
Random Redirects and Strange Pop-up Window



So yesterday while researching load cells for a DIY electronics project I somehow got infected with something that hid all my desktop and startup icons. I was able to clean the infection with Malwarebytes (so I thought) and unhide the icons. I used Unhide.exe and GooredFix. All seemed well last night, but now this morning I am again getting random redirects and IE 8 seems a bit slow. I found my Windows Defender is turned off and it won't turn on. Also, every 20 minutes or so a dark blue window pops open with the command prompt in the title bar at the top and it says "Administrator". I've tried several fixes but to no avail. Things I've tried:

Combofix

CWShredder

Malwarebytes

Gooredfix

CCleaner - Used it to clean the registry and also to stop some start up programs that were eating memory and I didn't need them running all the time.

Roguecleaner (ran it but did not attempt to clean or fix anything)

aswMBR - Won't run. Click on it and get the small circle icon indicating it is busy, but then it stops and aswMBR never runs.

TDSSKiller - Also won't run, same issue as aswMBR.

I'll be gone for part of the day today, so if I am a bit slow to respond that is why. Thank you for your assistance.

Here are my logs:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by Brent at 7:57:19 on 2012-03-25

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8160.6461 [GMT -7:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\iRacing\iRacingService.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files (x86)\SimracewayUpdater\SRWUpdate.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\WMPSideShowGadget.exe

C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\DllHost.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\REGSVR32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Bar = Preserve

uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File

BHO: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart

mRun: [Reader Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry

mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r

mRun: [Live Update 5] C:\Program Files (x86)\MSI\Live Update 5\LU5.exe /reminder

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

StartupFolder: C:\Users\Brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip

StartupFolder: C:\Users\Brent\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{435FE150-C4AE-46FA-879C-27705E65D246} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{4C7CD283-F217-4D84-B6F5-B622E423E351} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{658D6FB5-78DD-42CE-99BA-D384461D981C} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{698F4C70-A05E-4B52-9E83-CD6806E0FEB3} : DhcpNameServer = 192.168.0.1

mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Shareaza Web Download Hook: {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File

BHO-X64: NetAssistant: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll

BHO-X64: NetAssistantBHO - No File

TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun-x64: [Reader Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [sPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry

mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r

mRun-x64: [Live Update 5] C:\Program Files (x86)\MSI\Live Update 5\LU5.exe /reminder

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

============= SERVICES / DRIVERS ===============

.

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]

R2 iRacingService;iRacing.com Helper Service;C:\Program Files (x86)\iRacing\iRacingService.exe [2011-7-26 473768]

R2 Simraceway Update Service;Simraceway Update Service;C:\Program Files (x86)\SimracewayUpdater\SRWUpdate.exe [2012-2-10 405504]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

R3 FanatecWheelFilterUsb;FanatecWheelFilterUsb;C:\Windows\system32\DRIVERS\FWFilterUsb.sys --> C:\Windows\system32\DRIVERS\FWFilterUsb.sys [?]

R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]

R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]

R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]

R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [2011-12-23 33592]

R3 NTIOLib_1_0_4;NTIOLib_1_0_4;C:\Program Files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [2011-12-23 14136]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-11-9 79360]

S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\system32\Drivers\EtronHub3.sys --> C:\Windows\system32\Drivers\EtronHub3.sys [?]

S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\system32\Drivers\EtronXHCI.sys --> C:\Windows\system32\Drivers\EtronXHCI.sys [?]

S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-2-11 135584]

S3 iDispService;iDispService;C:\Windows\system32\DRIVERS\idisplayminiport.sys --> C:\Windows\system32\DRIVERS\idisplayminiport.sys [?]

S3 JmtFltr;n52te;C:\Windows\system32\drivers\JmtFltr.sys --> C:\Windows\system32\drivers\JmtFltr.sys [?]

S3 LADF_BakerCOnly;BakerC Filter Driver;C:\Windows\system32\DRIVERS\ladfBakerCamd64.sys --> C:\Windows\system32\DRIVERS\ladfBakerCamd64.sys [?]

S3 LADF_BakerROnly;BakerR Filter Driver;C:\Windows\system32\DRIVERS\ladfBakerRamd64.sys --> C:\Windows\system32\DRIVERS\ladfBakerRamd64.sys [?]

S3 NTIOLib_1_0_6;NTIOLib_1_0_6;C:\Program Files (x86)\Setup Files\Ms7681v1G0\NTIOLib_X64.sys [2011-1-6 11888]

S3 SaiH0762;SaiH0762;C:\Windows\system32\DRIVERS\SaiH0762.sys --> C:\Windows\system32\DRIVERS\SaiH0762.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 VJoystick;Virtual JoyStick KMDF HID Minidriver;C:\Windows\system32\DRIVERS\VJoystick.sys --> C:\Windows\system32\DRIVERS\VJoystick.sys [?]

S3 VKbms;Virtual HID Minidriver;C:\Windows\system32\DRIVERS\VKbms.sys --> C:\Windows\system32\DRIVERS\VKbms.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-03-25 14:29:35 -------- d-----w- C:\ComboFix

2012-03-25 04:49:19 -------- d-----w- C:\Program Files\CCleaner

2012-03-24 21:03:58 525544 ----a-w- C:\Windows\System32\deployJava1.dll

2012-03-23 11:38:31 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FED5FB29-A476-4B77-B113-F670D6C23545}\mpengine.dll

2012-03-14 10:01:59 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-03-14 10:01:59 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-03-14 10:01:59 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-03-14 05:42:35 3145728 ----a-w- C:\Windows\System32\win32k.sys

2012-03-14 05:42:34 1544192 ----a-w- C:\Windows\System32\DWrite.dll

2012-03-14 05:42:34 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-03-14 05:42:23 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-03-14 05:42:23 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-03-14 05:42:23 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-03-14 05:42:18 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-03-14 05:42:18 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-03-14 05:42:18 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-03-14 05:42:18 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-03-07 17:43:29 -------- d-----w- C:\Users\Brent\AppData\Local\SimCommander3

2012-03-07 06:21:01 -------- d-----w- C:\Users\Brent\AppData\Local\SimXperience

2012-03-07 06:16:45 -------- d-----w- C:\Users\Brent\AppData\Roaming\SimXperience

2012-03-07 06:16:33 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin

2012-03-07 06:16:31 -------- d-----w- C:\Program Files (x86)\SimXperience

2012-03-07 06:12:03 -------- d-----w- C:\Users\Brent\AppData\Local\AuthenticatedWpfApp

2012-03-07 06:07:30 -------- d-----w- C:\Program Files\Microsoft Synchronization Services

2012-03-07 06:07:29 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition

2012-03-07 06:07:26 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services

2012-03-07 06:07:26 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition

2012-03-06 20:42:38 -------- d-----w- C:\Program Files (x86)\NoLimits Coasters v1.8

2012-03-04 22:30:20 162664 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin

2012-03-04 04:42:49 20688 ----a-w- C:\Windows\System32\idisplay.dll

2012-03-04 04:42:49 15568 ----a-w- C:\Windows\System32\drivers\idisplayminiport.sys

2012-03-04 04:42:49 -------- d-----w- C:\Users\Brent\AppData\Roaming\SHAPE Services

2012-02-29 01:09:05 -------- d-----w- C:\Users\Brent\AppData\Roaming\.rFactor

2012-02-29 01:01:59 -------- d-----w- C:\Program Files (x86)\rFactor2

2012-02-29 00:33:37 -------- d-----w- C:\Users\Brent\AppData\Local\ShiftTone

.

==================== Find3M ====================

.

2012-03-24 21:02:51 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-02-23 16:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe

2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll

2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll

2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl

2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl

2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys

.

============= FINISH: 8:04:24.53 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 2/24/2011 4:01:34 AM

System Uptime: 3/25/2012 7:44:59 AM (1 hours ago)

.

Motherboard: MSI | | P67A-GD65 (MS-7681)

Processor: Intel® Core™ i5-2500K CPU @ 3.30GHz | SOCKET 0 | 3292/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 298 GiB total, 115.419 GiB free.

D: is CDROM (UDF)

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Universal Serial Bus (USB) Controller

Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\FFFFFFFFFFFFFFFF00

Manufacturer:

Name: Universal Serial Bus (USB) Controller

PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\FFFFFFFFFFFFFFFF00

Service:

.

Class GUID:

Description: Universal Serial Bus (USB) Controller

Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\4&9154DF2&0&FFFFFFFFFFFFFFFF00

Manufacturer:

Name: Universal Serial Bus (USB) Controller

PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\4&9154DF2&0&FFFFFFFFFFFFFFFF00

Service:

.

==== System Restore Points ===================

.

RP222: 3/3/2012 8:47:23 PM - Device Driver Package Install: SHAPE Services Display adapters

RP223: 3/3/2012 9:10:19 PM - Removed Bonjour

RP224: 3/6/2012 6:29:56 AM - Windows Update

RP225: 3/13/2012 1:05:06 AM - Windows Update

RP226: 3/14/2012 3:00:10 AM - Windows Update

RP227: 3/18/2012 11:06:20 AM - Installed Fanatec Wheel

RP228: 3/20/2012 4:16:25 AM - Windows Update

RP229: 3/23/2012 4:38:09 AM - Windows Update

RP230: 3/24/2012 2:02:14 PM - Installed Java™ 6 Update 31

RP231: 3/24/2012 2:03:28 PM - Installed Java™ 6 Update 31 (64-bit)

RP232: 3/24/2012 10:47:28 PM - Removed Java™ 6 Update 31

.

==== Installed Programs ======================

.

3DMark 11

7-Zip 9.20

Adobe AIR

Adobe Digital Editions

Adobe Reader X (10.1.2)

Advanced Combat Tracker (remove only)

Age of Conan - Hyborian Adventures

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Colin McRae Rally 2005

Compatibility Pack for the 2007 Office system

DiRT2

erLT

ERUNT 1.1j

Etron USB3.0 Host Controller

EVE Online (remove only)

EverQuest II

Freeze.com NetAssistant

Futuremark SystemInfo

Geeks3D.com FurMark 1.9.2

GIMP 2.6.10

Hid FootSwitch V4.0

Host OpenAL

HydraVision

iRacing.com Race Simulation

iRSetupManager

iSpeed 3.1.1.0

Jimmie Johnson Spotter Pack v5.10

Live Update 5

Malwarebytes' Anti-Malware version 1.51.2.1300

merhaut.co.at telemetry app

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Office Converter Pack

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft Organization Chart 2.0

Microsoft Silverlight

Microsoft SQL Server Compact 3.5 SP1 English

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Need for Speed™ Hot Pursuit

NetAssistant

NoLimits Coasters 1.8 (remove only)

NoLimits Coasters Demo 1.8 (remove only)

OpenAL

Origin

PDFCreator

Rapture3D 2.3.22 Game

Reader Library by Sony

Realtek Ethernet Controller Driver

Realtek High Definition Audio Driver

rFactor2

RIFT

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Shareaza 2.5.4.0

Shockwave

SimDash

Simraceway 0.28.57

SimXperience Commander for X-Sim Beta

SIW version 2010.07.14

Sound Blaster X-Fi

Star Wars: The Old Republic

Team MPR Pit Commander

Team MPR Setup Analyzer

TradingPaints Downloader

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

X-Sim Installer Version 2.0.8.9b beta

.

==== Event Viewer Messages From Past Week ========

.

3/25/2012 8:00:45 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.

3/25/2012 7:46:19 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .

3/25/2012 7:45:38 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: hwinterface

3/25/2012 7:44:59 AM, Error: Application Popup [56] - Driver PCI returned invalid ID for a child device (FFFFFFFFFFFFFFFF00).

3/25/2012 7:41:59 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

3/25/2012 7:41:57 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

3/25/2012 7:41:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

3/25/2012 7:41:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

3/25/2012 7:41:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/25/2012 7:41:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

3/25/2012 7:41:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache hwinterface spldr Wanarpv6

3/25/2012 6:58:39 AM, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

3/24/2012 10:26:16 AM, Error: Service Control Manager [7000] - The AMD FUEL Service service failed to start due to the following error: The system cannot find the file specified.

.

==== End Of File ===========================

RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo...13-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Brent [Admin rights]

Mode: Scan -- Date: 03/25/2012 07:13:20

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 13 ¤¤¤

[sUSP PATH] {3A48ADC5-9290-4E9F-81AD-6A830AF983E8}.job @ : C:\Users\Brent\Desktop\KeyboardOptimizer.exe -> FOUND

[sUSP PATH] {C5D78C36-881D-4D71-914A-318697BA3168}.job @ : C:\Users\Brent\Desktop\KeyboardOptimizer.exe -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAKS-00L9A0 ATA Device +++++

--- User ---

[MBR] 92685b4bfaadb2ba1fe8cb51ab551937

[bSP] c77f9df55b86806ca102ead22684e851 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305235 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 7ad6c4ea83cf9e061a11ea04104ce9ef

[bSP] c77f9df55b86806ca102ead22684e851 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305235 Mo

1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo

Finished : << RKreport[1].txt >>

RKreport[1].txt


Here is the log. Thanks for your help.

========================= Memory info ======================

Percentage of memory in use: 35%

Total physical RAM: 8159.92 MB

Available physical RAM: 5278.7 MB

Total Pagefile: 16318.04 MB

Available Pagefile: 12878.7 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:118.43 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive d: (SimXperienceV1.2) (CDROM) (Total:0.24 GB) (Free:0 GB) UDF

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 6144 KB

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 298 GB 31 KB

Partition 2 Primary 2543 KB 298 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C NTFS Partition 298 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 2

Type : 17 (Suspicious Type)

Hidden: Yes

Active: Yes

There is no volume associated with this partition.

======================================================================================================

The boot configuration data store could not be opened.

The system cannot find the file specified.

****** End Of Log ******


  • Staff

Hi,

You may have the newest variant of TDL4 that hides a partition on your hard drive.

I need to unhide the partition to see exactly what it is; if it was created by malware, then we will need to delete it.

It is always a good idea to back up your data, as suggested here.

You will need a USB flash drive for this next procedure:

Save ListParts64.exe (which should still be on the Desktop) to the USB flash drive.

Next, open Notepad (Press 'Start' orb 'R', and in the search box, type: notepad)

Copy/paste the following information inside the code box to Notepad:


Disk=0 Partition=2 type=07

In Notepad, go to File > Save as...

Save to: the USB flash drive

In File name use: fix.txt

Click: Save

Now, save the fix.txt file onto the USB flash drive, so that you have both ListParts64.exe, and, fix.txt on it.

Restart the computer.

  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
  • Command Prompt

  • Select Command Prompt
  • In the Command window, at the blinking cursor, type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • With the flash drive and Notepad open, click the Command window
  • Type e:\listparts64.exe, and press: Enter
    Note: Replace the drive letter e with the drive letter of your flash drive!
  • ListParts64 now shows on the screen.
  • Press the Fix button.
  • When the fix is done, check the List BCD option on the ListParts64 screen, and click: Scan
  • If successful, the following appears: "Scan completed. Result.txt was saved in the same directory the tool is run.", click: OK
  • The program saves the Result.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Close out of everything else.
  • Back at the System Recovery Options, press: Restart, and boot normally into Windows.

Once back in Windows, open the USB flash drive, copy/paste the Result.txt that was run during the procedure above, and provide it in your reply.

Then, run a new Scan with ListParts64 in normal Windows, and also post the new Result.txt in your reply.

If you encounter any obstacles, go to your other computer and post what is happening, any error messages, etc., so we can work out the issue.

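The two logs above show the same finding from two angles: RogueKiller reports that the MBR read through the normal user-mode path ("User") differs from a low-level read ("LL2"), and both RogueKiller and ListParts show a second partition of type 0x17 (hidden NTFS), marked active, only 2 MB in size, parked at the very end of the disk. The following Python is an added example written for this thread; it is not code from RogueKiller, ListParts, DDS or Malwarebytes. It builds two constructed 512-byte MBR images whose partition tables approximate the log (a ~298 GiB NTFS volume, then a 4096-sector hidden active partition), parses the partition table, hashes the user-mode view against each low-level view the way RogueKiller's "User = LL1 ... OK! / User != LL2 ... KO!" lines do, and flags the hidden/active/tiny combination. The set of "hidden" partition types and the 32 MiB size threshold are my own assumptions for the heuristic, and the sector offsets are constructed, not captured from the infected machine.

```python
"""Added example (not RogueKiller's or ListParts' own code): parse an MBR partition
table, compare a user-mode view of the MBR against low-level reads, and flag a hidden,
active, tiny partition of a 'hidden' type such as 0x17, the pattern in the thread's logs.
All byte strings here are constructed test data, not captures from the infected machine."""
import hashlib
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 0x1BE            # the four 16-byte partition entries start at byte 446
ENTRY_FMT = "<B3sB3sII"         # boot flag, CHS start, type, CHS end, LBA start, LBA size
BOOT_SIGNATURE = b"\x55\xAA"
# Assumption: partition types with the "hidden" bit (0x10) set; 0x17 is hidden NTFS/HPFS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_PARTITION_SECTORS = 65536  # assumption: <= 32 MiB is far too small for a real OS volume


def build_mbr(partitions, boot_code=b"\x00" * 446):
    """Assemble a 512-byte MBR from (active, type, lba_start, lba_size) tuples (constructed data)."""
    assert len(partitions) <= 4 and len(boot_code) == 446
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\x00" * 3, ptype, b"\x00" * 3, start, size)
        for active, ptype, start, size in partitions)
    table += b"\x00" * (64 - len(table))  # unused entries stay zeroed
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts; raise if the sector is not an MBR."""
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        flag, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": flag == 0x80, "hidden": ptype in HIDDEN_TYPES,
                        "type": ptype, "start": start, "size": size})
    return entries


def find_suspicious(entries):
    """Flag partitions that are hidden, marked active, and tiny: the profile seen in the logs."""
    return [e for e in entries
            if e["active"] and e["hidden"] and e["size"] <= SMALL_PARTITION_SECTORS]


def compare_views(user_view, low_level_views):
    """Hash the MBR obtained through the normal API against each low-level read and list the
    views that disagree with it. MD5 is used only as a fingerprint, not as a security primitive."""
    user_hash = hashlib.md5(user_view).hexdigest()
    result = {"user": user_hash, "mismatch": []}
    for name, view in low_level_views.items():
        digest = hashlib.md5(view).hexdigest()
        result[name] = digest
        if digest != user_hash:
            result["mismatch"].append(name)
    return result


# Constructed sample: sizes approximate the thread's log (one ~298 GiB NTFS volume, then a
# 2 MiB hidden NTFS partition at the end of the disk that only the low-level read reveals).
USER_VIEW = build_mbr([(True, 0x07, 63, 625137282)])
LL2_VIEW = build_mbr([(False, 0x07, 63, 625137282),
                      (True, 0x17, 625137345, 4096)])

if __name__ == "__main__":
    report = compare_views(USER_VIEW, {"LL1": USER_VIEW, "LL2": LL2_VIEW})
    print("MBR views differing from the user-mode view:", report["mismatch"])
    for e in find_suspicious(parse_mbr(LL2_VIEW)):
        print(f"suspicious partition {e['index'] + 1}: type 0x{e['type']:02X}, hidden, active, "
              f"offset {e['start']} sectors, size {e['size']} sectors")
```

The point of hashing two reads rather than trusting one is the same as RogueKiller's: a bootkit that filters disk reads in the kernel hands user-mode tools a clean MBR, so only a read that bypasses that filter (or a scan from boot media, as the staff member suggests next) shows the real partition table.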

Thanks very much for your help. Unfortunately I think I may have to resort to a full re-format and install of Win7. At this point it won't even let me use the "Repair your Computer" option. When I select that I get a screen that says "Windows is loading files..." and nothing ever loads. It just sits there "forever". First time I've ever run into malware that I have not been able to fix. Bummer, but it's probably time I reformat anyway since it's been a few years. But I do hate letting the bad guys win! :)


  • Staff

Well, we could try a different approach. Try this:

Download GETxPUD.exe to the desktop of your clean computer

Run GETxPUD.exe

A new folder will appear on the desktop.

Open the GETxPUD folder and click on the get&burn.bat

The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.

Click on Start and follow the prompts to burn the image to a CD.


Now prepare a USB stick

Download tdl_fix.sh and save it to the USB flash drive.

Remove the USB & CD and insert them into the infected computer

Boot the infected computer with the CD

The computer must be set to boot from the CD

Gently tap F12 and choose to boot from the CD

Follow the prompts

A Welcome to xPUD screen will appear, choose your language and allow it to load

Once loaded, Press the File tab

Expand mnt

Click on the folder under mnt that represents your USB drive (sdb1 ?)

You should see the tdl_fix.sh file in the main window.

Select Tool from the Menu

Choose Open Terminal

Type bash tdl_fix.sh then press Enter.

Read the warning then type y and press Enter to continue.

Type sda then press Enter when prompted.

You will be shown a list of partitions to choose marking active.

Type 1 then press Enter.

If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.

When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.

The script will complete and prompt you to reboot the computer.

Close the Terminal window and restart back into Windows.

Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.


  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

