
RootKit [Solved]


  • This topic is locked

#61
farbar
    Developer
  • Expert
  • 503 posts
The drive letter of your local drive where the operating system is located is probably a drive letter other than C. If you type notepad in the command prompt and press Enter, a Notepad window opens; under File click "Open", then open My Computer and see if you can find out the drive letter of your local drive.

If not please do the following:

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

  • Plug the flashdrive into the infected PC.
  • Enter System Recovery Options.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0

#62
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
Sorry about the silly mistake. Still not working though. This is before the dhcp.reg file.

Farbar Service Scanner Version: 08-05-2012
Ran by Owner (administrator) on 29-05-2012 at 04:02:56
Running from "C:\Users\Owner\Desktop"
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
Unable to retrieve ServiceDll of Dhcp. The value does not exist.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 01:20] - [2011-09-29 10:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-14 15:22] - [2011-03-03 00:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#63
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
After

Farbar Service Scanner Version: 08-05-2012
Ran by Owner (administrator) on 29-05-2012 at 04:08:25
Running from "C:\Users\Owner\Desktop"
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 01:20] - [2011-09-29 10:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-14 15:22] - [2011-03-03 00:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#64
farbar
    Developer
  • Expert
  • 503 posts
Please give me feedback about what you precisely did and if all the steps could be performed without any problem.
  • 0

#65
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
I didn't have any problems, besides that the boot-up speed of my computer had dramatically slowed down. It took a while for me to get into the System Recovery Options. Also, for "A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0xA0", it did not have "TCP/IP" written exactly. One last thing: after the "On the Local Area Connection Properties screen select Internet Protocol Version 4 (TCP/IPv4) and click Uninstall, and then click Yes to the prompt. (You may get notified that a driver is not digitally signed; this is normal.)" step you said it would take some time, but it asked to restart immediately.
  • 0

#66
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
Sorry after looking back it did say TCP/IP.
  • 0

#67
farbar
    Developer
  • Expert
  • 503 posts
Thank you for the feedback, it gives me a better idea about what is going on at the other end.

  • So you could change 0xA0 to 0x80 before installing and uninstalling, and you could change it back to 0xA0 before installing Internet Protocol Version 4 (TCP/IPv4)?
  • After applying dhcp.reg did you restart before running FSS? If not please do so. The Dhcp service that is not running needs a restart to run properly.

  • 0

#68
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
1) Yes, I switched the A to an 8 successfully before installing then uninstalling and had no issues changing it back.
2) After I reinstalled the Internet version 4, I restarted and ran FSS. Then I ran dhcp.reg file successfully, restarted, and then ran FSS again.
  • 0

#69
farbar
    Developer
  • Expert
  • 503 posts
Thanks for the feedback. This has got very complicated, thanks for your patience.

We need a set of logs.

  • Please download the attached file run.zip (210 bytes).
    Unzip it and transfer it to the infected computer.
    Important: Right-click run.bat and select "Run as administrator".
    A command window opens, wait until a log file opens. Please post it to your reply.
  • Please remove your copy of MiniToolBox and download the latest version from http://www.bleepingc...itoolbox/dl/65/
    Run the tool, check "List Winsock Entries" and "List Restore Points". Press "Go" and post the log it makes.
  • Please remove Farbar Service Scanner and download the latest version from http://www.bleepingc...-scanner/dl/62/
    Run it, check all the options, press "Scan" and post the log.
  • Please follow the steps in Post #61 and post the log.

  • 0

#70
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
The service is starting or stopping. Please try again later.

The DNS Client service is starting.
The DNS Client service could not be started.

A system error has occurred.

System error 10107 has occurred.

A system call has failed.

Unable to initialize Windows Sockets interface. General failure.
Unable to initialize Windows Sockets interface. General failure.
  • 0

#71
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
MiniToolBox by Farbar Version: 14-01-2012
Ran by Owner (administrator) on 30-05-2012 at 00:46:13
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
***************************************************************************
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
========================= Restore Points ==================================

04-05-2012 06:33:33 Windows Defender Checkpoint
04-05-2012 08:00:12 Windows Update
04-05-2012 17:46:05 Windows Update
05-05-2012 19:57:52 Restore Operation
06-05-2012 00:57:24 Installed Xirrus Wi-Fi Inspector
06-05-2012 01:28:31 Tweaking.com - Windows Repair
06-05-2012 01:30:57 Tweaking.com - Windows Repair
13-05-2012 22:20:18 Tweaking.com - Windows Repair
17-05-2012 06:17:55 Installed Microsoft Fix it 50199
17-05-2012 06:22:03 Installed Microsoft Fix it 50199
24-05-2012 00:25:13 ComboFix created restore point

**** End of log ****
  • 0

#72
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
Farbar Service Scanner Version: 27-05-2012
Ran by Owner (administrator) on 30-05-2012 at 00:49:15
Running from "C:\Users\Owner\Desktop"
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 01:20] - [2011-09-29 10:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-14 15:22] - [2011-03-03 00:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 18:53] - [2009-07-13 20:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 18:54] - [2009-07-13 20:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 18:23] - [2009-07-13 20:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 18:24] - [2009-07-13 20:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2011-02-08 16:12] - [2010-12-21 00:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 19:15] - [2009-07-13 20:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 18:30] - [2009-07-13 20:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0
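The FSS logs in this thread all show the same picture: Dnscache and Dhcp stopped, localhost blocked, and tcpip.sys and dnsrslvr.dll printed with their details instead of "MD5 is legit" (the run.bat output in post #70, system error 10107, is Winsock's WSASYSCALLFAILURE, which fits). The following is an added example, not FSS's or farbar's code, that extracts exactly those findings from an FSS log; the sample log is constructed from the "before dhcp.reg" output above.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example (not FSS's own code): pulls the security-relevant findings out of
an FSS log of the kind posted in this thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "before dhcp.reg" log posted above.
SAMPLE_LOG = r"""
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
Unable to retrieve ServiceDll of Dhcp. The value does not exist.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 01:20] - [2011-09-29 10:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\svchost.exe => MD5 is legit
"""

STOPPED_RE = re.compile(r"^(\w+) Service is not running\.")
NO_DLL_RE = re.compile(r"^Unable to retrieve ServiceDll of (\w+)\.")
# A file-check line is either "<path> => MD5 is legit" or a bare path whose
# details (timestamps, size, attributes, vendor, MD5) follow on the next line.
FILE_RE = re.compile(r"^([A-Za-z]:\\.+?)( => MD5 is legit)?$")
DETAIL_RE = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - \d+ \S+ (?:\(.*?\) )?([0-9A-Fa-f]{32})$")


@dataclass
class FssFindings:
    stopped: list = field(default_factory=list)           # services FSS reports as not running
    missing_dll: list = field(default_factory=list)       # services whose ServiceDll value is absent
    localhost_blocked: bool = False                       # loopback unusable: TCP/IP or Winsock damaged
    unverified_files: dict = field(default_factory=dict)  # path -> MD5 of files not in the known-good list


def triage_fss(log_text: str) -> FssFindings:
    """Parse the service, connection and file-check sections of an FSS log."""
    findings = FssFindings()
    pending_path = None  # bare path seen on the previous line, awaiting its detail line
    for raw in log_text.splitlines():
        line = raw.strip()
        if pending_path is not None:
            detail = DETAIL_RE.match(line)
            if detail:
                # FSS prints the details instead of "MD5 is legit" when the hash is not in
                # its known-good list; that means "verify by hand", not "malicious".
                findings.unverified_files[pending_path] = detail.group(1).upper()
            pending_path = None
            if detail:
                continue
        if m := STOPPED_RE.match(line):
            findings.stopped.append(m.group(1))
        elif m := NO_DLL_RE.match(line):
            findings.missing_dll.append(m.group(1))
        elif line == "Localhost is blocked.":
            findings.localhost_blocked = True
        elif m := FILE_RE.match(line):
            if m.group(2) is None:
                pending_path = m.group(1)
    return findings


def summarize(findings: FssFindings) -> list:
    """One line per finding, in the order a helper would read them."""
    notes = []
    for svc in findings.stopped:
        extra = " and its ServiceDll value is missing" if svc in findings.missing_dll else ""
        notes.append(f"{svc} is stopped{extra}")
    if findings.localhost_blocked:
        notes.append("localhost is blocked: the TCP/IP or Winsock configuration is broken")
    for path, md5 in findings.unverified_files.items():
        notes.append(f"{path} is not in the scanner's known-good list (MD5 {md5}); compare with a clean copy")
    return notes


if __name__ == "__main__":
    for note in summarize(triage_fss(SAMPLE_LOG)):
        print(note)
```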

#73
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 29-05-2012 02
Ran by SYSTEM at 30-05-2012 01:00:33
Running from E:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background [623960 2009-11-19] (Research In Motion Limited)
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981680 2012-04-04] (Malwarebytes Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKU\Owner\...\Run: [fklogger.exe] C:\Program Files\FKRMonitor\fklogger.exe [514560 2010-02-19] ()
HKU\Owner\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
ShortcutTarget: WDSmartWare.lnk -> C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
Startup: C:\Users\Owner\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

================================ Services (Whitelisted) ==================

3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [253600 2012-03-27] (Adobe Systems Incorporated)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [935208 2009-07-20] (Nero AG)
2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe" [110592 2009-11-13] (WDC)
2 WDSmartWareBackgroundService; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe" [20480 2009-06-16] (Memeo)
2 ac97intc; C:\Windows\System32\WBHWDOCT.dll [x]
2 acnusvc; C:\Windows\System32\marvinbus.dll [x]
2 alertservice; C:\Windows\System32\asp.net_2.0.50727.dll [x]
2 armoucfltr; C:\Windows\System32\hsvcmod.dll [x]
2 aswmon2; C:\Windows\System32\eskerlicensecontrol.dll [x]
2 backupexecnotificationserver; C:\Windows\System32\roxupnpserver.dll [x]
2 cqmgstor; C:\Windows\System32\VRcore.dll [x]
2 CTAudSvcService; C:\Windows\System32\marvinbus.dll [x]
2 CTDevice_Srv; C:\Windows\System32\w200bus.dll [x]
2 CX88ENC; C:\Windows\System32\cfosspeed.dll [x]
2 djsnetcn; C:\Windows\System32\w810obex.dll [x]
2 GoBack2K; C:\Windows\System32\tsscoreservice.dll [x]
2 GVCplDrv; C:\Windows\System32\GTWModem.dll [x]
2 hibernation; C:\Windows\System32\nipsvc.dll [x]
2 LHidFilt; C:\Windows\System32\vgasave.dll [x]
2 MASPINT; C:\Windows\System32\tbhsd.dll [x]
2 mcp; C:\Windows\System32\tvtpktfilter.dll [x]
2 MSFWHLPR; C:\Windows\System32\kservice.dll [x]
2 naveng; C:\Windows\System32\PGPdisk.dll [x]
2 NWHOST; C:\Windows\System32\PhilCam8116_XP.dll [x]
3 OpcEnum; C:\Windows\system32\OpcEnum.exe [x]
2 pdscheduler; C:\Windows\System32\starwindservice.dll [x]
2 pepifilter; C:\Windows\System32\FETNDIS.dll [x]
2 puscsrvc; C:\Windows\System32\W8335XP.dll [x]
2 s117unic; C:\Windows\System32\smservaz.dll [x]
2 snoopfreesvc; C:\Windows\System32\wpdusb.dll [x]
2 SRS_SSCFilter; C:\Windows\System32\NTIDrvr.dll [x]
2 TMBMServer; C:\Windows\System32\USBDeviceService.dll [x]
2 umxfwhlp; C:\Windows\System32\sshrmd.dll [x]
2 W55U01; C:\Windows\System32\fsbwsys.dll [x]
2 websenserealtimeanalyzer; C:\Windows\System32\PBADRV.dll [x]
2 wintab32; C:\Windows\System32\sr_watchdog.dll [x]
2 WLAN_USB; C:\Windows\System32\audstub.dll [x]
2 WmaCDriverV32; C:\Windows\System32\odserv.dll [x]
2 z800bus; C:\Windows\System32\HPFXBULK.dll [x]
2 zpnodecollector; C:\Windows\System32\atikmdag.dll [x]

========================== Drivers (Whitelisted) =============

3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [78336 2009-07-13] (Microsoft Corporation)
3 dmodusb; C:\Windows\System32\DRIVERS\dmodusb.sys [26240 2009-05-11] (Windows ® Codename Longhorn DDK provider)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)
2 XilinxPC4Driver; C:\Windows\System32\drivers\xpc4drvr.sys [16000 2012-01-07] (Xilinx, Inc.)
3 catchme; \??\C:\Users\Owner\AppData\Local\Temp\catchme.sys [x]
3 cpuz132; \??\C:\Users\Owner\AppData\Local\Temp\cpuz132\cpuz132_x32.sys [x]
3 mcdbus; C:\Windows\System32\DRIVERS\mcdbus.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: snoopfreesvc
NETSVC: armoucfltr
NETSVC: ac97intc
NETSVC: GoBack2K
NETSVC: pdscheduler
NETSVC: alertservice
NETSVC: TMBMServer
NETSVC: puscsrvc
NETSVC: zpnodecollector
NETSVC: WLAN_USB
NETSVC: SRS_SSCFilter
NETSVC: acnusvc
NETSVC: MtxDma0
NETSVC: MASPINT
NETSVC: aswmon2
NETSVC: MSFWHLPR
NETSVC: NWHOST
NETSVC: wintab32
NETSVC: hibernation
NETSVC: naveng
NETSVC: mcp
NETSVC: z800bus
NETSVC: s117unic
NETSVC: NdisFilt
NETSVC: GVCplDrv
NETSVC: CX88ENC
NETSVC: LHidFilt
NETSVC: cqmgstor
NETSVC: pepifilter
NETSVC: CTDevice_Srv
NETSVC: backupexecnotificationserver
NETSVC: WmaCDriverV32
NETSVC: websenserealtimeanalyzer
NETSVC: umxfwhlp
NETSVC: W55U01
NETSVC: djsnetcn
NETSVC: CTAudSvcService

============ One Month Created Files and Folders ==============

2012-05-30 01:00 - 2012-05-30 01:00 - 0000000 ____D C:\FRST
2012-05-29 21:46 - 2012-05-29 21:46 - 0002972 ____A C:\Users\Owner\Desktop\Result.txt
2012-05-29 21:39 - 2012-05-29 21:39 - 0000000 ____D C:\Users\Owner\Desktop\1
2012-05-29 21:39 - 2012-05-29 21:36 - 0396465 ____A C:\Users\Owner\Desktop\MiniToolBox.exe
2012-05-29 21:39 - 2012-05-29 21:36 - 0337441 ____A C:\Users\Owner\Desktop\FSS.exe
2012-05-29 21:39 - 2012-05-29 13:02 - 0000161 ____A C:\Users\Owner\Desktop\run.bat
2012-05-29 01:02 - 2012-05-29 21:49 - 0003802 ____A C:\Users\Owner\Desktop\FSS.txt
2012-05-28 23:33 - 2012-05-28 17:18 - 0000274 ____A C:\Users\Owner\Desktop\enable.reg
2012-05-28 23:33 - 2012-05-27 14:30 - 0000356 ____A C:\Users\Owner\Desktop\dhcp.reg
2012-05-23 16:45 - 2012-05-23 16:45 - 0020644 ____A C:\ComboFix.txt
2012-05-23 16:44 - 2012-05-23 16:44 - 0000000 __SHD C:\$RECYCLE.BIN
2012-05-23 16:25 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-05-23 16:25 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-05-23 16:25 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-05-23 16:25 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-05-23 16:25 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-05-23 16:25 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-05-23 16:25 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-05-23 16:25 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-05-23 16:11 - 2012-05-23 16:13 - 0123000 ____A C:\TDSSKiller.2.7.34.0_23.05.2012_19.11.46_log.txt
2012-05-22 10:43 - 2012-05-21 05:30 - 0000061 ____A C:\Users\Owner\Desktop\reset.bat
2012-05-18 01:25 - 2012-05-18 01:25 - 0000000 ____A C:\VEW.txt
2012-05-18 01:12 - 2012-05-18 01:07 - 0061440 ____A ( ) C:\Users\Owner\Desktop\VEW.exe
2012-05-16 22:21 - 2012-05-16 22:16 - 0650240 ____A C:\Users\Owner\Desktop\MicrosoftFixit50199.msi
2012-05-14 00:39 - 2012-05-14 00:39 - 0002102 ____A C:\avenger.txt
2012-05-13 15:05 - 2012-05-13 15:06 - 0000042 ____A C:\repairs_running.dat
2012-05-13 13:57 - 2012-05-13 13:57 - 0002217 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2012-05-13 13:57 - 2012-05-13 13:57 - 0000000 ____D C:\Program Files\Tweaking.com
2012-05-13 13:54 - 2012-05-13 13:49 - 4484304 ____A C:\Users\Owner\Desktop\tweaking.com_windows_repair_aio_setup.exe
2012-05-09 17:55 - 2012-05-14 00:39 - 0000000 ____D C:\Avenger
2012-05-09 17:53 - 2008-05-30 20:09 - 0731136 ____A C:\Users\Owner\Desktop\avenger.exe
2012-05-09 11:37 - 2012-05-09 11:39 - 0125608 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_14.37.29_log.txt
2012-05-09 11:30 - 2012-05-09 11:33 - 0123216 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_14.30.38_log.txt
2012-05-08 15:29 - 2012-05-08 15:29 - 0000560 ____A C:\Users\Owner\Desktop\MBR.zip
2012-05-08 15:24 - 2012-05-08 15:24 - 0000544 ____A C:\Users\Owner\Desktop\MBR.rar
2012-05-08 15:14 - 2012-05-08 14:50 - 4731392 ____A (AVAST Software) C:\Users\Owner\Desktop\aswMBR.exe
2012-05-08 14:54 - 2012-05-08 14:54 - 0000000 ____D C:\_OTL
2012-05-07 17:43 - 2012-05-07 17:42 - 0595456 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe
2012-05-07 12:20 - 2012-05-07 12:20 - 0013152 ____N C:\bootsqm.dat
2012-05-07 12:09 - 2012-05-07 12:09 - 0000000 ____D C:\Users\Owner\Desktop\New folder
2012-05-05 17:26 - 2012-05-13 15:06 - 0000000 ____D C:\Tweaking.com_Windows_Repair_Logs
2012-05-05 16:58 - 2012-05-05 16:58 - 0001224 ____A C:\Users\Public\Desktop\Xirrus Wi-Fi Inspector.lnk
2012-05-05 16:58 - 2012-05-05 16:58 - 0000000 ____D C:\Program Files\Xirrus
2012-05-05 16:57 - 2012-05-05 16:57 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Xirrus
2012-05-05 11:45 - 2012-05-09 11:38 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-05-05 00:14 - 2012-05-23 16:39 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG1
2012-05-04 23:55 - 2011-04-24 19:24 - 0338944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.svs
2012-05-04 23:17 - 2012-05-04 23:18 - 2075184 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Desktop\tdsskiller.exe
2012-05-03 22:33 - 2009-07-13 15:12 - 0074240 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdx.sys
2012-05-03 22:01 - 2012-05-23 16:45 - 0000000 ____D C:\Qoobox
2012-05-03 22:01 - 2012-05-07 12:14 - 0000000 ____D C:\Windows\ERDNT
2012-05-01 21:55 - 2012-05-01 21:55 - 0000000 ____D C:\Users\Owner\AppData\Roaming\XBMC
2012-05-01 21:55 - 2010-05-26 08:41 - 2106216 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
2012-05-01 21:55 - 2010-05-26 08:41 - 1998168 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
2012-05-01 21:53 - 2012-05-01 21:54 - 0000000 ____D C:\Program Files\XBMC
2012-05-01 21:50 - 2012-05-01 21:51 - 52798812 ____A C:\Users\Owner\Downloads\xbmc-11.0.exe

============ 3 Months Modified Files and Folders ===============

2012-05-30 01:00 - 2012-05-30 01:00 - 0000000 ____D C:\FRST
2012-05-29 21:50 - 2009-07-13 20:34 - 0014416 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-29 21:50 - 2009-07-13 20:34 - 0014416 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-29 21:49 - 2012-05-29 01:02 - 0003802 ____A C:\Users\Owner\Desktop\FSS.txt
2012-05-29 21:46 - 2012-05-29 21:46 - 0002972 ____A C:\Users\Owner\Desktop\Result.txt
2012-05-29 21:45 - 2010-02-26 15:59 - 1690862 ____A C:\Windows\WindowsUpdate.log
2012-05-29 21:41 - 2009-07-13 20:39 - 0081547 ____A C:\Windows\setupact.log
2012-05-29 21:40 - 2010-02-26 17:03 - 2327760896 __ASH C:\hiberfil.sys
2012-05-29 21:39 - 2012-05-29 21:39 - 0000000 ____D C:\Users\Owner\Desktop\1
2012-05-29 21:36 - 2012-05-29 21:39 - 0396465 ____A C:\Users\Owner\Desktop\MiniToolBox.exe
2012-05-29 21:36 - 2012-05-29 21:39 - 0337441 ____A C:\Users\Owner\Desktop\FSS.exe
2012-05-29 13:02 - 2012-05-29 21:39 - 0000161 ____A C:\Users\Owner\Desktop\run.bat
2012-05-28 17:18 - 2012-05-28 23:33 - 0000274 ____A C:\Users\Owner\Desktop\enable.reg
2012-05-27 14:30 - 2012-05-28 23:33 - 0000356 ____A C:\Users\Owner\Desktop\dhcp.reg
2012-05-23 16:45 - 2012-05-23 16:45 - 0020644 ____A C:\ComboFix.txt
2012-05-23 16:45 - 2012-05-03 22:01 - 0000000 ____D C:\Qoobox
2012-05-23 16:44 - 2012-05-23 16:44 - 0000000 __SHD C:\$RECYCLE.BIN
2012-05-23 16:39 - 2012-05-05 00:14 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-05-23 16:39 - 2009-07-13 18:04 - 0000215 ____A C:\Windows\system.ini
2012-05-23 16:36 - 2010-03-11 17:00 - 0036714 ____A C:\Windows\PFRO.log
2012-05-23 16:13 - 2012-05-23 16:11 - 0123000 ____A C:\TDSSKiller.2.7.34.0_23.05.2012_19.11.46_log.txt
2012-05-23 09:48 - 2011-02-13 09:34 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2012-05-23 09:47 - 2012-04-13 23:48 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-05-23 09:47 - 2012-04-13 23:48 - 0000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-05-23 09:47 - 2009-07-13 20:53 - 0032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-23 09:47 - 2009-07-13 20:53 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-21 05:30 - 2012-05-22 10:43 - 0000061 ____A C:\Users\Owner\Desktop\reset.bat
2012-05-18 01:25 - 2012-05-18 01:25 - 0000000 ____A C:\VEW.txt
2012-05-18 01:13 - 2010-02-26 15:59 - 0000000 ____D C:\Users\Owner\AppData\Local\VirtualStore
2012-05-18 01:07 - 2012-05-18 01:12 - 0061440 ____A ( ) C:\Users\Owner\Desktop\VEW.exe
2012-05-16 22:16 - 2012-05-16 22:21 - 0650240 ____A C:\Users\Owner\Desktop\MicrosoftFixit50199.msi
2012-05-14 03:52 - 2010-03-28 10:09 - 0000000 ____D C:\users\Guest
2012-05-14 03:52 - 2010-03-08 12:29 - 0000000 ____D C:\Users\Owner\AppData\Local\Microsoft Help
2012-05-14 03:52 - 2010-03-08 12:29 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-14 03:52 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\wfp
2012-05-14 03:52 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\NDF
2012-05-14 03:52 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\DriverStore
2012-05-14 03:51 - 2009-07-13 18:37 - 0000000 __RHD C:\users\Default
2012-05-14 03:51 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\registration
2012-05-14 00:53 - 2010-02-26 15:59 - 0000000 ____D C:\users\Owner
2012-05-14 00:53 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\config\TxR
2012-05-14 00:39 - 2012-05-14 00:39 - 0002102 ____A C:\avenger.txt
2012-05-14 00:39 - 2012-05-09 17:55 - 0000000 ____D C:\Avenger
2012-05-13 15:06 - 2012-05-13 15:05 - 0000042 ____A C:\repairs_running.dat
2012-05-13 15:06 - 2012-05-05 17:26 - 0000000 ____D C:\Tweaking.com_Windows_Repair_Logs
2012-05-13 14:13 - 2011-06-16 09:20 - 0338944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-05-13 13:57 - 2012-05-13 13:57 - 0002217 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2012-05-13 13:57 - 2012-05-13 13:57 - 0000000 ____D C:\Program Files\Tweaking.com
2012-05-13 13:49 - 2012-05-13 13:54 - 4484304 ____A C:\Users\Owner\Desktop\tweaking.com_windows_repair_aio_setup.exe
2012-05-09 11:39 - 2012-05-09 11:37 - 0125608 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_14.37.29_log.txt
2012-05-09 11:38 - 2012-05-05 11:45 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-05-09 11:33 - 2012-05-09 11:30 - 0123216 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_14.30.38_log.txt
2012-05-08 15:29 - 2012-05-08 15:29 - 0000560 ____A C:\Users\Owner\Desktop\MBR.zip
2012-05-08 15:24 - 2012-05-08 15:24 - 0000544 ____A C:\Users\Owner\Desktop\MBR.rar
2012-05-08 14:54 - 2012-05-08 14:54 - 0000000 ____D C:\_OTL
2012-05-08 14:50 - 2012-05-08 15:14 - 4731392 ____A (AVAST Software) C:\Users\Owner\Desktop\aswMBR.exe
2012-05-07 17:42 - 2012-05-07 17:43 - 0595456 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe
2012-05-07 12:20 - 2012-05-07 12:20 - 0013152 ____N C:\bootsqm.dat
2012-05-07 12:15 - 2009-07-13 18:03 - 57094144 ____A C:\Windows\System32\config\software.bak
2012-05-07 12:15 - 2009-07-13 18:03 - 29884416 ____A C:\Windows\System32\config\system.bak
2012-05-07 12:15 - 2009-07-13 18:03 - 0192512 ____A C:\Windows\System32\config\default.bak
2012-05-07 12:15 - 2009-07-13 18:03 - 0057344 ____A C:\Windows\System32\config\sam.bak
2012-05-07 12:15 - 2009-07-13 18:03 - 0028672 ____A C:\Windows\System32\config\security.bak
2012-05-07 12:14 - 2012-05-03 22:01 - 0000000 ____D C:\Windows\ERDNT
2012-05-07 12:09 - 2012-05-07 12:09 - 0000000 ____D C:\Users\Owner\Desktop\New folder
2012-05-06 16:09 - 2010-11-12 22:27 - 0000000 ____D C:\Program Files\Logitech
2012-05-05 17:01 - 2010-02-26 17:11 - 0738704 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-05 16:58 - 2012-05-05 16:58 - 0001224 ____A C:\Users\Public\Desktop\Xirrus Wi-Fi Inspector.lnk
2012-05-05 16:58 - 2012-05-05 16:58 - 0000000 ____D C:\Program Files\Xirrus
2012-05-05 16:57 - 2012-05-05 16:57 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Xirrus
2012-05-05 00:29 - 2009-07-13 18:37 - 0000000 ___RD C:\users\Public
2012-05-04 23:57 - 2012-03-27 17:39 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG1
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG2
2012-05-04 23:56 - 2012-05-04 23:56 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG1
2012-05-04 23:23 - 2010-07-28 21:04 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2100668513-2013100433-1882734447-1000UA.job
2012-05-04 23:18 - 2012-05-04 23:17 - 2075184 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Desktop\tdsskiller.exe
2012-05-04 17:36 - 2010-07-28 21:04 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2100668513-2013100433-1882734447-1000Core.job
2012-05-03 22:39 - 2011-02-13 09:37 - 0000000 ___RD C:\Users\Owner\Dropbox
2012-05-03 21:17 - 2011-08-27 16:42 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Spotify
2012-05-03 19:04 - 2011-08-27 16:42 - 0000000 ____D C:\Users\Owner\AppData\Local\Spotify
2012-05-02 22:52 - 2010-03-23 21:44 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-05-01 21:55 - 2012-05-01 21:55 - 0000000 ____D C:\Users\Owner\AppData\Roaming\XBMC
2012-05-01 21:54 - 2012-05-01 21:53 - 0000000 ____D C:\Program Files\XBMC
2012-05-01 21:51 - 2012-05-01 21:50 - 52798812 ____A C:\Users\Owner\Downloads\xbmc-11.0.exe
2012-04-30 23:05 - 2011-01-31 22:27 - 0000000 ____D C:\Users\Owner\Documents\MATLAB
2012-04-27 02:55 - 2010-03-12 17:48 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Apple Computer
2012-04-26 06:56 - 2010-08-24 09:44 - 0000000 ____D C:\Program Files\Safari
2012-04-25 21:54 - 2012-04-25 21:49 - 0000000 ____D C:\Program Files\iTunes
2012-04-25 21:49 - 2012-04-25 21:49 - 0000000 ____D C:\Program Files\iPod
2012-04-25 21:49 - 2010-03-12 17:46 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-04-20 12:39 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\Microsoft.NET
2012-04-15 09:24 - 2012-04-15 09:24 - 0000000 _RASH C:\MSDOS.SYS
2012-04-15 09:24 - 2012-04-15 09:24 - 0000000 _RASH C:\IO.SYS
2012-04-15 05:04 - 2010-03-13 22:47 - 0000000 ____D C:\Users\Owner\AppData\Roaming\uTorrent
2012-04-14 00:34 - 2012-04-14 00:34 - 0000093 ____A C:\Windows\wininit.ini
2012-04-13 23:47 - 2012-04-13 23:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\Owner\Downloads\spybotsd162.exe
2012-04-11 23:27 - 2012-04-11 23:27 - 0360552 ____A C:\Windows\Minidump\041212-13915-01.dmp
2012-04-11 23:27 - 2010-03-25 21:12 - 0000000 ____D C:\Windows\Minidump
2012-04-11 15:57 - 2012-04-11 15:57 - 0000000 ____D C:\Program Files\Common Files\Java
2012-04-11 15:55 - 2012-04-11 15:55 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-11 15:55 - 2012-04-11 15:55 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-11 15:55 - 2012-04-11 15:55 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-11 15:55 - 2010-12-10 22:28 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-11 08:55 - 2010-03-17 23:29 - 55154568 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-08 20:17 - 2012-04-08 20:17 - 0000258 ____A C:\Windows\ODBC.INI
2012-04-08 19:23 - 2012-04-08 19:23 - 0000000 ____D C:\Windows\System32\mfcdlls
2012-04-08 19:22 - 2012-04-08 19:22 - 0000000 ____D C:\OrCAD
2012-04-08 19:21 - 2010-04-20 23:31 - 0000000 ___HD C:\Program Files\InstallShield Installation Information
2012-04-08 19:17 - 2009-07-13 18:04 - 0017486 ____A C:\Windows\System32\Drivers\etc\services
2012-04-08 19:15 - 2012-04-08 19:15 - 0000000 ____D C:\Program Files\Common Files\Business Objects
2012-04-08 19:15 - 2012-04-08 19:15 - 0000000 ____D C:\Program Files\Business Objects
2012-04-08 19:14 - 2012-04-08 19:14 - 0000000 ____D C:\OrCAD_Data
2012-04-08 19:07 - 2012-04-08 19:07 - 0000000 ____D C:\Cadence
2012-04-08 18:26 - 2012-04-08 18:26 - 0000000 ____D C:\Program Files\OUP
2012-04-08 18:24 - 2012-04-08 18:24 - 9601024 ____A C:\Users\Owner\Downloads\Sedra&Smith-6th-Edition-Simulation-Material.msi
2012-04-04 12:56 - 2012-04-01 21:32 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-03 23:27 - 2010-03-16 21:33 - 0000000 ____D C:\Program Files\Opera
2012-04-03 18:46 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\schemas
2012-04-01 21:49 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\Branding
2012-04-01 21:32 - 2012-04-01 21:32 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.60.1.1000.exe
2012-04-01 12:48 - 2012-04-01 12:48 - 2930923 ____A C:\Users\Owner\Downloads\wins.zip
2012-03-31 01:10 - 2011-11-12 19:25 - 0000000 ____D C:\Windows\Sun
2012-03-31 00:41 - 2012-03-31 00:41 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam--setup-1.60.1.1000.exe
2012-03-28 07:47 - 2009-07-13 18:37 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-03-28 07:45 - 2009-07-13 18:04 - 0000478 ____A C:\Windows\win.ini
2012-03-27 19:13 - 2010-02-26 17:02 - 0000000 ____D C:\Windows\Panther
2012-03-27 19:13 - 2009-07-13 20:34 - 0000000 ____D C:\Windows\ServiceProfiles
2012-03-27 17:39 - 2012-03-27 17:39 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-03-27 17:39 - 2011-05-18 09:59 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-03-27 17:30 - 2010-05-17 19:58 - 0000000 ____D C:\Users\All Users\DivX
2012-03-27 17:30 - 2010-03-12 22:54 - 0000000 ____D C:\Program Files\DivX
2012-03-27 17:29 - 2010-03-12 22:54 - 0000000 ____D C:\Program Files\Common Files\DivX Shared
2012-03-27 16:35 - 2012-03-27 16:34 - 0000000 ____D C:\Users\Owner\Documents\statements
2012-03-22 09:54 - 2009-07-13 20:33 - 0409752 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-12 00:09 - 2012-03-12 00:09 - 0053816 ____A C:\Users\Owner\Downloads\cnene2007_files.txt
2012-03-07 07:58 - 2011-04-04 23:25 - 0000000 ____D C:\Program Files\National Instruments
2012-03-07 07:57 - 2011-04-04 23:21 - 0000000 ____D C:\Users\All Users\National Instruments
2012-03-05 21:59 - 2012-04-11 08:53 - 3958128 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-11 08:53 - 3902320 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-04 22:23 - 2011-12-05 15:30 - 0000000 ____D C:\Users\Owner\Documents\Books
2012-03-04 21:54 - 2012-03-04 20:27 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Xilinx
2012-03-04 21:49 - 2012-03-04 21:01 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Digilent
2012-03-04 21:47 - 2012-03-04 21:45 - 0000000 ____D C:\Program Files\Common Files\Digilent
2012-03-04 21:47 - 2012-03-04 20:39 - 0029354 ____A C:\Windows\DPINST.LOG
2012-03-04 21:47 - 2012-03-04 20:39 - 0000000 ____D C:\Program Files\Digilent
2012-03-04 21:44 - 2012-03-04 21:43 - 21215377 ____A C:\Users\Owner\Downloads\digilent.adept.system_v2.9.4.exe
2012-03-04 20:57 - 2012-03-04 20:55 - 4172310 ____A C:\Users\Owner\Downloads\DigilentAdept_v2-3-0.exe
2012-03-04 20:50 - 2012-03-04 20:49 - 0000000 ____D C:\.Xilinx
2012-03-04 20:42 - 2012-03-04 20:42 - 0000000 ____D C:\Users\Owner\Xilinx
2012-03-04 20:40 - 2012-03-04 20:40 - 0000000 ____D C:\Users\All Users\.cse
2012-03-04 20:32 - 2012-03-04 20:28 - 0000000 ____D C:\Program Files\Zero G Registry
2012-03-04 20:28 - 2012-03-04 20:28 - 0000000 ____D C:\Users\Owner\InstallAnywhere
2012-03-04 18:38 - 2012-03-04 18:38 - 0000000 ____D C:\Xilinx
2012-03-04 16:44 - 2012-03-04 14:34 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Download Manager
2012-03-04 14:21 - 2011-12-09 15:25 - 0000000 ____D C:\Users\Owner\AppData\Local\Deployment

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 2959.9 MB
Available physical RAM: 2255.72 MB
Total Pagefile: 2958.18 MB
Available Pagefile: 2260.98 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:119.14 GB) (Free:18.7 GB) NTFS
2 Drive e: () (Removable) (Total:3.67 GB) (Free:2.82 GB) FAT32
3 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
4 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          119 GB      0 B
Disk 1    Online         3768 MB      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            100 MB  1024 KB
Partition 2    Primary            119 GB   101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0   Y   System Rese  NTFS   Partition    100 MB  Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1   C                NTFS   Partition    119 GB  Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           3764 MB  4096 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2   E                FAT32  Removable   3764 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-31 18:31

======================= End Of Log ==========================
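A small triage helper for the FRST "One Month Modified" listing above, added here as an example (it is not FRST's own code): it parses the `<modified> - <created> - <size> <attrs> (<company>) <path>` line format and flags files under System32 that changed shortly before the scan or carry no publisher/version information. The scan date (2012-05-24), the 14-day window and the `example.sys` line are assumptions; the other sample lines are copied from the log.

```python
"""Triage of FRST's 'One Month Modified' file listing (added example, not FRST's own code)."""
import re
from datetime import datetime

# One listing line: "<modified> - <created> - <size> <attrs> [(<company>)] <path>"
LINE_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5})"
    r"(?: \((?P<company>[^)]*)\))? (?P<path>.+)$"
)
SYSTEM_PREFIX = "c:\\windows\\system32\\"  # covers System32 and System32\Drivers
SCAN_DATE = datetime(2012, 5, 24)  # assumed date of the scan

# Lines copied from the log above, plus one constructed entry (example.sys).
SAMPLE = r"""
2012-05-13 14:13 - 2011-06-16 09:20 - 0338944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-04-04 12:56 - 2012-04-01 21:32 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-05-23 09:48 - 2011-02-13 09:34 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2012-05-18 01:07 - 2012-05-18 01:12 - 0061440 ____A ( ) C:\Users\Owner\Desktop\VEW.exe
2012-05-22 03:10 - 2012-05-22 03:10 - 0045056 ____A C:\Windows\System32\Drivers\example.sys
""".strip().splitlines()

def parse_line(line):
    """Return a dict for one listing line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["mod"] = datetime.strptime(d["mod"], "%Y-%m-%d %H:%M")
    d["cre"] = datetime.strptime(d["cre"], "%Y-%m-%d %H:%M")
    d["size"] = int(d["size"])
    d["is_dir"] = "D" in d["attrs"]  # the attribute string carries D for directories
    d["company"] = (d["company"] or "").strip() or None  # "( )" means no version info
    return d

def triage(lines, scan_date, window_days=14):
    """Flag files under System32 that changed shortly before the scan or carry no
    publisher/version information. Returns a list of (path, [reasons])."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["is_dir"] or not e["path"].lower().startswith(SYSTEM_PREFIX):
            continue
        reasons = []
        age = (scan_date - e["mod"]).days
        if 0 <= age <= window_days:
            reasons.append(f"modified {age}d before scan")
        if e["company"] is None:
            reasons.append("no publisher/version info")
        if reasons:
            hits.append((e["path"], reasons))
    return hits
```

Calling `triage(SAMPLE, SCAN_DATE)` returns afd.sys (changed 10 days before the scan) and the constructed example.sys (recent and without version info); a flagged entry is a prompt to check the file's hash and signature, not proof of infection.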

#74
farbar
    Developer
  • Expert
  • 503 posts
Well done. :thumbsup:

Due to the damage the malware has done to the system it is very difficult to restore winsock2. We have the option to use System Restore, but the available restore points are from the time that the system was infected. So we try to restore only the registry hives from the end of March. The operation is reversible if it doesn't work. If everything goes well we will have a bootable system with an internet connection. But there could be some broken programs that we can repair. Please make sure you run the fix in recovery mode the same way you ran FRST in the previous post.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Please download the attached file fixlist.txt (39 bytes).
Save it to your flash drive where FRST.exe is located.

Boot to System Recovery Options by using F8 at startup and select "Command Prompt".

Run FRST again like before and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart the computer and let me know how the system is functioning.

#75
soggywaffles
    Member
  • Topic Starter
  • Member
  • 45 posts
The internet is now working again.

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 29-05-2012 02
Ran by SYSTEM at 2012-05-30 19:10:00 Run:1
Running from E:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====