Sirefef.DA trojan unable to clean
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.CH trojan




the following is the OTL log

OTL logfile created on: 05/01/2012 12:36:38 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = E:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

1.75 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.16% Memory free
3.74 Gb Paging File | 3.02 Gb Available in Paging File | 80.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 103.78 Gb Total Space | 23.64 Gb Free Space | 22.78% Space Free | Partition Type: NTFS
Drive E: | 1.85 Gb Total Space | 1.64 Gb Free Space | 88.57% Space Free | Partition Type: FAT32

Computer Name: ELLA-PC | User Name: Ella | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/05 11:52:26 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2011/12/24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/06/26 18:09:18 | 000,167,936 | ---- | M] (Applian Technologies, Inc.) -- C:\Program Files\Freecorder\FLVSrvc.exe
PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/11/20 20:56:07 | 000,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/07/25 17:45:38 | 000,643,072 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\Realtek Semiconductor Corp\Realtek Card Reader Monitor\CardReaderMonitor.exe


========== Modules (No Company Name) ==========

MOD - [2009/11/03 15:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/11/03 15:51:26 | 000,039,712 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll
MOD - [2009/04/11 06:28:22 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/04 15:15:40 | 000,532,480 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\dlcfcoms.exe -- (dlcf_device)
SRV - [2012/01/04 15:15:12 | 000,049,152 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\sdpasvc.exe -- (SDPASVC)
SRV - [2012/01/04 14:40:37 | 000,049,152 | ---- | M] () [Auto | Stopped] -- C:\Program Files\CNC\SD-JukeboxV2\sdjbmgr.exe -- (SDJB Manager)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)


========== Driver Services (SafeList) ==========

DRV - [2012/01/04 16:33:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\00961993.sys -- (00961993)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/09/10 12:55:58 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/07/24 13:51:38 | 000,101,248 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/04/11 04:46:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2007/11/14 15:20:08 | 000,020,936 | ---- | M] (MIDIMAN) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usb22ldr.sys -- (USB22LDR)
DRV - [2007/11/14 15:20:04 | 000,031,752 | ---- | M] (M-Audio) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MA_CMIDI.SYS -- (MA_CMIDI)
DRV - [2007/11/05 11:59:10 | 000,182,272 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2007/10/05 22:59:40 | 000,288,256 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2007/09/19 12:05:00 | 007,626,400 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/07 11:34:38 | 000,943,016 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vm331avs.sys -- (vm331avs)
DRV - [2007/03/06 05:15:58 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/02/16 00:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007/01/04 11:15:08 | 000,009,336 | ---- | M] (http://www.internals.com) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\WinIo.sys -- (WINIO)
DRV - [1999/09/10 11:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\Windows\System32\drivers\ASPI32.SYS -- (ASPI32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.c...earch.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...earch.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
IE - HKLM\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre2.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files\FreeSoundRecorder\prxtbFre0.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {3303e956-2a3a-48e0-be39-2e0ef11a2f44} - C:\Program Files\Power_Karaoke\tbPowe.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files\NCH_EN\prxtbNCH_.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.co...w.facebook.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT2704262
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre2.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files\FreeSoundRecorder\prxtbFre0.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {3303e956-2a3a-48e0-be39-2e0ef11a2f44} - C:\Program Files\Power_Karaoke\tbPowe.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files\NCH_EN\prxtbNCH_.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Users\Ella\Pictures\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Users\Ella\Pictures\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Users\Ella\Pictures\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)


[2010/09/03 18:15:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/16 14:34:09 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/12 13:01:54 | 000,002,476 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml

O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre2.dll (Conduit Ltd.)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files\FreeSoundRecorder\prxtbFre0.dll (Conduit Ltd.)
O2 - BHO: (Power Karaoke Toolbar) - {3303e956-2a3a-48e0-be39-2e0ef11a2f44} - C:\Program Files\Power_Karaoke\tbPowe.dll (Conduit Ltd.)
O2 - BHO: (NCH EN Toolbar) - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files\NCH_EN\prxtbNCH_.dll (Conduit Ltd.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files\FreeSoundRecorder\prxtbFre0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Power Karaoke Toolbar) - {3303e956-2a3a-48e0-be39-2e0ef11a2f44} - C:\Program Files\Power_Karaoke\tbPowe.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (NCH EN Toolbar) - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files\NCH_EN\prxtbNCH_.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Freecorder Toolbar) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files\Freecorder\prxtbFre2.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (FreeSoundRecorder Toolbar) - {32B29DF0-2237-4370-9A29-37CEBB730E9B} - C:\Program Files\FreeSoundRecorder\prxtbFre0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Power Karaoke Toolbar) - {3303E956-2A3A-48E0-BE39-2E0EF11A2F44} - C:\Program Files\Power_Karaoke\tbPowe.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (NCH EN Toolbar) - {37483B40-C254-4A72-BDA4-22EE90182C1E} - C:\Program Files\NCH_EN\prxtbNCH_.dll (Conduit Ltd.)
O4 - HKLM..\Run: [CardReaderMonitor] C:\Program Files\Realtek Semiconductor Corp\Realtek Card Reader Monitor\CardReaderMonitor.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DLCFCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.DLL ()
O4 - HKLM..\Run: [Freecorder FLV Service] C:\Program Files\Freecorder\FLVSrvc.exe (Applian Technologies, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe ( )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{043BB8E8-70A0-4C66-993B-AFA1BEF1F80D}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CEE08E6A-C23A-4E72-82D6-CF5B8E8034F4}: DhcpNameServer = 192.168.0.1
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -Explorer.exe ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Ella\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ella\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{2ea6f88a-4f5e-11dd-9537-0015af6e8533}\Shell - "" = AutoRun
O33 - MountPoints2\{2ea6f88a-4f5e-11dd-9537-0015af6e8533}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{7cc4c3dc-3eb2-11dd-918a-0015af6e8533}\Shell - "" = AutoRun
O33 - MountPoints2\{7cc4c3dc-3eb2-11dd-918a-0015af6e8533}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{852cfb9a-1937-11dd-8bec-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{852cfb9a-1937-11dd-8bec-806e6f6e6963}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{90ada5c8-b797-11df-94ca-0015af6e8533}\Shell - "" = AutoRun
O33 - MountPoints2\{90ada5c8-b797-11df-94ca-0015af6e8533}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{90ada5ee-b797-11df-94ca-0015af6e8533}\Shell - "" = AutoRun
O33 - MountPoints2\{90ada5ee-b797-11df-94ca-0015af6e8533}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{be7efa04-153c-11dd-bd3c-0015af6e8533}\Shell - "" = AutoRun
O33 - MountPoints2\{be7efa04-153c-11dd-bd3c-0015af6e8533}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\Windows\System32\
[2012/01/05 09:55:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/05 09:55:16 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/04 17:08:30 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\00961993.sys
[2012/01/04 13:33:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/01/04 13:29:37 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/01/04 13:01:17 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/03 20:27:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/01/03 20:05:24 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2012/01/03 20:00:54 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2012/01/02 22:11:59 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/01/02 22:08:08 | 000,000,000 | -HSD | C] -- C:\Users\Ella\AppData\Local\37a96981
[2011/12/20 16:41:03 | 002,043,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/12/20 16:40:59 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/12/20 16:40:58 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/12/20 16:40:55 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/12/20 16:40:52 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2011/12/20 16:40:21 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2011/12/20 16:39:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/12/20 16:38:56 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/12/20 16:38:46 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/12/20 16:38:46 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/12/20 16:38:45 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/12/20 16:38:45 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/12/20 16:38:45 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/12/20 16:38:44 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/12/20 16:38:44 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/12/20 16:38:44 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/12/20 16:38:43 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/12/20 16:38:43 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/12/20 16:38:42 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/12/20 16:38:42 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/12/20 16:38:42 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/12/20 16:38:42 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/12/20 16:38:41 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/12/20 16:38:41 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2008/01/16 14:24:49 | 000,131,072 | ---- | C] ( ) -- C:\Windows\vm331Rmv.exe
[2006/11/01 21:15:50 | 000,385,928 | ---- | C] ( ) -- C:\Windows\System32\dlcfih.exe
[2006/11/01 21:15:48 | 000,381,832 | ---- | C] ( ) -- C:\Windows\System32\dlcfcfg.exe
[2006/10/11 17:01:40 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\dlcfpmui.dll
[2006/10/11 16:59:56 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\dlcfserv.dll
[2006/10/11 16:54:10 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\dlcfcomm.dll
[2006/10/11 16:52:34 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\dlcflmpm.dll
[2006/10/11 16:51:16 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\dlcfiesc.dll
[2006/10/11 16:48:58 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\dlcfpplc.dll
[2006/10/11 16:48:14 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\dlcfcomc.dll
[2006/10/11 16:47:42 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\dlcfprox.dll
[2006/10/11 16:41:42 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\dlcfinpa.dll
[2006/10/11 16:41:04 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\dlcfusb1.dll
[2006/10/11 16:37:14 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\dlcfhbn3.dll
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\Windows\System32\
[2012/01/05 12:35:23 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{8AF5E251-A4AD-44D2-B556-9E8B8E0EDAB4}.job
[2012/01/05 12:34:16 | 000,027,240 | ---- | M] () -- C:\Users\Ella\AppData\Roaming\nvModes.001
[2012/01/05 12:34:06 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/05 12:33:36 | 000,608,706 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/05 12:33:36 | 000,109,542 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/05 12:30:00 | 000,000,338 | ---- | M] () -- C:\Windows\tasks\Recovery DVD Creator.job
[2012/01/05 12:21:48 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/05 12:21:48 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/05 12:21:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/05 11:49:07 | 000,000,000 | ---- | M] () -- C:\Windows\System32\SBRC.dat
[2012/01/05 11:08:01 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/05 09:55:25 | 000,000,909 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/04 17:35:03 | 295,024,791 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/04 16:33:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\00961993.sys
[2012/01/04 15:15:40 | 000,532,480 | ---- | M] () -- C:\Windows\System32\dlcfcoms.exe
[2012/01/04 15:15:12 | 000,049,152 | ---- | M] () -- C:\Windows\System32\sdpasvc.exe
[2012/01/03 20:27:52 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/01/03 19:42:50 | 000,010,874 | -HS- | M] () -- C:\Users\Ella\AppData\Local\72x46sy148rwfnw18g1nu7d4lya5y1ibrwps8w2q1d282
[2012/01/03 19:42:50 | 000,010,874 | -HS- | M] () -- C:\ProgramData\72x46sy148rwfnw18g1nu7d4lya5y1ibrwps8w2q1d282
[2012/01/03 19:39:16 | 000,027,240 | ---- | M] () -- C:\Users\Ella\AppData\Roaming\nvModes.dat
[2012/01/01 20:44:54 | 000,057,856 | ---- | M] () -- C:\Users\Ella\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/25 21:01:14 | 000,002,377 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/12/22 16:39:54 | 000,339,816 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/07 21:45:34 | 000,027,648 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Marys Boy Child.wps
[2011/12/07 21:45:34 | 000,005,612 | ---- | M] () -- C:\Users\Ella\AppData\Roaming\wklnhst.dat
[2011/12/07 21:33:11 | 000,010,240 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Christmas.wps
[2011/12/07 21:28:20 | 000,010,240 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Silent Night.wps
[2011/12/07 21:24:37 | 000,009,216 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\White Christmas.wps
[2011/12/07 21:21:10 | 000,009,216 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Jingle Bells.wps
[2011/12/07 21:17:56 | 000,010,752 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Winter Wonderland.wps
[2011/12/07 21:14:24 | 000,009,728 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Rudolph The Red Nosed Reindeer.wps
[2011/12/07 21:06:35 | 000,010,240 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Santa laus Is Coming To Town.wps
[2011/12/07 21:00:53 | 000,009,728 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\I Saw Mommy Kissing Santa Claus.wps
[2011/12/07 20:54:51 | 000,010,240 | ---- | M] () -- C:\Users\Ella\Desktop\Documents\Rocking Around The Christmas Tree.wps
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/05 11:49:07 | 000,000,000 | ---- | C] () -- C:\Windows\System32\SBRC.dat
[2012/01/05 09:55:25 | 000,000,909 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/04 13:29:28 | 295,024,791 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/01/02 22:08:28 | 000,010,874 | -HS- | C] () -- C:\Users\Ella\AppData\Local\72x46sy148rwfnw18g1nu7d4lya5y1ibrwps8w2q1d282
[2012/01/02 22:08:28 | 000,010,874 | -HS- | C] () -- C:\ProgramData\72x46sy148rwfnw18g1nu7d4lya5y1ibrwps8w2q1d282
[2011/12/07 21:44:32 | 000,027,648 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Marys Boy Child.wps
[2011/12/07 21:33:07 | 000,010,240 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Christmas.wps
[2011/12/07 21:28:20 | 000,010,240 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Silent Night.wps
[2011/12/07 21:24:37 | 000,009,216 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\White Christmas.wps
[2011/12/07 21:21:09 | 000,009,216 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Jingle Bells.wps
[2011/12/07 21:17:49 | 000,010,752 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Winter Wonderland.wps
[2011/12/07 21:13:46 | 000,009,728 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Rudolph The Red Nosed Reindeer.wps
[2011/12/07 21:06:35 | 000,010,240 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Santa laus Is Coming To Town.wps
[2011/12/07 20:58:49 | 000,009,728 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\I Saw Mommy Kissing Santa Claus.wps
[2011/12/07 20:54:51 | 000,010,240 | ---- | C] () -- C:\Users\Ella\Desktop\Documents\Rocking Around The Christmas Tree.wps
[2011/10/17 20:27:49 | 000,038,629 | ---- | C] () -- C:\Users\Ella\AppData\Roaming\WavePad.dmp
[2010/11/24 22:37:27 | 000,000,128 | ---- | C] () -- C:\Windows\cdplayer.ini
[2010/09/03 20:19:23 | 000,071,262 | ---- | C] () -- C:\Windows\Huawei ModemsUninstall.exe
[2010/09/03 19:27:50 | 000,000,092 | ---- | C] () -- C:\Users\Ella\AppData\Local\fusioncache.dat
[2010/08/27 14:24:48 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/08/16 15:21:32 | 000,000,045 | ---- | C] () -- C:\Windows\System32\SYNSOPOS.exe.cfg
[2010/08/16 15:05:46 | 000,002,892 | ---- | C] () -- C:\Windows\System32\audcon.sys
[2010/08/16 15:03:38 | 000,086,016 | ---- | C] () -- C:\Windows\System32\SYNSOPOS.exe
[2010/03/06 21:12:34 | 000,000,680 | ---- | C] () -- C:\Users\Ella\AppData\Local\d3d9caps.dat
[2009/09/29 16:00:56 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/29 16:00:55 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/29 15:59:39 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/08/13 19:55:09 | 000,049,152 | ---- | C] () -- C:\Windows\System32\sdpasvc.exe
[2009/08/13 19:55:09 | 000,040,960 | ---- | C] () -- C:\Windows\System32\sdsrvctl.exe
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2008/04/19 23:08:48 | 000,027,240 | ---- | C] () -- C:\Users\Ella\AppData\Roaming\nvModes.001
[2008/04/19 23:03:50 | 000,027,240 | ---- | C] () -- C:\Users\Ella\AppData\Roaming\nvModes.dat
[2008/04/19 22:35:49 | 000,057,856 | ---- | C] () -- C:\Users\Ella\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/19 22:29:07 | 000,005,612 | ---- | C] () -- C:\Users\Ella\AppData\Roaming\wklnhst.dat
[2008/01/16 14:24:49 | 000,001,211 | ---- | C] () -- C:\Windows\vm331Rmv.ini
[2008/01/16 14:22:41 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2007/07/16 10:16:32 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/02/13 07:48:38 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 12:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 12:47:37 | 000,339,816 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 10:33:01 | 000,608,706 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 10:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 10:33:01 | 000,109,542 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 10:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 10:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 08:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 08:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 07:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/01 21:15:50 | 000,532,480 | ---- | C] () -- C:\Windows\System32\dlcfcoms.exe
[2006/10/28 09:31:44 | 000,344,064 | ---- | C] () -- C:\Windows\System32\dlcfcoin.dll
[2006/10/20 12:42:24 | 000,106,496 | ---- | C] () -- C:\Windows\System32\dlcfinsr.dll
[2006/10/20 12:42:18 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dlcfcur.dll
[2006/10/20 12:41:46 | 000,131,072 | ---- | C] () -- C:\Windows\System32\dlcfjswr.dll
[2006/10/20 12:37:22 | 000,221,184 | ---- | C] () -- C:\Windows\System32\dlcfinsb.dll
[2006/10/20 12:37:16 | 000,086,016 | ---- | C] () -- C:\Windows\System32\dlcfcub.dll
[2006/10/20 12:37:00 | 000,073,728 | ---- | C] () -- C:\Windows\System32\dlcfcu.dll
[2006/10/20 12:36:54 | 000,159,744 | ---- | C] () -- C:\Windows\System32\dlcfins.dll
[2006/10/20 12:35:36 | 000,434,176 | ---- | C] () -- C:\Windows\System32\dlcfutil.dll
[2006/09/06 04:27:08 | 000,069,632 | ---- | C] () -- C:\Windows\System32\dlcfcfg.dll
[2005/08/18 05:26:46 | 000,040,960 | ---- | C] () -- C:\Windows\System32\dlcfvs.dll
[1997/06/14 00:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll

========== Files - Unicode (All) ==========
[2011/08/21 21:41:36 | 000,000,000 | ---- | M] ()(C:\Users\Ella\Desktop\??????????????????????????????????) -- C:\Users\Ella\Desktop\㩃啜敳獲䕜汬屡灁䑰瑡屡潒浡湩屧楍牣獯景屴楗摮睯屳潃歯敩屳〸㕖䑍吱琮瑸
[2011/08/21 21:41:36 | 000,000,000 | ---- | C] ()(C:\Users\Ella\Desktop\??????????????????????????????????) -- C:\Users\Ella\Desktop\㩃啜敳獲䕜汬屡灁䑰瑡屡潒浡湩屧楍牣獯景屴楗摮睯屳潃歯敩屳〸㕖䑍吱琮瑸

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\WHEN IRISH EYES ARE SMILING.wav:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\WHAT WOULD YOU DO {F} 1.wav:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Welcome to my world instrumental.mp3:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Unstoppable[2010]DvDrip.avi:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Unknown [2011] DVDRiP.avi:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\The Adjustment Bureau [2011]Dvdrip.avi:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Salt (2010)R5.Noir.avi:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\PICT5626.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\PICT5625.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\PICT5624.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\PICT5623.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Pics:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\New Karaokes Sept 2011:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Hall Pass (2011) DVDRip.avi:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Gnomeo and Juliet (2011) DVDRip.avi:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\Untitled.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\Test.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\Sony:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\PCDJ Recordcase:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\OneNote Notebooks:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\My Google Gadgets:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\Freecorder 4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\Free Sound Recorder:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\BABY:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\ACID Pro 7.0 Projects:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents\135_3593.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Documents:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Backing Tracks:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Ella\Desktop\Baby2:Roxio EMC Stream

< End of report >


edited to Add: have now also sucessfully ran MAMB and it identifies rootkit.0Access .... but seems unable to delete it

Edited by kilkennycat, 05 January 2012 - 01:26 PM.

  • 0

Advertisements


#2
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Geeks to Go. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Vista Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.

The Operating System in use comes with a inbuilt utility called User Access Control(UAC) when prompted by this with anything I ask you to do carry out please select the option Allow.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Right-click the aswMBR.exe and select Run as Administrator to run it
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat(or similir) do not delete this for now it is a actual backup of the MBR(master boot record).

Re-scan with OTL:

Please delete your current version of OTL and all logs, then download OTL and save it to your Desktop.

Alternate downloads are here and here.

  • Right-click on OTL.exe and select Run as Administrator to start OTL.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • aswMBR Log.
  • Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.

  • 0

#3
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Dakeyras, and thank you for your help in advance.

I will back up the personal files right now and get back to you with the logs you requested as soon as possible

Cat
  • 0

#4
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
OK and you're most welcome! :)
  • 0

#5
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
of course I should have asked what is safest way to back up the files without passing the infection on ?

I do have an external HDD would it be safe to just moves pics and music onto there ?
  • 0

#6
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts

I do have an external HDD would it be safe to just moves pics and music onto there ?

Aye those mentioned should be fine to do so for the time being...then once I deem your machine is clean we can actually scan the aforementioned drive as a precuation etc. :)

Also please carry out the below:-

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
  • Use the default install settings but say No to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Scan with GMER:

Please download GMER Rootkit Scanner from here.

  • Right-click on the the .exe file and select Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Posted Image

    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

Next:

When completed above post the requested OTL logs, the GMER log and update and we will go from there, thank you.
  • 0

#7
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I have yet to backup the registry but wanted to post results of first two scans you requested.

Neither OTL nor aswMBR would run on the main( infected ) user

so I tried on the second user which I had been able to use to run otl before, however immediately I chose 'run as administrator' a little icon like that for 'sharing' ( two people ) appears on the exe's on the desktop and Im told I need permission, it will not even let me delete them.

I created a 3rd new user and copied aswMBR and OTL onto that destop and managed to get aswMBR to run a scan

the following is the result :

swMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-09 16:57:22
-----------------------------
16:57:22.271 OS Version: Windows 6.0.6002 Service Pack 2
16:57:22.271 Number of processors: 2 586 0x6802
16:57:22.271 ComputerName: ELLA-PC UserName:
16:57:40.006 Initialize success
16:57:46.582 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
16:57:46.598 Disk 0 Vendor: ST9120822AS 3.ALC Size: 114473MB BusType: 3
16:57:46.879 Disk 0 MBR read successfully
16:57:46.894 Disk 0 MBR scan
16:57:46.910 Disk 0 Windows VISTA default MBR code
16:57:46.972 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 8197 MB offset 63
16:57:46.988 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 106275 MB offset 16787925
16:57:47.004 Disk 0 scanning sectors +234439600
16:57:47.175 Disk 0 scanning C:\Windows\system32\drivers
16:57:53.680 File: C:\Windows\system32\drivers\dfsc.sys **SUSPICIOUS**
16:58:11.496 Disk 0 trace - called modules:
16:58:11.511 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86dda4a0]<<
16:58:11.527 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8545bac8]
16:58:11.527 3 CLASSPNP.SYS[879a58b3] -> nt!IofCallDriver -> [0x86ca2ef8]
16:58:12.042 \Driver\00000904[0x86c9ae30] -> IRP_MJ_CREATE -> 0x86dda4a0
16:58:12.042 Scan finished successfully
16:58:24.475 Disk 0 MBR has been saved successfully to "C:\Users\virusfixer\Documents\MBR.dat"
16:58:24.475 The log file has been saved successfully to "C:\Users\virusfixer\Documents\aswMBR.txt"
16:58:52.315 Disk 0 MBR has been saved successfully to "C:\Users\virusfixer\Desktop\MBR.dat"
16:58:52.331 The log file has been saved successfully to "C:\Users\virusfixer\Desktop\aswMBR.txt"




I have been unable to run OTL, each time the virus takes control of it and stops it running changing the icon to a shared one and then not even me allow to delete it.
The same thing happens with the.com and.scr options, immediately after I press 'run scan' the icons change to show the 'shared' people icon and they stop working.

I am running in normal mode atm, should I be trying to run them in safe mode ?

updated to add : I managed to backup the registry but when I tried to run GMER it immediately crashes and presents yet again with the little icon.

Edited by kilkennycat, 09 January 2012 - 11:33 AM.

  • 0

#8
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

I am running in normal mode atm, should I be trying to run them in safe mode ?

No need.

updated to add : I managed to backup the registry but when I tried to run GMER it immediately crashes and presents yet again with the little icon.

OK and thanks for the feedback.

Download/run Rkill:

Please download Rkill from one of the following links and save to your Desktop:

(If one fails to work delete it and download/try another):

One, Two,Three, Four or Five

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

  • Right-click on Rkill and select Run as Administrator.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: A logfile will have been created, it can be located at the root of your installed Hard-Drive. EG: C:\rkill.txt. I do not need to review the log at this time though.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.

  • 0

#9
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi,

I managed to run rkill and it saved a log

just as I hit enter for it to run I received a pop up saying mAMB had stopped working so i clicked ok and got a popup saying "To help protect you Data execution prevention has disabled MAMB ... followed by another error " [Open Event] Failed to performed desired action. Error Code: 2"

ignoring all of that I moved combofix over and start to run and get a message warning me that microsoft security essential antivirus and antimalware are runnng and need to be switched off before running pressing ok -

to the best of my knowledge MSE is not even installed on this laptop, and no search finds it for me to disable ( certainly not running in the systray that i can see )

should I continue with the scan anyway and press OK ?


thank you
  • 0

#10
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok ... I accidentally pressed ok while the pc was coming out of hibernation so it ran the scan anyway ... here is the log

ComboFix 12-01-09.07 - virusfixer 10/01/2012 19:16:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.1790.1225 [GMT 0:00]
Running from: E:\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Mozilla Firefox\components\npclntax.xpt
c:\users\Ella\AppData\Roaming\EurekaLog
c:\windows\$NtUninstallKB41431$
c:\windows\$NtUninstallKB41431$\2039265174
c:\windows\$NtUninstallKB41431$\933849473\@
c:\windows\$NtUninstallKB41431$\933849473\L\qnbwvoto
c:\windows\$NtUninstallKB41431$\933849473\loader.tlb
c:\windows\$NtUninstallKB41431$\933849473\U\@00000001
c:\windows\$NtUninstallKB41431$\933849473\U\@000000c0
c:\windows\$NtUninstallKB41431$\933849473\U\@000000cb
c:\windows\$NtUninstallKB41431$\933849473\U\@000000cf
c:\windows\$NtUninstallKB41431$\933849473\U\@80000000
c:\windows\$NtUninstallKB41431$\933849473\U\@800000c0
c:\windows\$NtUninstallKB41431$\933849473\U\@800000cb
c:\windows\$NtUninstallKB41431$\933849473\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\system32\
c:\windows\system32\c_51343.nl_
c:\windows\system32\system
c:\windows\system32\WinIo.sys
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6002.18005_none_1fd1ab49e8ca6ebb\mscorsvw.exe
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\program files\SUPERAntiSpyware\
.
Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy4_!Program Files!Malwarebytes' Anti-Malware!mbamservice.exe
.
Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy4_!Program Files!Malwarebytes' Anti-Malware!mbamservice.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_37a96981
-------\Legacy_WINIO
-------\Service_WINIO
.
.
((((((((((((((((((((((((( Files Created from 2011-12-10 to 2012-01-10 )))))))))))))))))))))))))))))))
.
.
2012-01-10 19:24 . 2012-01-10 19:24 -------- d-----w- c:\users\Ella\AppData\Local\temp
2012-01-10 19:24 . 2012-01-10 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-10 09:14 . 2012-01-10 09:14 -------- d--h--w- c:\windows\PIF
2012-01-09 17:28 . 2012-01-09 17:29 -------- d-----w- c:\program files\ERUNT
2012-01-09 17:07 . 2012-01-09 17:07 -------- d-----w- c:\users\virus2
2012-01-09 16:56 . 2012-01-09 16:56 -------- d-----w- c:\users\virusfixer
2012-01-06 14:01 . 2012-01-06 14:01 -------- d-----w- c:\users\Ella\AppData\Roaming\SUPERAntiSpyware.com
2012-01-06 14:01 . 2012-01-10 19:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-06 14:01 . 2012-01-06 14:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-06 13:56 . 2012-01-06 13:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-06 13:55 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-06 13:27 . 2012-01-06 13:27 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-01-06 12:11 . 2012-01-06 12:11 273408 ----a-w- c:\windows\system32\drivers\afd.sys.vir
2012-01-04 13:33 . 2012-01-04 13:33 -------- d-----w- c:\programdata\Kaspersky Lab
2012-01-04 13:01 . 2012-01-04 13:01 -------- d-----w- c:\program files\ESET
2012-01-03 20:05 . 2012-01-03 20:05 -------- d--h--w- c:\programdata\Common Files
2012-01-03 20:00 . 2012-01-06 13:43 -------- d-----w- c:\programdata\MFAData
2012-01-03 19:43 . 2012-01-03 20:18 -------- d-----w- c:\users\Seamus
2012-01-02 22:11 . 2012-01-02 22:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-02 22:08 . 2012-01-04 13:27 -------- d-sh--w- c:\users\Ella\AppData\Local\37a96981
2011-12-20 16:41 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-20 16:40 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-20 16:40 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-20 16:40 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-20 16:40 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-20 16:40 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-20 16:39 . 2011-11-03 06:22 916992 ----a-w- c:\windows\system32\wininet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 12:11 . 2012-01-06 12:11 273408 ----a-w- c:\windows\system32\drivers\afd.sys.org
2012-01-04 15:15 . 2006-11-01 21:15 532480 ----a-w- c:\windows\system32\dlcfcoms.exe
2012-01-04 15:15 . 2009-08-13 19:55 49152 ----a-w- c:\windows\system32\sdpasvc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Freecorder\prxtbFre2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32b29df0-2237-4370-9a29-37cebb730e9b}]
2011-05-09 09:49 176936 ----a-w- c:\program files\FreeSoundRecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3303e956-2a3a-48e0-be39-2e0ef11a2f44}]
2009-06-16 14:57 2206744 ----a-w- c:\program files\Power_Karaoke\tbPowe.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
2011-01-17 15:54 175912 ----a-w- c:\program files\NCH_EN\prxtbNCH_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3303e956-2a3a-48e0-be39-2e0ef11a2f44}"= "c:\program files\Power_Karaoke\tbPowe.dll" [2009-06-16 2206744]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
"{32b29df0-2237-4370-9a29-37cebb730e9b}"= "c:\program files\FreeSoundRecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3303e956-2a3a-48e0-be39-2e0ef11a2f44}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_CLASSES_ROOT\clsid\{32b29df0-2237-4370-9a29-37cebb730e9b}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-09 845360]
"CardReaderMonitor"="c:\program files\Realtek Semiconductor Corp.\Realtek Card Reader Monitor\CardReaderMonitor.exe" [2007-07-25 643072]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 232184]
"toolbar_eula_launcher"="c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-02-20 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-20 185872]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"DLCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\Seamus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_00961993.lnk - c:\users\virusfixer\AppData\Local\Temp\_uninst_00961993.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3123884431-2446454708-2420171608-1002]
"EnableNotificationsRef"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-01-10 116608]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 22:38]
.
2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 22:38]
.
2012-01-10 c:\windows\Tasks\User_Feed_Synchronization-{8AF5E251-A4AD-44D2-B556-9E8B8E0EDAB4}.job
- c:\windows\system32\msfeedssync.exe [2011-12-20 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=8&key=IESTART
mStart Page = hxxp://uk.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-10 22:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3932)
c:\users\virusfixer\AppData\Local\FLVService\lib\FLVSrvLib.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Realtek Semiconductor Corp\Realtek Card Reader Monitor\CardReaderMonitor.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-10 22:43:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-10 22:43
.
Pre-Run: 29,365,899,264 bytes free
Post-Run: 28,921,335,808 bytes free
.
- - End Of File - - 45FD7DEAED3C05E58D7458022BC05A1A
  • 0

Advertisements


#11
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

to the best of my knowledge MSE is not even installed on this laptop, and no search finds it for me to disable ( certainly not running in the systray that i can see )

Do you actually have a Anti-Virus installed or not?

ok ... I accidentally pressed ok while the pc was coming out of hibernation so it ran the scan anyway

Not a problem.

I see you have been running executables on the E Drive that may be a USB one, not a problem for now but when I give the all clean please move all onto the actual Desktop as they need to be there so can be uninstalled/removed correctly.

Next:

I would also like to see a new list of installed programs, so please do this:

Click on Start(Vista Orb) >> Run... then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Post the contents of that file in your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/ users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan...Click on Scan Now

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan if one is installed!

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Answer to my Anti-Virus query.
  • Add-Remove Programs.txt.
  • ESET Log.

  • 0

#12
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi again ,

Yes I am following your instructions on a clean pc and downloaded exe's to a usb stick, then transferring onto the infected systems desktop to run.

when I went online to download eset a google toolbar was installing itself and 3 others were blanked out and also trying to install

There is no av installed other than windows defender which I cannot get access too.
the exe's I tranferred to desktop which the virus took over are still there and unable to delete without 'permissions'.

the only other software is superantispy and mAMB

mAMB now runs on startup again as was fixed by combofix yesterday.( I haven't touched it except to close it on systray to run eset )

The following is the list of programs files -

ACID Pro 7.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Reader 8.3.1
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Audacity 1.3.13 (Unicode)
Bison WebCam
Bonjour
Canon MP Navigator 3.1
Canon MP140 series
Canon Utilities Easy-LayoutPrint
Canon Utilities Easy-PhotoPrint
CCleaner
Compatibility Pack for the 2007 Office system
Conduit Engine
Conexant HD Audio
Creator 9
eLicenser Control
ERUNT 1.1j
ESET Online Scanner v3
Express Burn Disc Burning Software
Express Rip
Firefox
Flash Player 9 Internet Explorer
ForceHCResetOnResume 1.1.0
Free Sound Recorder v9.2.7
Freecorder
Freecorder Toolbar
FreeSoundRecorder Toolbar
GearDrvs
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Huawei modem
iTunes
KaraFun Player
Karaoke for DirectX (remove only)
Karaoke Island's MP3 karaoke plugin
Karaoke Sound Tools
Lexicon Omega Software (remove only)
Lexicon Pantheon VST Plug-in (remove only)
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Microsoft Works 9 SE


I have run eset online scanner on the infected laptop prior to coming to here for help, when I follow your instructions it tells me antivirus windows defender is running and may interfere ( I have been unable to access windows defender since the virus started )

I carry on with scan and get the following message :

set online scanner has already been run on this computer in the past only files necesary to update to the current version wll be downloaded and then half way through downloading

unexpected error 101

so in some ways its better, in others the virus is still hanging on in there !
  • 0

#13
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi and thanks for the update! :)

Vista Startup Repair:

You will require your Vista DVD for the below...

  • Bootup your computer with the Vista DVD.
  • If not sure how to, a very good tutorial can be read here
  • You will have to answer a few basic questions then select the option Repair your computer
  • At the the System Recovery Options screen click Windows Vista to highlight then Next>
  • You should now see the Searching for Problems...
  • Note: If given the option to Perform a System Restore, do not select and cancel the option.
  • If problems found let Startup Repair complete and follow the prompts.
Download/Install a AV:

Please download the installer for Microsoft Security Essentials to the Desktop.

Right-click on the installer for Microsoft Security Essentials(mseinstall.exe) and select and select Run as Administrator.

Follow the prompts to install >> when asked if you want to turn one the Windows Firewall, agree to this...

Update >> Carry Out a Complete Scan. Have it fix anything it finds.

Note: If anything was removed please make a note of it, to copy anything found/removed:-

Click on Start(Vista Orb) >> Control Panel >> Administrative Tools >> Event Viewer >> Windows Logs >> System

Locate:-

Source= Microsoft Antimalware Event ID=1001 (scan finished)

Next:

Let myself know when completed the above...if any problems encountered and or any further issues, thank you.
  • 0

#14
kilkennycat

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi,

I was afraid this would happen .... we didnt get a windows vista DVD !

We have of course the key that came with the laptop but no DVD's :(.
  • 0

#15
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

I was afraid this would happen .... we didnt get a windows vista DVD !

No problem...

Visit this Microsoft page, then click on How do I use Startup Repair?

Scroll down to:-

If Startup Repair is a preinstalled recovery option on your computer:

And follow the instructions.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP