Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan:DOS/Alureon.A [Solved]


  • This topic is locked This topic is locked

#16
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi gg101,

Please run Combofix scan again as you did first time and post log here for me.
  • 0

Advertisements


#17
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
ComboFix 12-10-31.03 - Glory 11/01/2012 10:50:28.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2402 [GMT -5:00]
Running from: I:\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-01 to 2012-11-01 )))))))))))))))))))))))))))))))
.
.
2012-11-01 16:00 . 2012-11-01 16:00 -------- d-----w- c:\users\Mcx1-GLORY-PC\AppData\Local\temp
2012-11-01 16:00 . 2012-11-01 16:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-28 18:08 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B187F3B-303D-4706-AE6B-09D08C0E23B8}\mpengine.dll
2012-10-28 04:21 . 2012-10-28 04:21 -------- d-----w- C:\found.000
2012-10-27 03:08 . 2012-10-27 03:08 -------- d-----w- c:\windows\Sun
2012-10-27 00:12 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-11 18:45 . 2012-08-31 18:02 1656688 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-11 18:44 . 2012-09-14 19:23 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-11 18:44 . 2012-09-14 18:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-10-11 18:43 . 2012-08-30 18:11 5505904 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-11 18:43 . 2012-08-30 17:18 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-10-11 18:43 . 2012-08-30 17:18 3902832 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-10-11 18:43 . 2012-08-18 15:37 425984 ----a-w- c:\windows\system32\KernelBase.dll
2012-10-11 18:43 . 2012-08-18 15:37 1162240 ----a-w- c:\windows\system32\kernel32.dll
2012-10-11 18:43 . 2012-08-18 15:42 215040 ----a-w- c:\windows\system32\winsrv.dll
2012-10-11 18:43 . 2012-08-18 15:34 338432 ----a-w- c:\windows\system32\conhost.exe
2012-10-11 18:43 . 2012-08-18 11:17 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll
2012-10-11 18:41 . 2012-08-24 18:05 220160 ----a-w- c:\windows\system32\wintrust.dll
2012-10-11 18:41 . 2012-08-24 17:10 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-10-11 18:41 . 2012-08-11 00:53 714752 ----a-w- c:\windows\system32\kerberos.dll
2012-10-11 18:41 . 2012-08-10 23:54 541184 ----a-w- c:\windows\SysWow64\kerberos.dll
2012-10-11 18:41 . 2012-06-02 05:25 1462784 ----a-w- c:\windows\system32\crypt32.dll
2012-10-11 18:41 . 2012-06-02 05:25 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-11 18:41 . 2012-06-02 04:45 1157632 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-10-11 18:41 . 2012-06-02 05:25 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-11 18:41 . 2012-06-02 04:45 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-10-11 18:41 . 2012-06-02 04:45 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-30 00:54 . 2011-02-08 23:12 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-26 17:00 . 2012-09-17 04:46 321384 ----a-w- c:\windows\SysWow64\Sendori.dll
2012-09-17 04:49 . 2012-09-17 04:49 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-09-17 04:46 . 2012-09-17 04:46 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-31 03:03 . 2012-08-31 03:03 228768 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-31 03:03 . 2011-04-27 20:25 128456 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-24 11:15 . 2012-09-25 00:39 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-08-24 10:39 . 2012-09-25 00:39 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-08-24 10:31 . 2012-09-25 00:39 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 10:22 . 2012-09-25 00:39 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-08-24 10:21 . 2012-09-25 00:39 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 10:20 . 2012-09-25 00:39 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 10:18 . 2012-09-25 00:39 237056 ----a-w- c:\windows\system32\url.dll
2012-08-24 10:17 . 2012-09-25 00:39 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-08-24 10:14 . 2012-09-25 00:39 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 10:14 . 2012-09-25 00:39 816640 ----a-w- c:\windows\system32\jscript.dll
2012-08-24 10:13 . 2012-09-25 00:39 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 10:12 . 2012-09-25 00:39 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-08-24 10:11 . 2012-09-25 00:39 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-08-24 10:10 . 2012-09-25 00:40 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-08-24 10:09 . 2012-09-25 00:40 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-24 10:04 . 2012-09-25 00:39 248320 ----a-w- c:\windows\system32\ieui.dll
2012-08-24 06:59 . 2012-09-25 00:39 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-08-24 06:51 . 2012-09-25 00:39 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-08-24 06:51 . 2012-09-25 00:39 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47 . 2012-09-25 00:39 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47 . 2012-09-25 00:39 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-08-24 06:43 . 2012-09-25 00:40 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-08-22 20:22 . 2012-08-22 20:22 209269 ----a-w- C:\torrent.exe
2012-08-18 11:19 . 2012-10-11 18:42 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-07-27 1493160]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-09-17 04:49 1734240 ----a-w- c:\program files (x86)\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-07-27 00:23 1493160 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-07-27 1493160]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll" [2012-09-17 1734240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"cdloader"="c:\users\Glory\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-10-08 50592]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-07-27 397992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-09-30 981656]
"Sendori Tray"="c:\program files (x86)\Sendori\SendoriTray.exe" [2012-09-26 82792]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-09-17 947808]
"ROC_ROC_NT"="c:\program files (x86)\AVG Secure Search\ROC_ROC_NT.exe" [2012-09-17 856160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-09-30 1089608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-5-24 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~3\BROWSE~1\23787~1.43\{16CDF~1\browsemngr.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 Application Sendori;Application Sendori;c:\program files (x86)\Sendori\SendoriSvc.exe [2012-09-26 118632]
R2 Browser Manager;Browser Manager;c:\programdata\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [2012-10-10 2309656]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-16 116648]
R2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-03-15 71168]
R2 Service Sendori;Service Sendori;c:\program files (x86)\Sendori\Sendori.Service.exe [2012-09-26 15208]
R2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [2012-09-17 722528]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-16 116648]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-05 144896]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-23 225280]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-28 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-09-17 31080]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-09-17 283200]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 sndappv2;sndappv2;c:\program files (x86)\Sendori\sndappv2.exe [2012-09-26 3569512]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-11-28 295424]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-01-20 1088544]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-16 18:21]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-16 18:21]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-01-29 6160928]
"RtkOSD"="c:\program files (x86)\Realtek\Audio\OSD\RtVOsd64.exe" [2010-01-13 995840]
"HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-05-15 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://search.gboxapp.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-{20E7BC40-33F6-4A81-9D52-B58349326206} - c:\programdata\Bcool\uninstall.exe
AddRemove-{B60DCA15-56A3-4D2D-8747-22CF7D7B588B} - c:\program files (x86)\InstallShield Installation Information\{B60DCA15-56A3-4D2D-8747-22CF7D7B588B}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{1E61ED7C-7CB8-49D6-B9E9-AB4C880C8414}"=hex:51,66,7a,6c,4c,1d,38,12,12,ee,72,
1a,8a,32,b8,0c,c6,ff,e8,0c,8d,52,c0,00
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:2c,e7,3c,83,34,b6,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-01 11:03:52
ComboFix-quarantined-files.txt 2012-11-01 16:03
ComboFix2.txt 2012-10-29 07:53
.
Pre-Run: 205,055,008,768 bytes free
Post-Run: 205,816,664,064 bytes free
.
- - End Of File - - 986B27E4C1FD98CBB6C37A11FCD592C1
  • 0

#18
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OK. How is your system now? Any problems?
  • 0

#19
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Its still showing up, here is the log....

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.31.04

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Glory :: GLORY-PC [administrator]

11/1/2012 11:21:54 PM
mbam-log-2012-11-01 (23-21-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221297
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2384 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
  • 0

#20
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Let's try this tool. After this run Malwarebytes again and see if it shows up again.

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Windows\svchost.exe

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will
    Restart your computer
    . ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system
    twice
    .
    )
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it
    creates a log file
    that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
5. Please copy/paste the content of c:\avenger.txt into your reply.
  • 0

#21
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
when I right clicl on the avenger.zip my options are: extract files, extract here, and extract to avengers. none say extract all .... which should I choose? nevermind i got figured it out.

Edited by gg101, 02 November 2012 - 10:54 AM.

  • 0

#22
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
I did not find the c:\avenger.txt file, nothing popped up after it rebooted. I also ran malwarebytes and the virus is still there...

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.31.04

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Glory :: GLORY-PC [administrator]

11/2/2012 11:00:06 AM
mbam-log-2012-11-02 (11-00-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221740
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2444 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
  • 0

#23
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK, this is the only tx file that I found at the time I ran avenger... it was named oacux.txt. that was all on there...


Files to delete:
C:\Windows\svchost.exe
  • 0

#24
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
its still there...

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.31.04

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Glory :: GLORY-PC [administrator]

11/2/2012 11:42:00 AM
mbam-log-2012-11-02 (11-42-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221777
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2380 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
  • 0

#25
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi gg101,

Looks like The Avanger didn't do his job right. Can you please try to run it one more time the same way. Maybe he will manage to remove it this time.

You must get c:\avenger.txt. If you didn't get it then it didn't work right and you don't have to do Malwarebytes scan.
  • 0

Advertisements


#26
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
hi, I ran it again and nothing happened. I also tried running it without using safe mode and when it restarted I saw the command promt screen briefly and when I searched for the file the only thing I found was...

the name of the txt was:

mmgk.txt
and this was on the tx:

Files to delete:
C:\Windows\svchost.exe

Im not sure why this virus is so difficult to remove but its really working my nerves now...

Edited by gg101, 03 November 2012 - 09:22 AM.

  • 0

#27
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts

Im not sure why this virus is so difficult to remove but its really working my nerves now...


Don't worry. We'll remove it. One way or the other :)

Let's install the free Avast:

AVAST Free

Once you have it installed and it has updated, right click on it and select Open Avast! User Interface then click on Scan Computer, then on
Boot-Time Scan then Schedule Now.

Reboot and let it run a scan. It will take many hours (like overnight) and unfortunately you may need to check back with it once in a while to see if it needs an input from you. If the scan hangs that may indicate a hardware problem.
  • 0

#28
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, So I downloaded avast and ran a quick scan as well as the boot-time scan. I am not able to copy and paste the log but on the quick scan it found one virus and the action taken was successful and on the boot-time scan it found 4 viruses, one being a trojan on my rossetta stone program and the others were malware and a pup. the actions taken there were successful as well. The labtop restarted and so I decided to run a scan with malwarebytes and the scan still showed the two trojans:

C:\Windows\svchost.exe (Trojan.Agent) -> 2220 -> Delete on reboot
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot

also, even if I am not on the web the avast program keeps beeping saying it blocked a virus and it shows it being insurance websites and stuff like that under mal category. So what shall we try next?
  • 0

#29
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
  • 0

#30
gg101

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, I followed the instructions and the scan did not run while it was under the repair your computer safe mode. I followed the directions to a T so I am not sure why the scan did not pop up in in the mode it was suppose to. I will try it again and if it does not work I do not know what to do. I ended up running it on regular safe mode and this is what I got.



Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-10-2012
Ran by Glory at 04-11-2012 15:49:12
Running from I:\
(X64) OS Language: English(US)
Attention: Could not load system hive.ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-11-03 15:14 - 2012-11-03 15:14 - 00002289 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-03 15:08 - 2012-11-03 15:26 - 00002111 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-11-03 15:08 - 2012-10-30 16:51 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-11-03 15:08 - 2012-10-30 16:51 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-11-03 15:07 - 2012-11-03 15:07 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-03 15:07 - 2012-11-03 15:07 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-11-03 15:07 - 2012-11-03 15:07 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-03 15:07 - 2012-11-03 15:07 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-11-03 15:07 - 2012-10-30 16:51 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-11-03 15:07 - 2012-10-30 16:51 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-11-03 15:07 - 2012-10-30 16:51 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-11-03 15:07 - 2012-10-30 16:51 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-11-03 15:07 - 2012-10-30 16:50 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-11-03 15:07 - 2012-10-30 16:50 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-11-03 15:07 - 2012-10-15 09:59 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-11-03 08:33 - 2012-11-03 08:33 - 00061440 ____A C:\Windows\SysWOW64\Drivers\pmehele.sys
2012-11-03 08:33 - 2012-11-03 08:33 - 00000084 ____A C:\mmgk.txt
2012-11-03 08:20 - 2012-11-03 08:20 - 00061440 ____A C:\Windows\SysWOW64\Drivers\hlpbggxt.sys
2012-11-03 08:20 - 2012-11-03 08:20 - 00000084 ____A C:\Program Files (x86)\pwwuc.txt
2012-11-03 08:18 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-02 10:32 - 2012-11-02 10:32 - 00061440 ____A C:\Windows\SysWOW64\Drivers\nrolf.sys
2012-11-02 10:32 - 2012-11-02 10:32 - 00000084 ____A C:\oacux.txt
2012-11-02 10:30 - 2008-05-30 22:09 - 00731136 ____A C:\Users\Glory\Desktop\avenger.exe
2012-11-02 09:46 - 2012-11-02 09:46 - 00061440 ____A C:\Windows\SysWOW64\Drivers\dkauii.sys
2012-11-02 09:46 - 2012-11-02 09:46 - 00000084 ____A C:\Windows\SysWOW64\axjguo.txt
2012-11-02 09:29 - 2012-11-02 09:29 - 00724952 ____A C:\Users\Glory\Desktop\avenger.zip
2012-11-01 22:30 - 2012-11-01 22:30 - 00000000 ___SD C:\ComboFix
2012-10-29 11:44 - 2012-10-29 11:44 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-10-29 11:12 - 2012-10-29 11:28 - 141930336 ____A C:\Users\Glory\Desktop\Rkill.exe
2012-10-29 01:31 - 2011-06-26 00:45 - 00256000 ____A C:\Windows\PEV.exe
2012-10-29 01:31 - 2010-11-07 11:20 - 00208896 ____A C:\Windows\MBR.exe
2012-10-29 01:31 - 2009-04-19 22:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-10-29 01:31 - 2000-08-30 18:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-10-29 01:31 - 2000-08-30 18:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-10-29 01:31 - 2000-08-30 18:00 - 00098816 ____A C:\Windows\sed.exe
2012-10-29 01:31 - 2000-08-30 18:00 - 00080412 ____A C:\Windows\grep.exe
2012-10-29 01:31 - 2000-08-30 18:00 - 00068096 ____A C:\Windows\zip.exe
2012-10-29 01:30 - 2012-11-01 22:30 - 00000000 ____D C:\Qoobox
2012-10-29 01:20 - 2012-10-29 01:20 - 00000575 ____A C:\Users\Glory\Desktop\OTL.exe - Shortcut.lnk
2012-10-29 00:53 - 2012-10-29 00:53 - 00000616 ____A C:\Users\Glory\Desktop\ComboFix - Shortcut.lnk
2012-10-29 00:46 - 2012-10-29 01:51 - 00000000 ____D C:\Windows\erdnt
2012-10-27 22:22 - 2012-10-27 22:22 - 00003352 ____N C:\bootsqm.dat
2012-10-27 22:21 - 2012-10-27 22:21 - 00000000 ____D C:\found.000
2012-10-26 21:08 - 2012-10-26 21:08 - 00000000 ____D C:\Windows\Sun
2012-10-11 12:45 - 2012-08-31 12:02 - 01656688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-10-11 12:44 - 2012-09-14 13:23 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-11 12:44 - 2012-09-14 12:30 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-10-11 12:43 - 2012-08-30 12:11 - 05505904 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-11 12:43 - 2012-08-30 11:18 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-10-11 12:43 - 2012-08-30 11:18 - 03902832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-10-11 12:43 - 2012-08-18 09:42 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-10-11 12:43 - 2012-08-18 09:37 - 01162240 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-10-11 12:43 - 2012-08-18 09:37 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-10-11 12:43 - 2012-08-18 09:34 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-10-11 12:43 - 2012-08-18 05:17 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-10-11 12:43 - 2012-08-18 05:17 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-10-11 12:42 - 2012-08-18 09:43 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-10-11 12:42 - 2012-08-18 09:43 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-10-11 12:42 - 2012-08-18 09:43 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-10-11 12:42 - 2012-08-18 09:40 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 09:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:22 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-10-11 12:42 - 2012-08-18 05:19 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-10-11 12:42 - 2012-08-18 05:17 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 05:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 03:12 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-10-11 12:42 - 2012-08-18 03:12 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-10-11 12:42 - 2012-08-18 03:07 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 03:07 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 03:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-11 12:42 - 2012-08-18 03:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-10-11 12:41 - 2012-08-24 12:05 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-11 12:41 - 2012-08-24 11:10 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-10-11 12:41 - 2012-08-10 18:53 - 00714752 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-10-11 12:41 - 2012-08-10 17:54 - 00541184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2012-10-11 12:41 - 2012-06-01 23:25 - 01462784 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-11 12:41 - 2012-06-01 23:25 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-11 12:41 - 2012-06-01 23:25 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-11 12:41 - 2012-06-01 22:45 - 01157632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-10-11 12:41 - 2012-06-01 22:45 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-10-11 12:41 - 2012-06-01 22:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll


==================== 3 Months Modified Files ==================

2012-11-03 19:29 - 2010-07-08 02:29 - 01702204 ____A C:\Windows\WindowsUpdate.log
2012-11-03 19:25 - 2009-07-13 23:13 - 00791694 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-03 19:23 - 2009-07-13 22:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-03 19:23 - 2009-07-13 22:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-03 19:19 - 2012-09-16 12:21 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-03 19:16 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-03 19:16 - 2009-07-13 22:51 - 00078635 ____A C:\Windows\setupact.log
2012-11-03 16:04 - 2012-09-16 12:21 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-03 15:26 - 2012-11-03 15:08 - 00002111 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-11-03 15:21 - 2010-11-26 12:58 - 00259746 ____A C:\Windows\PFRO.log
2012-11-03 15:14 - 2012-11-03 15:14 - 00002289 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-03 15:07 - 2012-11-03 15:07 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-03 15:07 - 2012-11-03 15:07 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-11-03 08:33 - 2012-11-03 08:33 - 00061440 ____A C:\Windows\SysWOW64\Drivers\pmehele.sys
2012-11-03 08:33 - 2012-11-03 08:33 - 00000084 ____A C:\mmgk.txt
2012-11-03 08:20 - 2012-11-03 08:20 - 00061440 ____A C:\Windows\SysWOW64\Drivers\hlpbggxt.sys
2012-11-03 08:20 - 2012-11-03 08:20 - 00000084 ____A C:\Program Files (x86)\pwwuc.txt
2012-11-02 10:32 - 2012-11-02 10:32 - 00061440 ____A C:\Windows\SysWOW64\Drivers\nrolf.sys
2012-11-02 10:32 - 2012-11-02 10:32 - 00000084 ____A C:\oacux.txt
2012-11-02 09:46 - 2012-11-02 09:46 - 00061440 ____A C:\Windows\SysWOW64\Drivers\dkauii.sys
2012-11-02 09:46 - 2012-11-02 09:46 - 00000084 ____A C:\Windows\SysWOW64\axjguo.txt
2012-11-02 09:29 - 2012-11-02 09:29 - 00724952 ____A C:\Users\Glory\Desktop\avenger.zip
2012-11-01 10:01 - 2009-07-13 20:34 - 00000215 ____A C:\Windows\system.ini
2012-10-30 16:51 - 2012-11-03 15:08 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-10-30 16:51 - 2012-11-03 15:08 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-10-30 16:51 - 2012-11-03 15:07 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-10-30 16:51 - 2012-11-03 15:07 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-10-30 16:51 - 2012-11-03 15:07 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-10-30 16:51 - 2012-11-03 15:07 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-10-30 16:50 - 2012-11-03 15:07 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-10-30 16:50 - 2012-11-03 15:07 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-10-29 11:28 - 2012-10-29 11:12 - 141930336 ____A C:\Users\Glory\Desktop\Rkill.exe
2012-10-29 01:20 - 2012-10-29 01:20 - 00000575 ____A C:\Users\Glory\Desktop\OTL.exe - Shortcut.lnk
2012-10-29 00:53 - 2012-10-29 00:53 - 00000616 ____A C:\Users\Glory\Desktop\ComboFix - Shortcut.lnk
2012-10-28 13:24 - 2011-12-21 23:53 - 00000400 ____A C:\rkill.log
2012-10-27 22:22 - 2012-10-27 22:22 - 00003352 ____N C:\bootsqm.dat
2012-10-26 23:35 - 2012-02-28 00:02 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-15 09:59 - 2012-11-03 15:07 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-10-03 12:20 - 2012-05-02 14:34 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-29 18:54 - 2011-02-08 17:12 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-26 18:49 - 2009-07-13 23:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-26 11:00 - 2012-09-16 22:46 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
2012-09-24 18:42 - 2009-07-13 20:34 - 00000478 ____A C:\Windows\win.ini
2012-09-17 10:19 - 2010-11-26 06:09 - 00113912 ____A C:\Users\Glory\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-17 10:15 - 2009-07-13 22:45 - 00425784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-16 22:49 - 2012-09-16 22:49 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-09-16 22:47 - 2012-09-16 22:47 - 00001950 ____A C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2012-09-16 22:46 - 2012-09-16 22:46 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-09-16 13:30 - 2012-09-16 11:51 - 1466226688 ____A C:\Users\Glory\Downloads\SW_DVD5_Office_Professional_Plus_2010w_SP1_64Bit_English_CORE_MLF_X17-76756.ISO
2012-09-16 09:30 - 2010-11-26 15:02 - 00790236 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-14 13:23 - 2012-10-11 12:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-14 12:30 - 2012-10-11 12:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-09-06 19:54 - 2012-09-06 19:49 - 00000912 ____A C:\user.js
2012-09-06 17:15 - 2012-09-06 17:15 - 00000185 ____A C:\Users\Glory\Desktop\Microsoft Outlook Web Access - XIL003 Gateway.url
2012-09-05 21:40 - 2012-09-05 21:40 - 00000943 ____A C:\Users\Public\Desktop\µTorrent.lnk
2012-08-31 12:02 - 2012-10-11 12:45 - 01656688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-08-30 21:03 - 2012-08-30 21:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 21:03 - 2011-04-27 14:25 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-30 12:11 - 2012-10-11 12:43 - 05505904 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-30 11:18 - 2012-10-11 12:43 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-08-30 11:18 - 2012-10-11 12:43 - 03902832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-08-24 12:05 - 2012-10-11 12:41 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-24 11:10 - 2012-10-11 12:41 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-08-24 05:15 - 2012-09-24 18:39 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 04:39 - 2012-09-24 18:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 04:31 - 2012-09-24 18:39 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 04:22 - 2012-09-24 18:39 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 04:21 - 2012-09-24 18:39 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 04:20 - 2012-09-24 18:39 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 04:18 - 2012-09-24 18:39 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 04:17 - 2012-09-24 18:39 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 04:14 - 2012-09-24 18:39 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 04:14 - 2012-09-24 18:39 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 04:13 - 2012-09-24 18:39 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 04:12 - 2012-09-24 18:39 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 04:11 - 2012-09-24 18:39 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 04:10 - 2012-09-24 18:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 04:09 - 2012-09-24 18:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 04:04 - 2012-09-24 18:39 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-24 01:27 - 2012-09-24 18:39 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-24 01:03 - 2012-09-24 18:39 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-24 00:59 - 2012-09-24 18:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-24 00:51 - 2012-09-24 18:39 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-24 00:51 - 2012-09-24 18:39 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-24 00:51 - 2012-09-24 18:39 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-24 00:49 - 2012-09-24 18:39 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-24 00:48 - 2012-09-24 18:39 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-24 00:47 - 2012-09-24 18:39 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-24 00:47 - 2012-09-24 18:39 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-24 00:47 - 2012-09-24 18:39 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-24 00:45 - 2012-09-24 18:39 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-24 00:44 - 2012-09-24 18:40 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-24 00:44 - 2012-09-24 18:39 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-24 00:43 - 2012-09-24 18:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-24 00:40 - 2012-09-24 18:39 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-18 09:43 - 2012-10-11 12:42 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-08-18 09:43 - 2012-10-11 12:42 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-08-18 09:43 - 2012-10-11 12:42 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-08-18 09:42 - 2012-10-11 12:43 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-08-18 09:40 - 2012-10-11 12:42 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-08-18 09:37 - 2012-10-11 12:43 - 01162240 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-08-18 09:37 - 2012-10-11 12:43 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-08-18 09:34 - 2012-10-11 12:43 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-08-18 09:22 - 2012-10-11 12:42 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-18 09:22 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-08-18 05:22 - 2012-10-11 12:42 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-08-18 05:19 - 2012-10-11 12:42 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-08-18 05:17 - 2012-10-11 12:43 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-08-18 05:17 - 2012-10-11 12:43 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-08-18 05:17 - 2012-10-11 12:42 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-08-18 05:09 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-08-18 03:12 - 2012-10-11 12:42 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-08-18 03:12 - 2012-10-11 12:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-08-18 03:07 - 2012-10-11 12:42 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-08-18 03:07 - 2012-10-11 12:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-18 03:07 - 2012-10-11 12:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-18 03:07 - 2012-10-11 12:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-08-10 18:53 - 2012-10-11 12:41 - 00714752 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-08-10 17:54 - 2012-10-11 12:41 - 00541184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2012-09-24 18:17:09
Restore point made on: 2012-09-26 18:33:25
Restore point made on: 2012-09-27 19:03:49
Restore point made on: 2012-10-02 14:39:04
Restore point made on: 2012-10-03 12:18:58
Restore point made on: 2012-10-06 13:50:45
Restore point made on: 2012-10-11 12:45:50
Restore point made on: 2012-10-12 19:57:20
Restore point made on: 2012-10-17 15:39:13
Restore point made on: 2012-10-22 13:02:12
Restore point made on: 2012-10-25 14:15:19
Restore point made on: 2012-10-26 22:18:37
Restore point made on: 2012-11-03 08:45:54

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 3002.92 MB
Available physical RAM: 2377.72 MB
Total Pagefile: 6003.99 MB
Available Pagefile: 5393.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:283.49 GB) (Free:192.2 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:14.31 GB) (Free:2.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
7 Drive i: () (Removable) (Total:3.74 GB) (Free:2.05 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 103 MB
Disk 1 Online 3839 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 283 GB 200 MB
Partition 3 Primary 14 GB 283 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 C NTFS Partition 283 GB Healthy Boot

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 D RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3827 MB 19 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 I FAT32 Removable 3827 MB Healthy

=========================================================

Last Boot: 2012-10-23 10:26

==================== End Of Log =============================
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP