[Chrisk-K]

Two days ago, Norton gave me a warning about a trojan. It couldn't remove it. I launched Malwarebyte and it also detected it. It removed the malware and asked me to restart. Since then, I haven't been able to boot because of BSOD.

My OS: Genuine Vista Ultimate 32

-BSOD tells me an error 0x000000F4.
-Cannot boot to even Safe Mode
-"Last known configuration" or something like that results in the same BSOD.
-I launched "Vista Recovery Console" but it could not find the OS! Interestingly, the C: drive is reported as D: in the recovery console.
-I ran chkdsk from the recovery console. No problem.
-I scanned my HDD with the AVIRA rescue CD. It reported boot sector errors.
-I loaded a Partition Magic bootable disk to fix the problem. It says, "No Windows was found!" although I do see it on the HDD.

I suspect that the trojan might have screwed up the boot sector, etc. I can reformat the HDD and reinstall. But I'd LOVE to avoid such a hassle...(sigh).

[Advertisements]

Hello, Chrisk-K!

I'm Nedklaw and I'll be glad to help you with your malware issues.

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

These instructions are specifically designed for Chrisk-K only. No one else should follow these instructions because it can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:

• Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
• Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
• Be patient with me, logs can take some time to research and my life can mean that I'm busy.
• Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
• If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
• NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
• Refrain from running any other tools apart from the ones I tell you to.

Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


Step 1

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select English as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select English as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt.
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Things I want to see in your next reply

• FRST.txt

[Nedklaw]

Hello, Chrisk-K!

I'm Nedklaw and I'll be glad to help you with your malware issues.

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

These instructions are specifically designed for Chrisk-K only. No one else should follow these instructions because it can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:

• Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
• Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
• Be patient with me, logs can take some time to research and my life can mean that I'm busy.
• Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
• If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
• NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
• Refrain from running any other tools apart from the ones I tell you to.

Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


Step 1

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select English as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select English as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt.
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Things I want to see in your next reply

• FRST.txt

[Chrisk-K]

Hello Ned,

Thank you SO MUCH for helping me. It's so nice of you!!

Before getting your reply, I ran AVG as instructed in the Malware section. No virus was found. But it gave me a message, "Smartctl reports some problems with the disk."

Here's FRST.txt.
--------
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 06-08-2012 15:30:58
Running from K:\
Windows Vista ™ Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe [136080 2009-09-16] (Symantec Corporation)
HKLM\...\Run: [TrkMonitor] "C:\Program Files\Canon Electronics\DR1210C\TrkMonitor.exe" [86016 2008-01-29] (Canon Electronics Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "E:\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini [308 2012-08-04] ()
HKLM\...\Run: [pdfFactory Pro Dispatcher v3] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM [565248 2008-08-01] (FinePrint Software, LLC)
HKLM\...\Run: [PaperPort PTD] "E:\ScanSoft\PaperPort\pptd40nt.exe" [x]
HKLM\...\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM\...\Run: [Jomantha] C:\Program Files\n52te\n52teHid.exe [159744 2008-06-13] (Razer USA Ltd.)
HKLM\...\Run: [IndexSearch] "E:\ScanSoft\PaperPort\IndexSearch.exe" [x]
HKLM\...\Run: [FinePrint Dispatcher v5] C:\Windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe [442368 2004-08-25] (FinePrint Software, LLC)
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115560 2009-05-04] (Symantec Corporation)
HKLM\...\Run: [CTxfiHlp] CTXFIHLP.EXE [x]
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-05] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [NUSB3MON] "C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [115048 2011-09-16] (Renesas Electronics Corporation)
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1387288 2011-10-07] (Logitech, Inc.)
HKU\Christian\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Christian\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
HKU\Christian\...\Run: [Copernic Desktop Search - Home] "e:\Copernic Desktop Search - Home\DesktopSearchService.exe" /tray [x]
Tcpip\..\Interfaces\{9694FFD1-60EC-4AA6-8D10-80EEDB11D9D9}: [NameServer]75.75.75.75,75.75.76.76

================================ Services (Whitelisted) ==================

2 AcronisOSSReinstallSvc; "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2217416 2007-02-22] ()
2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-05-04] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-05-04] (Symantec Corporation)
2 CVPND; "C:\Program Files\JHSecure\VPN Client\cvpnd.exe" [1516584 2007-04-03] (Cisco Systems, Inc.)
2 DefWatch; "C:\Program Files\Symantec AntiVirus\DefWatch.exe" [31120 2009-09-16] (Symantec Corporation)
2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [670792 2011-11-14] (Juniper Networks)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 FlipShare Service; "C:\Program Files\Flip Video\FlipShare\FlipShareService.exe" [460144 2011-05-06] ()
2 FlipShareServer; "C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe" [1085440 2011-05-06] ()
3 Futuremark SystemInfo Service; "C:\Program Files\Futuremark\Futuremark SystemInfo\FMSISvc.exe" [130976 2011-03-01] (Futuremark Corporation)
2 hasplms; C:\Windows\system32\hasplms.exe -run [4180576 2010-09-27] (SafeNet Inc.)
2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [132768 2011-11-09] (Intel Corporation)
3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2010-09-07] (Symantec Corporation)
3 Macromedia Licensing Service; "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" [68096 2009-10-16] ()
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator [129880 2009-02-18] (Microsoft Corporation)
2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [129880 2009-02-18] (Microsoft Corporation)
2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [129880 2009-02-18] (Microsoft Corporation)
3 SavRoam; "C:\Program Files\Symantec AntiVirus\SavRoam.exe" [121744 2009-09-16] (symantec)
4 SharedAccess; C:\Windows\System32\svchost.exe -k netsvcs [21504 2008-01-18] (Microsoft Corporation)
2 Symantec AntiVirus; "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" [1961768 2009-09-16] (Symantec Corporation)
3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [x]
3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [x]
3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [x]
3 NBService; C:\Nero 7\Nero BackItUp\NBService.exe [x]
2 PDAgent; "C:\Program Files\Raxco\PerfectDisk\PDAgent.exe" [x]
3 PDEngine; "C:\Program Files\Raxco\PerfectDisk\PDEngine.exe" [x]

========================== Drivers (Whitelisted) =============

3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-18] (Microsoft Corporation)
2 aksfridge; \??\C:\Windows\system32\drivers\aksfridge.sys [356864 2010-09-27] (SafeNet Inc.)
0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2008-01-18] (Microsoft Corporation)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdLH3.sys [83984 2012-02-23] (Advanced Micro Devices)
3 AtiHdmiService; C:\Windows\System32\drivers\AtiHdmi.sys [105488 2010-05-06] (ATI Technologies, Inc.)
2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x32.sys [21992 2011-09-21] (CPUID)
3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [347080 2008-10-07] (Creative Technology Ltd)
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [306295 2007-04-03] (Cisco Systems, Inc.)
0 DefragFS; C:\Windows\System32\Drivers\DefragFS.sys [68624 2007-10-22] (Raxco Software, Inc.)
3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [128144 2007-08-01] (Deterministic Networks, Inc.)
3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2011-11-14] (Juniper Networks)
3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6032.sys [292008 2012-03-15] (Intel Corporation)
2 EBIOS32; C:\Windows\System32\Drivers\EBIOS32.SYS [13922 2008-07-03] (Intel Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-05-15] (Symantec Corporation)
3 EfiVariable; \??\C:\Windows\System32\Drivers\variable.sys [7680 2011-05-19] (Windows ® Server 2003 DDK provider)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-15] (Symantec Corporation)
2 hardlock; \??\C:\Windows\system32\drivers\hardlock.sys [588800 2009-12-09] (SafeNet Inc.)
3 JmtFltr; C:\Windows\System32\Drivers\JmtFltr.sys [48896 2007-09-27] ()
3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [42648 2011-09-01] (Logitech, Inc.)
3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [12184 2011-09-01] (Logitech, Inc.)
3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [28560 2009-11-10] (Logitech, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41216 2011-09-23] (Intel Corporation)
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120804.009\NAVENG.SYS [87928 2012-04-25] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120804.009\NAVEX15.SYS [1589752 2012-04-25] (Symantec Corporation)
3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [73984 2011-10-25] (Renesas Electronics Corporation)
3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [165120 2011-10-25] (Renesas Electronics Corporation)
3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [14080 2007-10-05] (Saitek)
3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [35200 2007-10-05] (Saitek)
0 snapman380; C:\Windows\System32\DRIVERS\snman380.sys [134272 2008-11-20] (Acronis)
1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [420400 2008-01-17] (Symantec Corporation)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-06-20] (Duplex Secure Ltd.)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [280112 2009-03-04] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [319920 2009-03-04] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43824 2009-03-04] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [123952 2011-03-06] (Symantec Corporation)
3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [27576 2007-01-09] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [191544 2007-01-09] (Symantec Corporation)
3 uisp; C:\Windows\System32\Drivers\usbicp.sys [14592 2005-12-22] (Motorola)
3 vhidmini; C:\Windows\System32\DRIVERS\vhidmini.sys [12672 2007-09-19] (Windows ® Codename Longhorn DDK provider)
3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [55808 2007-08-28] (Microsoft Corporation)
0 axmoycj; C:\Windows\System32\drivers\ytuevyk.sys [x]
0 bbfbb; C:\Windows\System32\drivers\pcpru.sys [x]
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 e1express; C:\Windows\System32\DRIVERS\e1e6032.sys [x]
3 Invoker; \??\C:\Windows\System32\Drivers\Invoker.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 smbusp; C:\Windows\System32\DRIVERS\intelsmb.sys [x]
3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-06 15:30 - 2012-08-06 15:30 - 00000000 ____D C:\FRST
2012-07-26 13:24 - 2012-07-26 13:24 - 00000000 ____D C:\Program Files\Logitech
2012-07-26 13:21 - 2012-07-26 13:21 - 25914640 ____A (Logitech Inc.) C:\Users\Christian\Desktop\setpoint632.exe
2012-07-26 13:06 - 2012-07-26 13:06 - 00000000 ____D C:\Users\All Users\Logitech
2012-07-26 09:35 - 2012-08-06 07:09 - 124531207 ____A C:\Windows\MEMORY.DMP
2012-07-26 09:35 - 2012-07-26 09:35 - 00139816 ____A C:\Windows\Minidump\Mini072612-01.dmp
2012-07-17 04:42 - 2012-07-26 13:13 - 00000000 ____D C:\Users\Christian\Desktop\Steff


============ 3 Months Modified Files ========================

2012-08-06 07:09 - 2012-07-26 09:35 - 00000000 _____ C:\Windows\MEMORY.DMP
2012-08-06 07:08 - 2012-05-17 21:17 - 00009254 ____A C:\Windows\PFRO.log
2012-08-05 05:44 - 2008-11-27 22:15 - 02063291 ____A C:\Windows\WindowsUpdate.log
2012-08-05 05:44 - 2006-11-02 05:00 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-05 05:44 - 2006-11-02 05:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-05 05:44 - 2006-11-02 04:46 - 00003952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-05 05:44 - 2006-11-02 04:46 - 00003952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-04 17:04 - 2006-11-02 02:33 - 00773782 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-03 11:39 - 2008-11-21 22:56 - 00002373 ____A C:\Users\Christian\Desktop\Word.lnk
2012-08-02 13:28 - 2012-07-01 10:41 - 00001252 ____A C:\Windows\LkmdfCoInst.log
2012-08-02 13:28 - 2012-05-31 14:22 - 00001020 ____A C:\Windows\setupact.log
2012-08-02 13:28 - 2010-06-01 18:16 - 00016400 ____A (Logitech, Inc.) C:\Windows\System32\Drivers\LNonPnP.sys
2012-07-30 22:36 - 2010-10-14 22:24 - 00000069 ____A C:\Windows\NeroDigital.ini
2012-07-30 22:31 - 2010-12-03 00:02 - 00002335 ____A C:\Users\Christian\Desktop\Excel.lnk
2012-07-27 17:41 - 2009-07-29 18:55 - 00000183 ____A C:\Windows\setscan.ini
2012-07-27 17:40 - 2009-07-29 19:08 - 00002187 ____A C:\Users\Public\Desktop\PaperPort.lnk
2012-07-26 13:25 - 2012-07-01 10:30 - 00037349 ____A C:\Windows\LDPINST.LOG
2012-07-26 13:21 - 2012-07-26 13:21 - 25914640 ____A (Logitech Inc.) C:\Users\Christian\Desktop\setpoint632.exe
2012-07-26 13:15 - 2006-11-02 02:22 - 49807360 ____A C:\Windows\System32\config\software_previous
2012-07-26 13:15 - 2006-11-02 02:22 - 42205184 ____A C:\Windows\System32\config\components_previous
2012-07-26 13:15 - 2006-11-02 02:22 - 33030144 ____A C:\Windows\System32\config\system_previous
2012-07-26 13:15 - 2006-11-02 02:22 - 04980736 ____A C:\Windows\System32\config\default_previous
2012-07-26 13:15 - 2006-11-02 02:22 - 00061440 ____A C:\Windows\System32\config\sam_previous
2012-07-26 13:15 - 2006-11-02 02:22 - 00024576 ____A C:\Windows\System32\config\security_previous
2012-07-26 09:35 - 2012-07-26 09:35 - 00139816 ____A C:\Windows\Minidump\Mini072612-01.dmp
2012-07-17 14:46 - 2008-11-24 11:15 - 00000086 ____A C:\Windows\DrSaju.ini
2012-07-03 09:46 - 2010-01-19 17:06 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-14 17:22 - 2012-06-14 17:22 - 00739832 ____A (Google Inc.) C:\Users\Christian\Downloads\GoogleVoiceAndVideoSetup.exe
2012-06-12 10:33 - 2011-12-10 22:11 - 00014094 ____A C:\Users\Christian\Desktop\Book1.xlsx
2012-06-02 14:19 - 2012-06-23 07:32 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 07:32 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 07:32 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 07:32 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 07:32 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-23 07:32 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-23 07:32 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-23 07:32 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-23 07:32 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 14:22 - 2012-05-31 14:22 - 00000000 ____A C:\Windows\setuperr.log
2012-05-25 18:22 - 2006-11-02 02:23 - 00000402 ____A C:\Windows\win.ini
2012-05-25 15:02 - 2009-07-30 04:44 - 00014201 ___AH C:\Users\Christian\Documents\maxdesk.ini2
2012-05-25 15:02 - 2009-07-30 04:44 - 00008934 ___AH C:\Users\Christian\Documents\PP11Thumbs.ptn2
2012-05-25 15:02 - 2009-07-30 04:43 - 17107975 ___AH C:\Users\Christian\Documents\PP11Thumbs.ptn
2012-05-22 16:36 - 2012-05-22 16:36 - 00053290 ____A C:\Users\Christian\Downloads\NAsummer2012.xlsx
2012-05-17 21:15 - 2008-11-20 18:51 - 00001356 ____A C:\Users\Christian\AppData\Local\d3d9caps.dat
2012-05-14 12:49 - 2008-11-21 23:08 - 00211456 ____A C:\Users\Christian\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-10 09:11 - 2012-05-10 09:11 - 02014704 ____A (Google) C:\Users\Christian\Downloads\GoogleDesktopSetup.exe
2012-05-10 08:26 - 2012-05-10 08:26 - 00000631 ____A C:\Users\Public\Desktop\Copernic.lnk
2012-05-09 21:10 - 2006-11-02 04:46 - 00364520 ____A C:\Windows\System32\FNTCACHE.DAT

ZeroAccess:
C:\Windows\Installer\{2b182635-1dee-bc28-bed3-3f868e4a6e27}
C:\Windows\Installer\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\@
C:\Windows\Installer\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\L
C:\Windows\Installer\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\U

ZeroAccess:
C:\Users\Christian\AppData\Local\{2b182635-1dee-bc28-bed3-3f868e4a6e27}
C:\Users\Christian\AppData\Local\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\@
C:\Users\Christian\AppData\Local\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\L
C:\Users\Christian\AppData\Local\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\n
C:\Users\Christian\AppData\Local\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4072.63 MB
Available physical RAM: 3577.7 MB
Total Pagefile: 3822.54 MB
Available Pagefile: 3652.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (MAIN) (Fixed) (Total:125.47 GB) (Free:41.44 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (DATA) (Fixed) (Total:139.73 GB) (Free:118.24 GB) NTFS
3 Drive f: (ACADEMIC) (Fixed) (Total:39.07 GB) (Free:33.26 GB) NTFS
4 Drive g: (PROGRAMS) (Fixed) (Total:39.07 GB) (Free:35.11 GB) NTFS
5 Drive h: (FUN) (Fixed) (Total:94.48 GB) (Free:78.72 GB) NTFS
7 Drive j: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
8 Drive k: (4GB USB STI) (Removable) (Total:3.78 GB) (Free:2.49 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (MUSIC) (Fixed) (Total:139.73 GB) (Free:57.71 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 279 GB 9 MB
Disk 1 Online 298 GB 1624 KB
Disk 2 Online 3875 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 140 GB 32 KB
Partition 0 Extended 140 GB 140 GB
Partition 2 Logical 140 GB 140 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 Y MUSIC NTFS Partition 140 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E DATA NTFS Partition 140 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 125 GB 32 KB
Partition 0 Extended 173 GB 125 GB
Partition 2 Logical 39 GB 125 GB
Partition 3 Logical 39 GB 165 GB
Partition 4 Logical 94 GB 204 GB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C MAIN NTFS Partition 125 GB Healthy

==================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 F ACADEMIC NTFS Partition 39 GB Healthy

==================================================================================

Disk: 1
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 G PROGRAMS NTFS Partition 39 GB Healthy

==================================================================================

Disk: 1
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 H FUN NTFS Partition 94 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3875 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-08-04 17:18

======================= End Of Log ==========================

[Nedklaw]

Hi.


Step 1

Download and save the following file to your flash drive:  fixlist.txt   361bytes   240 downloads

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt). Please post it in your next reply.


Step 2

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

services.exe

Click the Search Files button and post the log (FSS.txt) it makes in your reply.


Things I want to see in your next reply

• Fixlog.txt
• FSS.txt

[Chrisk-K]

Hi!

Step 1 worked and generated Fixlog.txt (please see below).

However, Step 2 did not create FSS.txt. It only created Search.txt. FYI, I'm copying Search.txt.

What am I doing wrong?


Fixlog.txt
-----
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 11:44:14 Run:1
Running from K:\

==============================================

axmoycj service deleted successfully.
bbfbb service deleted successfully.
C:\Windows\System32\drivers\ytuevyk.sys not found.
C:\Windows\System32\drivers\pcpru.sys not found.
C:\Windows\Installer\{2b182635-1dee-bc28-bed3-3f868e4a6e27} moved successfully.
C:\Users\Christian\AppData\Local\{2b182635-1dee-bc28-bed3-3f868e4a6e27} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

==== End of Fixlog ====



Search.txt
----Farbar Recovery Scan Tool Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 11:49:32
Running from K:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-06-14 19:24] - [2009-04-10 19:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-11-20 19:04] - [2008-01-18 20:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\ERDNT\cache\services.exe
[2011-03-04 21:53] - [2009-04-10 19:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

[Chrisk-K]

Hi!

I didn't know that Farbar Service Scanner is different from FRST.exe.

I downloaded it and typed "services.exe" in the edit box. It gave me the following (empty!) FSS.txt.

--------------------
Farbar Service Scanner Version: 06-08-2012
Ran by SYSTEM (administrator) on 08-08-2012 at 13:11:49
Windows ™ Code Name "Longhorn" Preinstallation Environment (X86)

************************************************
======== Search: "services.exe" =========

====== End Of Search ======

[Nedklaw]

Hi.
Sorry for the confusion. FRST was the right tool to use but I posted instructions for FSS.


Step 1

Download and save the following file to your flash drive:  fixlist.txt   78bytes   253 downloads

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt). Please post it in your next reply.


Step 2

Can you now boot from your computer normally?


Things I want to see in your next reply

• Fixlog.txt
• Answer to my question

[Chrisk-K]

OH MY GOD!!! It booted!!! God Bless You!!

------------------
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 16:05:23 Run:2
Running from K:\

==============================================

Could not find C:\Windows\System32\services.exe.
C:\Windows\ERDNT\cache\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

[Nedklaw]

Hi.
I'm glad to hear that you can now boot.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


IMPORTANT!!! You need to Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here.
• Double click on ComboFix.exe & follow the prompts.
  
  
  
  
• Please be patient and don't use the PC whilst it is scanning.
• When finished, it shall produce a log for you. Please copy & paste the contents of this log at C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get this error "Illegal operation attempted on a registry key that has been marked for deletion" then reboot, that will cure it.


Things I want to see in your next reply

• ComboFix.txt

[Chrisk-K]

Hi

Below is combofix.txt. Symantec was disabled before I ran Combofix. But Combofix thought it was active...

ComboFix 12-08-08.01 - Christian 8/2012 Wed 21:08:03.3.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.949.82.1033.18.3569.1916 [GMT -4:00]
Running from: C:\Users\Christian\Desktop\ComboFix.exe
AV: SymantecAntiVirus *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: SymantecAntiVirus *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Users\Christian\AppData\Roaming\lanat.dll
C:\Users\Christian\AppData\Roaming\unapt.dll
C:\Windows\jimglib.dll
C:\Windows\system32\
C:\Windows\system32\shsvcs.dll.vgorg
C:\Windows\system32\themeui.dll.vgorg
C:\Windows\system32\uxtheme.dll.vgorg


((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))


2012-08-09 01:12:22 . 2012-08-09 01:25:21 -------- d-----w- C:\Users\Christian\AppData\Local\temp
2012-08-09 01:12:22 . 2012-08-09 01:12:22 -------- d-----w- C:\Users\Public\AppData\Local\temp
2012-08-09 01:12:22 . 2012-08-09 01:12:22 -------- d-----w- C:\Users\Guest\AppData\Local\temp
2012-08-09 01:12:22 . 2012-08-09 01:12:22 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-08-09 01:01:27 . 2012-08-09 01:01:27 -------- d-----w- C:\Users\Christian\AppData\Local\{BCEDC268-E1BD-11E1-8270-B8AC6F996F26}
2012-08-09 00:05:24 . 2009-04-11 03:28:00 279552 ----a-w- C:\Windows\system32\services.exe
2012-08-06 23:30:36 . 2012-08-06 23:30:36 -------- d-----w- C:\FRST
2012-07-26 21:25:43 . 2012-07-26 21:25:43 53248 ----a-r- C:\Users\Christian\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-07-26 21:24:15 . 2012-07-26 21:24:32 -------- d-----w- C:\Program Files\Logitech
2012-07-26 21:06:39 . 2012-07-26 21:06:39 -------- d-----w- C:\ProgramData\Logitech
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-08-02 21:28:17 . 2010-06-02 02:16:18 16400 ----a-w- C:\Windows\system32\drivers\LNonPnP.sys
2012-07-03 17:46:44 . 2010-01-20 01:06:18 22344 ----a-w- C:\Windows\system32\drivers\mbam.sys
2012-06-02 22:19:33 . 2012-06-23 15:32:38 53784 ----a-w- C:\Windows\system32\wuauclt.exe
2012-06-02 22:19:33 . 2012-06-23 15:32:38 45080 ----a-w- C:\Windows\system32\wups2.dll
2012-06-02 22:19:32 . 2012-06-23 15:32:18 35864 ----a-w- C:\Windows\system32\wups.dll
2012-06-02 22:19:23 . 2012-06-23 15:32:18 577048 ----a-w- C:\Windows\system32\wuapi.dll
2012-06-02 22:19:17 . 2012-06-23 15:32:38 1933848 ----a-w- C:\Windows\system32\wuaueng.dll
2012-06-02 22:12:32 . 2012-06-23 15:32:38 2422272 ----a-w- C:\Windows\system32\wucltux.dll
2012-06-02 22:12:13 . 2012-06-23 15:32:18 88576 ----a-w- C:\Windows\system32\wudriver.dll
2012-06-02 19:19:42 . 2012-06-23 15:32:04 171904 ----a-w- C:\Windows\system32\wuwebv.dll
2012-06-02 19:12:20 . 2012-06-23 15:32:04 33792 ----a-w- C:\Windows\system32\wuapp.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 03:28:04 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 04:33:10 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 09:16:20 357696]
"Copernic Desktop Search - Home"="e:\Copernic Desktop Search - Home\DesktopSearchService.exe" [2011-11-22 19:14:26 1648600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2009-09-16 14:52:18 136080]
"TrkMonitor"="C:\Program Files\Canon Electronics\DR1210C\TrkMonitor.exe" [2008-01-29 16:46:34 86016]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 17:06:06 254696]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 13:03:38 210472]
"PPort11reminder"="E:\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 17:46:58 255528]
"pdfFactory Pro Dispatcher v3"="C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-08-01 15:41:51 565248]
"PaperPort PTD"="E:\ScanSoft\PaperPort\pptd40nt.exe" [2008-04-30 17:37:26 29984]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 20:40:44 155648]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 17:46:44 462920]
"Jomantha"="C:\Program Files\n52te\n52teHid.exe" [2008-06-13 16:19:46 159744]
"IndexSearch"="E:\ScanSoft\PaperPort\IndexSearch.exe" [2008-04-30 17:35:28 46368]
"FinePrint Dispatcher v5"="C:\Windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-08-25 17:26:46 442368]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2009-05-04 20:08:10 115560]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 03:41:36 23552]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 05:24:32 641664]
"NUSB3MON"="C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 18:39:24 115048]
"EvtMgr6"="C:\Program Files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 09:40:42 1387288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync\0C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37:53 843712 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4167628224-1300899903-4152363779-1000]
"EnableNotificationsRef"=dword:00000001

S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WS2IFSL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23:54 38400 ----a-w- C:\Windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50:50 30720 ----a-w- C:\Windows\System32\soundschemes2.exe


------- Supplementary Scan -------

uStart Page = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - D:\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: johnshopkins.edu\sslconnect
TCP: Interfaces\{9694FFD1-60EC-4AA6-8D10-80EEDB11D9D9}: NameServer = 75.75.75.75,75.75.76.76
DPF: {283A7932-A386-496A-9AB0-E8DBFACFF1E5} - hxxp://ondisk.co.kr/setup/OnDiskWebControl.cab
DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} - hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
FF - ProfilePath - C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\9vb1f7xa.default\
FF - prefs.js: browser.search.selectedEngine - Arccosine
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.arccosine.com/search.php?q=

- - - - ORPHANS REMOVED - - - -

HKLM-Run-lanat - C:\Users\Christian\AppData\Roaming\lanat.dll
HKLM-Run-unapt - C:\Users\Christian\AppData\Roaming\unapt.dll
AddRemove-{65153EA5-8B6E-43B6-857B-C6E4FC25798A} - C:\Program Files\Intel\Intel® Management Engine Components\Uninstall\setup.exe

[Nedklaw]

Hi.
Is that the complete ComboFix log?

[Chrisk-K]

Hi!

I'm not sure if it's complete. Based on your question, I assume it's not complete, Probably I didn't copy the entire contents of Combofix.txt. I got illegal operation errors after Combofix did its job. So after I rebooted my PC, the contents in the Combofix folder were gone. What should I do now? Thanks.

Edited by Chrisk-K, 09 August 2012 - 02:01 PM.

[Chrisk-K]

Hi!

My bad. I found "combofix.txt" is at c:\ as you instructed. I incorrectly thought it should be at c:\combofix.

Here's the entire log.

ComboFix 12-08-08.01 - Christian 8/2012 Wed 21:08:03.3.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.949.82.1033.18.3569.1916 [GMT -4:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
AV: SymantecAntiVirus *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: SymantecAntiVirus *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Christian\AppData\Roaming\lanat.dll
c:\users\Christian\AppData\Roaming\unapt.dll
c:\windows\jimglib.dll
c:\windows\system32\
c:\windows\system32\shsvcs.dll.vgorg
c:\windows\system32\themeui.dll.vgorg
c:\windows\system32\uxtheme.dll.vgorg
.
.
((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
.
.
2012-08-09 01:12 . 2012-08-09 01:25 -------- d-----w- c:\users\Christian\AppData\Local\temp
2012-08-09 01:12 . 2012-08-09 01:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-09 01:12 . 2012-08-09 01:12 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-08-09 01:12 . 2012-08-09 01:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-09 01:01 . 2012-08-09 01:01 -------- d-----w- c:\users\Christian\AppData\Local\{BCEDC268-E1BD-11E1-8270-B8AC6F996F26}
2012-08-09 00:05 . 2009-04-11 03:28 279552 ----a-w- c:\windows\system32\services.exe
2012-08-06 23:30 . 2012-08-06 23:30 -------- d-----w- C:\FRST
2012-07-26 21:25 . 2012-07-26 21:25 53248 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-07-26 21:24 . 2012-07-26 21:24 -------- d-----w- c:\program files\Logitech
2012-07-26 21:06 . 2012-07-26 21:06 -------- d-----w- c:\programdata\Logitech
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 21:28 . 2010-06-02 02:16 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-07-03 17:46 . 2010-01-20 01:06 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-23 15:32 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 15:32 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 15:32 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 15:32 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 15:32 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 15:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 15:32 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-23 15:32 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-23 15:32 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Copernic Desktop Search - Home"="e:\copernic desktop search - home\DesktopSearchService.exe" [2011-11-22 1648600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-16 136080]
"TrkMonitor"="c:\program files\Canon Electronics\DR1210C\TrkMonitor.exe" [2008-01-29 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="e:\scansoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"pdfFactory Pro Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-08-01 565248]
"PaperPort PTD"="e:\scansoft\PaperPort\pptd40nt.exe" [2008-04-30 29984]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Jomantha"="c:\program files\n52te\n52teHid.exe" [2008-06-13 159744]
"IndexSearch"="e:\scansoft\PaperPort\IndexSearch.exe" [2008-04-30 46368]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-08-25 442368]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-04 115560]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 23552]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4167628224-1300899903-4152363779-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: johnshopkins.edu\sslconnect
TCP: Interfaces\{9694FFD1-60EC-4AA6-8D10-80EEDB11D9D9}: NameServer = 75.75.75.75,75.75.76.76
DPF: {283A7932-A386-496A-9AB0-E8DBFACFF1E5} - hxxp://ondisk.co.kr/setup/OnDiskWebControl.cab
DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} - hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\9vb1f7xa.default\
FF - prefs.js: browser.search.selectedEngine - Arccosine
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.arccosine.com/search.php?q=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-lanat - c:\users\Christian\AppData\Roaming\lanat.dll
HKLM-Run-unapt - c:\users\Christian\AppData\Roaming\unapt.dll
AddRemove-{65153EA5-8B6E-43B6-857B-C6E4FC25798A} - c:\program files\Intel\Intel® Management Engine Components\Uninstall\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 21:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
.
c:\users\CHRIST~1\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4167628224-1300899903-4152363779-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{975DE660-31DB-1589-124C-A3BF07AAC89F}*]
"jafepacpafmaihmbobhf"=hex:62,61,63,70,00,00
"jafepacpafmaihmbobdf"=hex:62,61,61,70,00,00
.
[HKEY_USERS\S-1-5-21-4167628224-1300899903-4152363779-1000\Software\SecuROM\License information*]
"datasecu"=hex:f7,e7,0f,c7,c8,6c,f2,13,ef,2d,07,46,88,4c,ca,6d,dd,99,73,7f,11,
a4,52,ce,59,4d,ea,70,f4,c7,45,f9,0c,fe,96,88,5a,c9,6c,53,1d,75,3a,11,d1,83,\
"rkeysecu"=hex:25,6e,26,75,92,ce,4f,64,cb,53,79,fc,02,ed,22,d1
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5764)
c:\program files\Common Files\Ahead\Lib\MediaLibraryNSE.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\atieclxx.exe
c:\program files\JHSecure\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe
c:\windows\system32\hasplms.exe
c:\windows\system32\IProsetMonitor.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
e:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\Canon Electronics\DR1210C\trkhost.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
e:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe
c:\windows\system32\conime.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Mail\WinMail.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2012-08-08 21:29:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-09 01:29
.
Pre-Run: 40,547,950,592 bytes free
Post-Run: 40,839,708,672 bytes free
.
- - End Of File - - F8EC2FF7AA08B5C5D6CFC11C080D4AC4

[Nedklaw]

Hi.
How is your system running? Are you experiencing any problems?


Step 1

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

RegNull::
[HKEY_USERS\S-1-5-21-4167628224-1300899903-4152363779-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{975DE660-31DB-1589-124C-A3BF07AAC89F}*]

Save this as CFScript.txt, in the same location as ComboFix.exe.




Refering to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2

• Run Malwarebytes' Anti-Malware.
• Update Malwarebytes' Anti-Malware.
• Once the program has updated, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note).
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3

Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer or Mozilla Firefox for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start.
• When asked, allow the ActiveX control to install.
• Click Start.
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked.
• Click Scan. (This scan can take several hours, so please be patient).
• Once the scan is completed, you may close the window.
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Things I want to see in your next reply

• Answers to my questions
• ComboFix.txt
• MBAM Log
• log.txt

[Chrisk-K]

Hi

1. My PC has been running fine!
2. The contents of 3 files are copied below.

Combofix.txt
------------------------
ComboFix 12-08-08.01 - Christian 1/2012 Sat 12:29:25.4.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.949.82.1033.18.3569.2090 [GMT -4:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
Command switches used :: c:\users\Christian\Desktop\CFScript.txt
AV: SymantecAntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: SymantecAntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
.
2012-08-11 16:34 . 2012-08-11 16:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-11 16:34 . 2012-08-11 16:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-08-11 16:34 . 2012-08-11 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-09 01:12 . 2012-08-11 16:34 -------- d-----w- c:\users\Christian\AppData\Local\temp
2012-08-09 01:01 . 2012-08-09 01:01 -------- d-----w- c:\users\Christian\AppData\Local\{BCEDC268-E1BD-11E1-8270-B8AC6F996F26}
2012-08-09 00:05 . 2009-04-11 03:28 279552 ----a-w- c:\windows\system32\services.exe
2012-08-06 23:30 . 2012-08-06 23:30 -------- d-----w- C:\FRST
2012-07-26 21:25 . 2012-07-26 21:25 53248 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-07-26 21:24 . 2012-07-26 21:24 -------- d-----w- c:\program files\Logitech
2012-07-26 21:06 . 2012-07-26 21:06 -------- d-----w- c:\programdata\Logitech
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 21:28 . 2010-06-02 02:16 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-07-03 17:46 . 2010-01-20 01:06 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-23 15:32 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 15:32 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 15:32 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 15:32 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 15:32 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 15:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 15:32 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-23 15:32 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-23 15:32 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Copernic Desktop Search - Home"="e:\copernic desktop search - home\DesktopSearchService.exe" [2011-11-22 1648600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-16 136080]
"TrkMonitor"="c:\program files\Canon Electronics\DR1210C\TrkMonitor.exe" [2008-01-29 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="e:\scansoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"pdfFactory Pro Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-08-01 565248]
"PaperPort PTD"="e:\scansoft\PaperPort\pptd40nt.exe" [2008-04-30 29984]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Jomantha"="c:\program files\n52te\n52teHid.exe" [2008-06-13 159744]
"IndexSearch"="e:\scansoft\PaperPort\IndexSearch.exe" [2008-04-30 46368]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-08-25 442368]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-04 115560]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 23552]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4167628224-1300899903-4152363779-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ERASERUTILDRV11220
*Deregistered* - EraserUtilDrv11220
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: johnshopkins.edu\sslconnect
TCP: Interfaces\{9694FFD1-60EC-4AA6-8D10-80EEDB11D9D9}: NameServer = 75.75.75.75,75.75.76.76
DPF: {283A7932-A386-496A-9AB0-E8DBFACFF1E5} - hxxp://ondisk.co.kr/setup/OnDiskWebControl.cab
DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} - hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\9vb1f7xa.default\
FF - prefs.js: browser.search.selectedEngine - Arccosine
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.arccosine.com/search.php?q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-11 12:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4167628224-1300899903-4152363779-1000\Software\SecuROM\License information*]
"datasecu"=hex:f7,e7,0f,c7,c8,6c,f2,13,ef,2d,07,46,88,4c,ca,6d,dd,99,73,7f,11,
a4,52,ce,59,4d,ea,70,f4,c7,45,f9,0c,fe,96,88,5a,c9,6c,53,1d,75,3a,11,d1,83,\
"rkeysecu"=hex:25,6e,26,75,92,ce,4f,64,cb,53,79,fc,02,ed,22,d1
.
Completion time: 2012-08-11 12:36:27
ComboFix-quarantined-files.txt 2012-08-11 16:36
ComboFix2.txt 2012-08-09 01:29
.
Pre-Run: 42,097,360,896 bytes free
Post-Run: 42,510,159,872 bytes free
.
- - End Of File - - 88FFA98D71B35E72DF086DAE1602D329


MBAM.log
-------------------------
Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Christian :: CHRISTIAN-PC [administrator]

Protection: Disabled

8/11/2012 12:42:14 PM
mbam-log-2012-08-11 (12-42-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215239
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESSET scan result
---------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f81310442e554c438fd4d1ffd815f6b1
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-11 07:07:06
# local_time=2012-08-11 03:07:06 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 14068025 181311628 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=248751
# found=13
# cleaned=13
# scan_time=8053
C:\FRST\Quarantine\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Christian\AppData\Roaming\lanat.dll.vir a variant of Win32/Medfos.CE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Christian\AppData\Roaming\unapt.dll.vir a variant of Win32/Medfos.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\AppData\Local\{BCEDC268-E1BD-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\1290de77-15235afe Java/Exploit.CVE-2011-3544.F trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\6387dfbd-116208cd multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Desktop\My Doc\1-Old\My Job\mangrovejackwp.exe multiple threats (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Desktop\Steff\UmileEncoder_v2.2.1.0.exe multiple threats (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw(2).exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw(3).exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw(4).exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw.exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\waterscenes.exe a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C