Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan:DOS/Alureon.A [Solved]

Started by gg101 , Oct 29 2012 12:29 AM

  • This topic is locked This topic is locked

#31
gg101
Posted 04 November 2012 - 04:24 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
hi, well this is what happens when I tried running it on repair your computer, it asked me to pick the language and I did. then it asked me to type my log in password so that I may us as administartor. then the SYSTEM RECOVERY OPTION menu opened and I clicked on COMMAND PROMPT, then I typed NOTEPAD, and when it opened up I clicked on FILE, then OPEN, the I went to my I: drive and found I:\FRST64.exe then I clicked on that and hit ENTER. after that a whole bunch of weird symbols (in the open page it said it was in ANSI format)and letters opened on the notepad and the only thing I was able to read on there was on the second line and it said this program cannot run in DOS mode. Do you think the virus is preventing me from running these programs?
  • 0

Advertisements

#32
maliprog
Posted 05 November 2012 - 12:39 AM

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi gg101,

You must use Notepad only to find your drive letter. And you did it. It's I. After that close Notepad and do all the rest steps back in Command Prompt:

  • In the command window type i:\frst.exe (for x64 bit version type i:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive (in your case it's I).
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0

#33
gg101
Posted 05 November 2012 - 04:07 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, Here is the log.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-10-2012 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 05-11-2012 15:54:47
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6160928 2010-01-29] (Realtek Semiconductor)
HKLM\...\Run: [RtkOSD] C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2010-01-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [451072 2010-01-18] (Hewlett-Packard Company)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [172032 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [397992 2011-07-26] (Ask)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981656 2012-09-29] (Malwarebytes Corporation)
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-09-26] (Sendori, Inc.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [947808 2012-09-16] ()
HKLM-x32\...\Run: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [856160 2012-09-16] ()
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Glory\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Glory\...\Run: [cdloader] "C:\Users\Glory\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2010-10-08] (magicJack L.P.)
HKU\Glory\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671904 2012-08-28] (DT Soft Ltd)
HKU\Glory\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-16] (Google Inc.)
HKU\Mcx1-GLORY-PC\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\PictureMover.lnk
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Services (Whitelisted) ===================

2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-09-26] (Sendori, Inc.)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)
2 Browser Manager; C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [2309656 2012-10-10] ()
2 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [20480 2010-01-18] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 NovacomD; C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe [71168 2011-03-15] (Palm)
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-06] ()
2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [15208 2012-09-26] (sendori)
2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-09-26] (Sendori)
2 vToolbarUpdater12.2.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-09-16] ()

==================== Drivers (Whitelisted) =====================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-10-15] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [31080 2012-09-16] (AVG Technologies)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-09-16] (DT Soft Ltd)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
0 hsyf; C:\Windows\System32\drivers\pmehele.sys [x]
0 hwcurcc; C:\Windows\System32\drivers\hlpbggxt.sys [x]
0 qtgj; C:\Windows\System32\drivers\nrolf.sys [x]
0 shep; C:\Windows\System32\drivers\dkauii.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-03 13:14 - 2012-11-03 13:14 - 00002289 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-03 13:08 - 2012-11-03 13:26 - 00002111 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-11-03 13:08 - 2012-10-30 14:51 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-11-03 13:08 - 2012-10-30 14:51 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-11-03 13:07 - 2012-11-03 13:07 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-03 13:07 - 2012-11-03 13:07 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-11-03 13:07 - 2012-11-03 13:07 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-03 13:07 - 2012-11-03 13:07 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-11-03 13:07 - 2012-10-30 14:51 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-11-03 13:07 - 2012-10-30 14:51 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-11-03 13:07 - 2012-10-30 14:51 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-11-03 13:07 - 2012-10-30 14:51 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-11-03 13:07 - 2012-10-30 14:50 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-11-03 13:07 - 2012-10-30 14:50 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-11-03 13:07 - 2012-10-15 07:59 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-11-03 06:33 - 2012-11-03 06:33 - 00061440 ____A C:\Windows\SysWOW64\Drivers\pmehele.sys
2012-11-03 06:33 - 2012-11-03 06:33 - 00000084 ____A C:\mmgk.txt
2012-11-03 06:20 - 2012-11-03 06:20 - 00061440 ____A C:\Windows\SysWOW64\Drivers\hlpbggxt.sys
2012-11-03 06:20 - 2012-11-03 06:20 - 00000084 ____A C:\Program Files (x86)\pwwuc.txt
2012-11-03 06:18 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-02 08:32 - 2012-11-02 08:32 - 00061440 ____A C:\Windows\SysWOW64\Drivers\nrolf.sys
2012-11-02 08:32 - 2012-11-02 08:32 - 00000084 ____A C:\oacux.txt
2012-11-02 08:30 - 2008-05-30 20:09 - 00731136 ____A C:\Users\Glory\Desktop\avenger.exe
2012-11-02 07:46 - 2012-11-02 07:46 - 00061440 ____A C:\Windows\SysWOW64\Drivers\dkauii.sys
2012-11-02 07:46 - 2012-11-02 07:46 - 00000084 ____A C:\Windows\SysWOW64\axjguo.txt
2012-11-02 07:29 - 2012-11-02 07:29 - 00724952 ____A C:\Users\Glory\Desktop\avenger.zip
2012-11-01 20:30 - 2012-11-01 20:30 - 00000000 ___SD C:\ComboFix
2012-10-29 09:44 - 2012-10-29 09:44 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-10-29 09:12 - 2012-10-29 09:28 - 141930336 ____A C:\Users\Glory\Desktop\Rkill.exe
2012-10-28 23:31 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-10-28 23:31 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-10-28 23:31 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-10-28 23:31 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-10-28 23:31 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-10-28 23:31 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-10-28 23:31 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-10-28 23:31 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-10-28 23:30 - 2012-11-01 20:30 - 00000000 ____D C:\Qoobox
2012-10-28 23:20 - 2012-10-28 23:20 - 00000575 ____A C:\Users\Glory\Desktop\OTL.exe - Shortcut.lnk
2012-10-28 22:53 - 2012-10-28 22:53 - 00000616 ____A C:\Users\Glory\Desktop\ComboFix - Shortcut.lnk
2012-10-28 22:46 - 2012-10-28 23:51 - 00000000 ____D C:\Windows\erdnt
2012-10-27 20:22 - 2012-10-27 20:22 - 00003352 ____N C:\bootsqm.dat
2012-10-27 20:21 - 2012-10-27 20:21 - 00000000 ____D C:\found.000
2012-10-26 19:08 - 2012-10-26 19:08 - 00000000 ____D C:\Windows\Sun
2012-10-11 10:45 - 2012-08-31 10:02 - 01656688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-10-11 10:44 - 2012-09-14 11:23 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-11 10:44 - 2012-09-14 10:30 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-10-11 10:43 - 2012-08-30 10:11 - 05505904 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-11 10:43 - 2012-08-30 09:18 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-10-11 10:43 - 2012-08-30 09:18 - 03902832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-10-11 10:43 - 2012-08-18 07:42 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-10-11 10:43 - 2012-08-18 07:37 - 01162240 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-10-11 10:43 - 2012-08-18 07:37 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-10-11 10:43 - 2012-08-18 07:34 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-10-11 10:43 - 2012-08-18 03:17 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-10-11 10:43 - 2012-08-18 03:17 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-10-11 10:42 - 2012-08-18 07:43 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-10-11 10:42 - 2012-08-18 07:43 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-10-11 10:42 - 2012-08-18 07:43 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-10-11 10:42 - 2012-08-18 07:40 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 07:22 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:22 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-10-11 10:42 - 2012-08-18 03:19 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-10-11 10:42 - 2012-08-18 03:17 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 03:09 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 01:12 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-10-11 10:42 - 2012-08-18 01:12 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-10-11 10:42 - 2012-08-18 01:07 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 01:07 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 01:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-11 10:42 - 2012-08-18 01:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-10-11 10:41 - 2012-08-24 10:05 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-11 10:41 - 2012-08-24 09:10 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-10-11 10:41 - 2012-08-10 16:53 - 00714752 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-10-11 10:41 - 2012-08-10 15:54 - 00541184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2012-10-11 10:41 - 2012-06-01 21:25 - 01462784 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-11 10:41 - 2012-06-01 21:25 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-11 10:41 - 2012-06-01 21:25 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-11 10:41 - 2012-06-01 20:45 - 01157632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-10-11 10:41 - 2012-06-01 20:45 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-10-11 10:41 - 2012-06-01 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll


==================== 3 Months Modified Files ==================

2012-11-04 13:55 - 2010-07-08 00:29 - 01703552 ____A C:\Windows\WindowsUpdate.log
2012-11-04 13:49 - 2009-07-13 21:13 - 00791694 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-03 17:23 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-03 17:23 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-03 17:19 - 2012-09-16 10:21 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-03 17:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-03 17:16 - 2009-07-13 20:51 - 00078635 ____A C:\Windows\setupact.log
2012-11-03 14:04 - 2012-09-16 10:21 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-03 13:26 - 2012-11-03 13:08 - 00002111 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-11-03 13:21 - 2010-11-26 10:58 - 00259746 ____A C:\Windows\PFRO.log
2012-11-03 13:14 - 2012-11-03 13:14 - 00002289 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-03 13:07 - 2012-11-03 13:07 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-03 13:07 - 2012-11-03 13:07 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-11-03 06:33 - 2012-11-03 06:33 - 00061440 ____A C:\Windows\SysWOW64\Drivers\pmehele.sys
2012-11-03 06:33 - 2012-11-03 06:33 - 00000084 ____A C:\mmgk.txt
2012-11-03 06:20 - 2012-11-03 06:20 - 00061440 ____A C:\Windows\SysWOW64\Drivers\hlpbggxt.sys
2012-11-03 06:20 - 2012-11-03 06:20 - 00000084 ____A C:\Program Files (x86)\pwwuc.txt
2012-11-02 08:32 - 2012-11-02 08:32 - 00061440 ____A C:\Windows\SysWOW64\Drivers\nrolf.sys
2012-11-02 08:32 - 2012-11-02 08:32 - 00000084 ____A C:\oacux.txt
2012-11-02 07:46 - 2012-11-02 07:46 - 00061440 ____A C:\Windows\SysWOW64\Drivers\dkauii.sys
2012-11-02 07:46 - 2012-11-02 07:46 - 00000084 ____A C:\Windows\SysWOW64\axjguo.txt
2012-11-02 07:29 - 2012-11-02 07:29 - 00724952 ____A C:\Users\Glory\Desktop\avenger.zip
2012-11-01 08:01 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-10-30 14:51 - 2012-11-03 13:08 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-10-30 14:51 - 2012-11-03 13:08 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-10-30 14:51 - 2012-11-03 13:07 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-10-30 14:51 - 2012-11-03 13:07 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-10-30 14:51 - 2012-11-03 13:07 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-10-30 14:51 - 2012-11-03 13:07 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-10-30 14:50 - 2012-11-03 13:07 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-10-30 14:50 - 2012-11-03 13:07 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-10-29 09:28 - 2012-10-29 09:12 - 141930336 ____A C:\Users\Glory\Desktop\Rkill.exe
2012-10-28 23:20 - 2012-10-28 23:20 - 00000575 ____A C:\Users\Glory\Desktop\OTL.exe - Shortcut.lnk
2012-10-28 22:53 - 2012-10-28 22:53 - 00000616 ____A C:\Users\Glory\Desktop\ComboFix - Shortcut.lnk
2012-10-28 11:24 - 2011-12-21 21:53 - 00000400 ____A C:\rkill.log
2012-10-27 20:22 - 2012-10-27 20:22 - 00003352 ____N C:\bootsqm.dat
2012-10-26 21:35 - 2012-02-27 22:02 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-15 07:59 - 2012-11-03 13:07 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-10-03 10:20 - 2012-05-02 12:34 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-29 16:54 - 2011-02-08 15:12 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-26 16:49 - 2009-07-13 21:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-26 09:00 - 2012-09-16 20:46 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
2012-09-24 16:42 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-09-17 08:19 - 2010-11-26 04:09 - 00113912 ____A C:\Users\Glory\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-17 08:15 - 2009-07-13 20:45 - 00425784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-16 20:49 - 2012-09-16 20:49 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-09-16 20:47 - 2012-09-16 20:47 - 00001950 ____A C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2012-09-16 20:46 - 2012-09-16 20:46 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-09-16 11:30 - 2012-09-16 09:51 - 1466226688 ____A C:\Users\Glory\Downloads\SW_DVD5_Office_Professional_Plus_2010w_SP1_64Bit_English_CORE_MLF_X17-76756.ISO
2012-09-16 07:30 - 2010-11-26 13:02 - 00790236 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-14 11:23 - 2012-10-11 10:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-14 10:30 - 2012-10-11 10:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-09-06 17:54 - 2012-09-06 17:49 - 00000912 ____A C:\user.js
2012-09-06 15:15 - 2012-09-06 15:15 - 00000185 ____A C:\Users\Glory\Desktop\Microsoft Outlook Web Access - XIL003 Gateway.url
2012-09-05 19:40 - 2012-09-05 19:40 - 00000943 ____A C:\Users\Public\Desktop\µTorrent.lnk
2012-08-31 10:02 - 2012-10-11 10:45 - 01656688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-08-30 19:03 - 2012-08-30 19:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 19:03 - 2011-04-27 12:25 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-30 10:11 - 2012-10-11 10:43 - 05505904 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-30 09:18 - 2012-10-11 10:43 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-08-30 09:18 - 2012-10-11 10:43 - 03902832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-08-24 10:05 - 2012-10-11 10:41 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-24 09:10 - 2012-10-11 10:41 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-08-24 03:15 - 2012-09-24 16:39 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 02:39 - 2012-09-24 16:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:31 - 2012-09-24 16:39 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:22 - 2012-09-24 16:39 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:21 - 2012-09-24 16:39 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:20 - 2012-09-24 16:39 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:18 - 2012-09-24 16:39 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:17 - 2012-09-24 16:39 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:14 - 2012-09-24 16:39 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:14 - 2012-09-24 16:39 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:13 - 2012-09-24 16:39 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:12 - 2012-09-24 16:39 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:11 - 2012-09-24 16:39 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:10 - 2012-09-24 16:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:09 - 2012-09-24 16:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:04 - 2012-09-24 16:39 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 23:27 - 2012-09-24 16:39 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 23:03 - 2012-09-24 16:39 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 22:59 - 2012-09-24 16:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 22:51 - 2012-09-24 16:39 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 22:51 - 2012-09-24 16:39 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 22:51 - 2012-09-24 16:39 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 22:49 - 2012-09-24 16:39 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 22:48 - 2012-09-24 16:39 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 22:47 - 2012-09-24 16:39 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 22:47 - 2012-09-24 16:39 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-23 22:47 - 2012-09-24 16:39 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 22:45 - 2012-09-24 16:39 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-23 22:44 - 2012-09-24 16:40 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 22:44 - 2012-09-24 16:39 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 22:43 - 2012-09-24 16:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 22:40 - 2012-09-24 16:39 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-18 07:43 - 2012-10-11 10:42 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-08-18 07:43 - 2012-10-11 10:42 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-08-18 07:43 - 2012-10-11 10:42 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-08-18 07:42 - 2012-10-11 10:43 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-08-18 07:40 - 2012-10-11 10:42 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-08-18 07:37 - 2012-10-11 10:43 - 01162240 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-08-18 07:37 - 2012-10-11 10:43 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-08-18 07:34 - 2012-10-11 10:43 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-08-18 07:22 - 2012-10-11 10:42 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-18 07:22 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-08-18 03:22 - 2012-10-11 10:42 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-08-18 03:19 - 2012-10-11 10:42 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-08-18 03:17 - 2012-10-11 10:43 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-08-18 03:17 - 2012-10-11 10:43 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-08-18 03:17 - 2012-10-11 10:42 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-08-18 03:09 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-08-18 01:12 - 2012-10-11 10:42 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-08-18 01:12 - 2012-10-11 10:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-08-18 01:07 - 2012-10-11 10:42 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-08-18 01:07 - 2012-10-11 10:42 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-18 01:07 - 2012-10-11 10:42 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-18 01:07 - 2012-10-11 10:42 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-08-10 16:53 - 2012-10-11 10:41 - 00714752 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-08-10 15:54 - 2012-10-11 10:41 - 00541184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-24 16:17:09
Restore point made on: 2012-09-26 16:33:25
Restore point made on: 2012-09-27 17:03:49
Restore point made on: 2012-10-02 12:39:04
Restore point made on: 2012-10-03 10:18:58
Restore point made on: 2012-10-06 11:50:45
Restore point made on: 2012-10-11 10:45:50
Restore point made on: 2012-10-12 17:57:20
Restore point made on: 2012-10-17 13:39:13
Restore point made on: 2012-10-22 11:02:12
Restore point made on: 2012-10-25 12:15:19
Restore point made on: 2012-10-26 20:18:37
Restore point made on: 2012-11-03 06:45:54

==================== Memory info ===========================

Percentage of memory in use: 22%
Total physical RAM: 3002.92 MB
Available physical RAM: 2341.33 MB
Total Pagefile: 3001.07 MB
Available Pagefile: 2332.87 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:283.49 GB) (Free:192.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:14.31 GB) (Free:2.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive i: () (Removable) (Total:3.74 GB) (Free:2.53 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 103 MB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3839 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 283 GB 200 MB
Partition 3 Primary 14 GB 283 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 283 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3827 MB 19 KB

==================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I FAT32 Removable 3827 MB Healthy

=========================================================

Last Boot: 2012-10-23 08:26

==================== End Of Log =============================

Edited by gg101, 05 November 2012 - 04:08 PM.

  • 0

#34
maliprog
Posted 06 November 2012 - 12:30 AM

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi gg101,

Step 1

  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste).
  • Save it on the flashdrive as fixlist.txt

start
C:\Windows\svchost.exe
0 hsyf; C:\Windows\System32\drivers\pmehele.sys [x]
0 hwcurcc; C:\Windows\System32\drivers\hlpbggxt.sys [x]
0 qtgj; C:\Windows\System32\drivers\nrolf.sys [x]
0 shep; C:\Windows\System32\drivers\dkauii.sys [x]
C:\Windows\System32\drivers\pmehele.sys
C:\Windows\System32\drivers\hlpbggxt.sys
C:\Windows\System32\drivers\dkauii.sys
C:\Windows\System32\drivers\nrolf.sys
end


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

Step 2

  • On your desktop should be a file:

    C:\Users\Glory\Desktop\MBR.dat
  • Right-click that file, point to Send To, and then click Compressed (zipped) Folder.
  • A new compressed file is created.
  • Please attach that file in your next reply.
How to add an attachment to a new topic or reply

Step 3

Please don't forget to include these items in your reply:

  • FRST fix log
  • MBR.zip attached
It would be helpful if you could post each log in separate post using "Add Reply" button
  • 0

#35
gg101
Posted 06 November 2012 - 09:18 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, here is the frst log for you.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-11-2012
Ran by SYSTEM at 2012-11-06 21:09:38 Run:1
Running from G:\

==============================================

C:\Windows\svchost.exe moved successfully.
hsyf service deleted successfully.
hwcurcc service deleted successfully.
qtgj service deleted successfully.
shep service deleted successfully.
C:\Windows\System32\drivers\pmehele.sys not found.
C:\Windows\System32\drivers\hlpbggxt.sys not found.
C:\Windows\System32\drivers\dkauii.sys not found.
C:\Windows\System32\drivers\nrolf.sys not found.

==== End of Fixlog ====
  • 0

#36
gg101
Posted 06 November 2012 - 09:26 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
hi, as far as the mbrzip, that file is not on my desktop at all. I did a search for it and that only thing I found was an mbr file and when I clicked on it the command prompt opened up and closed immediately.
  • 0

#37
maliprog
Posted 07 November 2012 - 12:12 AM

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts

hi, as far as the mbrzip, that file is not on my desktop at all. I did a search for it and that only thing I found was an mbr file and when I clicked on it the command prompt opened up and closed immediately.


OK. We'll come back to MBR.dat later.

Before we continue can you test your system now. Looks like FRST manage to remove infection.
  • 0

#38
gg101
Posted 07 November 2012 - 06:19 AM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hello, well After I ran frst and searched for the mrbzip I had decided to run a malwarebyte scan and the two trojans were still there. I will copy/paste the log for you to see.
  • 0

#39
maliprog
Posted 07 November 2012 - 06:48 AM

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
We still have work to do then. I need MBR.dat. Please run aswMBR.exe one more time and at the and of the scan you will have MBR.dat at the same folder from where you run aswMBR.exe. Please don't post it this time but attach it to your post.


How to add an attachment to a new topic or reply

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post aswMBR.txt in your next reply
  • Also, aswMBR will save additional file named MBR.dat. Attach it to your next reply

  • 0

#40
gg101
Posted 07 November 2012 - 03:48 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, here is the file along with the txt.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-11-07 15:36:40
-----------------------------
15:36:40.420 OS Version: Windows x64 6.1.7600
15:36:40.420 Number of processors: 2 586 0x170A
15:36:40.420 ComputerName: GLORY-PC UserName: Glory
15:36:41.153 Initialize success
15:36:42.775 AVAST engine defs: 12110301
15:38:15.923 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:38:15.939 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 305245MB BusType: 3
15:38:15.939 Device \Driver\iaStor -> MajorFunction fffffa80041255e8
15:38:15.939 Disk 0 MBR read successfully
15:38:15.939 Disk 0 MBR scan
15:38:16.407 Disk 0 unknown MBR code
15:38:16.438 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
15:38:17.093 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 290292 MB offset 409600
15:38:17.156 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14649 MB offset 594927616
15:38:17.202 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 624928768
15:38:17.717 Disk 0 scanning C:\Windows\system32\drivers
15:38:32.693 Service scanning
15:38:53.660 Modules scanning
15:38:53.660 Disk 0 trace - called modules:
15:38:53.675 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80041255e8]<<
15:38:53.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003e0f420]
15:38:53.691 3 CLASSPNP.SYS[fffff880015d043f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002406050]
15:38:53.691 \Driver\iaStor[0xfffffa800409d380] -> IRP_MJ_CREATE -> 0xfffffa80041255e8
15:38:54.050 AVAST engine scan C:\Windows
15:38:56.686 AVAST engine scan C:\Windows\system32
15:41:13.670 AVAST engine scan C:\Windows\system32\drivers
15:41:22.172 AVAST engine scan C:\Users\Glory
15:43:39.998 Disk 0 MBR has been saved successfully to "C:\Users\Glory\Desktop\MBR.dat"
15:43:40.014 The log file has been saved successfully to "C:\Users\Glory\Desktop\aswMBR.txt"

Attached Files

  • Attached File  MBR.dat   512bytes   182 downloads

Edited by gg101, 07 November 2012 - 03:50 PM.

  • 0

Advertisements

#41
maliprog
Posted 08 November 2012 - 12:34 AM

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
After this step check your system with Malwarebytes again and tell me is infection gone.


  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste).
  • Save it on the flashdrive as fixlist.txt

start
C:\Windows\svchost.exe
CMD: bootrec /FixMBR
end


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.
  • 0

#42
gg101
Posted 08 November 2012 - 03:39 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, I ran frst and here is the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2012
Ran by SYSTEM at 2012-11-08 15:31:10 Run:2
Running from H:\

==============================================

C:\Windows\svchost.exe moved successfully.

========= bootrec /FixMBR =========

˙ūT h e o p e r a t i o n c o m p l e t e d s u c c e s s f u l l y .

========= End of CMD: =========


==== End of Fixlog ====
  • 0

#43
gg101
Posted 08 November 2012 - 03:46 PM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi, I ran the scan for malwarebyte and the virus is still there. Here is the log for you to see... :(

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.07.09

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Glory :: GLORY-PC [administrator]

11/8/2012 3:38:22 PM
mbam-log-2012-11-08 (15-38-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224720
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2560 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
  • 0

#44
maliprog
Posted 09 November 2012 - 12:37 AM

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi gg101,

Step 1

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :processes
    killallprocesses

    :OTL
    SRV - [2012/10/10 06:24:19 | 002,309,656 | ---- | M] () [Auto | Stopped] -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -- (Browser Manager)
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...0001c659d04b37f
    IE - HKCU\..\SearchScopes\{F1235FA0-589A-44FE-AD28-937A270EC3C0}: "URL" = http://websearch.ask...7F-68AB53308F31
    O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
    O2 - BHO: (Support.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Support.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O20 - AppInit_DLLs: (c:\PROGRA~3\BROWSE~1\23787~1.43\{16CDF~1\browsemngr.dll) - c:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll ()
    O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
    [2012/09/06 20:49:24 | 000,000,000 | ---D | M] -- C:\Users\Glory\AppData\Roaming\Babylon

    :Files
    C:\Windows\svchost.exe

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Please delete your version of combofix and download new version as you did first time.

Run scan and post log here for me.

Step 3

Please start your windows in Normal mode and do this OTL scan.

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open notepad window. OTL.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Combofix log
  • New OTL scan log
It would be helpful if you could post each log in separate post using "Add Reply" button
  • 0

#45
gg101
Posted 09 November 2012 - 08:33 AM

gg101

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Morning, here is the OTL, I will run combofix next.

========== PROCESSES ==========
All processes killed
========== OTL ==========
Service Browser Manager stopped successfully!
Service Browser Manager deleted successfully!
C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F1235FA0-589A-44FE-AD28-937A270EC3C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1235FA0-589A-44FE-AD28-937A270EC3C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\PROGRA~3\BROWSE~1\23787~1.43\{16CDF~1\browsemngr.dll deleted successfully.
c:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll moved successfully.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
C:\Users\Glory\AppData\Roaming\Babylon folder moved successfully.
========== FILES ==========
File move failed. C:\Windows\svchost.exe scheduled to be moved on reboot.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 11092012_071728
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP