Random Invisible Ads/Sounds/Commercials and Redirection


Hi guys!

For the past few days, I’ve been hearing commercials at random intervals on my laptop, and have also been experiencing redirection when clicking on search engine results. Nothing appears in task manager, so I’m not missing a pop up window or something. I’m using the latest version of Firefox, which has become periodically slow. My operating system is Windows 7.

Scans with Norton and Malwarebytes have both come up empty handed—so I’m at a loss! I saw a similar topic, but the solution was tailor-fit to that person’s unique situation, so I figured I’d ask for help myself.

I tried to run Rootkit Unhooker and got this error:

Exception code : 0xC0000005

Instruction address : 0x00402EAA

Attempt to read at address : 0xFFFFFFFF

Here is my dds scan:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29

Run by Liana at 18:47:35 on 2012-09-06

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.6043 [GMT -4:00]

.

AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\IDT\WDM\AESTSr64.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files (x86)\ShadowExplorer\sesvc.exe

C:\windows\system32\taskhost.exe

C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

c:\program files (x86)\dell datasafe local backup\sftservice.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

c:\program files (x86)\dell datasafe local backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\windows\system32\wbem\unsecapp.exe

C:\windows\system32\svchost.exe -k bthsvcs

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\System32\rundll32.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Windows\System32\rundll32.exe

C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\windows\system32\SearchIndexer.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe

C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\windows\system32\DllHost.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe

C:\windows\system32\taskeng.exe

C:\windows\system32\vssvc.exe

C:\windows\System32\svchost.exe -k swprv

C:\windows\system32\notepad.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\REGSVR32.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Wondershare YouTube Downloader: {133232d2-dae3-4b6f-aac2-17cd87495682} - C:\Program Files\AllMyTube\SVRIEPlugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"

mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 167.206.245.129 167.206.245.130

TCP: Interfaces\{89D89B70-CA6A-485E-A5E9-291BED65C9C8} : DhcpNameServer = 167.206.245.129 167.206.245.130

TCP: Interfaces\{89D89B70-CA6A-485E-A5E9-291BED65C9C8}\84F4D454D254837383 : DhcpNameServer = 75.75.75.75 75.75.76.76

Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Wondershare YouTube Downloader: {133232D2-DAE3-4B6F-AAC2-17CD87495682} - C:\Program Files\AllMyTube\SVRIEPlugin.dll

BHO-X64: WsSVRIEHelper - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO-X64: McAfee Phishing Filter - No File

BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO-X64: Increase performance and video formats for your HTML5 <video> - No File

BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL

BHO-X64: Norton Vulnerability Protection - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"

mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun-x64: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun-x64: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun-x64: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Liana\AppData\Roaming\Mozilla\Firefox\Profiles\dlrx3ic8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/

FF - prefs.js: network.proxy.type - 0

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]

R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-9-6 1160824]

R1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys --> C:\windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\IPSDefs\20120202.002\IDSviA64.sys [2012-9-6 488568]

R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\drivers\NAVx64\1307010.005\SYMNETS.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\SYMNETS.SYS [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]

R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-7-21 89600]

R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-3 897088]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-21 13336]

R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe [2012-9-6 138232]

R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]

R2 sesvc;ShadowExplorer Service;C:\Program Files (x86)\ShadowExplorer\sesvc.exe [2012-9-4 9216]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]

R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-7-21 1688384]

R2 TurboB;Turbo Boost UI Monitor driver;C:\windows\system32\DRIVERS\TurboB.sys --> C:\windows\system32\DRIVERS\TurboB.sys [?]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-21 2655768]

R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]

R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-3 1298496]

R3 btmaux;Intel Bluetooth Auxiliary Service;C:\windows\system32\DRIVERS\btmaux.sys --> C:\windows\system32\DRIVERS\btmaux.sys [?]

R3 btmhsf;btmhsf;C:\windows\system32\DRIVERS\btmhsf.sys --> C:\windows\system32\DRIVERS\btmhsf.sys [?]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\system32\DRIVERS\CtClsFlt.sys --> C:\windows\system32\DRIVERS\CtClsFlt.sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-9-6 138912]

R3 iBtFltCoex;iBtFltCoex;C:\windows\system32\DRIVERS\iBtFltCoex.sys --> C:\windows\system32\DRIVERS\iBtFltCoex.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]

R3 iwdbus;IWD Bus Enumerator;C:\windows\system32\DRIVERS\iwdbus.sys --> C:\windows\system32\DRIVERS\iwdbus.sys [?]

R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETwNs64.sys --> C:\windows\system32\DRIVERS\NETwNs64.sys [?]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]

R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]

R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]

R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]

S2 0077361346964773mcinstcleanup;McAfee Application Installer Cleanup (0077361346964773);C:\Users\Liana\AppData\Local\Temp\007736~1.EXE -cleanup -nolog --> C:\Users\Liana\AppData\Local\Temp\007736~1.EXE -cleanup -nolog [?]

S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-30 655944]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-5 250056]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\windows\system32\DRIVERS\ssudbus.sys --> C:\windows\system32\DRIVERS\ssudbus.sys [?]

S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\system32\drivers\intelaud.sys --> C:\windows\system32\drivers\intelaud.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-9-5 114144]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]

S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]

S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-09-06 22:23:31 -------- d-----w- C:\$RECYCLE.BIN

2012-09-06 21:09:18 98816 ----a-w- C:\windows\sed.exe

2012-09-06 21:09:18 518144 ----a-w- C:\windows\SWREG.exe

2012-09-06 21:09:18 256000 ----a-w- C:\windows\PEV.exe

2012-09-06 21:09:18 208896 ----a-w- C:\windows\MBR.exe

2012-09-06 21:09:16 35712 ----a-w- C:\windows\SysWow64\drivers\BlackBox.sys

2012-09-06 21:08:16 -------- d-----w- C:\ComboFix

2012-09-06 21:00:04 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared

2012-09-06 20:58:03 175736 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS

2012-09-06 20:58:03 -------- d-----w- C:\Program Files\Symantec

2012-09-06 20:58:03 -------- d-----w- C:\Program Files\Common Files\Symantec Shared

2012-09-06 20:57:51 737912 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\srtsp64.sys

2012-09-06 20:57:51 451192 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\SymDS64.sys

2012-09-06 20:57:51 405624 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\symnets.sys

2012-09-06 20:57:51 37496 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\srtspx64.sys

2012-09-06 20:57:51 190072 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\Ironx64.sys

2012-09-06 20:57:51 1092728 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\SymEFA64.sys

2012-09-06 20:57:50 167048 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\ccSetx64.sys

2012-09-06 20:57:47 -------- d-----w- C:\windows\System32\drivers\NAVx64\1307010.005

2012-09-06 20:57:47 -------- d-----w- C:\windows\System32\drivers\NAVx64

2012-09-06 20:57:47 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus

2012-09-06 20:57:32 -------- d-----w- C:\Program Files (x86)\NortonInstaller

2012-09-06 18:43:04 -------- d-----w- C:\Program Files\CCleaner

2012-09-05 01:35:09 -------- d-----w- C:\Program Files (x86)\ShadowExplorer

2012-09-05 01:29:11 -------- d-----w- C:\Users\Liana\AppData\Roaming\www.shadowexplorer.com

2012-08-30 22:39:33 -------- d-----w- C:\Temp

2012-08-30 21:31:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-30 20:51:16 -------- d-----w- C:\Users\Liana\AppData\Local\{765E1A92-F2E4-11E1-8270-B8AC6F996F26}

2012-08-28 19:42:44 -------- d-----w- C:\Program Files (x86)\McAfee.com

2012-08-28 19:42:30 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee

2012-08-28 19:42:11 -------- d-----w- C:\Program Files\McAfee.com

2012-08-28 19:42:11 -------- d-----w- C:\Program Files\McAfee

2012-08-28 19:42:11 -------- d-----w- C:\Program Files\Common Files\McAfee

2012-08-28 19:42:09 -------- d-----w- C:\Program Files (x86)\McAfee

2012-08-28 18:50:28 16200 ----a-w- C:\windows\stinger.sys

2012-08-28 18:50:04 -------- d-----w- C:\Program Files (x86)\stinger

2012-08-23 17:03:55 -------- d-----w- C:\ProgramData\PC-Doctor for Windows

2012-08-15 11:53:04 503808 ----a-w- C:\windows\System32\srcore.dll

2012-08-15 11:53:04 43008 ----a-w- C:\windows\SysWow64\srclient.dll

2012-08-15 11:53:01 751104 ----a-w- C:\windows\System32\win32spl.dll

2012-08-15 11:53:00 67072 ----a-w- C:\windows\splwow64.exe

2012-08-15 11:53:00 559104 ----a-w- C:\windows\System32\spoolsv.exe

2012-08-15 11:53:00 492032 ----a-w- C:\windows\SysWow64\win32spl.dll

2012-08-15 11:52:58 59392 ----a-w- C:\windows\System32\browcli.dll

2012-08-15 11:52:58 41984 ----a-w- C:\windows\SysWow64\browcli.dll

2012-08-15 11:52:58 136704 ----a-w- C:\windows\System32\browser.dll

2012-08-15 11:52:56 3148800 ----a-w- C:\windows\System32\win32k.sys

2012-08-15 11:52:55 956928 ----a-w- C:\windows\System32\localspl.dll

2012-08-09 14:31:13 -------- d--h--w- C:\ProgramData\NortonInstaller

.

==================== Find3M ====================

.

2012-08-15 15:43:20 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-15 15:43:20 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe

2012-07-06 20:07:42 552960 ----a-w- C:\windows\System32\drivers\bthport.sys

2012-06-29 03:56:34 2312704 ----a-w- C:\windows\System32\jscript9.dll

2012-06-29 03:49:11 1392128 ----a-w- C:\windows\System32\wininet.dll

2012-06-29 03:48:07 1494528 ----a-w- C:\windows\System32\inetcpl.cpl

2012-06-29 03:43:49 173056 ----a-w- C:\windows\System32\ieUnatt.exe

2012-06-29 03:39:48 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2012-06-29 00:16:58 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- C:\windows\SysWow64\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

.

============= FINISH: 18:55:40.22 ===============

I’d appreciate any help! Thank you for your time!

--Liana

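A small triage script for DDS output of the kind posted above (an added example, not a tool from this forum, from Malwarebytes or from the DDS author; the sample lines are constructed from entries in the log). It reads the "Pseudo HJT Report", "SERVICES / DRIVERS" and TCP lines and flags what a helper looks at first when chasing redirects: registrations whose file is gone, autostarts and services living in user-writable folders, and more than one DNS resolver set.

```python
"""Triage helper for DDS logs like the one posted above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines in the exact shape of the DDS output above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
TCP: DhcpNameServer = 167.206.245.129 167.206.245.130
TCP: Interfaces\{89D89B70-CA6A-485E-A5E9-291BED65C9C8} : DhcpNameServer = 167.206.245.129 167.206.245.130
TCP: Interfaces\{89D89B70-CA6A-485E-A5E9-291BED65C9C8}\84F4D454D254837383 : DhcpNameServer = 75.75.75.75 75.75.76.76
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe [2012-9-6 138232]
S2 0077361346964773mcinstcleanup;McAfee Application Installer Cleanup (0077361346964773);C:\Users\Liana\AppData\Local\Temp\007736~1.EXE -cleanup -nolog --> C:\Users\Liana\AppData\Local\Temp\007736~1.EXE -cleanup -nolog [?]
"""

# "Pseudo HJT Report" entries: browser helper objects, toolbars and Run-key autostarts.
HJT_RE = re.compile(r"^(BHO|BHO-X64|TB|TB-X64|[um]Run|[um]Run-x64): (.*)$")
# "SERVICES / DRIVERS" entries: <state> <name>;<description>;<image path> [...]
SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
DNS_RE = re.compile(r"DhcpNameServer = (.+)$")
# First Windows path ending in an executable extension; stops before any " [date size]" suffix.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:exe|dll|sys)', re.IGNORECASE)
# Folders a non-admin user can write to; persistence from here deserves a second look.
USER_WRITABLE = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "review" (look at this first) or "info" (clean-up or confirmation)
    entry: str     # the log line that produced the finding
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS log and return the entries a helper would ask about first."""
    findings: List[Finding] = []
    dns_sets: Dict[Tuple[str, ...], List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hjt = HJT_RE.match(line)
        if hjt:
            kind, body = hjt.groups()
            path = PATH_RE.search(body)
            if body.endswith("- No File"):
                findings.append(Finding("info", line,
                    f"{kind} registration whose file is gone: a leftover to remove, not an active component"))
            elif path and USER_WRITABLE.search(path.group(0)):
                findings.append(Finding("review", line,
                    f"{kind} autostart runs from a user-writable folder: {path.group(0)}"))
            continue
        svc = SVC_RE.match(line)
        if svc:
            state, name, _desc, rest = svc.groups()
            path = PATH_RE.search(rest)
            if path and USER_WRITABLE.search(path.group(0)):
                findings.append(Finding("review", line,
                    f"service {name} ({state}) starts from a user-writable folder: {path.group(0)}"))
            continue
        dns = DNS_RE.search(line)
        if dns:
            servers = tuple(sorted(dns.group(1).split()))
            dns_sets.setdefault(servers, []).append(line)
    # More than one resolver set is not proof of anything, but a swapped resolver is a
    # classic cause of search-result redirection, so each set should be recognised.
    if len(dns_sets) > 1:
        for servers, lines in list(dns_sets.items())[1:]:
            findings.append(Finding("info", lines[0],
                "additional DNS resolver set " + " ".join(servers)
                + "; confirm it belongs to a network this machine actually uses"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

Run it against the full DDS.txt to get the same three kinds of finding over the whole log; everything it flags still needs a human to confirm against the vendor and install history before anything is removed.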


  • Staff

Please run the following:

Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
    • Then click Continue > Reboot now

  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


  • Staff

try it from the MBAM chameleon folder:

Move tdsskiller.exe to this folder:

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do so.

Now see if tdsskiller.exe will run from the Chameleon folder.

You will have to navigate to its new location to run it. Let me know if you have trouble.

If it still will not run,

then please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt).


The program would still not run in the chameleon folder after following the directions, so I'm attempting to open repair computer from the F8 startup screen. Is it normal for it to take forever to load files before you're able to move to the next step of choosing a language, choose the operating system and so on? I'm sorry to be so much trouble--I didn't anticipate this! Thank you for all your help so far.


  • Staff

yes, try it again

if it still won't load, then run the following:

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.


I was able to run Farbar Tool without entering the startup 'repair computer' option. Here's the log:

Scan result of Farbar Recovery Scan Tool (x64) Version: 05-09-2012

Ran by Liana at 06-09-2012 20:38:08

Running from C:\Users\Liana\Desktop

Service Pack 1 (X64) OS Language: English(US)

Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ======================

2012-09-06 19:33 - 2012-09-06 20:38 - 00000000 ____D C:\FRST

2012-09-06 19:32 - 2012-09-06 19:32 - 01453069 ____A (Farbar) C:\Users\Liana\Desktop\FRST64.exe

2012-09-06 19:09 - 2012-09-06 19:11 - 00000000 ____D C:\Users\Liana\Desktop\tdsskiller

2012-09-06 19:01 - 2012-09-06 19:01 - 00014079 ____A C:\Users\Liana\Desktop\Attach.txt

2012-09-06 19:00 - 2012-09-06 19:00 - 00026237 ____A C:\Users\Liana\Desktop\DDS.txt

2012-09-06 18:45 - 2012-09-06 18:45 - 00027047 ____A C:\ComboFix.txt

2012-09-06 18:25 - 2012-09-06 20:30 - 00031011 ____A C:\Windows\WindowsUpdate.log

2012-09-06 18:21 - 2012-09-06 18:21 - 00002982 ____A C:\Windows\PFRO.log

2012-09-06 18:17 - 2012-09-06 18:17 - 00007602 ____A C:\Users\Liana\AppData\Local\Resmon.ResmonCfg

2012-09-06 17:09 - 2012-09-06 17:29 - 00035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys

2012-09-06 17:09 - 2012-09-06 17:09 - 00139264 ____A () C:\Users\Liana\Desktop\RKUnhookerLE.EXE

2012-09-06 17:09 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe

2012-09-06 17:09 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe

2012-09-06 17:09 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-09-06 17:09 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-09-06 17:09 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-09-06 17:09 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe

2012-09-06 17:09 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe

2012-09-06 17:09 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe

2012-09-06 17:08 - 2012-09-06 18:46 - 00000000 ____D C:\ComboFix

2012-09-06 17:07 - 2012-09-06 17:07 - 00607260 ____R (Swearware) C:\Users\Liana\Desktop\dds.scr

2012-09-06 17:05 - 2012-09-06 17:05 - 00187464 ____A (Webroot) C:\Users\Liana\Downloads\antizeroaccess.exe

2012-09-06 16:59 - 2012-09-06 16:59 - 00000000 ____D C:\Users\Liana\Documents\Symantec

2012-09-06 16:58 - 2012-09-06 16:58 - 00175736 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS

2012-09-06 16:58 - 2012-09-06 16:58 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT

2012-09-06 16:58 - 2012-09-06 16:58 - 00002466 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk

2012-09-06 16:58 - 2012-09-06 16:58 - 00000000 ____D C:\Program Files\Symantec

2012-09-06 16:58 - 2012-09-06 16:58 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2012-09-06 16:57 - 2012-09-06 16:57 - 00000000 ____D C:\Windows\System32\Drivers\NAVx64

2012-09-06 16:57 - 2012-09-06 16:57 - 00000000 ____D C:\Program Files (x86)\Norton AntiVirus

2012-09-06 16:40 - 2012-09-06 18:46 - 00000000 ____D C:\Qoobox

2012-09-06 16:39 - 2012-09-06 18:29 - 00000000 ____D C:\Windows\erdnt

2012-09-06 16:38 - 2012-09-06 16:38 - 04745369 ____R (Swearware) C:\Users\Liana\Downloads\ComboFix.exe

2012-09-06 16:30 - 2012-09-06 16:31 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Liana\Downloads\tdsskiller.exe

2012-09-06 15:09 - 2012-09-06 20:35 - 00000336 ____A C:\Windows\setupact.log

2012-09-06 15:09 - 2012-09-06 15:09 - 00000000 ____A C:\Windows\setuperr.log

2012-09-06 14:43 - 2012-09-06 14:43 - 00000000 ____D C:\Program Files\CCleaner

2012-09-06 14:41 - 2012-09-06 14:41 - 03927560 ____A (Piriform Ltd) C:\Users\Liana\Downloads\ccsetup322.exe

2012-09-06 13:42 - 2012-09-06 13:42 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

2012-09-06 09:10 - 2012-09-06 09:10 - 00003288 ____N C:\bootsqm.dat

2012-09-05 08:30 - 2012-09-05 08:30 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-05 08:30 - 2012-09-05 08:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-09-05 08:29 - 2012-09-05 08:29 - 17789456 ____A (Mozilla) C:\Users\Liana\Downloads\Firefox Setup 15.0.exe

2012-09-04 21:35 - 2012-09-04 21:42 - 00000000 ____D C:\Program Files (x86)\ShadowExplorer

2012-09-04 21:29 - 2012-09-04 21:29 - 00000000 ____D C:\Users\Liana\AppData\Roaming\www.shadowexplorer.com

2012-09-04 21:28 - 2012-09-04 21:28 - 00937024 ____A (ShadowExplorer.com ) C:\Users\Liana\Downloads\ShadowExplorer-0.8-setup.exe

2012-09-04 20:49 - 2012-09-04 20:49 - 00000184 ___AH C:\Users\All Users\-IRUPS7cECpP8k3r

2012-09-04 20:49 - 2012-09-04 20:49 - 00000160 ___AH C:\Users\All Users\-IRUPS7cECpP8k3

2012-08-30 17:31 - 2012-08-30 17:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Liana\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-30 17:31 - 2012-08-30 17:31 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-30 17:31 - 2012-08-30 17:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-30 16:51 - 2012-09-06 17:47 - 00000000 ___AH C:\Users\Liana\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖרÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞÿ

2012-08-30 16:51 - 2012-09-04 21:05 - 00000000 ____D C:\Users\Liana\AppData\Local\{765E1A92-F2E4-11E1-8270-B8AC6F996F26}

2012-08-28 15:42 - 2012-09-06 18:21 - 00000000 ____D C:\Program Files\Common Files\McAfee

2012-08-28 15:42 - 2012-09-05 18:45 - 00000000 ____D C:\Program Files (x86)\McAfee

2012-08-28 15:42 - 2012-08-28 15:42 - 00000000 ____D C:\Program Files\McAfee.com

2012-08-28 15:42 - 2012-08-28 15:42 - 00000000 ____D C:\Program Files\McAfee

2012-08-28 15:42 - 2012-08-28 15:42 - 00000000 ____D C:\Program Files (x86)\McAfee.com

2012-08-28 15:28 - 2012-09-04 21:04 - 00000000 ____D C:\Users\All Users\McAfee

2012-08-28 15:28 - 2012-08-28 15:28 - 04840424 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\McAfeeSetup.exe

2012-08-28 15:11 - 2012-08-28 15:11 - 00000041 ___RH C:\Users\Liana\Downloads\stinger.opt

2012-08-28 15:10 - 2012-08-28 15:10 - 03178400 ____A (McAfee, Inc.) C:\Users\Liana\Desktop\MCPR.exe

2012-08-28 15:02 - 2012-08-28 15:02 - 00475752 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\rootkitremover.exe

2012-08-28 14:50 - 2012-08-28 15:11 - 00000000 ____D C:\Program Files (x86)\stinger

2012-08-28 14:50 - 2012-08-28 14:50 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys

2012-08-28 14:49 - 2012-08-28 14:49 - 09925224 ____A (McAfee Inc.) C:\Users\Liana\Downloads\stinger.exe

2012-08-24 18:33 - 2012-08-24 18:33 - 00176940 ____A C:\Users\Liana\Downloads\BFE.reg

2012-08-24 18:33 - 2012-08-24 18:33 - 00006396 ____A C:\Users\Liana\Downloads\MpsSvc.reg

2012-08-24 17:25 - 2012-08-24 17:25 - 01010176 ____A C:\Users\Liana\Downloads\MicrosoftFixit50884.msi

2012-08-16 03:07 - 2012-07-06 16:07 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys

2012-08-16 03:07 - 2012-06-29 00:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-08-16 03:07 - 2012-06-29 00:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-08-16 03:07 - 2012-06-28 23:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-08-16 03:07 - 2012-06-28 23:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-08-16 03:07 - 2012-06-28 23:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-08-16 03:07 - 2012-06-28 23:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-08-16 03:07 - 2012-06-28 23:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-08-16 03:07 - 2012-06-28 23:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-08-16 03:07 - 2012-06-28 23:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-08-16 03:07 - 2012-06-28 23:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-08-16 03:07 - 2012-06-28 23:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-08-16 03:07 - 2012-06-28 23:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-08-16 03:07 - 2012-06-28 23:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-08-16 03:07 - 2012-06-28 23:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-08-16 03:07 - 2012-06-28 20:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-08-16 03:07 - 2012-06-28 20:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-08-16 03:07 - 2012-06-28 20:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-08-16 03:07 - 2012-06-28 20:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-08-16 03:07 - 2012-06-28 20:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-08-16 03:07 - 2012-06-28 20:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-08-16 03:07 - 2012-06-28 20:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-08-16 03:07 - 2012-06-28 20:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-08-16 03:07 - 2012-06-28 20:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-08-16 03:07 - 2012-06-28 20:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-08-16 03:07 - 2012-06-28 20:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-08-16 03:07 - 2012-06-28 20:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-08-16 03:07 - 2012-06-28 20:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-08-16 03:07 - 2012-06-28 19:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-08-15 07:53 - 2012-05-05 04:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

2012-08-15 07:53 - 2012-05-05 03:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

2012-08-15 07:53 - 2012-02-11 02:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2012-08-15 07:53 - 2012-02-11 02:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2012-08-15 07:53 - 2012-02-11 02:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe

2012-08-15 07:53 - 2012-02-11 01:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2012-08-15 07:52 - 2012-07-18 14:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-08-15 07:52 - 2012-07-04 18:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-08-15 07:52 - 2012-07-04 18:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-08-15 07:52 - 2012-07-04 18:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-08-15 07:52 - 2012-07-04 17:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-08-15 07:52 - 2012-07-04 17:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-08-15 07:52 - 2012-05-14 01:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2012-08-14 14:30 - 2012-08-24 20:45 - 00000000 ____D C:\Users\Liana\Desktop\Marketing

2012-08-09 08:13 - 2012-08-09 08:18 - 00829280 ____A (Symantec Corporation) C:\Users\Liana\Downloads\NAVDownloader(1).exe

==================== 3 Months Modified Files ================================

2012-09-06 20:36 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-06 20:35 - 2012-09-06 15:09 - 00000336 ____A C:\Windows\setupact.log

2012-09-06 20:30 - 2012-09-06 18:25 - 00031011 ____A C:\Windows\WindowsUpdate.log

2012-09-06 20:17 - 2009-07-14 00:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-06 20:17 - 2009-07-14 00:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-06 20:16 - 2009-07-14 01:13 - 00780046 ____A C:\Windows\System32\PerfStringBackup.INI

2012-09-06 19:43 - 2012-08-05 21:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-06 19:32 - 2012-09-06 19:32 - 01453069 ____A (Farbar) C:\Users\Liana\Desktop\FRST64.exe

2012-09-06 19:01 - 2012-09-06 19:01 - 00014079 ____A C:\Users\Liana\Desktop\Attach.txt

2012-09-06 19:00 - 2012-09-06 19:00 - 00026237 ____A C:\Users\Liana\Desktop\DDS.txt

2012-09-06 18:45 - 2012-09-06 18:45 - 00027047 ____A C:\ComboFix.txt

2012-09-06 18:24 - 2009-07-13 22:34 - 00000215 ____A C:\Windows\system.ini

2012-09-06 18:21 - 2012-09-06 18:21 - 00002982 ____A C:\Windows\PFRO.log

2012-09-06 18:17 - 2012-09-06 18:17 - 00007602 ____A C:\Users\Liana\AppData\Local\Resmon.ResmonCfg

2012-09-06 17:47 - 2012-08-30 16:51 - 00000000 ___AH C:\Users\Liana\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖרÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞÿ

2012-09-06 17:29 - 2012-09-06 17:09 - 00035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys

2012-09-06 17:09 - 2012-09-06 17:09 - 00139264 ____A () C:\Users\Liana\Desktop\RKUnhookerLE.EXE

2012-09-06 17:07 - 2012-09-06 17:07 - 00607260 ____R (Swearware) C:\Users\Liana\Desktop\dds.scr

2012-09-06 17:05 - 2012-09-06 17:05 - 00187464 ____A (Webroot) C:\Users\Liana\Downloads\antizeroaccess.exe

2012-09-06 16:58 - 2012-09-06 16:58 - 00175736 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS

2012-09-06 16:58 - 2012-09-06 16:58 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT

2012-09-06 16:58 - 2012-09-06 16:58 - 00002466 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk

2012-09-06 16:38 - 2012-09-06 16:38 - 04745369 ____R (Swearware) C:\Users\Liana\Downloads\ComboFix.exe

2012-09-06 16:31 - 2012-09-06 16:30 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Liana\Downloads\tdsskiller.exe

2012-09-06 15:09 - 2012-09-06 15:09 - 00000000 ____A C:\Windows\setuperr.log

2012-09-06 14:41 - 2012-09-06 14:41 - 03927560 ____A (Piriform Ltd) C:\Users\Liana\Downloads\ccsetup322.exe

2012-09-06 13:42 - 2012-09-06 13:42 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

2012-09-06 09:10 - 2012-09-06 09:10 - 00003288 ____N C:\bootsqm.dat

2012-09-05 08:30 - 2012-09-05 08:30 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-05 08:29 - 2012-09-05 08:29 - 17789456 ____A (Mozilla) C:\Users\Liana\Downloads\Firefox Setup 15.0.exe

2012-09-04 21:28 - 2012-09-04 21:28 - 00937024 ____A (ShadowExplorer.com ) C:\Users\Liana\Downloads\ShadowExplorer-0.8-setup.exe

2012-09-04 20:49 - 2012-09-04 20:49 - 00000184 ___AH C:\Users\All Users\-IRUPS7cECpP8k3r

2012-09-04 20:49 - 2012-09-04 20:49 - 00000160 ___AH C:\Users\All Users\-IRUPS7cECpP8k3

2012-08-30 17:31 - 2012-08-30 17:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Liana\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-30 17:31 - 2012-08-30 17:31 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-28 15:28 - 2012-08-28 15:28 - 04840424 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\McAfeeSetup.exe

2012-08-28 15:11 - 2012-08-28 15:11 - 00000041 ___RH C:\Users\Liana\Downloads\stinger.opt

2012-08-28 15:10 - 2012-08-28 15:10 - 03178400 ____A (McAfee, Inc.) C:\Users\Liana\Desktop\MCPR.exe

2012-08-28 15:02 - 2012-08-28 15:02 - 00475752 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\rootkitremover.exe

2012-08-28 14:50 - 2012-08-28 14:50 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys

2012-08-28 14:49 - 2012-08-28 14:49 - 09925224 ____A (McAfee Inc.) C:\Users\Liana\Downloads\stinger.exe

2012-08-24 18:33 - 2012-08-24 18:33 - 00176940 ____A C:\Users\Liana\Downloads\BFE.reg

2012-08-24 18:33 - 2012-08-24 18:33 - 00006396 ____A C:\Users\Liana\Downloads\MpsSvc.reg

2012-08-24 17:25 - 2012-08-24 17:25 - 01010176 ____A C:\Users\Liana\Downloads\MicrosoftFixit50884.msi

2012-08-16 03:25 - 2009-07-14 00:45 - 00319000 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-16 03:03 - 2012-06-12 17:21 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-08-15 11:43 - 2012-08-05 21:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-15 11:43 - 2011-07-21 02:11 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-08-09 08:18 - 2012-08-09 08:13 - 00829280 ____A (Symantec Corporation) C:\Users\Liana\Downloads\NAVDownloader(1).exe

2012-08-05 22:29 - 2012-08-05 22:29 - 00829280 ____A (Symantec Corporation) C:\Users\Liana\Downloads\NAVDownloader.exe

2012-07-18 14:15 - 2012-08-15 07:52 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-16 10:15 - 2012-07-16 10:15 - 00000790 ____A C:\Users\Public\Desktop\Wondershare AllMyTube.lnk

2012-07-16 10:13 - 2012-07-16 10:13 - 19419512 ____A (Wondershare Software Co.,Ltd. ) C:\Users\Liana\Downloads\youtube-downloader_full235.exe

2012-07-12 14:15 - 2012-07-12 14:15 - 00000154 ____A C:\Users\Liana\Documents\bronxzoo.txt

2012-07-09 18:38 - 2012-07-09 18:38 - 05850752 ___AH C:\Users\Liana\Downloads\CAMERA! 004.avi

2012-07-06 16:07 - 2012-08-16 03:07 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys

2012-07-04 18:16 - 2012-08-15 07:52 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 18:13 - 2012-08-15 07:52 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 18:13 - 2012-08-15 07:52 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-07-04 17:16 - 2012-08-15 07:52 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-07-04 17:14 - 2012-08-15 07:52 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-06-29 00:55 - 2012-08-16 03:07 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-29 00:09 - 2012-08-16 03:07 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-28 23:56 - 2012-08-16 03:07 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-28 23:49 - 2012-08-16 03:07 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-28 23:49 - 2012-08-16 03:07 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-28 23:48 - 2012-08-16 03:07 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-28 23:47 - 2012-08-16 03:07 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-28 23:45 - 2012-08-16 03:07 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-28 23:44 - 2012-08-16 03:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-28 23:43 - 2012-08-16 03:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-28 23:42 - 2012-08-16 03:07 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-28 23:40 - 2012-08-16 03:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-28 23:39 - 2012-08-16 03:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-28 23:35 - 2012-08-16 03:07 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-28 20:52 - 2012-08-16 03:07 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-28 20:27 - 2012-08-16 03:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-28 20:16 - 2012-08-16 03:07 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-28 20:09 - 2012-08-16 03:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-28 20:09 - 2012-08-16 03:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-28 20:08 - 2012-08-16 03:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-28 20:07 - 2012-08-16 03:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-28 20:06 - 2012-08-16 03:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-28 20:04 - 2012-08-16 03:07 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-28 20:04 - 2012-08-16 03:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-28 20:01 - 2012-08-16 03:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-28 20:01 - 2012-08-16 03:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-28 20:00 - 2012-08-16 03:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-28 19:57 - 2012-08-16 03:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-21 13:50 - 2012-06-21 13:50 - 00443089 ___AH C:\Users\Liana\Downloads\attachments(6).zip

2012-06-21 13:49 - 2012-06-21 13:49 - 00443089 ___AH C:\Users\Liana\Downloads\attachments(5).zip

2012-06-21 13:49 - 2012-06-21 13:49 - 00443089 ___AH C:\Users\Liana\Downloads\attachments(4).zip

2012-06-21 13:47 - 2012-06-21 13:47 - 00402572 ___AH C:\Users\Liana\Downloads\attachments(3).zip

2012-06-14 07:39 - 2012-06-14 07:39 - 00000219 ___AH C:\Users\Liana\Downloads\Bird_Watcher's_General_Store_(2).url

2012-06-12 17:21 - 2012-06-12 17:21 - 00000527 ____A C:\Users\Liana\Documents\wedding.txt

2012-06-09 01:43 - 2012-07-11 08:21 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-09 00:41 - 2012-07-11 08:21 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

ZeroAccess:

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\201d3dde

ZeroAccess:

C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@

C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L

C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2012-08-16 03:02:31

Restore point made on: 2012-08-23 13:32:37

Restore point made on: 2012-08-24 17:26:16

Restore point made on: 2012-09-04 10:51:58

Restore point made on: 2012-09-04 21:09:37

==================== Memory info ===========================

Percentage of memory in use: 23%

Total physical RAM: 8099.18 MB

Available physical RAM: 6210.37 MB

Total Pagefile: 16196.54 MB

Available Pagefile: 14057.47 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:626.03 GB) NTFS

3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 698 GB 0 B

Disk 1 Online 244 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 100 MB 1024 KB

Partition 2 Primary 14 GB 101 MB

Partition 3 Primary 683 GB 14 GB

Partition 4 Primary 10 MB 698 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 683 GB Healthy Boot

==================================================================================

Disk: 0

Partition 4

Type : 17 (Suspicious Type)

Hidden: Yes

Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 244 MB 49 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E FAT Removable 244 MB Healthy

==================================================================================

Last Boot: 2012-08-30 10:59

==================== End Of Log =============================

I'm going to try RogueKiller now! :)


Here's the first RogueKiller log:

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Liana [Admin rights]

Mode : Scan -- Date : 09/06/2012 20:50:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7500BPVT-75HXZT1 +++++

--- User ---

[MBR] 53f0d6e6dfbe15f916b755cb47c4560e

[bSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo

User != LL1 ... KO!

--- LL1 ---

[MBR] a72c6556107abb7a85fbc4c592fed7fa

[bSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo

User != LL2 ... KO!

--- LL2 ---

[MBR] a72c6556107abb7a85fbc4c592fed7fa

[bSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo

+++++ PhysicalDrive1: SanDisk Cruzer Micro USB Device +++++

--- User ---

[MBR] 8a2877c45c9e97842276805a0759d0ba

[bSP] 7208b105e661849d4a48c279d3177d8d : Standard MBR Code

Partition table:

0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 99 | Size: 244 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

And here's the second:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Liana [Admin rights]

Mode : Remove -- Date : 09/06/2012 20:53:35

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> REMOVED

[Del.Parent][FILE] 00000004.@ : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@ --> REMOVED

[Del.Parent][FILE] 201d3dde : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\201d3dde --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> REMOVED

[ZeroAccess][FILE] @ : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7500BPVT-75HXZT1 +++++

--- User ---

[MBR] 53f0d6e6dfbe15f916b755cb47c4560e

[bSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo

User != LL1 ... KO!

--- LL1 ---

[MBR] a72c6556107abb7a85fbc4c592fed7fa

[bSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo

User != LL2 ... KO!

--- LL2 ---

[MBR] a72c6556107abb7a85fbc4c592fed7fa

[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo

+++++ PhysicalDrive1: SanDisk Cruzer Micro USB Device +++++

--- User ---

[MBR] 8a2877c45c9e97842276805a0759d0ba

[BSP] 7208b105e661849d4a48c279d3177d8d : Standard MBR Code

Partition table:

0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 99 | Size: 244 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt


After I clicked Fix Shortcuts, RogueKiller gave me a third log:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Liana [Admin rights]

Mode : Shortcuts HJfix -- Date : 09/06/2012 20:56:24

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤

Desktop: Success 2 / Fail 0

Quick launch: Success 2 / Fail 0

Programs: Success 36 / Fail 0

Start menu: Success 2 / Fail 0

User folder: Success 1303 / Fail 0

My documents: Success 13 / Fail 13

My favorites: Success 13 / Fail 0

My pictures: Success 0 / Fail 0

My music: Success 1747 / Fail 0

My videos: Success 0 / Fail 0

Local drives: Success 576 / Fail 12

Backup: [NOT FOUND]

Drives:

[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored

[D:] \Device\CdRom0 -- 0x5 --> Skipped

[E:] \Device\HarddiskVolume5 -- 0x2 --> Restored

[Q:] \Device\SftVol -- 0x3 --> Restored

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


  • Staff

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

As well as being infected with a nasty rootkit called Zero Access, malware has created a hidden rogue partition on your computer.

It does appear as though RogueKiller has removed the Zero Access rootkit successfully.

We need to remove the hidden partition (which is currently active).

Please do the following:

You will need a USB drive and a CD.

Download GETxPUD.exe to your desktop

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
Next
  • Download tdl_fix.sh and save it to your USB flash drive.
  • Boot into xPUD using the xPud CD, then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (it's probably sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 3 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.

This will prompt you to use the file tdl_mbr_sda.bin on drive sda.

OK the procedure, then restart when complete.

This is a backup of the original MBR and will restore it to its current state.


I've burned XPUD to a CD, and have downloaded tdl_fix.sh to a flash drive. When trying to boot into XPUD using the CD, I get an error saying: 'The file is invalid for use as the following: Security Catalog.' Figuring I clicked the wrong option, I clicked into the boot folder, then clicked on XPUD, but it can't find a program to run it. Am I doing something wrong here?


  • Staff

No, not necessarily; there is the odd occasion that a machine just will not boot to xPud.

Fortunately, we have several options available to us to remove this malware partition.

Let's try ListParts.

We need to get a scan first.

Please do the following:

  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

W7InstallDisk2.png

  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.

  • Back in the command window ...

    • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • ListParts will start to run.
      • Press the Scan button.
      • When finished scanning it will make a log Result.txt on the flash drive.

  • Close the command window.

  • Boot back into normal mode and post me the Result.txt log please.


Since my system seems to freeze while loading files when entering 'repair your computer' from the startup screen, I ran ListParts from Safe Mode with Command Prompt. I hope that's okay! Here's the result:

ListParts by Farbar Version: 10-08-2012

Ran by Liana (administrator) on 07-09-2012 at 20:19:37

Windows 7 (X64)

Running From: E:\

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 16%

Total physical RAM: 8099.18 MB

Available physical RAM: 6794.21 MB

Total Pagefile: 16196.54 MB

Available Pagefile: 14884.77 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:620.36 GB) NTFS

2 Drive d: (xPUD) (CDROM) (Total:0.06 GB) (Free:0 GB) CDFS

3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 698 GB 0 B

Disk 1 Online 244 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 100 MB 1024 KB

Partition 2 Primary 14 GB 101 MB

Partition 3 Primary 683 GB 14 GB

Partition 4 Primary 10 MB 698 GB

======================================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 683 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 4

Type : 17 (Suspicious Type)

Hidden: Yes

Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 244 MB 49 KB

======================================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E FAT Removable 244 MB Healthy

======================================================================================================

****** End Of Log ******


  • Staff

We can try the fix in normal mode, but it may not be successful.

First we need to make your boot partition active and then we will delete the malware partition (which is currently active)

Please try and enter the recovery environment, if you are unable to do so, try it in normal mode, if it is still unsuccessful, we do have another option.

Please run the following:

  • Click Start and in the Search Programs and files box type Notepad.exe then hit Enter.
  • An empty Notepad file will open.
  • Copy and paste the contents of the quote box below into Notepad.

Disk=0 Partition=2 active

bcdedit

Disk=0 Partition=4 type=07

  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fix.txt to the flash drive where ListParts is located.

Next

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

W7InstallDisk2.png

  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.

  • Back in the command window ...

    • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • ListParts will start to run.
      • Press the Fix button.
      • ListParts will process the script in Fix.txt
      • When finished please press the Scan button.
      • A log Result.txt will be saved to the flash drive.

  • Close the command window.

  • Boot back into normal mode and post me the Result.txt log please.

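The hidden active partition in the RogueKiller log (its "User != LL1 ... KO!" line), the tdl_fix.sh procedure earlier in the thread that marks a different partition active, and the ListParts Fix.txt script above ("Disk=0 Partition=2 active", "Disk=0 Partition=4 type=07") all operate on the same thing: the 64-byte partition table at offset 446 of the first sector of the disk. The following Python script is an added example, not code from this thread or from RogueKiller, ListParts or tdl_fix.sh. It builds an MBR from the offsets and sizes in the RogueKiller LL1 listing (constructed data; the boot-code area is zeroed, so its md5 does not match the log's), lists the entries, flags an active partition of a hidden type, compares an OS-reported copy of the sector against the raw copy the way RogueKiller compares its User and LL1 hashes, and applies the same repair as the Fix.txt script. The "User" bytes, the 64 MB small-partition threshold and the hidden-type set are assumptions for illustration.

```python
"""Audit and repair an MBR partition table (added example; see lead-in)."""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446       # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MB = 1024 * 1024

# "Hidden" FAT/NTFS variants: the 0x10 bit set on the normal type code (0x17 = hidden NTFS).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS", 0x17: "Hidden NTFS", 0xDE: "DELL-UTIL"}


def build_mbr(entries):
    """Build a 512-byte MBR from (status, type, lba_start, sector_count) tuples.
    Boot code is left as zeros (constructed data); the 0x55AA signature is set."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, bytes(3), ptype, bytes(3), lba, count)
        for status, ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return the populated partition entries as dicts; 'index' is 0-based."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "lba": lba,
                      "sectors": count, "size_mb": count * SECTOR // MB})
    return parts


def suspicious(parts, small_mb=64):
    """Indices of entries that look like a bootkit's: active (so the BIOS boots it) and
    either of a hidden type or tiny. The size threshold is an assumption for illustration."""
    return [p["index"] for p in parts
            if p["active"] and (p["hidden"] or p["size_mb"] <= small_mb)]


def views_match(user_mbr, raw_mbr):
    """RogueKiller-style check: the sector returned through the normal OS path must hash
    the same as one read by a lower-level path; a hooked disk driver makes them differ."""
    return hashlib.md5(user_mbr).hexdigest() == hashlib.md5(raw_mbr).hexdigest()


def repair(mbr, active_index, retype=None, delete=None):
    """Return a copy of mbr with exactly one active entry, optionally retyping an entry
    (retype=(index, new_type)) or zeroing one (delete=index, what a partition delete does)."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + 16 * i] = 0x80 if i == active_index else 0x00
    if retype is not None:
        idx, new_type = retype
        buf[TABLE_OFFSET + 16 * idx + 4] = new_type
    if delete is not None:
        buf[TABLE_OFFSET + 16 * delete:TABLE_OFFSET + 16 * (delete + 1)] = bytes(16)
    return bytes(buf)


# Constructed from the RogueKiller LL1 view: offsets in sectors, 2048 sectors per MB.
RAW_MBR = build_mbr([
    (0x00, 0xDE, 2048, 100 * 2048),          # DELL-UTIL
    (0x00, 0x07, 206848, 15000 * 2048),      # Recovery: the real system partition
    (0x00, 0x07, 30926848, 700288 * 2048),   # C: (OS)
    (0x80, 0x17, 1465118720, 10 * 2048),     # hidden, active, 10 MB: the rogue entry
])
# Assumed "User" view, as the infected OS reported it: rogue entry gone, partition 2 active.
USER_MBR = build_mbr([
    (0x00, 0xDE, 2048, 100 * 2048),
    (0x80, 0x07, 206848, 15000 * 2048),
    (0x00, 0x07, 30926848, 700288 * 2048),
])
# Same effect as the Fix.txt lines "Disk=0 Partition=2 active" and "Disk=0 Partition=4 type=07".
FIXED_MBR = repair(RAW_MBR, active_index=1, retype=(3, 0x07))

if __name__ == "__main__":
    for label, mbr in (("raw", RAW_MBR), ("fixed", FIXED_MBR)):
        print(f"--- {label} ---")
        for p in parse_mbr(mbr):
            print(f"{p['index']} {'ACTIVE' if p['active'] else '      '} "
                  f"{TYPE_NAMES.get(p['type'], hex(p['type'])):<12} hidden={p['hidden']!s:<5} "
                  f"lba={p['lba']:<11} {p['size_mb']} MB")
        print("suspicious entries:", suspicious(parse_mbr(mbr)))
    print("user view matches raw:", views_match(USER_MBR, RAW_MBR))
```

Run as a script it prints the table before and after the repair: in the raw view entry 3 (type 0x17, 10 MB, active) is flagged and the user view does not match; after the repair entry 1 is the only active one, entry 3 is plain NTFS, and nothing is flagged. On a real machine the raw sector comes from a low-level disk handle (\\.\PhysicalDrive0 on Windows, /dev/sda under a Linux boot CD) and is compared with what the running OS reports; any difference means something between the disk and the caller is rewriting the table, which is why the fix is done from a boot CD or the recovery environment rather than from inside the infected Windows.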

Ran again in safe mode; could not open the computer in the recovery environment:

ListParts by Farbar Version: 10-08-2012

Ran by Liana (administrator) on 07-09-2012 at 20:50:24

Windows 7 (X64)

Running From: E:\

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 7%

Total physical RAM: 8099.18 MB

Available physical RAM: 7504.68 MB

Total Pagefile: 16196.54 MB

Available Pagefile: 15596.9 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:620.36 GB) NTFS

2 Drive d: (xPUD) (CDROM) (Total:0.06 GB) (Free:0 GB) CDFS

3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 698 GB 0 B

Disk 1 Online 244 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 100 MB 1024 KB

Partition 2 Primary 14 GB 101 MB

Partition 3 Primary 683 GB 14 GB

Partition 4 Primary 10 MB 698 GB

======================================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 683 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 4

Type : 17 (Suspicious Type)

Hidden: Yes

Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 244 MB 49 KB

======================================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E FAT Removable 244 MB Healthy

======================================================================================================

****** End Of Log ******


  • Staff

OK.

It didn't work in normal mode, but it was worth a try.

What exactly happens when you try to boot to the recovery environment?

We will try with GParted.

Please do the following:

Please download:

gparted-live.iso (115.1 MB)

Create a bootable CD for GParted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD. (your computer needs to be set to boot from CD in the BIOS)

You should be here... Press ENTER

Gpart-Start.GIF

By default, "do not touch keymap" is highlighted.

Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

Gpart-partitions.GIF

According to your logs, the partition that you want to delete is 10 MB (it should show partition #4, if you have any doubts at all, stop and report back with what you see)

Right-click this partition and select delete.

GPart-delete.GIF

The Partition has gone

Now select Apply

Now you should be here:

Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is "boot" next to your 14GB system drive?

If "boot" is not next to your 14GB System drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

GPart-bootflag.GIF

Under File select Quit

Gpart-quit.GIF

You will see this small Popup

Gpart-reboot.GIF

Choose reboot and then press OK.


This is on my laptop, but I do have access to a USB keyboard if you think it'd be a good idea to give that one a try! The machine seems to be recognizing my keystrokes, because I'm able to access advanced startup options when I tap F8 and was able to access BIOS options in order to request that it boot from the CD.

If this worked correctly, I should see the program on the CD appear and windows would not start like normal, right?

Sheesh! I'm sorry everything has turned into a problem--thank you for sticking with me through this! I really appreciate it!


  • Staff

OK, scratch that idea then.

Yes, if your laptop is set in the BIOS to boot from CD first, then you should hear the CD start when you boot up. Is there any "noise" coming from it at all when you boot up? Do you get any type of message to press <insert name of key here> to boot from CD?

What happens when you try to boot to the recovery environment? How far is the progression? How long have you waited for the files to load?


Hello,

Sorry for the delay! I still cannot boot from the CD, even though I'm given the option to do so at startup. When I press the appropriate key, I don't hear the CD starting up and the computer just starts up normally. When trying to enter repair mode, I've waited for about three hours with no progress at all with the progress bar. I wonder if this has something to do with the Malware?

I'm still trying to get TDSSKiller to run, but have had no luck. So I ran RKill, then scanned with SUPERAntiSpyware twice; here are the logs:

RKill:

Rkill 2.3.11 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/10/2012 08:14:05 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* COM+ Event System (EventSystem) is not Running.

Startup Type set to: Automatic

* Windows Defender (WinDefend) is not Running.

Startup Type set to: Manual

* Security Center (wscsvc) is not Running.

Startup Type set to: Automatic (Delayed Start)

* Windows Update (wuauserv) is not Running.

Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/10/2012 08:14:06 PM

Execution time: 0 hours(s), 0 minute(s), and 1 seconds(s)

Super AntiSpyware Scan 1:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 09/10/2012 at 09:13 PM

Application Version : 5.5.1016

Core Rules Database Version : 9203

Trace Rules Database Version: 7015

Scan type : Complete Scan

Total Scan Time : 00:49:29

Operating System Information

Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)

UAC Off - Administrator

Memory items scanned : 430

Memory threats detected : 0

Registry items scanned : 66055

Registry threats detected : 0

File items scanned : 132344

File threats detected : 119

Adware.Tracking Cookie

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\ZQTQ9RS3.txt [ /questionmarket.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\J9PC8Y6L.txt [ /interclick.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\BGW9DDY1.txt [ /adxpose.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\Z6IPBD34.txt [ /collective-media.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\LSY96Z7Y.txt [ /ads.pointroll.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\6D1K2Q6Q.txt [ /marchex.bafind.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\80VRXBJH.txt [ /media6degrees.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\609ELLGE.txt [ /at.atwola.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\1YJBRLVH.txt [ /atdmt.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\VG8HT3JV.txt [ /burstnet.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\7RP818K1.txt [ /mediaservices-d.openxenterprise.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\X5S5SHP7.txt [ /enhance.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\KEIMAJR9.txt [ /1sadx.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\SO2T3JF6.txt [ /bizzclick.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\7H9L4JUP.txt [ /adbrite.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\TW8TDKPJ.txt [ /serving-sys.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\IK66TN0Y.txt [ /bs.serving-sys.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\RV39GIJE.txt [ /ru4.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\87I6JBE4.txt [ /statcounter.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\47LUZB6Y.txt [ /findology.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\3P7YXK3R.txt [ /gsimedia.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\2G8UEJHU.txt [ /pro-market.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\5HC29GP1.txt [ /ads.pubmatic.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\LP2B9COW.txt [ /apmebf.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\I9NPDTUP.txt [ /media.adfrontiers.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\SW506NPA.txt [ /dc.tremormedia.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\XTRGAXS7.txt [ /adup.rotator.hadj7.adjuggler.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\13EJINAN.txt [ /www.burstnet.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\BY8XLHRI.txt [ /mediaplex.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\18LPOBBK.txt [ /advertising.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\1ELIX6PG.txt [ /casalemedia.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\BY43B5V5.txt [ /revsci.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\FCAW6QGT.txt [ /fastclick.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\7LIRBOUJ.txt [ /tribalfusion.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\FXN7ZMB8.txt [ /ad.mlnadvertising.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\XA2E89CZ.txt [ /micklemedia.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\LNGMQJYN.txt [ /zedo.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\7Y6UJHGY.txt [ /ads.financialcontent.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\H3YYZQJ2.txt [ /tradedoubler.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\VFVSWQ4S.txt [ /imrworldwide.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\TMWVCJME.txt [ /uiadserver.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\1NIRAVP4.txt [ /pointroll.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\MJWNH8HH.txt [ /ad.cratenetwork.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\J0JPHNJ6.txt [ /lucidmedia.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\I22ZYS5R.txt [ /miva.cinomedia.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\ATFEMAIQ.txt [ /specificclick.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\9UVVJM18.txt [ /ads.footar.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\8A2EIAZ2.txt [ /invitemedia.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\P9P0O4HQ.txt [ /ad.yieldmanager.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\R07DTYEF.txt [ /doubleclick.net ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\J2KFRQC9.txt [ /ads.undertone.com ]

C:\USERS\LIANA\AppData\Roaming\Microsoft\Windows\Cookies\FSIWHZAK.txt [ Cookie:liana@greatestsearchresults.com/click/ ]

C:\USERS\LIANA\AppData\Roaming\Microsoft\Windows\Cookies\O64RMU26.txt [ Cookie:liana@adsonar.com/adserving ]

C:\USERS\LIANA\Cookies\ZQTQ9RS3.txt [ Cookie:liana@questionmarket.com/ ]

C:\USERS\LIANA\Cookies\J9PC8Y6L.txt [ Cookie:liana@interclick.com/ ]

C:\USERS\LIANA\Cookies\Z6IPBD34.txt [ Cookie:liana@collective-media.net/ ]

C:\USERS\LIANA\Cookies\6D1K2Q6Q.txt [ Cookie:liana@marchex.bafind.com/ ]

C:\USERS\LIANA\Cookies\609ELLGE.txt [ Cookie:liana@at.atwola.com/ ]

C:\USERS\LIANA\Cookies\1YJBRLVH.txt [ Cookie:liana@atdmt.com/ ]

C:\USERS\LIANA\Cookies\7RP818K1.txt [ Cookie:liana@mediaservices-d.openxenterprise.com/ ]

C:\USERS\LIANA\Cookies\X5S5SHP7.txt [ Cookie:liana@enhance.com/ ]

C:\USERS\LIANA\Cookies\KEIMAJR9.txt [ Cookie:liana@1sadx.net/ ]

C:\USERS\LIANA\Cookies\SO2T3JF6.txt [ Cookie:liana@bizzclick.com/ ]

C:\USERS\LIANA\Cookies\TW8TDKPJ.txt [ Cookie:liana@serving-sys.com/ ]

C:\USERS\LIANA\Cookies\IK66TN0Y.txt [ Cookie:liana@bs.serving-sys.com/ ]

C:\USERS\LIANA\Cookies\RV39GIJE.txt [ Cookie:liana@ru4.com/ ]

C:\USERS\LIANA\Cookies\87I6JBE4.txt [ Cookie:liana@statcounter.com/ ]

C:\USERS\LIANA\Cookies\LP2B9COW.txt [ Cookie:liana@apmebf.com/ ]

C:\USERS\LIANA\Cookies\I9NPDTUP.txt [ Cookie:liana@media.adfrontiers.com/ ]

C:\USERS\LIANA\Cookies\SW506NPA.txt [ Cookie:liana@dc.tremormedia.com/ ]

C:\USERS\LIANA\Cookies\FSIWHZAK.txt [ Cookie:liana@greatestsearchresults.com/click/ ]

C:\USERS\LIANA\Cookies\XTRGAXS7.txt [ Cookie:liana@adup.rotator.hadj7.adjuggler.net/ ]

C:\USERS\LIANA\Cookies\13EJINAN.txt [ Cookie:liana@www.burstnet.com/ ]

C:\USERS\LIANA\Cookies\BY8XLHRI.txt [ Cookie:liana@mediaplex.com/ ]

C:\USERS\LIANA\Cookies\18LPOBBK.txt [ Cookie:liana@advertising.com/ ]

C:\USERS\LIANA\Cookies\BY43B5V5.txt [ Cookie:liana@revsci.net/ ]

C:\USERS\LIANA\Cookies\7LIRBOUJ.txt [ Cookie:liana@tribalfusion.com/ ]

C:\USERS\LIANA\Cookies\FXN7ZMB8.txt [ Cookie:liana@ad.mlnadvertising.com/ ]

C:\USERS\LIANA\Cookies\LNGMQJYN.txt [ Cookie:liana@zedo.com/ ]

C:\USERS\LIANA\Cookies\H3YYZQJ2.txt [ Cookie:liana@tradedoubler.com/ ]

C:\USERS\LIANA\Cookies\VFVSWQ4S.txt [ Cookie:liana@imrworldwide.com/cgi-bin ]

C:\USERS\LIANA\Cookies\TMWVCJME.txt [ Cookie:liana@uiadserver.com/ ]

C:\USERS\LIANA\Cookies\1NIRAVP4.txt [ Cookie:liana@pointroll.com/ ]

C:\USERS\LIANA\Cookies\J0JPHNJ6.txt [ Cookie:liana@lucidmedia.com/ ]

C:\USERS\LIANA\Cookies\O64RMU26.txt [ Cookie:liana@adsonar.com/adserving ]

C:\USERS\LIANA\Cookies\ATFEMAIQ.txt [ Cookie:liana@specificclick.net/ ]

C:\USERS\LIANA\Cookies\8A2EIAZ2.txt [ Cookie:liana@invitemedia.com/ ]

C:\USERS\LIANA\Cookies\P9P0O4HQ.txt [ Cookie:liana@ad.yieldmanager.com/ ]

C:\USERS\LIANA\Cookies\R07DTYEF.txt [ Cookie:liana@doubleclick.net/ ]

media.heavy.com [ C:\USERS\LIANA\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3L5KD758 ]

media.scanscout.com [ C:\USERS\LIANA\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3L5KD758 ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.thefind.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.caloriecount.about.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.caloriecount.about.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.caloriecount.about.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.caloriecount.about.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

click.get-amazing-results.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

click.get-amazing-results.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

bridge.sf.admarketplace.net [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.admarketplace.net [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.apmebf.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.mediaplex.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.tradedoubler.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.tradedoubler.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.mediaplex.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

click.gethotresults.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.mediacollege.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.mediacollege.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

.mediacollege.com [ C:\USERS\LIANA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DLRX3IC8.DEFAULT\COOKIES.SQLITE ]

Trace.Known Threat Sources

C:\USERS\LIANA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TNRNDWH1\59b8caa9266b8_2174314[1].flv [ cache:wista ]

C:\USERS\LIANA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZUTIMUCJ\crossdomainCAZKNYHQ.xml [ cache:wista ]

C:\USERS\LIANA\Local Settings\Temporary Internet Files\Content.IE5\TNRNDWH1\59b8caa9266b8_2174314[1].flv [ cache:wista ]

C:\USERS\LIANA\Local Settings\Temporary Internet Files\Content.IE5\ZUTIMUCJ\crossdomainCAZKNYHQ.xml [ cache:wista ]

Second Super AntiSpyware log:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 09/11/2012 at 09:24 PM

Application Version : 5.5.1016

Core Rules Database Version : 9203

Trace Rules Database Version: 7015

Scan type : Complete Scan

Total Scan Time : 15:59:33

Operating System Information

Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)

UAC On - Limited User

Memory items scanned : 622

Memory threats detected : 0

Registry items scanned : 65968

Registry threats detected : 0

File items scanned : 131830

File threats detected : 18

Adware.Tracking Cookie

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\YWSPAHWI.txt [ /atdmt.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\RUMAFJXN.txt [ /imrworldwide.com ]

C:\USERS\LIANA\Cookies\YWSPAHWI.txt [ Cookie:liana@atdmt.com/ ]

C:\USERS\LIANA\Cookies\RUMAFJXN.txt [ Cookie:liana@imrworldwide.com/cgi-bin ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\3NUW3Z2D.txt [ /media6degrees.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\DFBJL0VE.txt [ /at.atwola.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\BHOQMCIZ.txt [ /adbrite.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\6QG2XE8G.txt [ /advertising.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\JONCLJQY.txt [ /tribalfusion.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\FHH07QYX.txt [ /ad.yieldmanager.com ]

C:\Users\Liana\AppData\Roaming\Microsoft\Windows\Cookies\N6MPJHSG.txt [ /doubleclick.net ]

C:\USERS\LIANA\Cookies\DFBJL0VE.txt [ Cookie:liana@at.atwola.com/ ]

C:\USERS\LIANA\Cookies\6QG2XE8G.txt [ Cookie:liana@advertising.com/ ]

C:\USERS\LIANA\Cookies\JONCLJQY.txt [ Cookie:liana@tribalfusion.com/ ]

C:\USERS\LIANA\Cookies\FHH07QYX.txt [ Cookie:liana@ad.yieldmanager.com/ ]

C:\USERS\LIANA\Cookies\N6MPJHSG.txt [ Cookie:liana@doubleclick.net/ ]

Trace.Known Threat Sources

C:\USERS\LIANA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UZLW9AAR\crossdomain[1].xml [ cache:wista ]

C:\USERS\LIANA\Local Settings\Temporary Internet Files\Content.IE5\UZLW9AAR\crossdomain[1].xml [ cache:wista ]

After all this I still cannot get TDSSKiller to run, nor can I boot from CD/enter repair mode.


  • Staff

While the hidden partition is still active on your computer, your symptoms will persist and it will shut down any tool that attempts to run.

Let's give AVP tool a try.

Is there an option in your BIOS to boot your machine from a USB?

Please run the following:

Please click HERE to download Kaspersky Virus Removal Tool (click on the Download link for Version 11).

NOTE: This is quite a large file, so be patient.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept the license agreement and click the "Start" button.
  • Click on the Settings button.
    • In Scan scope, leave the pre-checked items as they are and also checkmark My Computer.
    • In Actions, checkmark Select action: (disinfect; delete if disinfection fails) instead of the preselected Prompt on detection.
  • Click on the Automatic Scan tab and then click on the Start scanning button.
  • Before it is done it may prompt for action regardless of the setting, so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on the Report button, then on the Automatic Scan report tab.
  • Right click anywhere within the right pane, click Select All, then right click again and click Copy.
  • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.
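Since the staff reply turns on a hidden partition that survives every scanner launched from inside Windows, here is an added example (not part of this thread, and not code from SUPERAntiSpyware, Kaspersky Virus Removal Tool or TDSSKiller) that parses the MBR partition table out of a raw 512-byte sector and flags entries with a hidden type code, a hidden entry that has taken the active flag, or a type code no stock Windows disk carries. The sector it parses is constructed inline; the `\\.\PhysicalDrive0` path in `read_first_sector` is the usual Windows device name and is an assumption, and reading it needs an elevated prompt.

```python
"""Parse an MBR partition table and flag hidden or unusual entries.

Added example for this thread; not code from any tool named in it. The
sample sector at the bottom is constructed by hand so the script runs offline.
"""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446        # four 16-byte entries follow the 446-byte boot code
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

# Type codes for filesystems flagged "hidden" (0x10 bit set on the normal code).
HIDDEN_TYPES = {
    0x11: "hidden FAT12", 0x14: "hidden FAT16 (<32 MB)", 0x16: "hidden FAT16",
    0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}
# Type codes a Windows 7 disk (or a dual-boot one) would normally carry.
KNOWN_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x27: "Windows recovery", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return HIDDEN_TYPES.get(self.type_code) or KNOWN_TYPES.get(self.type_code, "unknown")


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            ENTRY_FMT, sector[start:start + ENTRY_SIZE])
        if ptype == 0x00:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def suspicious_entries(entries: list) -> list:
    """Return (entry, reason) pairs worth a second look. A hidden-type partition
    is unusual on a stock Windows disk; one that also carries the active flag is
    what the standard MBR boot code hands control to before Windows starts."""
    findings = []
    for e in entries:
        if e.type_code in HIDDEN_TYPES:
            findings.append((e, f"hidden type 0x{e.type_code:02X} ({e.type_name})"))
            if e.bootable:
                findings.append((e, "hidden partition is marked active (bootable)"))
        elif e.type_code not in KNOWN_TYPES:
            findings.append((e, f"unrecognised type 0x{e.type_code:02X}"))
    return findings


def read_first_sector(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk. Assumed Windows device name; needs an
    elevated prompt, and a rootkit filtering disk I/O can return a clean copy."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba, count)


def constructed_sample() -> bytes:
    """Hand-built MBR (constructed, not captured from the poster's machine):
    a normal System Reserved + Windows layout plus a small hidden NTFS
    partition at the tail of the disk that has taken the active flag."""
    table = (_entry(False, 0x07, 2048, 204800)          # System Reserved
             + _entry(False, 0x07, 206848, 976000000)   # C: volume
             + _entry(True, 0x17, 976756784, 16384)     # hidden, active
             + b"\x00" * ENTRY_SIZE)                    # empty slot
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


if __name__ == "__main__":
    found = parse_mbr(constructed_sample())
    for e in found:
        flag = "*" if e.bootable else " "
        print(f"{flag} #{e.index} type 0x{e.type_code:02X} {e.type_name:<20} "
              f"start={e.lba_start} sectors={e.sector_count}")
    for e, why in suspicious_entries(found):
        print(f"  -> entry #{e.index}: {why}")
```

Run as-is it reports the constructed layout; on the machine in question you would feed `read_first_sector()` to `parse_mbr` from an elevated prompt instead. Treat a clean result with caution: a rootkit that filters disk reads can hand back an unmodified sector, which is one reason the staff ask about booting from USB rather than scanning from inside the running system.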
