
FBI Virus white screen no safe mode. FRST scan already run and attached.



Hello,

I am getting an FBI Virus and the Safe Mode shuts down immediately and does not work.

I already ran the FRST64 scan tool and the results are listed below.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-06-2013 02

Ran by SYSTEM on 04-06-2013 11:23:46

Running from G:\

Windows 7 Professional (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10135584 2010-05-27] (Realtek Semiconductor)

HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2010-09-17] (LogMeIn, Inc.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)

HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1931024 2010-07-19] (Intel® Corporation)

Winlogon\Notify\psfus: C:\Program Files\Protector Suite\psqlpwd.dll (UPEK Inc.)

HKLM-x32\...\Run: [sHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe [99696 2010-06-20] (Sony Corporation)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [AirPort Base Station Agent] "C:\Program Files (x86)\AirPort\APAgent.exe" [771360 2009-11-11] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKU\Lee\...\Run: [Elbserver] C:\Program Files (x86)\Sony\Media Gallery\ElbServer.exe /Stay [81264 2010-11-18] (Sony Corporation)

HKU\Lee\...\Run: [Google Update] "C:\Users\Lee\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-13] (Google Inc.)

HKU\Lee\...\Winlogon: [shell] explorer.exe,C:\Users\Lee\AppData\Roaming\skype.dat [90624 2011-11-16] (EA TechBuilder Labs) <==== ATTENTION

Lsa: [Notification Packages] scecli C:\Program Files\Protector Suite\psqlpwd.dll

Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

Startup: C:\Users\Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

Startup: C:\Users\Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2013-05-26] (LogMeIn, Inc.)

S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2013-05-26] (LogMeIn, Inc.)

S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2010-11-08] (LogMeIn, Inc.)

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-07-19] ()

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

S2 NovaPACS ClientSync; C:\Program Files\Novarad\NovaPacs\Viewer\NRClientSyncService.exe [45056 2011-09-21] (NovaRad Corporation)

S2 Novarad Installation Manager; C:\Program Files\Novarad\Site Management\InstallationManager\Novarad.InstallationManager.exe [95744 2012-06-26] (NovaRad Corporation)

S2 SampleCollector; C:\Program Files\Sony\VAIO Care\VCPerfService.exe [252416 2010-05-25] (Sony Corporation)

S2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)

S3 VUAgent; C:\Program Files\Sony\VAIO Update\VUAgent.exe [1286784 2012-10-26] (Sony Corporation)

S3 aspnet_state;

==================== Drivers (Whitelisted) ====================

S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)

S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-26] (LogMeIn, Inc.)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S2 gupdate;

S4 LMIRfsClientNP; No ImagePath

S2 MSSQL$DDNI;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-04 11:16 - 2013-06-04 11:16 - 00000000 ____D C:\FRST

2013-05-20 07:49 - 2013-06-04 06:56 - 00000004 ____A C:\Users\Lee\AppData\Roaming\skype.ini

2013-05-20 05:50 - 2013-05-20 05:50 - 01132254 ____A C:\Users\Lee\Desktop\preferences may 2013.xml

2013-05-20 05:25 - 2013-05-20 05:25 - 17613192 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2013-05-20 04:26 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-20 04:26 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-20 04:26 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-20 04:26 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-20 04:26 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-20 04:25 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-20 04:25 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-20 04:25 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-20 04:25 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-20 04:25 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-20 04:25 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-20 04:25 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-20 04:25 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-16 06:26 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-16 06:26 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-16 06:26 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-16 06:25 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-16 06:25 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-16 06:25 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-16 06:25 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-16 06:25 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-16 06:25 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-16 06:25 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-16 06:25 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-16 06:24 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-16 06:24 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-16 06:24 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

==================== One Month Modified Files and Folders =======

2013-06-04 11:16 - 2013-06-04 11:16 - 00000000 ____D C:\FRST

2013-06-04 10:32 - 2011-01-22 19:06 - 00000000 ____D C:\users\boinc_master

2013-06-04 10:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-06-04 10:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-06-04 07:09 - 2009-07-13 21:13 - 00740226 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-04 07:08 - 2012-12-10 17:26 - 00007258 ____A C:\Windows\setupact.log

2013-06-04 07:08 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-04 06:56 - 2013-05-20 07:49 - 00000004 ____A C:\Users\Lee\AppData\Roaming\skype.ini

2013-06-04 06:55 - 2011-12-13 08:59 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2796174722-2918102768-875530044-1005UA.job

2013-06-04 06:54 - 2011-05-26 05:11 - 00000000 ____D C:\Users\Lee\AppData\Roaming\Dropbox

2013-06-04 06:54 - 2011-05-09 20:10 - 00000000 ____D C:\users\Lee

2013-06-04 06:53 - 2011-05-25 07:42 - 00000000 ____D C:\ProgramData\LogMeIn

2013-05-30 04:06 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-05-27 18:06 - 2012-12-10 20:51 - 00000000 ____D C:\Users\Lee\Desktop\MARU DIAGNOSTIC

2013-05-26 18:53 - 2011-03-28 06:24 - 01960332 ____A C:\Windows\WindowsUpdate.log

2013-05-26 18:43 - 2011-05-25 07:42 - 00107368 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll

2013-05-26 18:43 - 2011-05-25 07:42 - 00100680 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll

2013-05-26 18:43 - 2011-05-25 07:42 - 00035656 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll

2013-05-26 18:43 - 2011-05-25 07:42 - 00000000 ____D C:\Program Files (x86)\LogMeIn

2013-05-26 18:25 - 2012-10-01 04:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-26 17:29 - 2009-07-13 20:45 - 00013888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-26 17:29 - 2009-07-13 20:45 - 00013888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-26 17:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-05-26 17:20 - 2011-05-22 19:47 - 00000000 ____D C:\Users\Lee\AppData\Local\CrashDumps

2013-05-26 04:55 - 2011-12-13 08:59 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2796174722-2918102768-875530044-1005Core.job

2013-05-25 23:00 - 2011-05-25 07:19 - 00000522 ____A C:\Windows\Tasks\NatSpeak Periodic Language Model Optimization.job

2013-05-23 17:16 - 2012-11-16 05:33 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-05-23 17:16 - 2012-06-13 03:22 - 00000000 ____D C:\7291356fc7f79458aabff3

2013-05-23 17:16 - 2012-05-23 08:34 - 00000000 ____D C:\Users\Lee\Desktop\ON LINE CME

2013-05-23 17:16 - 2012-05-23 07:27 - 00000000 ____D C:\Windows\13th Annual International Symposium on Multidetector-Row CT

2013-05-23 17:16 - 2012-05-23 07:27 - 00000000 ____D C:\Program Files (x86)\MDCT 2011

2013-05-23 17:16 - 2011-06-28 16:53 - 00000000 ____D C:\Program Files (x86)\Microsoft Works

2013-05-23 17:16 - 2011-06-28 16:48 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-23 17:16 - 2011-06-15 11:11 - 00000000 ____D C:\fcbfd3790a2b709a0ebfec7c90

2013-05-23 17:16 - 2011-05-26 05:08 - 00000000 ____D C:\Users\Lee\AppData\Roaming\ArcSoft

2013-05-23 17:16 - 2011-05-10 19:15 - 00000000 ____D C:\Update

2013-05-23 17:16 - 2011-05-10 18:08 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-05-23 17:16 - 2011-05-10 08:15 - 00000000 ___RD C:\Users\Lee\Virtual Machines

2013-05-23 17:16 - 2011-01-22 19:43 - 00000000 ____D C:\ProgramData\Norton

2013-05-23 17:16 - 2011-01-22 19:21 - 00000000 ____D C:\Program Files\Protector Suite

2013-05-23 17:16 - 2011-01-10 00:15 - 00000000 ____D C:\Intel

2013-05-23 17:16 - 2011-01-09 23:27 - 00000000 ____D C:\Windows\InstDrvs

2013-05-23 17:16 - 2009-07-13 23:45 - 00000000 ____D C:\Windows\ShellNew

2013-05-23 17:16 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\addins

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices

2013-05-23 17:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer

2013-05-23 17:16 - 2009-07-13 20:45 - 00000000 ____D C:\Windows\Setup

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Cursors

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Branding

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Services

2013-05-23 17:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-05-23 17:15 - 2012-10-01 04:42 - 00000000 ____D C:\Windows\System32\Macromed

2013-05-23 17:15 - 2011-01-22 18:39 - 00000000 ____D C:\Windows\SysWOW64\Macromed

2013-05-23 17:15 - 2011-01-22 18:27 - 00000000 ____D C:\Windows\SysWOW64\RTCOM

2013-05-23 17:15 - 2011-01-22 18:18 - 00000000 ____D C:\Windows\System32\Drivers\tr-TR

2013-05-23 17:15 - 2011-01-22 18:18 - 00000000 ____D C:\Windows\System32\Drivers\th-TH

2013-05-23 17:15 - 2011-01-22 18:18 - 00000000 ____D C:\Windows\System32\Drivers\ro-RO

2013-05-23 17:15 - 2011-01-22 18:18 - 00000000 ____D C:\Windows\System32\Drivers\he-IL

2013-05-23 17:15 - 2011-01-22 18:18 - 00000000 ____D C:\Windows\System32\Drivers\ar-SA

2013-05-23 17:15 - 2011-01-22 18:16 - 00000000 ____D C:\Windows\System32\winrm

2013-05-23 17:15 - 2011-01-22 18:16 - 00000000 ____D C:\Windows\System32\slmgr

2013-05-23 17:15 - 2011-01-10 11:56 - 00000000 ____D C:\Windows\SysWOW64\SDA

2013-05-23 17:15 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\WinBioPlugIns

2013-05-23 17:15 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\WinBioDatabase

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\TAPI

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\th-TH

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sk-SK

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ro-RO

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Recovery

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ras

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lv-LV

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lt-LT

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\hr-HR

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\he-IL

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\com

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\bg-BG

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ar-SA

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\uk-UA

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\th-TH

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sr-Latn-CS

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\spp

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Speech

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\SMI

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sl-SI

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sk-SK

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ro-RO

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ras

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\MUI

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lv-LV

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lt-LT

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\hr-HR

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\he-IL

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\et-EE

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\com

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\bg-BG

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ar-SA

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system

2013-05-23 17:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Speech

2013-05-23 12:32 - 2009-07-13 20:45 - 00440392 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-21 22:00 - 2011-05-25 07:19 - 00000498 ____A C:\Windows\Tasks\NatSpeak Periodic Acoustic Optimization.job

2013-05-20 06:48 - 2011-06-09 04:59 - 00407336 ____A C:\test.xml

2013-05-20 05:50 - 2013-05-20 05:50 - 01132254 ____A C:\Users\Lee\Desktop\preferences may 2013.xml

2013-05-20 05:48 - 2011-05-12 09:52 - 00000000 ____D C:\Users\Lee\AppData\Local\Deployment

2013-05-20 05:41 - 2011-05-26 05:12 - 00000000 ___RD C:\Users\Lee\Dropbox

2013-05-20 05:25 - 2013-05-20 05:25 - 17613192 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2013-05-20 05:25 - 2012-10-01 04:42 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-20 05:25 - 2011-06-09 03:54 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-20 04:28 - 2011-05-25 07:20 - 00001875 ____A C:\Users\Lee\AppData\Roaming\SAS7_000.DAT

2013-05-09 21:00 - 2013-02-19 20:50 - 00000414 ____A C:\Windows\Tasks\NatSpeak Periodic Data Collection.job

Files to move or delete:

====================

C:\Users\Lee\AppData\Roaming\skype.dat

C:\Users\Lee\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-01 03:22:23

Restore point made on: 2013-05-05 18:47:06

Restore point made on: 2013-05-09 07:21:55

Restore point made on: 2013-05-16 06:29:57

Restore point made on: 2013-05-20 04:23:57

Restore point made on: 2013-05-26 18:53:25

==================== Memory info ===========================

Percentage of memory in use: 16%

Total physical RAM: 3766.88 MB

Available physical RAM: 3131.62 MB

Total Pagefile: 3765.03 MB

Available Pagefile: 3150.28 MB

Total Virtual: 8192 MB

Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:584.37 GB) (Free:446.13 GB) NTFS (Disk=0 Partition=3)

Drive e: (Recovery) (Fixed) (Total:11.7 GB) (Free:0.76 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

Drive g: (KINGSTON) (Removable) (Total:7.26 GB) (Free:5.72 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: 2E95C83C)

Partition 1: (Not Active) - (Size=12 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=584 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=7 GB) - (Type=0C)

Last Boot: 2013-05-25 19:12

==================== End Of Log ============================

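The entry FRST flags above (a per-user Winlogon Shell value that chains a file in AppData\Roaming behind explorer.exe) is the whole persistence of this lock screen. The script below is an added example, not part of the post and not FRST's own code: it parses FRST "Registry (Whitelisted)" lines, compares the Shell value with the Windows default, and assembles the fixlist lines a helper would hand back. It assumes that the default Shell is `explorer.exe` under HKLM with no per-user copy, and that FRST accepts a copied log line (minus its `<==== ATTENTION` marker) to delete the value and a bare path to move a file, which is how the fix later in this thread is written. The sample input is an excerpt of the log above.

```python
"""Triage FRST autostart lines for a Winlogon Shell hijack (added example, not FRST code)."""
import re

DEFAULT_SHELL = "explorer.exe"       # assumption: Windows default, set under HKLM only
ATTENTION = "<==== ATTENTION"        # FRST's marker for a non-whitelisted entry

# HKU\Lee\...\Winlogon: [shell] explorer.exe,C:\path\x.dat [90624 2011-11-16] (Vendor) <==== ATTENTION
WINLOGON_RE = re.compile(r"^(HK[^:]*?)\\\.\.\.\\Winlogon:\s*\[([^\]]+)\]\s*(.*)$")
# FRST's trailing "[size date] (vendor)" annotation; either part may be absent
TRAILER_RE = re.compile(r"(\s*\[\d+ \d{4}-\d{2}-\d{2}\])?(\s*\([^()]*\))?\s*$")


def strip_trailer(data):
    """Remove FRST's size/date/vendor annotation, leaving the raw registry data."""
    return TRAILER_RE.sub("", data, count=1).strip()


def parse_winlogon(line):
    """Return (hive, value_name, entries, flagged) for an FRST Winlogon line, else None."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    hive, name, data = m.groups()
    flagged = ATTENTION in data
    data = strip_trailer(data.replace(ATTENTION, ""))
    # Shell is a comma-separated list and Winlogon starts every entry in it.
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return hive, name, entries, flagged


def shell_findings(line):
    """Findings for a Winlogon Shell line; an empty list means it matches the default."""
    parsed = parse_winlogon(line)
    if parsed is None or parsed[1].lower() != "shell":
        return []
    hive, _, entries, flagged = parsed
    findings = []
    if flagged:
        findings.append("FRST marked the entry with '<==== ATTENTION'")
    if hive.upper().startswith("HKU\\"):
        findings.append(f"per-user Shell value under {hive}; Windows sets Shell only under HKLM")
    first = entries[0] if entries else ""
    if first.lower() != DEFAULT_SHELL:
        findings.append(f"first shell entry is {first!r}, expected {DEFAULT_SHELL!r}")
    for extra in entries[1:]:
        findings.append(f"extra program started alongside the shell: {extra}")
    return findings


def payload_paths(line):
    """Every Shell entry that is not explorer.exe: the files the persistence launches."""
    parsed = parse_winlogon(line)
    if parsed is None or parsed[1].lower() != "shell":
        return []
    return [e for e in parsed[2] if e.lower() != DEFAULT_SHELL]


def files_to_move(log_lines):
    """Paths FRST itself listed under 'Files to move or delete:'."""
    paths, inside = [], False
    for raw in log_lines:
        line = raw.strip()
        if line.startswith("Files to move or delete:"):
            inside = True
        elif inside:
            if not line or set(line) == {"="}:   # blank line or the bare separator
                continue
            if line.startswith("===="):          # next section header ends the list
                break
            paths.append(line)
    return paths


def build_fixlist(log_lines):
    """fixlist.txt lines: each hijacked Shell line (marker removed) plus every file to remove."""
    fix, files = [], []
    for raw in log_lines:
        line = raw.strip()
        if shell_findings(line):
            fix.append(line.replace(ATTENTION, "").strip())
            files.extend(payload_paths(line))
    files.extend(files_to_move(log_lines))
    seen = set()
    for path in files:                           # keep order, drop duplicates
        if path.lower() not in seen:
            seen.add(path.lower())
            fix.append(path)
    return fix


# Excerpt of the FRST log posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKU\Lee\...\Run: [Google Update] "C:\Users\Lee\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-13] (Google Inc.)
HKU\Lee\...\Winlogon: [shell] explorer.exe,C:\Users\Lee\AppData\Roaming\skype.dat [90624 2011-11-16] (EA TechBuilder Labs) <==== ATTENTION
Files to move or delete:
====================
C:\Users\Lee\AppData\Roaming\skype.dat
C:\Users\Lee\AppData\Roaming\skype.ini
==================== Known DLLs (Whitelisted) ================
""".strip().splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in shell_findings(line):
            print("FINDING:", finding)
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Run on the excerpt it reports three findings for the Shell line (the marker, the per-user location, the chained skype.dat) and emits the same three fixlist lines the helper posts below. The companion skype.ini only appears because FRST listed it under "Files to move or delete:", so the script keeps that section instead of guessing at related files.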

Hi there,

my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt
    HKU\Lee\...\Winlogon: [Shell] explorer.exe,C:\Users\Lee\AppData\Roaming\skype.dat [90624 2011-11-16] (EA TechBuilder Labs)
    C:\Users\Lee\AppData\Roaming\skype.dat
    C:\Users\Lee\AppData\Roaming\skype.ini


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Now please enter System Recovery Options again.

  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Start your System in normal mode now.

Gmer

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please attach the gmer.txt to your reply:

  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  2. Click Upload.


OK all steps followed. Logs below.

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-06-2013 02

Ran by SYSTEM at 2013-06-04 12:24:17 Run:1

Running from G:\

Boot Mode: Recovery

==============================================

HKEY_USERS\Lee\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\Users\Lee\AppData\Roaming\skype.dat => Moved successfully.

C:\Users\Lee\AppData\Roaming\skype.ini => Moved successfully.

==== End of Fixlog ====

Gmer log

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-06-04 12:38:26

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596.17GB

Running: gmer.exe; Driver: C:\Users\Lee\AppData\Local\Temp\pwldapow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

.text C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe[3036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe[3036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

.text C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe[3160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe[3160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

.text C:\Users\Lee\AppData\Roaming\Dropbox\bin\Dropbox.exe[4648] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Users\Lee\AppData\Roaming\Dropbox\bin\Dropbox.exe[4648] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

.text C:\Windows\SysWOW64\RunDll32.exe[5136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761e1465 2 bytes [1E, 76]

.text C:\Windows\SysWOW64\RunDll32.exe[5136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761e14bb 2 bytes [1E, 76]

.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!memset] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??2@YAPEAX_K@Z] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!wcscat_s] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_purecall] [4ce79c9900000000]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??_V@YAXPEAX@Z] [200000000]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!malloc] [1b0c00000025]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!free] [110c]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_XcptFilter] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_initterm] [69007400730045]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_amsg_exit] [6500740061006d]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_unlock] [61006200200064]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!__dllonexit] [6900770064006e]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_lock] [20006800740064]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_onexit] [69006100760061]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!realloc] [6c00620061006c]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_errno] [6f007400200065]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [65006800740020]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!memcpy_s] [6d006500720020]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??3@YAXPEAX@Z] [2000650074006f]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_CxxThrowException] [74007300790073]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ADVAPI32.dll!RegSetValueExW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ADVAPI32.dll!RegEnumKeyExW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ADVAPI32.dll!RegCreateKeyExW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!GetVersionExA] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!TerminateProcess] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!RtlVirtualUnwind] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!FindResourceW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!LoadResource] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!SizeofResource] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!lstrlenW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemFree] [73007400690042]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!StringFromGUID2] [6300650073002f]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemRealloc] [29]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoCreateInstance] [53005400490042]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemAlloc] [5400530045005f]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [46000000000000c0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!malloc] [43196f72adda3d55]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memcpy_s] [109b530a6018f9bf]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [488998c93d44d0d1]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??1exception@@UEAA@XZ] [2122bf74d6f9d1ac]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [404afeb7e2085f28]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!realloc] [2aaeabd59e6e7b8]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memmove_s] [1da]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@XZ] [46000000000000c0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_CxxThrowException] [46000000000000c0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_callnewh] [146]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!__CxxFrameHandler3] [46000000000000c0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_XcptFilter] [650065006c0053]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_initterm] [43007400410070]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_amsg_exit] [62006c006c0061]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [74006100720075]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_unlock] [6e006f0069]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!__dllonexit] [650065006c0053]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_lock] [43007400410070]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_onexit] [62006c006c0061]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memset] [45006b00630061]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_vsnwprintf] [64006e]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!free] [650065006c0053]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memcpy] [43007400410070]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlGetNtProductType] [42006b00630061]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ntdll.dll!VerSetConditionMask] [6e006900670065]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlVirtualUnwind] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlCaptureContext] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlLookupFunctionEntry] [540046004f0053]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!UnhandledExceptionFilter] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!DisableThreadLibraryCalls] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ADVAPI32.dll!RegQueryValueExA] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoTaskMemRealloc] [630069004d005c]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoTaskMemAlloc] [6f0073006f0072]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoTaskMemFree] [57005c00740066]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoUninitialize] [6f0064006e0069]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoInitializeEx] [43005c00730077]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupOpenInfFileW] [642e32335f325357]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupFindFirstLineW] [6c6c]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupGetIntField] [495041504c485049]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupGetMultiSzFieldW] [4c4c442e]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiEnumDeviceInfo] [6c642e3233656c6f]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiOpenDevRegKey] [6c]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiGetClassDevsW] [3233545541454c4f]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupCloseInfFile] [6c6c642e]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupGetStringFieldW] [2e505454484e4957]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[USER32.dll!CharNextW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[USER32.dll!LoadStringW] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[rtutils.dll!RouterLogDeregisterW] [6500560074006e]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[rtutils.dll!RouterLogRegisterW] [6f006900730072]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[rtutils.dll!RouterLogEventW] [490042005c006e]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigServerConnect] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceCreate] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceTransportEnum] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceGetHandle] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceTransportGetHandle] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportCreate] [0]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportDelete] [4a5bc73900000000]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportGetHandle] [200000000]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportGetInfo] [22d800000024]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigBufferFree] [16d8]

IAT C:\Windows\system32\svchost.exe[388] @ C:\Windows\system32\rascfg.dll[slc.dll!SLGetWindowsInformationDWORD] [6f6c6c6120646162]

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004ef76f91

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9d4beb7

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbcbb6f8

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 11523

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 5273

Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{894FAFB0-938A-44CB-AC00-C69B4934E9D2}@EnableDHCP 0

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004ef76f91 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9d4beb7 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbcbb6f8 (not active ControlSet)

---- EOF - GMER 2.1 ----

Mbam log

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.04.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16576

Lee :: LEE-VAIO [administrator]

6/4/2013 12:42:34 PM

mbam-log-2013-06-04 (12-42-34).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 434352

Time elapsed: 1 hour(s), 8 minute(s), 6 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\FRST\Quarantine\skype.dat (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Users\Lee\AppData\Local\Temp\2056404708635739550299.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

(end)

Link to post
Share on other sites
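The Fixlog in the post above shows what actually locked the screen: a Shell value under the user's own Winlogon key, which Windows honours over the machine-wide HKLM value and which made the malware start as the desktop instead of Explorer (hence "no safe mode" and a white screen). The following PowerShell script is an added example, not code from the thread or from the Farbar, GMER or Malwarebytes tools; it audits the Shell and Userinit values in HKLM and in every user hive, and can mount an offline NTUSER.DAT from a recovery environment. The default values it compares against, the `-OfflineHive` parameter and the `HKU\OfflineUser` mount name are assumptions for illustration.

```powershell
# Added example (not from the original thread): audit Winlogon Shell/Userinit for
# the "replacement shell" persistence that the Fixlog above removed from the
# user's hive. Run from an elevated PowerShell prompt on the live system, or pass
# -OfflineHive <path to NTUSER.DAT> from a recovery/PE environment that has
# PowerShell (Windows 7 WinRE alone does not).
param(
    [string]$OfflineHive   # optional: path to a victim NTUSER.DAT to mount via reg.exe
)

$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed machine-wide defaults for Windows 7 x64; adjust for other builds.
# Per-user copies of these two values should not exist at all on a clean system.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}

function Get-WinlogonFinding {
    param([string]$KeyPath, [bool]$PerUser)
    $findings = @()
    if (-not (Test-Path $KeyPath)) { return $findings }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        if ($null -eq $value) { continue }
        if ($PerUser) {
            # Any Shell/Userinit under a user hive overrides HKLM for that user:
            # exactly what the Fixlog deleted from HKEY_USERS\Lee.
            $findings += "[SUSPICIOUS] $KeyPath\$name = '$value' (per-user override)"
        } elseif ($value -ne $expected[$name]) {   # -ne is case-insensitive in PowerShell
            $findings += "[SUSPICIOUS] $KeyPath\$name = '$value' (expected '$($expected[$name])')"
        } else {
            $findings += "[ok] $KeyPath\$name = '$value'"
        }
    }
    return $findings
}

# PowerShell has no HKU: drive by default; map HKEY_USERS so loaded hives are reachable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$results = @()
$results += Get-WinlogonFinding -KeyPath "HKLM:\$winlogon" -PerUser $false

if ($OfflineHive) {
    # Recovery-environment case: the victim's hive is not loaded, so mount it under
    # an assumed name, inspect it, and always unload it again.
    & reg.exe load 'HKU\OfflineUser' $OfflineHive | Out-Null
    try {
        $results += Get-WinlogonFinding -KeyPath "HKU:\OfflineUser\$winlogon" -PerUser $true
    } finally {
        [gc]::Collect()   # drop PowerShell's handle on the hive or reg unload fails
        & reg.exe unload 'HKU\OfflineUser' | Out-Null
    }
} else {
    # Every loaded interactive user hive (domain/local SIDs), skipping *_Classes hives.
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $results += Get-WinlogonFinding -KeyPath "HKU:\$($_.PSChildName)\$winlogon" -PerUser $true
        }
}

$results | ForEach-Object { Write-Output $_ }
# Non-zero exit when anything suspicious was found, so the script can gate a reboot.
if ($results -match '^\[SUSPICIOUS\]') { exit 1 } else { exit 0 }
```

Whatever the script flags, do not just delete the value: record the path it points to first, because that path (here `skype.dat` in the user's AppData\Roaming) is the sample to quarantine and the string to search the rest of the registry and the scheduled tasks for.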

Looks good - let's check:

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Link to post
Share on other sites

We're not finished yet.

Scan with adwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.

SecurityCheck

Please download SecurityCheck from one of the following mirrors: LINK1 LINK2

  • Save the file to your desktop.
  • Run Securitycheck.exe and follow the instructions within the DOS-Box.
  • When the scan is finished it will open up a text file (checkup.txt).

Post its content within your next reply.

Link to post
Share on other sites

Due to the lack of response, this topic is closed.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
