
Win32/Olmarik.TDL4 trojan Win 7 64 bit. From system restore virus.


tashana


OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit

Processor: Intel® Core i7 CPU 920 @ 2.67GHz, Intel64 Family 6 Model 26 Stepping 5

Processor Count: 8

RAM: 6135 Mb

Graphics Card: NVIDIA GeForce GTX 580, 1536 Mb

Hard Drives: C: Total - 125367 MB, Free - 17926 MB; D: Total - 485001 MB, Free - 202038 MB; F: Total - 95385 MB, Free - 51863 MB;

Motherboard: ASUSTeK Computer INC., Rampage II Extreme

Antivirus: Lavasoft Ad-Watch Live! Anti-Virus, Updated and Enabled

I can take hard drive F out if it would help things.

NOD32 gives: Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean

Custom built PC.

I used to work in an IT dept of a call center, but it's all self taught. I'm not the smartest, but I do understand I don't know it all hehe, or I wouldn't need help.

It all started when my wife got a virus called System Restore, so I followed the guide at http://www.bleepingcomputer.com/viru...system-restore

It started on the 8th but could have been the 7th, not sure. But my TDSSKiller log was run on the 8th. I can rerun this if you think I should.

I think I have removed everything from the System Restore virus but this part, but I'm not sure.

Symptoms:

1. On start up iexplore.exe will open and run, but on the taskbar I don't see it open and can never see the page, so I close it in Task Manager. It will run ads in the background.

1a. I use PeerBlock to keep those sites from doing things while I am doing scans and such, so I don't know if this will affect the outcome.

2. Searches are redirected when clicked.

3. Load time of pages has slowed down, like the network can't get the page too fast. But opening and closing programs seems to be about the same in speed.

4. NOD32 gives: Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean

4a. NOD32 is the only one out of about 5 that I have run that sees this file.

I have run multiple virus programs and such. SUPERAntiSpyware will show some cookies each time it scans, but I lost the free trial to it last night, I think. I have removed the AVG and Kaspersky trials as I switched from one to the other. At this time I do have Ad-Aware and NOD32 on the PC; Malwarebytes is also still on the PC. I haven't removed SUPERAntiSpyware yet.

I don't know if this will affect the outcome for ComboFix, but I totally overlooked where I need to put it on the desktop, so I ran it from the Firefox download folder where it was saved. If this needs to be rescanned from the desktop I can redo this. But I will include it with my post here as I see it is needed everywhere I read about it.

--------------------------

ComboFix log. Let me know if I need to do it from the desktop in the future; I'm sure I will.

ComboFix 11-11-25.01 - Dustin 11/25/2011 0:41.2.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.4159 [GMT -5:00]

Running from: c:\users\Dustin\Downloads\ComboFix.exe

AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))

.

.

2011-11-25 06:18 . 2011-11-25 06:18 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9F6F1FED-D398-40B9-B443-AE4EB60D1F90}\offreg.dll

2011-11-25 06:13 . 2011-11-25 06:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-11-25 06:13 . 2011-11-25 06:13 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2011-11-25 06:13 . 2011-11-25 06:13 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-25 02:52 . 2011-11-25 02:52 -------- d-----w- c:\program files\ESET

2011-11-24 09:56 . 2011-11-24 09:56 88 --sh--r- c:\programdata\D1E4B4E609.sys

2011-11-23 02:41 . 2011-11-23 02:42 -------- d-----w- c:\program files (x86)\FileZilla Server

2011-11-21 06:52 . 2011-11-21 06:52 -------- d-----w- c:\windows\system32\ioncube

2011-11-21 02:34 . 2011-11-21 02:34 388096 ----a-r- c:\users\Dustin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-11-21 02:34 . 2011-11-21 02:34 -------- d-----w- c:\program files (x86)\Trend Micro

2011-11-20 05:09 . 2009-12-14 17:44 85048 ----a-w- c:\windows\system32\drivers\CSCrySec.sys

2011-11-20 05:09 . 2009-12-14 17:44 66104 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys

2011-11-17 06:54 . 2011-11-17 05:11 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-11-17 05:12 . 2011-11-17 05:12 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-11-17 05:06 . 2011-11-03 17:06 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-11-17 05:06 . 2011-11-17 05:06 -------- d-----w- c:\programdata\Lavasoft

2011-11-17 05:06 . 2011-11-17 05:06 -------- d-----w- c:\program files (x86)\Lavasoft

2011-11-16 19:19 . 2011-11-16 19:19 -------- d-----w- C:\$AVG

2011-11-16 18:29 . 2011-11-16 18:29 -------- d--h--w- c:\programdata\Common Files

2011-11-16 18:15 . 2011-11-17 00:31 -------- d-----w- c:\programdata\MFAData

2011-11-10 21:34 . 2011-11-05 06:53 134104 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll

2011-11-10 21:34 . 2011-11-05 06:53 89048 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll

2011-11-10 21:34 . 2011-11-05 06:53 801752 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll

2011-11-10 21:34 . 2011-11-05 06:53 478168 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll

2011-11-10 21:34 . 2011-11-05 06:53 1989592 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll

2011-11-10 21:34 . 2011-11-05 06:53 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll

2011-11-10 21:34 . 2011-11-05 03:21 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll

2011-11-10 21:34 . 2011-11-05 03:21 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll

2011-11-10 04:31 . 2011-11-10 04:31 -------- d-----w- c:\users\Dustin\AppData\Roaming\SUPERAntiSpyware.com

2011-11-10 04:31 . 2011-11-10 04:31 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-11-10 04:31 . 2011-11-10 04:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-11-09 19:43 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-09 19:43 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-09 19:43 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 19:43 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys

2011-11-09 01:51 . 2011-11-09 01:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-11-08 02:18 . 2011-11-08 02:18 -------- d-----r- c:\program files (x86)\Skype

2011-11-04 22:01 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9F6F1FED-D398-40B9-B443-AE4EB60D1F90}\mpengine.dll

2011-11-04 03:46 . 2011-11-04 03:46 -------- d-----w- c:\windows\CheckSur

2011-11-01 04:48 . 2011-11-01 04:48 -------- d-----w- c:\program files (x86)\Safari

2011-10-28 22:24 . 2011-11-11 20:48 -------- d-----w- c:\users\Dustin\AppData\Roaming\mIRC

2011-10-28 22:24 . 2011-10-28 22:24 -------- d-----w- c:\program files (x86)\mIRC

2011-10-28 02:01 . 2011-10-28 02:01 -------- d-----w- c:\users\Dustin\AppData\Roaming\Realtime Soft

2011-10-28 02:01 . 2011-10-28 02:01 -------- d-----w- c:\programdata\Realtime Soft

2011-10-28 02:01 . 2011-10-28 02:01 -------- d-----w- c:\program files\UltraMon

2011-10-28 02:01 . 2011-10-28 02:01 -------- d-----w- c:\program files (x86)\Common Files\Realtime Soft

2011-10-27 02:04 . 2011-10-27 07:08 -------- d-----w- c:\users\Dustin\AppData\Local\ESN Sonar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-24 09:56 . 2011-02-13 06:39 4598 --sha-w- c:\programdata\KGyGaAvL.sys

2011-11-07 10:28 . 2011-09-24 05:45 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2011-11-07 10:28 . 2011-04-25 02:22 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe

2011-11-07 10:17 . 2011-04-25 02:22 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2011-10-26 00:15 . 2011-05-19 01:04 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-25 14:25 . 2011-04-25 02:22 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe

2011-10-15 08:53 . 2011-10-26 00:08 7581504 ----a-w- c:\windows\system32\nvcuda.dll

2011-10-15 08:53 . 2011-10-26 00:08 68928 ----a-w- c:\windows\system32\OpenCL.dll

2011-10-15 08:53 . 2011-10-26 00:08 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll

2011-10-15 08:53 . 2011-10-26 00:08 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll

2011-10-15 08:53 . 2011-10-26 00:08 2542912 ----a-w- c:\windows\system32\nvcuvid.dll

2011-10-15 08:53 . 2011-10-26 00:08 24796992 ----a-w- c:\windows\system32\nvcompiler.dll

2011-10-15 08:53 . 2011-10-26 00:08 24742720 ----a-w- c:\windows\system32\nvoglv64.dll

2011-10-15 08:53 . 2011-10-26 00:08 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll

2011-10-15 08:53 . 2011-10-26 00:08 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll

2011-10-15 08:53 . 2011-10-26 00:08 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll

2011-10-15 08:53 . 2011-10-26 00:08 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll

2011-10-15 08:53 . 2011-10-26 00:08 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll

2011-10-15 08:53 . 2011-10-26 00:08 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll

2011-10-15 08:53 . 2011-10-26 00:08 1533248 ----a-w- c:\windows\system32\nvdispco64.dll

2011-10-15 08:53 . 2011-10-26 00:08 1454400 ----a-w- c:\windows\system32\nvgenco64.dll

2011-10-15 08:53 . 2011-10-26 00:08 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2011-10-15 08:53 . 2011-08-06 13:11 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll

2011-10-15 08:53 . 2011-08-06 13:11 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2011-10-15 08:53 . 2011-08-06 13:11 2808128 ----a-w- c:\windows\system32\nvapi64.dll

2011-10-15 08:53 . 2011-08-06 13:11 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll

2011-10-15 08:53 . 2011-08-06 13:11 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2011-10-15 08:53 . 2011-01-08 00:50 837952 ----a-w- c:\windows\system32\easyUpdatusAPIU64.dll

2011-10-15 08:53 . 2011-01-08 00:50 10406208 ----a-w- c:\windows\system32\nvcpl.dll

2011-10-15 08:53 . 2011-01-08 00:49 5067584 ----a-w- c:\windows\system32\nvsvc64.dll

2011-10-15 08:53 . 2011-01-08 00:49 222528 ----a-w- c:\windows\system32\nvmctray.dll

2011-10-15 08:53 . 2011-01-08 00:49 1640768 ----a-w- c:\windows\system32\nvvsvc.exe

2011-10-15 08:53 . 2010-07-09 20:27 137536 ----a-w- c:\windows\system32\nvshext.dll

2011-10-15 04:54 . 2011-10-15 04:54 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2011-09-01 05:24 . 2011-10-13 07:00 2309120 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 05:17 . 2011-10-13 07:00 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 05:12 . 2011-10-13 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-09-01 02:35 . 2011-10-13 07:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-09-01 02:28 . 2011-10-13 07:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-09-01 02:22 . 2011-10-13 07:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll

2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll

2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll

2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe

2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll

2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll

2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-17_04.00.07 )))))))))))))))))))))))))))))))))))))))))

.

- 2011-11-17 03:07 . 2011-11-17 03:07 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat

+ 2011-11-25 06:18 . 2011-11-25 06:16 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat

- 2011-11-17 03:07 . 2011-11-17 03:07 16384 c:\windows\temp\History\History.IE5\index.dat

+ 2011-11-25 06:18 . 2011-11-25 06:16 16384 c:\windows\temp\History\History.IE5\index.dat

- 2011-11-17 03:07 . 2011-11-17 03:07 16384 c:\windows\temp\Cookies\index.dat

+ 2011-11-25 06:18 . 2011-11-25 06:16 16384 c:\windows\temp\Cookies\index.dat

+ 2010-10-13 01:20 . 2011-11-25 06:18 92234 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2011-11-25 06:18 39470 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-10-13 00:52 . 2011-11-25 06:18 25532 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-39059309-325787191-288141660-1001_UserData.bin

+ 2011-11-17 05:06 . 2011-11-03 17:06 69376 c:\windows\system32\DRVSTORE\lbd_483F0BF7A3AD4ED71EB7FC6065CFD6B9C37DEB69\Lbd.sys

- 2009-07-14 05:30 . 2011-11-16 18:28 86016 c:\windows\system32\DriverStore\infpub.dat

+ 2009-07-14 05:30 . 2011-11-25 02:53 86016 c:\windows\system32\DriverStore\infpub.dat

+ 2009-07-14 04:46 . 2011-11-20 11:10 92448 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2011-11-25 02:52 . 2011-11-25 02:52 10134 c:\windows\Installer\{10E5F3FF-AD93-40C5-A0F5-13B9185DBB12}\callmsi.exe

+ 2011-11-23 09:44 . 2011-11-23 09:44 9560 c:\windows\system32\NetworkList\Icons\{98BF7480-CD53-4388-A1E5-2B6A8E05A5ED}_48.bin

+ 2011-11-23 09:44 . 2011-11-23 09:44 4280 c:\windows\system32\NetworkList\Icons\{98BF7480-CD53-4388-A1E5-2B6A8E05A5ED}_32.bin

+ 2011-11-23 09:44 . 2011-11-23 09:44 2456 c:\windows\system32\NetworkList\Icons\{98BF7480-CD53-4388-A1E5-2B6A8E05A5ED}_24.bin

+ 2011-11-25 06:16 . 2011-11-25 06:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-11-17 02:46 . 2011-11-17 02:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-11-17 02:46 . 2011-11-17 02:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-11-25 06:16 . 2011-11-25 06:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-07-14 02:36 . 2011-11-25 02:47 669534 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2011-11-25 02:47 125616 c:\windows\system32\perfc009.dat

+ 2011-11-21 06:52 . 2011-11-20 05:46 545792 c:\windows\system32\ioncube\ioncube_loader_win_5.3.dll

+ 2011-11-21 06:52 . 2011-11-20 05:46 448512 c:\windows\system32\ioncube\ioncube_loader_win_5.2.dll

+ 2011-11-21 06:52 . 2011-11-20 05:46 440832 c:\windows\system32\ioncube\ioncube_loader_win_5.1.dll

- 2009-07-14 05:30 . 2011-11-16 18:28 143360 c:\windows\system32\DriverStore\infstrng.dat

+ 2009-07-14 05:30 . 2011-11-25 02:53 143360 c:\windows\system32\DriverStore\infstrng.dat

- 2009-07-14 05:30 . 2011-11-16 18:28 143360 c:\windows\system32\DriverStore\infstor.dat

+ 2009-07-14 05:30 . 2011-11-25 02:53 143360 c:\windows\system32\DriverStore\infstor.dat

+ 2009-09-01 20:29 . 2009-09-01 20:29 157712 c:\windows\system32\drivers\kl1.sys

+ 2011-08-04 14:20 . 2011-08-04 14:20 137144 c:\windows\system32\drivers\epfwwfpr.sys

+ 2011-08-04 14:20 . 2011-08-04 14:20 146432 c:\windows\system32\drivers\ehdrv.sys

+ 2011-08-09 19:24 . 2011-08-09 19:24 202576 c:\windows\system32\drivers\eamonm.sys

- 2009-07-14 05:01 . 2011-11-17 00:36 348112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2011-11-25 06:15 348112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-11-25 02:52 . 2011-11-25 02:52 105624 c:\windows\Installer\{10E5F3FF-AD93-40C5-A0F5-13B9185DBB12}\egui.exe

+ 2009-07-14 04:45 . 2011-11-20 04:30 7150424 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

- 2009-07-14 04:45 . 2011-11-16 18:36 7150424 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

+ 2011-04-24 07:06 . 2011-11-24 07:53 5579660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-39059309-325787191-288141660-1001-12288.dat

- 2011-04-24 07:06 . 2011-11-17 00:36 5579660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-39059309-325787191-288141660-1001-12288.dat

+ 2011-11-21 02:29 . 2011-11-21 02:29 1402880 c:\windows\Installer\21bfb.msi

+ 2011-04-22 09:12 . 2011-11-25 06:15 12137064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-39059309-325787191-288141660-1001-8192.dat

+ 2011-11-03 17:08 . 2011-11-03 17:08 15544320 c:\windows\Installer\80bb99.msi

+ 2011-11-25 02:51 . 2011-11-25 02:51 57035776 c:\windows\Installer\1ee4a.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngin.dll

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-03-28 176936]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngin.dll" [2011-03-28 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]

@=""

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-28 136176]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

R3 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-04-02 90112]

R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-10-14 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-10-14 79360]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 16776]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 9096]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-28 136176]

R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [x]

R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]

R3 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [2010-08-25 16776]

R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 PCPitstop Scheduling;PCPitstop Scheduling;d:\programs\PCPitstopScheduleService.exe [2009-09-09 90296]

S0 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys [x]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]

S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]

S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]

S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]

S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]

S2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]

S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-04-01 428640]

S3 hcw89;hcw89 service;c:\windows\system32\DRIVERS\hcw89.sys [x]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-11-17 17152]

S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]

S3 LVUVC64;Logitech Webcam C260(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]

S3 MCfilt;MCfilt;c:\windows\system32\drivers\MCfilt64.sys [x]

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - LAVASOFT_KERNEXPLORER

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-28 06:55]

.

2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-28 06:55]

.

2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-39059309-325787191-288141660-1001Core.job

- c:\users\Dustin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 06:55]

.

2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-39059309-325787191-288141660-1001UA.job

- c:\users\Dustin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 06:55]

.

2011-11-25 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65f9d942-7001-48b4-aef6-fe3b848deb51.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

2011-11-24 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 9cd972a8-0bc5-4eff-859b-2c5ad42063c2.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_Dlls"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.1.1

DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab

FF - ProfilePath - c:\users\Dustin\AppData\Roaming\Mozilla\Firefox\Profiles\w2kzzu7o.default\

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - (no file)

WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-39059309-325787191-288141660-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:31,13,57,39,65,8a,f8,01,67,a2,5c,ff,ed,97,4d,ed,2e,e1,35,6a,34,29,e0,

91,78,f3,f1,11,07,a7,f1,a0,33,0d,52,03,ab,9d,8c,62,e5,b8,9e,c8,68,52,bc,6e, \

"??"=hex:3a,c9,c7,fc,42,6f,da,f1,19,0e,d5,bc,c5,21,93,da

.

[HKEY_USERS\S-1-5-21-39059309-325787191-288141660-1001\Software\SecuROM\License information*]

"datasecu"=hex:50,d5,68,2d,5a,b1,9b,cf,8d,f6,a6,5f,32,a0,58,54,23,4f,a1,e7,6d,

ed,7e,35,55,3d,2d,ed,79,17,04,e4,1d,2e,8b,80,41,46,c8,b8,75,6d,1d,a8,d3,1d, \

"rkeysecu"=hex:99,68,e4,28,e4,04,d5,40,17,3a,08,6e,7c,7b,35,53

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\FileZilla Server\FileZilla Server.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE

c:\program files (x86)\ASUS\EPU-6 Engine\SixEngine.exe

d:\programs\Asus\AsCmd.exe

d:\programs\Asus\AsShare.exe

c:\program files (x86)\Internet Explorer\iexplore.exe

c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2011-11-25 01:37:21 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-25 06:37

ComboFix2.txt 2011-11-17 04:19

.

Pre-Run: 18,336,628,736 bytes free

Post-Run: 18,723,151,872 bytes free

.

- - End Of File - - E109322CA7DDAEE4272CECF49908A70C

-------------------------

MBRCheck gave me this and it says MBR code faked. I hope this might help as well.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Home Premium Edition

Windows Information: Service Pack 1 (build 7601), 64-bit

Base Board Manufacturer: ASUSTeK Computer INC.

BIOS Manufacturer: American Megatrends Inc.

System Manufacturer: System manufacturer

System Product Name: System Product Name

Logical Drives Mask: 0x00000efd

Kernel Drivers (total 181):

0x03209000 \SystemRoot\system32\ntoskrnl.exe

0x037F2000 \SystemRoot\system32\hal.dll

0x00BB2000 \SystemRoot\system32\kdcom.dll

0x00C9A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00CE9000 \SystemRoot\system32\PSHED.dll

0x00CFD000 \SystemRoot\system32\CLFS.SYS

0x00EBE000 \SystemRoot\system32\CI.dll

0x00E00000 \SystemRoot\system32\drivers\Wdf01000.sys

0x00EA4000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x01060000 \SystemRoot\System32\Drivers\sptd.sys

0x011BD000 \SystemRoot\System32\Drivers\WMILIB.SYS

0x011C6000 \SystemRoot\System32\Drivers\SCSIPORT.SYS

0x01000000 \SystemRoot\system32\drivers\ACPI.sys

0x011F5000 \SystemRoot\system32\drivers\msisadrv.sys

0x00F7E000 \SystemRoot\system32\drivers\vdrvroot.sys

0x00F8B000 \SystemRoot\system32\drivers\pci.sys

0x00FBE000 \SystemRoot\System32\drivers\partmgr.sys

0x00FD3000 \SystemRoot\system32\drivers\volmgr.sys

0x00D5B000 \SystemRoot\System32\drivers\volmgrx.sys

0x01057000 \SystemRoot\system32\drivers\pciide.sys

0x00FE8000 \SystemRoot\system32\drivers\PCIIDEX.SYS

0x0105E000 \SystemRoot\system32\DRIVERS\AiCharger.sys

0x00DB7000 \SystemRoot\System32\drivers\mountmgr.sys

0x00EB3000 \SystemRoot\system32\drivers\atapi.sys

0x00DD1000 \SystemRoot\system32\drivers\ataport.SYS

0x00C00000 \SystemRoot\system32\DRIVERS\jraid.sys

0x00C1D000 \SystemRoot\system32\drivers\amdxata.sys

0x00C28000 \SystemRoot\system32\drivers\fltmgr.sys

0x00C74000 \SystemRoot\system32\drivers\fileinfo.sys

0x012B7000 \SystemRoot\system32\DRIVERS\Lbd.sys

0x01413000 \SystemRoot\System32\Drivers\Ntfs.sys

0x012CC000 \SystemRoot\System32\Drivers\msrpc.sys

0x015B6000 \SystemRoot\System32\Drivers\ksecdd.sys

0x0132A000 \SystemRoot\System32\Drivers\cng.sys

0x015D1000 \SystemRoot\System32\drivers\pcw.sys

0x015E2000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x01675000 \SystemRoot\system32\drivers\ndis.sys

0x01768000 \SystemRoot\system32\drivers\NETIO.SYS

0x017C8000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x01807000 \SystemRoot\System32\drivers\tcpip.sys

0x01A0B000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x01A55000 \SystemRoot\system32\drivers\volsnap.sys

0x01AA1000 \SystemRoot\System32\Drivers\spldr.sys

0x01AA9000 \SystemRoot\System32\drivers\rdyboost.sys

0x01AE3000 \SystemRoot\System32\Drivers\mup.sys

0x01AF5000 \SystemRoot\System32\drivers\hwpolicy.sys

0x01AFE000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x01B38000 \SystemRoot\system32\DRIVERS\disk.sys

0x01B4E000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x01BB4000 \SystemRoot\system32\drivers\cdrom.sys

0x01BDE000 \SystemRoot\System32\Drivers\Null.SYS

0x01BE7000 \SystemRoot\System32\Drivers\Beep.SYS

0x01600000 \SystemRoot\system32\DRIVERS\ehdrv.sys

0x01BEE000 \SystemRoot\System32\drivers\vga.sys

0x01627000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x0164C000 \SystemRoot\System32\drivers\watchdog.sys

0x0165C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x01665000 \SystemRoot\system32\drivers\rdpencdd.sys

0x017F3000 \SystemRoot\system32\drivers\rdprefmp.sys

0x015EC000 \SystemRoot\System32\Drivers\Msfs.SYS

0x01400000 \SystemRoot\System32\Drivers\Npfs.SYS

0x0139C000 \SystemRoot\system32\DRIVERS\tdx.sys

0x013BE000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x01200000 \SystemRoot\System32\DRIVERS\netbt.sys

0x04AC7000 \SystemRoot\system32\DRIVERS\kl1.sys

0x04A00000 \SystemRoot\system32\drivers\afd.sys

0x04A89000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x04A92000 \SystemRoot\system32\DRIVERS\pacer.sys

0x01245000 \SystemRoot\system32\DRIVERS\vwififlt.sys

0x04AB8000 \SystemRoot\system32\DRIVERS\netbios.sys

0x0125B000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x01276000 \SystemRoot\system32\drivers\termdd.sys

0x04FF0000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS

0x0128A000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS

0x044EB000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x0453C000 \SystemRoot\system32\drivers\nsiproxy.sys

0x04548000 \SystemRoot\system32\drivers\mssmbios.sys

0x04553000 \SystemRoot\System32\drivers\discache.sys

0x04562000 \SystemRoot\System32\Drivers\dfsc.sys

0x04580000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x04591000 \SystemRoot\SysWow64\drivers\AsUpIO.sys

0x04597000 \SystemRoot\SysWow64\drivers\AsIO.sys

0x0459D000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x045C3000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x0F2B2000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x0FF29000 \SystemRoot\System32\Drivers\nvBridge.kmd

0x03EE3000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x03E00000 \SystemRoot\System32\drivers\dxgmms1.sys

0x03E46000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x03E6A000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x03E77000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x03ECD000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x0FF2B000 \SystemRoot\system32\DRIVERS\yk62x64.sys

0x0503E000 \SystemRoot\system32\DRIVERS\hcw89.sys

0x051BC000 \SystemRoot\system32\DRIVERS\ks.sys

0x05000000 \SystemRoot\system32\DRIVERS\BdaSup.SYS

0x05004000 \SystemRoot\system32\drivers\ksthunk.sys

0x0500A000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0x05207000 \SystemRoot\system32\DRIVERS\netr28x.sys

0x05357000 \SystemRoot\system32\DRIVERS\vwifibus.sys

0x05364000 \SystemRoot\system32\drivers\1394ohci.sys

0x053A2000 \SystemRoot\system32\DRIVERS\fdc.sys

0x053AF000 \SystemRoot\system32\DRIVERS\ASACPI.sys

0x053B7000 \SystemRoot\system32\drivers\i8042prt.sys

0x053D5000 \SystemRoot\system32\drivers\kbdclass.sys

0x053E4000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x0FF90000 \SystemRoot\System32\Drivers\ay6idbub.SYS

0x053F3000 \SystemRoot\system32\drivers\wmiacpi.sys

0x05017000 \SystemRoot\system32\drivers\CompositeBus.sys

0x05027000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x03FD7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x0FFD4000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x0F200000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x0F22F000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x0F24A000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x0F26B000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x053FC000 \SystemRoot\system32\drivers\swenum.sys

0x0F285000 \SystemRoot\system32\DRIVERS\circlass.sys

0x0F297000 \SystemRoot\system32\drivers\umbus.sys

0x04400000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x0FFE0000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0x0FFEB000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x0445A000 \SystemRoot\system32\drivers\nvhda64v.sys

0x04487000 \SystemRoot\system32\drivers\portcls.sys

0x044C4000 \SystemRoot\system32\drivers\drmk.sys

0x06C68000 \SystemRoot\system32\drivers\ADIHdAud.sys

0x06CE1000 \SystemRoot\system32\drivers\MCfilt64.sys

0x06CEF000 \SystemRoot\system32\DRIVERS\hidir.sys

0x06D00000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x06D19000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x06D22000 \SystemRoot\system32\drivers\kbdhid.sys

0x06D30000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x06D3D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0x06D58000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x06D5A000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x07403000 \SystemRoot\system32\DRIVERS\lvuvc64.sys

0x06D77000 \SystemRoot\system32\drivers\usbaudio.sys

0x06D92000 \SystemRoot\system32\DRIVERS\lvrs64.sys

0x06DE4000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x06DF2000 \SystemRoot\System32\Drivers\crashdmp.sys

0x06C00000 \SystemRoot\System32\Drivers\dump_dumpata.sys

0x06C0C000 \SystemRoot\System32\Drivers\dump_atapi.sys

0x06C15000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x00050000 \SystemRoot\System32\win32k.sys

0x06C28000 \SystemRoot\System32\drivers\Dxapi.sys

0x06C34000 \SystemRoot\system32\DRIVERS\monitor.sys

0x00430000 \SystemRoot\System32\TSDDD.dll

0x00690000 \SystemRoot\System32\cdd.dll

0x06C42000 \SystemRoot\system32\drivers\luafv.sys

0x02A8D000 \SystemRoot\system32\DRIVERS\eamonm.sys

0x02B6F000 \SystemRoot\system32\drivers\WudfPf.sys

0x02B90000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x02BA5000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x02A00000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x02A13000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x02A2B000 \SystemRoot\system32\DRIVERS\vwifimp.sys

0x09271000 \SystemRoot\system32\drivers\HTTP.sys

0x0933A000 \SystemRoot\system32\DRIVERS\bowser.sys

0x09358000 \SystemRoot\System32\drivers\mpsdrv.sys

0x09370000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x0939D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x09200000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x09224000 \??\C:\Windows\system32\drivers\cpuz134_x64.sys

0x0922D000 \SystemRoot\system32\DRIVERS\epfwwfpr.sys

0x0981C000 \SystemRoot\system32\drivers\peauth.sys

0x098C2000 \SystemRoot\System32\Drivers\secdrv.SYS

0x098CD000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x098FE000 \SystemRoot\System32\drivers\tcpipreg.sys

0x09910000 \??\C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys

0x09919000 \SystemRoot\System32\DRIVERS\srv2.sys

0x09E15000 \SystemRoot\System32\DRIVERS\srv.sys

0x09EAD000 \SystemRoot\system32\DRIVERS\WUDFRd.sys

0x09EED000 \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys

0x09F65000 \SystemRoot\system32\DRIVERS\asyncmac.sys

0x00880000 \SystemRoot\System32\ATMFD.DLL

0x09F70000 \??\C:\Program Files\PeerBlock\pbfilter.sys

0x09F7B000 \SystemRoot\System32\Drivers\fastfat.SYS

0x09EF4000 \SystemRoot\system32\DRIVERS\udfs.sys

0x77120000 \Windows\System32\ntdll.dll

0x482E0000 \Windows\System32\smss.exe

0xFF440000 \Windows\System32\apisetschema.dll

Processes (total 70):

0 System Idle Process

4 System

312 C:\Windows\System32\smss.exe

468 csrss.exe

532 C:\Windows\System32\wininit.exe

560 csrss.exe

592 C:\Windows\System32\services.exe

612 C:\Windows\System32\lsass.exe

620 C:\Windows\System32\lsm.exe

728 C:\Windows\System32\svchost.exe

800 C:\Windows\System32\nvvsvc.exe

824 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

868 C:\Windows\System32\svchost.exe

932 C:\Windows\System32\svchost.exe

964 C:\Windows\System32\svchost.exe

996 C:\Windows\System32\svchost.exe

156 C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

272 C:\Windows\System32\winlogon.exe

1076 C:\Windows\System32\svchost.exe

1188 C:\Windows\System32\svchost.exe

1312 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

1324 C:\Windows\System32\nvvsvc.exe

1348 C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

1640 C:\Windows\System32\spoolsv.exe

1676 C:\Windows\System32\svchost.exe

1772 C:\Program Files\SUPERAntiSpyware\SASCore64.exe

1792 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1820 C:\Program Files\Bonjour\mDNSResponder.exe

1896 C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

1928 C:\Windows\System32\svchost.exe

1952 C:\Program Files (x86)\FileZilla Server\FileZilla server.exe

1996 C:\Program Files\Microsoft LifeCam\MSCamS64.exe

1288 C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

1516 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

1596 C:\Windows\System32\svchost.exe

2056 C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe

2640 unsecapp.exe

2708 WmiPrvSE.exe

2912 C:\Windows\System32\svchost.exe

2976 WUDFHost.exe

3240 C:\Windows\System32\taskhost.exe

3316 C:\Windows\System32\taskeng.exe

3392 C:\Windows\System32\dwm.exe

3476 C:\Windows\explorer.exe

3496 C:\Program Files (x86)\ASUS\EPU-6 Engine\SixEngine.exe

3532 D:\Programs\Asus\AsCmd.exe

3896 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

3960 D:\Programs\Asus\AsShare.exe

4052 C:\Windows\System32\SearchIndexer.exe

3692 C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

744 C:\Program Files\Windows Media Player\wmpnetwk.exe

1808 C:\Windows\System32\svchost.exe

4464 C:\Windows\System32\taskmgr.exe

4700 C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

4940 C:\Program Files (x86)\Mozilla Firefox\firefox.exe

3604 C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

1648 C:\Windows\System32\svchost.exe

3308 C:\Windows\SysWOW64\PnkBstrA.exe

3744 C:\Program Files\PeerBlock\peerblock.exe

5240 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

4436 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

1200 C:\Program Files (x86)\Internet Explorer\iexplore.exe

2884 C:\Program Files (x86)\Internet Explorer\iexplore.exe

3416 C:\Windows\System32\SearchProtocolHost.exe

4776 C:\Windows\System32\SearchFilterHost.exe

1084 C:\Windows\System32\SearchProtocolHost.exe

1500 C:\Windows\System32\audiodg.exe

5368 C:\Users\Dustin\Downloads\MBRCheck.exe

2784 C:\Windows\System32\conhost.exe

3176 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`a246f000 (NTFS)

\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD6401AALS-00L3B2, Rev: 01.03B01

PhysicalDrive1 Model Number: ST3100011A, Rev: 3.02

Size Device Name MBR Status

--------------------------------------------

596 GB \\.\PhysicalDrive0 MBR Code Faked!

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

93 GB \\.\PhysicalDrive1 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 0Dumping \\.\PhysicalDisk0...

Enter filename to dump to:

Attach.txt

hijackthis.log

DDS.txt

TDSSKiller.2.6.16.0_08.11.2011_20.24.08_log.txt


When I first got the virus this was my Malwarebytes scan; now it comes back with nothing found...

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8111

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

11/7/2011 11:44:34 PM

mbam-log-2011-11-07 (23-44-34).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 459519

Time elapsed: 32 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hello and welcome!

Most likely this is the latest TDL4 variant, which no longer patches the MBR, but instead alters the partition table. To confirm this, let's get an offline MBR dump.

If you dumped the MBR with MBRCheck as well, please attach that dump too (off the top of my head I think it should be called mbr.dat).

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.


Well, after trying this it doesn't seem to work. Not sure why, but I looked it up to see and I'm still not sure, but I will post the link for reference.

I installed it, made the disk and booted, and the screen loads and asks me to pick a language. Once I pick English it goes to a black screen with a bunch of stuff written on it, but I can't scroll up to see the start. This is about what I could get from it:

http://code.google.com/p/xpud/issues/detail?id=131


Most likely your display drivers are not supported.

Let's try an Ubuntu disk. Go here: http://www.ubuntu.com/download/ubuntu/download

Under Step 2 tick USB stick and click Start Download (follow the steps on that page on how to create a bootable USB drive).

Boot your computer from the Ubuntu disk. When asked Try Ubuntu/Install, select Try Ubuntu.

Once loaded, in the left panel click the option representing your USB (removable) device. Once open, right click and select Open Terminal.

Execute the DD command there and see if mbr.bin gets created on your USB drive.

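Once mbr.bin has been pulled off the disk with dd (by either the xPUD or the Ubuntu route above), the 512-byte sector can be examined offline. The script below is an added example, not a tool from this thread: it splits the sector into boot code, the four partition-table entries and the 55AA signature, reports the SHA1 of the boot code so it can be compared with a known-good reference, and flags the partition-table oddities a helper looks for when the suspicion is a variant that alters the table rather than the boot code (bad boot flags, overlapping or out-of-range entries, no active partition). The two sample sectors it builds are constructed for illustration, and no specific hash list is assumed.

```python
"""Parse a 512-byte MBR dump (e.g. mbr.bin from `dd if=/dev/sda of=mbr.bin
bs=512 count=1`) and apply the checks a malware-removal helper would make
before trusting the partition table. Added example; not from the thread."""
import hashlib
import struct
from itertools import combinations

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 440-443 hold the disk ID, 444-445 are padding
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"

# A few common partition type IDs, only for readable output (not exhaustive).
PART_TYPES = {
    0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x17: "hidden NTFS", 0x27: "Windows RE",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_entry(raw):
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    boot, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack("<8BII", raw)
    return {"boot": boot, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data):
    """Split a raw 512-byte sector into boot code, the four entries and the signature."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entries.append(parse_entry(data[start:start + PART_ENTRY_SIZE]))
    return {
        "boot_code_sha1": hashlib.sha1(data[:BOOT_CODE_SIZE]).hexdigest(),
        "sector_sha1": hashlib.sha1(data).hexdigest(),
        "disk_id": struct.unpack("<I", data[440:444])[0],
        "entries": entries,
        "signature_ok": data[510:512] == SIGNATURE,
    }


def check_mbr(mbr, disk_sectors=None):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature is not 55AA")
    used = []  # (index, first sector, one past last sector) of non-empty entries
    for i, e in enumerate(mbr["entries"]):
        if e["boot"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot flag 0x{e['boot']:02x}")
        if e["type"] == 0x00:
            if e["lba_start"] or e["sectors"]:
                findings.append(f"entry {i}: type 'empty' but has a non-zero extent")
            continue
        if e["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition")
        if disk_sectors is not None and e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append(f"entry {i}: extends past the end of the disk")
        if e["type"] not in PART_TYPES:
            findings.append(f"entry {i}: unusual partition type 0x{e['type']:02x}")
        used.append((i, e["lba_start"], e["lba_start"] + e["sectors"]))
    for (i, s1, e1), (j, s2, e2) in combinations(used, 2):
        if s1 < e2 and s2 < e1:
            findings.append(f"entries {i} and {j} overlap")
    active = [i for i, e in enumerate(mbr["entries"]) if e["boot"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition is marked active")
    elif not active and used:
        findings.append("no partition is marked active (BIOS boot would fail)")
    return findings


def build_entry(boot, ptype, lba_start, sectors):
    """Constructed helper to assemble a sample entry (CHS fields left zero)."""
    return struct.pack("<8BII", boot, 0, 0, 0, ptype, 0, 0, 0, lba_start, sectors)


def build_mbr(entries, boot_code=b"", disk_id=0):
    """Assemble a 512-byte sector from constructed parts."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(entries).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code + struct.pack("<IH", disk_id, 0) + table + SIGNATURE


# Constructed samples: a typical Windows 7 layout (System Reserved + C:), and a
# tampered copy with the active flag cleared and an extra entry that overlaps C:.
CLEAN_MBR = build_mbr([
    build_entry(0x80, 0x07, 2048, 204800),
    build_entry(0x00, 0x07, 206848, 1000000),
], disk_id=0x12345678)
TAMPERED_MBR = build_mbr([
    build_entry(0x00, 0x07, 2048, 204800),
    build_entry(0x00, 0x07, 206848, 1000000),
    build_entry(0x00, 0x07, 1200000, 20000),
], disk_id=0x12345678)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TAMPERED_MBR
    mbr = parse_mbr(data)
    print("boot code SHA1:", mbr["boot_code_sha1"], " disk ID: %08x" % mbr["disk_id"])
    for i, e in enumerate(mbr["entries"]):
        print(f"entry {i}: boot=0x{e['boot']:02x} type=0x{e['type']:02x} "
              f"({PART_TYPES.get(e['type'], 'unknown')}) "
              f"start={e['lba_start']} sectors={e['sectors']}")
    for f in check_mbr(mbr, disk_sectors=1210000) or ["no findings"]:
        print(" -", f)
```

Run it as `python mbr_check.py mbr.bin` against a real dump; without an argument it analyses the constructed tampered sample. Compare the printed layout with what the partition tool on the machine reports, since an entry that exists in the table but not in Disk Management is exactly the kind of discrepancy worth showing the helper.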

Thank you so much for your help, but it looks like I fixed it last night when I was still up trying a few things. Here's what happened.

Reading more into it and seeing it was inside the MBR, I ran aswMBR.exe and did a fix MBR, then I ran MBRCheck to see if it was still faked and it wasn't, so I reran TDSSKiller and it actually showed up 5 things this time. One gave me the option to cure; the others I had to pick, so I deleted them. Now this is where it got tricky, but it's stuff that I have done before.

I must have messed the MBR up by doing those steps, or it could have been something TDSSKiller deleted, so I would start the PC up and it would not boot at all: black screen with a blinking line. So I tried the Win 7 disk to run bootrec /fixboot and the other options, but it wouldn't fix it at all. So I went to my PC at the office where I have my copy of Partition Manager by EaseUS and created a bootable USB drive (but you can only do this with the paid version, not the free trial, in case others read this).

So I plugged it in and booted to the USB drive and rebuilt the MBR from there again just to make sure, then I had to set the System Reserved partition as active and applied the settings, and I was all ready to go. Now TDSSKiller comes back clear and NOD32 doesn't show anything running in memory, so I'm running a full scan now. And MBRCheck doesn't show faked anymore as well.

After the NOD32 scan I will rescan with Malwarebytes to finish testing, but is there anything else I need to do now? And thank you so much for all the help so far. If anyone else has this and reads this, please confirm your reports when you are getting help, because you don't want to have the black screen like I did; the average user will have a hard time figuring it out because you can't just search for the fix.


Could you please post me the TDSSkiller log (not because I think there is still stuff left, but to see what was deleted, so I can confirm it was indeed the latest TDL4 rootkit variant).

Let's also see what other malware might still be there.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Thanks, I was on my way out when I checked here, but I will get those logs once I get back and post them. Everything seems OK, but my PeerBlock is still blocking a severbeach emule servers p2p fake files, so there still might be something there. Ad-Aware found some cookies, it looked like. I will try to post some logs when I get home.


I think this is the TDSSKiller file that removed things. I will add my last scan as well, just in case; it will be the one that shows nothing found.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Dustin at 17:58:04 on 2011-11-28

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.4422 [GMT -5:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe

C:\Program Files\Microsoft LifeCam\MSCamS64.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\ASUS\EPU-6 Engine\SixEngine.exe

D:\Programs\Asus\AsCmd.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

D:\Programs\Asus\AsShare.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files\PeerBlock\peerblock.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

TB: {C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - No File

uRun: [spyware Doctor] C:\Users\Dustin\Desktop\sdsetup_revwire207.exe -min

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - D:\Programs\OFFICE11\REFIEBAR.DLL

DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.64.2.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{98FBB101-8425-4607-803C-FAA5B82C146F} : DhcpNameServer = 192.168.4.1 192.168.1.1

TCP: Interfaces\{F3AEDA78-FAB9-4937-A503-A55E65E46330} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F47BD68F-59AC-41C4-95CB-E7E6EB8F415A} : DhcpNameServer = 192.168.4.1 192.168.137.1

TCP: Interfaces\{F47BD68F-59AC-41C4-95CB-E7E6EB8F415A}\449425452494B45483F5E4564777F627B6 : DhcpNameServer = 192.168.1.1

BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

BHO-X64: Conduit Engine - No File

BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO-X64: Increase performance and video formats for your HTML5 <video> - No File

BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

BHO-X64: uTorrentBar - No File

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

TB-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

TB-X64: {C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - No File

IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Dustin\AppData\Roaming\Mozilla\Firefox\Profiles\w2kzzu7o.default\

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll

FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Users\Dustin\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Users\Dustin\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AiCharger;ASUS Charger Driver;C:\Windows\system32\DRIVERS\AiCharger.sys --> C:\Windows\system32\DRIVERS\AiCharger.sys [?]

R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]

R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]

R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]

R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-9-22 974944]

R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-11-3 2152152]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-25 2253120]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-14 381248]

R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-1-27 2337144]

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]

R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-4-1 428640]

R3 hcw89;hcw89 service;C:\Windows\system32\DRIVERS\hcw89.sys --> C:\Windows\system32\DRIVERS\hcw89.sys [?]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-11-17 17152]

R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]

R3 LVUVC64;Logitech Webcam C260(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]

R3 MCfilt;MCfilt;C:\Windows\system32\drivers\MCfilt64.sys --> C:\Windows\system32\drivers\MCfilt64.sys [?]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2011-2-8 24176]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-28 136176]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-8 366152]

S3 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2010-10-14 90112]

S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-10-14 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-10-14 79360]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-28 136176]

S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~2\WinTV\TVServer\HAUPPA~1.EXE [2010-10-13 602624]

S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\system32\DRIVERS\lvpopf64.sys --> C:\Windows\system32\DRIVERS\lvpopf64.sys [?]

S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]

S3 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]

S3 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]

S3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\system32\DRIVERS\teamviewervpn.sys --> C:\Windows\system32\DRIVERS\teamviewervpn.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 VX6000;Microsoft LifeCam VX-6000;C:\Windows\system32\DRIVERS\VX6000Xp.sys --> C:\Windows\system32\DRIVERS\VX6000Xp.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 PCPitstop Scheduling;PCPitstop Scheduling;D:\Programs\PCPitstopScheduleService.exe [2010-10-14 90296]

.

=============== Created Last 30 ================

.

2011-11-28 03:52:40 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{98CFD779-8985-4EDC-A036-40AF2792F904}\offreg.dll

2011-11-26 08:35:57 235352 ----a-w- C:\Windows\SysWow64\xactengine3_4.dll

2011-11-26 00:38:34 -------- d-sh--w- C:\$RECYCLE.BIN

2011-11-25 22:06:01 -------- d-----w- C:\ProgramData\PC Tools

2011-11-25 07:12:42 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{98CFD779-8985-4EDC-A036-40AF2792F904}\mpengine.dll

2011-11-25 05:35:31 -------- d-----w- C:\ComboFix

2011-11-25 02:52:36 -------- d-----w- C:\Program Files\ESET

2011-11-24 09:56:23 88 --sh--r- C:\ProgramData\D1E4B4E609.sys

2011-11-23 02:41:03 -------- d-----w- C:\Program Files (x86)\FileZilla Server

2011-11-21 06:52:46 -------- d-----w- C:\Windows\System32\ioncube

2011-11-21 02:34:26 388096 ----a-r- C:\Users\Dustin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-11-21 02:34:26 -------- d-----w- C:\Program Files (x86)\Trend Micro

2011-11-20 05:09:14 85048 ----a-w- C:\Windows\System32\drivers\CSCrySec.sys

2011-11-20 05:09:14 66104 ----a-w- C:\Windows\System32\drivers\CSVirtualDiskDrv.sys

2011-11-17 06:54:26 16432 ----a-w- C:\Windows\System32\lsdelete.exe

2011-11-17 05:12:01 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys

2011-11-17 05:06:46 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys

2011-11-17 05:06:40 -------- d-----w- C:\Program Files (x86)\Lavasoft

2011-11-17 02:03:26 98816 ----a-w- C:\Windows\sed.exe

2011-11-17 02:03:26 518144 ----a-w- C:\Windows\SWREG.exe

2011-11-17 02:03:26 256000 ----a-w- C:\Windows\PEV.exe

2011-11-17 02:03:26 208896 ----a-w- C:\Windows\MBR.exe

2011-11-16 19:19:20 -------- d-----w- C:\$AVG

2011-11-16 18:29:12 -------- d--h--w- C:\ProgramData\Common Files

2011-11-16 18:15:56 -------- d-----w- C:\ProgramData\MFAData

2011-11-10 21:34:55 134104 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll

2011-11-10 21:34:53 89048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll

2011-11-10 21:34:53 801752 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll

2011-11-10 21:34:53 478168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll

2011-11-10 21:34:53 1989592 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

2011-11-10 21:34:53 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll

2011-11-10 21:34:52 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll

2011-11-10 21:34:52 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll

2011-11-10 04:31:43 -------- d-----w- C:\Users\Dustin\AppData\Roaming\SUPERAntiSpyware.com

2011-11-10 04:31:18 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2011-11-10 04:31:18 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-11-09 19:43:26 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll

2011-11-09 19:43:26 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll

2011-11-09 19:43:22 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-11-09 19:43:21 3144704 ----a-w- C:\Windows\System32\win32k.sys

2011-11-09 01:51:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-11-08 02:18:39 -------- d-----r- C:\Program Files (x86)\Skype

2011-11-04 03:46:50 -------- d-----w- C:\Windows\CheckSur

.

==================== Find3M ====================

.

2011-11-28 08:14:21 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2011-11-28 08:14:21 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2011-11-26 08:53:03 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2011-11-24 09:56:44 4598 --sha-w- C:\ProgramData\KGyGaAvL.sys

2011-10-26 00:15:28 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-25 14:25:02 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe

2011-10-15 04:54:52 321856 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll

2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll

2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll

2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe

2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll

2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll

2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll

2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe

2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll

2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll

2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll

.

============= FINISH: 17:58:30.64 ===============

Attach.txt

TDSSKiller.2.6.21.0_27.11.2011_07.48.51_log.txt

TDSSKiller.2.6.21.0_28.11.2011_02.51.23_log.txt
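The helper reads the "Created Last 30" and "Find3M" sections of the DDS log above by eye. The following is an added example (not code from the thread, from DDS, or from Malwarebytes) of doing that first pass mechanically: it parses lines in the format shown above and flags entries an analyst should look at first. The heuristics (hidden+system attributes on a loose file, a .sys outside the Windows directory, a tiny file with a binary extension) and the 1 KiB threshold are my own assumptions; a hit means "review this", not "this is malicious".

```python
"""Triage helper for DDS-style file listings.

Each entry in the "Created Last 30" and "Find3M" sections of a DDS log looks
like this line taken from the log posted above:

    2011-11-24 09:56:23 88 --sh--r- C:\\ProgramData\\D1E4B4E609.sys

i.e. date, time, size in bytes ("--------" for directories), an 8-character
attribute field (d = directory, s = system, h = hidden, a = archive,
r/w = read-only/writable) and the full path.  The heuristics below only
prioritise entries for a human to look at; they do not judge them malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not file entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["date"], m["time"], size, m["attrs"], m["path"])


def review_reasons(e: Entry) -> List[str]:
    """Return the (possibly empty) list of reasons an analyst should look at e."""
    reasons: List[str] = []
    low = e.path.lower()
    if not e.is_dir and e.hidden and e.system:
        # Hidden+system is normal for folders like $RECYCLE.BIN, much less so for loose files.
        reasons.append("file carries hidden+system attributes")
    if low.endswith(".sys") and "\\windows\\" not in low:
        # Drivers live under the Windows directory; a .sys elsewhere deserves a look.
        reasons.append(".sys file outside the Windows directory")
    if (e.size is not None and e.size < 1024
            and low.endswith((".sys", ".dll", ".exe"))):
        # Assumed heuristic threshold: real PE files are rarely under 1 KiB.
        reasons.append("binary-looking extension but under 1 KiB")
    return reasons


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Run every parsable line through review_reasons and keep the hits."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = review_reasons(e)
        if reasons:
            hits.append((e.path, reasons))
    return hits


# Sample input: lines copied from the DDS output posted above.
SAMPLE_LINES = [
    r"2011-11-26 00:38:34 -------- d-sh--w- C:\$RECYCLE.BIN",
    r"2011-11-25 05:35:31 -------- d-----w- C:\ComboFix",
    r"2011-11-24 09:56:23 88 --sh--r- C:\ProgramData\D1E4B4E609.sys",
    r"2011-11-24 09:56:44 4598 --sha-w- C:\ProgramData\KGyGaAvL.sys",
    r"2011-11-17 05:06:46 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys",
    r"2011-11-28 03:52:40 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{98CFD779-8985-4EDC-A036-40AF2792F904}\offreg.dll",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against the sample and only the two ProgramData .sys entries come back; the directories with hidden+system attributes and the drivers under System32 are left alone, which is the point of keeping the rules narrow.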


The rootkit was indeed detected and removed by TDSSkiller. :)

TWO ANTIVIRUS PROGRAMS

---------------------------------------

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Lavasoft AdAware or ESET.

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u1.
  • Look for "JDK 7u1 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch MBAM, update it and run a full scan. Post me the resulting log.


On start-up with nothing running I will get a few Time Warner Telecom entries in my PeerBlock, with my IP as the source trying to connect to these 2 IPs. I also did a scan with Hitman Pro and it seemed to remove some cookies, and most of those Time Warner ones have stopped but not all; I only get a few at start-up now, so I'm not really sure what it is or if it's anything.

64.132.49.139

64.132.49.152

I found out that PeerBlock is catching "severbeach emule servers p2p fake files" only when I start my Ventrilo server that I talk with a friend from Canada with. So I'm not sure if that is natural for Vent to do this, but I can't find much about it.

I uninstalled the Java and installed the Windows x64. I didn't see the Windows x86 Offline; there was a Windows x86, but should I do the 32-bit one or just keep the 64-bit one with 64-bit 7? I can redo this if needed.

Hitman pro doesn't see anything anymore and adware has been removed.

Scan logs for Malwarebytes.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8275

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

11/29/2011 11:13:41 PM

mbam-log-2011-11-29 (23-13-41).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 453848

Time elapsed: 51 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


These IPs are legit and belong to tw telecom.

If you use a 32-bit browser, you need the 32-bit (or x86) Java update; if you use a 64-bit browser you need the 64-bit version (IE has a 64-bit version; other browsers are only 32-bit as far as I know).

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats".
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats.
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.
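The rule given above (a 32-bit browser needs the 32-bit Java, a 64-bit browser the 64-bit one) can be checked rather than guessed from the install folder. The following is an added example, not code from the thread or from Oracle, ESET or Malwarebytes: it reads the PE header of an executable and reports the machine type, then maps that to the JRE build named in the thread. The sample input is a constructed stub header so it runs offline; the Firefox path in the usage comment is an assumption based on the Mozilla Firefox folder listed in the DDS log, and the Java download labels are the ones used in the thread.

```python
"""Tell a 32-bit from a 64-bit Windows executable by reading its PE header.

The browser's bitness decides which Java build it can load: a 32-bit (x86)
browser needs the "Windows x86" JRE, a 64-bit browser the "Windows x64" JRE.
Rather than guessing from the install folder, read IMAGE_FILE_HEADER.Machine.
"""
import struct

MZ_HEADER_LEN = 0x40            # size of the DOS header; e_lfanew sits at 0x3C
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def _bitness_from_nt_header(nt: bytes) -> str:
    """nt holds the 4-byte "PE\\0\\0" signature followed by the 2-byte Machine field."""
    if len(nt) < 6 or nt[:4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", nt, 4)
    return {IMAGE_FILE_MACHINE_I386: "x86",
            IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, "unknown")


def pe_bitness(data: bytes) -> str:
    """Return 'x86', 'x64' or 'unknown' for an in-memory PE image."""
    if len(data) < MZ_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return _bitness_from_nt_header(data[e_lfanew:e_lfanew + 6])


def bitness_of_file(path: str) -> str:
    """Same check on a file on disk, reading only the two headers, not the whole binary."""
    with open(path, "rb") as f:
        dos = f.read(MZ_HEADER_LEN)
        if len(dos) < MZ_HEADER_LEN or dos[:2] != b"MZ":
            raise ValueError("not an MZ executable: %s" % path)
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        f.seek(e_lfanew)
        return _bitness_from_nt_header(f.read(6))


def java_build_for(bitness: str) -> str:
    """Map a browser's bitness to the JRE download named in the thread."""
    if bitness == "x86":
        return "Windows x86 (32-bit) JRE"
    if bitness == "x64":
        return "Windows x64 (64-bit) JRE"
    raise ValueError("no Java build for machine type %r" % bitness)


def make_stub_pe(machine: int) -> bytes:
    """Constructed minimal MZ+PE header (not a runnable binary) for offline testing."""
    hdr = bytearray(MZ_HEADER_LEN)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, MZ_HEADER_LEN)   # e_lfanew -> right after the DOS header
    # "PE\0\0", Machine, then the remaining 18 bytes of IMAGE_FILE_HEADER zeroed
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    import sys
    # On the machine itself, e.g. (assumed path):
    #   python pe_bitness.py "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
    targets = sys.argv[1:]
    if targets:
        for t in targets:
            b = bitness_of_file(t)
            print(t, "->", b, "->", java_build_for(b))
    else:
        for m in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
            print(hex(m), "->", pe_bitness(make_stub_pe(m)))
```

Run it once per browser you actually use; a machine with both a 32-bit and a 64-bit browser needs both JRE builds, which is why installing the x86 one alongside the x64 one, as the poster does below, is the right call.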


I forgot to include the "severbeach emule servers p2p fake files" IP that was being blocked when I start up Ventrilo, so here that one is.

64.34.178.178

I ran the ESET OnlineScan, but at the end of it all I didn't see this:

When the scan completes, click List Threats

Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

Click the Back button.

Click the Finish button.

I only see the results, which scanned over 200k files and said infected 0 and cleaned 0, and the Finish. I looked for other things to click on, but Finish was the only thing other than the check box to uninstall when closed. But it didn't find anything with this scan.

I use about 4 different browsers, so I will install the 32-bit Java to be sure. hehe.. Do the same method as above.


That sounds good. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  2. Keep Windows (and your other Microsoft software) up to date!
     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
     Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
