stupid FBI virus.

driveblock · June 14, 2013

i cant start it in safemode with networking. i need help. tried running hitman pro from command promt in system restore but no connectivity to the internet so it aborts

D-FRED-BROWN · June 14, 2013

Hello driveblock and welcome to Malwarebytes!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select English as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select English as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Let me know how things go. If you at any point have trouble using FRST, please stop and post back here to let me know.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

driveblock · June 14, 2013

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-06-2013

Ran by SYSTEM on 14-06-2013 13:18:07

Running from H:\

Windows 7 Professional (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM\...\Run: [Dell MFP Color Laser Printer 3115cn Launcher] "C:\Program Files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe" /s [639896 2007-05-09] (Dell Inc.)

HKLM\...\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)

HKLM\...\Run: [PaperPort PTD] "C:\Program Files\Dell Printers\paperport\pptd40nt.exe" [29984 2008-04-02] (Nuance Communications, Inc.)

HKLM\...\Run: [indexSearch] "C:\Program Files\Dell Printers\paperport\IndexSearch.exe" [46368 2008-04-02] (Nuance Communications, Inc.)

HKLM\...\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [393944 2007-07-25] (Dell Inc.)

HKLM\...\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-11] (Logitech Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

HKLM\...\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM\...\Run: [TkBellExe] "C:\Program Files\real\realplayer\update\realsched.exe" -osboot [296056 2012-05-30] (RealNetworks, Inc.)

HKLM\...\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PlayMemories Home\PMBVolumeWatcher.exe [724576 2012-08-20] (Sony Corporation)

HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

HKLM\...\Run: [speetItUpFree] "C:\Program Files\SpeedItup Free\speeditupfree.exe" [x]

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-18] (Adobe Systems Incorporated)

HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\Cornelius\AppData\Local\puhoej.eoz" [x ] () <=== ATTENTION

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess

HKU\Cornelius\...\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode [ 2011-01-12] (Logitech Inc.)

HKU\Cornelius\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]

HKU\Cornelius\...\Run: [DW7] "C:\Program Files\The Weather Channel\The Weather Channel App\TWCApp.exe" [x]

HKU\Cornelius\...\Command Processor: regsvr32 /n /i /s "C:\Users\Cornelius\AppData\Local\puhoej.eoz" <===== ATTENTION!

Startup: C:\ProgramData\Start Menu\Programs\Startup\ctfmon.lnk

ShortcutTarget: ctfmon.lnk -> C:\Windows\System32\regsvr32.exe (Microsoft Corporation)

Startup: C:\Users\Cornelius\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)

S2 PMBDeviceInfoProvider; C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [474208 2012-08-20] (Sony Corporation)

S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-05-14] (Skype Technologies S.A.)

S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2011-08-19] (Logitech Inc.)

S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [179936 2012-10-22] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [55776 2012-10-15] (AVG Technologies CZ, s.r.o. )

S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [19936 2012-09-20] (AVG Technologies CZ, s.r.o. )

S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [159712 2012-10-01] (AVG Technologies CZ, s.r.o.)

S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [177376 2012-09-20] (AVG Technologies CZ, s.r.o.)

S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [94048 2012-11-15] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35552 2012-09-13] (AVG Technologies CZ, s.r.o.)

S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [164832 2012-09-20] (AVG Technologies CZ, s.r.o.)

S2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-14 12:49 - 2013-06-14 12:49 - 00000000 ____D C:\FRST

2013-06-07 12:13 - 2013-06-07 12:13 - 00100352 ____A (G<o) C:\Users\Cornelius\AppData\Local\puhoej.eoz

2013-06-07 12:13 - 2013-06-07 12:13 - 00100352 ____A (G<o) C:\ProgramData\oirdcd.alm

2013-06-03 04:43 - 2013-06-03 04:43 - 00001989 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk

2013-06-03 04:43 - 2013-06-03 04:43 - 00000000 ____D C:\Program Files\Common Files\Adobe

2013-05-15 23:09 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 23:09 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 23:09 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 23:08 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 23:08 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 23:08 - 2013-04-04 21:28 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 23:08 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 23:08 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 23:08 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 17:35 - 2013-05-15 17:35 - 00000216 ____A C:\Users\Cornelius\Downloads\ATT00001 (1).htm

2013-05-15 14:37 - 2013-05-15 14:37 - 00000216 ____A C:\Users\Cornelius\Downloads\ATT00001.htm

2013-05-15 01:49 - 2013-04-09 21:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 01:49 - 2013-04-09 21:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 01:49 - 2013-04-09 19:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 01:49 - 2013-03-18 20:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 01:49 - 2013-03-18 19:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 01:49 - 2013-02-26 21:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 01:49 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 01:49 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 01:49 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 01:49 - 2013-02-26 20:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

==================== One Month Modified Files and Folders ========

2013-06-14 12:49 - 2013-06-14 12:49 - 00000000 ____D C:\FRST

2013-06-11 04:35 - 2012-07-04 03:14 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-11 04:35 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-11 04:35 - 2009-07-13 20:39 - 00033598 ____A C:\Windows\setupact.log

2013-06-11 04:27 - 2010-01-25 07:32 - 00783310 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-11 04:18 - 2010-01-25 07:25 - 01865156 ____A C:\Windows\WindowsUpdate.log

2013-06-11 03:58 - 2012-05-02 10:26 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-11 03:39 - 2012-07-04 03:14 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-11 02:01 - 2009-07-13 20:34 - 00013472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-11 02:01 - 2009-07-13 20:34 - 00013472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-11 01:59 - 2010-10-21 03:29 - 00000000 ____D C:\ProgramData\MFAData

2013-06-11 01:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles

2013-06-09 05:36 - 2009-07-13 20:53 - 00032632 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-06-07 12:13 - 2013-06-07 12:13 - 00100352 ____A (G<o) C:\Users\Cornelius\AppData\Local\puhoej.eoz

2013-06-07 12:13 - 2013-06-07 12:13 - 00100352 ____A (G<o) C:\ProgramData\oirdcd.alm

2013-06-04 15:28 - 2013-02-28 15:50 - 00036864 ____A C:\Users\Cornelius\Desktop\Budget(2) (Autosaved).xls

2013-06-04 10:44 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\LiveKernelReports

2013-06-04 06:22 - 2011-07-06 11:54 - 00000000 ____D C:\Users\Cornelius\AppData\Roaming\Skype

2013-06-03 17:02 - 2010-02-02 16:06 - 00000000 ____D C:\Users\Cornelius\AppData\Roaming\Adobe

2013-06-03 04:45 - 2010-02-11 00:17 - 00047404 ____A C:\Windows\PFRO.log

2013-06-03 04:43 - 2013-06-03 04:43 - 00001989 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk

2013-06-03 04:43 - 2013-06-03 04:43 - 00000000 ____D C:\Program Files\Common Files\Adobe

2013-06-03 04:43 - 2010-02-02 16:15 - 00000000 ____D C:\Program Files\Adobe

2013-06-03 04:43 - 2010-02-02 16:14 - 00000000 ____D C:\ProgramData\Adobe

2013-06-03 04:42 - 2010-02-02 16:07 - 00000000 ____D C:\Users\Cornelius\AppData\Local\Adobe

2013-05-23 17:00 - 2012-08-13 07:24 - 00001289 ____A C:\Users\Cornelius\Desktop\ROBLOX Player.lnk

2013-05-22 11:29 - 2011-07-06 11:53 - 00000000 ___RD C:\Program Files\Skype

2013-05-22 11:29 - 2011-07-06 11:53 - 00000000 ____D C:\ProgramData\Skype

2013-05-16 00:04 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache

2013-05-15 23:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET

2013-05-15 23:28 - 2009-07-13 20:33 - 00412720 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 23:10 - 2010-02-02 16:47 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-15 23:01 - 2010-02-02 15:58 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-15 17:35 - 2013-05-15 17:35 - 00000216 ____A C:\Users\Cornelius\Downloads\ATT00001 (1).htm

2013-05-15 14:37 - 2013-05-15 14:37 - 00000216 ____A C:\Users\Cornelius\Downloads\ATT00001.htm

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-3320149171-3297367744-2534044832-1000\$a9fde30ceb64b337d579f4400d9d7a5e

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$a9fde30ceb64b337d579f4400d9d7a5e

Files to move or delete:

====================

C:\Users\Cornelius\SkypeSetup.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-15 23:00:30

Restore point made on: 2013-05-19 15:00:42

Restore point made on: 2013-05-26 20:00:21

Restore point made on: 2013-06-03 05:23:09

Restore point made on: 2013-06-11 02:05:03

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 3070.16 MB

Available physical RAM: 2539.56 MB

Total Pagefile: 3068.44 MB

Available Pagefile: 2554.47 MB

Total Virtual: 2047.88 MB

Available Virtual: 1936.25 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:540.89 GB) (Free:447.71 GB) NTFS

Drive d: () (Fixed) (Total:390.53 GB) (Free:205.96 GB) NTFS

Drive h: () (Removable) (Total:1.87 GB) (Free:1.82 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.02 GB) (Free:0.01 GB) NTFS

Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 7839E565)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=391 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=541 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 2 GB) (Disk ID: 00818DC5)

Partition 1: (Active) - (Size=2 GB) - (Type=0B)

LastRegBack: 2013-06-02 20:38

==================== End Of Log ============================

D-FRED-BROWN · June 14, 2013

On the clean computer,

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
Right-click in the open notepad and select Paste).
Save it on the flashdrive as fixlist.txt

C:\Users\Cornelius\SkypeSetup.exe
C:\$Recycle.Bin\S-1-5-18\$a9fde30ceb64b337d579f4400d9d7a5e
C:\$Recycle.Bin\S-1-5-21-3320149171-3297367744-2534044832-1000\$a9fde30ceb64b337d579f4400d9d7a5e
HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\Cornelius\AppData\Local\puhoej.eoz" [x ] () <=== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
HKU\Cornelius\...\Command Processor: regsvr32 /n /i /s "C:\Users\Cornelius\AppData\Local\puhoej.eoz" <===== ATTENTION!
2013-06-11 04:35 - 2012-07-04 03:14 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-11 04:35 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-11 03:58 - 2012-05-02 10:26 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-11 03:39 - 2012-07-04 03:14 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7

Now please enter System Recovery Options on the infected computer.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply. Afterwards, are you able to boot into Normal Mode now?

driveblock · June 14, 2013

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-06-2013

Ran by SYSTEM at 2013-06-14 13:36:47 Run:1

Running from H:\

Boot Mode: Recovery

==============================================

C:\Users\Cornelius\SkypeSetup.exe => Moved successfully.

C:\$Recycle.Bin\S-1-5-18\$a9fde30ceb64b337d579f4400d9d7a5e => Moved successfully.

C:\$Recycle.Bin\S-1-5-21-3320149171-3297367744-2534044832-1000\$a9fde30ceb64b337d579f4400d9d7a5e => Moved successfully.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

HKU\Cornelius\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.

C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.

C:\Windows\Tasks\SA.DAT => Moved successfully.

C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.

C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.

==== End of Fixlog ====

**Yes, i was able to boot into normal mode.**

D-FRED-BROWN · June 14, 2013

Glad to hear you're able to boot. Let's start cleaning up the rest:

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------

In your next reply, please include the following:

TDSSKiller's logfile
MBAR mbar-log.txt and system-log.txt
ComboFix's report (C:\ComboFix.txt)
Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask.

driveblock · June 14, 2013

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

www.malwarebytes.org

Database version: v2013.06.14.06

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 10.0.9200.16576

Cornelius :: CORNELIUS-PC [administrator]

6/14/2013 2:14:42 PM

mbar-log-2013-06-14 (14-14-42).txt

Scan type: Quick scan

Scan options disabled: Deep Anti-Rootkit Scan | PUP

Objects scanned: 214903

Time elapsed: 34 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 2

HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 (Trojan.Zaccess) -> Delete on reboot.

Registry Values Detected: 1

HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\$Recycle.Bin\S-1-5-21-3320149171-3297367744-2534044832-1000\$a9fde30ceb64b337d579f4400d9d7a5e\n. -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

c:\Users\Cornelius\AppData\Local\Temp\0.9543645824184025 (Trojan.Happili) -> Delete on reboot.

c:\Users\Cornelius\AppData\Local\Temp\hwxjgqkoepqocejjxcg.bfg (Trojan.Zbot.FV) -> Delete on reboot.

c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Delete on reboot.

Physical Sectors Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16576

Java version: 1.6.0_26

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.992000 GHz

Memory total: 3219300352, free: 1576087552

Downloaded database version: v2013.06.14.06

Downloaded database version: v2013.05.22.01

Initializing...

------------ Kernel report ------------

06/14/2013 14:14:33

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\intelide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\vmbus.sys

\SystemRoot\system32\drivers\winhv.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\msahci.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\avgrkx86.sys

\SystemRoot\system32\DRIVERS\avglogx.sys

\SystemRoot\system32\DRIVERS\avgmfx86.sys

\SystemRoot\system32\DRIVERS\avgidshx.sys

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\avgtdix.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\avgldx86.sys

\SystemRoot\system32\DRIVERS\avgidsshimx.sys

\SystemRoot\system32\DRIVERS\avgidsdriverx.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\drivers\atikmdag.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\b57nd60x.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\VSTBS23.SYS

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\VSTDPV3.SYS

\SystemRoot\system32\DRIVERS\VSTCNXT3.SYS

\SystemRoot\system32\drivers\modem.sys

\SystemRoot\system32\drivers\smwdm.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\drivers\i8042prt.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\usbscan.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_msahci.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\parvdm.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff858bd4a8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000006e\

Lower Device Object: 0xffffffff85273ca8

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff85d6ea00

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-2\

Lower Device Object: 0xffffffff85caf030

Lower Device Driver Name: \Driver\atapi\

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff85d6ea00, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff85d6e638, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff85d6ea00, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85caf030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-2\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 7839E565

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 818995200

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 819202048 Numsec = 1134319616

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...

Done!

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff858bd4a8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff856bf020, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff858bd4a8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85273ca8, DeviceName: \Device\0000006e\, DriverName: \Driver\USBSTOR\

------------ End ----------

Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 818DC5

Partition information:

Partition 0 type is Other (0xb)

Partition is ACTIVE.

Partition starts at LBA: 64 Numsec = 3919808

Partition file system is FAT32

Partition is not bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 2006974464 bytes

Sector size: 512 bytes

Done!

Read File: File "c:\programdata\avg2013\chjw\521e7ece1e7eaa9d.dat:24aded3a-0e42-4071-bcc6-ba549b2f9325" is sparse (flags = 32768)

Infected: c:\Users\Cornelius\AppData\Local\Temp\0.9543645824184025 --> [Trojan.Happili]

Infected: c:\Users\Cornelius\AppData\Local\Temp\hwxjgqkoepqocejjxcg.bfg --> [Trojan.Zbot.FV]

Infected: c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk --> [Trojan.Ransom.Gen]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| --> [Trojan.Zaccess]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 --> [Trojan.Zaccess]

Scan finished

Creating System Restore point...

Cleaning up...

Executing an action fixdamage.exe...

Success!

Queuing an action fixdamage.exe

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

Removal queue found; removal started

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_1_0_64_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...

Removal finished

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16576

Java version: 1.6.0_26

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.992000 GHz

Memory total: 3219300352, free: 2095919104

Initializing...

------------ Kernel report ------------

06/14/2013 15:28:11

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\imofugc.sys

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\intelide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\vmbus.sys

\SystemRoot\system32\drivers\winhv.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\msahci.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\avgrkx86.sys

\SystemRoot\system32\DRIVERS\avglogx.sys

\SystemRoot\system32\DRIVERS\avgmfx86.sys

\SystemRoot\system32\DRIVERS\avgidshx.sys

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\avgtdix.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\avgldx86.sys

\SystemRoot\system32\DRIVERS\avgidsshimx.sys

\SystemRoot\system32\DRIVERS\avgidsdriverx.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\drivers\atikmdag.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\b57nd60x.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\VSTBS23.SYS

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\VSTDPV3.SYS

\SystemRoot\system32\DRIVERS\VSTCNXT3.SYS

\SystemRoot\system32\drivers\modem.sys

\SystemRoot\system32\drivers\smwdm.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\drivers\i8042prt.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbscan.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_msahci.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\parvdm.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff86f91ac8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000068\

Lower Device Object: 0xffffffff86e16718

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff86171638

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-2\

Lower Device Object: 0xffffffff860a5340

Lower Device Driver Name: \Driver\atapi\

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff86171638, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86171270, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86171638, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff860a5340, DeviceName: \Device\Ide\IdeDeviceP1T0L0-2\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 7839E565

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 818995200

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 819202048 Numsec = 1134319616

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...

Done!

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff86f91ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86f917a8, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86f91ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86e16718, DeviceName: \Device\00000068\, DriverName: \Driver\USBSTOR\

------------ End ----------

Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 818DC5

Partition information:

Partition 0 type is Other (0xb)

Partition is ACTIVE.

Partition starts at LBA: 64 Numsec = 3919808

Partition file system is FAT32

Partition is not bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 2006974464 bytes

Sector size: 512 bytes

Done!

Read File: File "c:\programdata\avg2013\chjw\521e7ece1e7eaa9d.dat:24aded3a-0e42-4071-bcc6-ba549b2f9325" is sparse (flags = 32768)

Scan finished

=======================================

Removal queue found; removal started

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_1_0_64_i.mbam...

Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...

Removal finished

D-FRED-BROWN · June 14, 2013

Please post the other logs as well

driveblock · June 14, 2013

still trying to get the combofix to run all the way through.

D-FRED-BROWN · June 15, 2013

Try running it in Safe Mode.

If you still can't get it to run just skip it and move onto the next steps.

driveblock · June 16, 2013

ComboFix 13-06-15.01 - Cornelius 06/16/2013 7:27.4.1 - x86 NETWORK

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3070.2594 [GMT -4:00]

Running from: c:\users\Cornelius\Desktop\ComboFix.exe

AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2013-05-16 to 2013-06-16 )))))))))))))))))))))))))))))))

.

2013-06-16 11:36 . 2013-06-16 11:36 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-06-14 21:08 . 2013-06-08 11:41 218112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2013-06-14 21:08 . 2013-06-08 11:13 2706432 ----a-w- c:\windows\system32\mshtml.tlb

2013-06-14 20:49 . 2013-06-14 20:49 -------- d-----w- C:\FRST

2013-06-14 18:13 . 2013-06-14 18:13 -------- d-----w- c:\programdata\Malwarebytes

2013-06-14 17:46 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\system32\d3d11.dll

2013-06-14 17:46 . 2013-05-10 03:20 24576 ----a-w- c:\windows\system32\cryptdlg.dll

2013-06-14 17:45 . 2013-04-26 04:55 492544 ----a-w- c:\windows\system32\win32spl.dll

2013-06-14 17:45 . 2013-05-13 04:45 1160192 ----a-w- c:\windows\system32\crypt32.dll

2013-06-14 17:45 . 2013-05-13 04:45 103936 ----a-w- c:\windows\system32\cryptnet.dll

2013-06-14 17:45 . 2013-05-13 03:08 903168 ----a-w- c:\windows\system32\certutil.exe

2013-06-14 17:45 . 2013-05-13 04:45 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2013-06-14 17:45 . 2013-05-13 03:08 43008 ----a-w- c:\windows\system32\certenc.dll

2013-06-14 17:45 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll

2013-06-14 17:45 . 2013-05-06 05:06 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-06-14 17:45 . 2013-05-06 05:06 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-06-14 17:45 . 2013-05-08 05:38 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-06-03 12:43 . 2013-06-03 12:43 -------- d-----w- c:\program files\Common Files\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-14 17:58 . 2012-05-02 18:26 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-06-14 17:58 . 2011-06-16 19:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-17 10:21 . 2011-03-28 22:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-04-13 04:45 . 2013-05-15 09:49 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 09:49 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 13:45 . 2013-04-24 08:12 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-10 05:18 . 2013-05-15 09:49 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-04-10 05:18 . 2013-05-15 09:49 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-04-10 03:14 . 2013-05-15 09:49 2347520 ----a-w- c:\windows\system32\win32k.sys

2013-03-19 07:02 . 2013-03-19 07:02 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2013-03-19 07:02 . 2013-03-19 07:02 185344 ----a-w- c:\windows\system32\elshyph.dll

2013-03-19 07:02 . 2013-03-19 07:02 158720 ----a-w- c:\windows\system32\msls31.dll

2013-03-19 07:02 . 2013-03-19 07:02 523264 ----a-w- c:\windows\system32\vbscript.dll

2013-03-19 07:02 . 2013-03-19 07:02 150528 ----a-w- c:\windows\system32\iexpress.exe

2013-03-19 07:02 . 2013-03-19 07:02 138752 ----a-w- c:\windows\system32\wextract.exe

2013-03-19 07:02 . 2013-03-19 07:02 137216 ----a-w- c:\windows\system32\ieUnatt.exe

2013-03-19 07:02 . 2013-03-19 07:02 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2013-03-19 07:02 . 2013-03-19 07:02 38400 ----a-w- c:\windows\system32\imgutil.dll

2013-03-19 07:02 . 2013-03-19 07:02 12800 ----a-w- c:\windows\system32\mshta.exe

2013-03-19 07:02 . 2013-03-19 07:02 110592 ----a-w- c:\windows\system32\IEAdvpack.dll

2013-03-19 07:02 . 2013-03-19 07:02 61952 ----a-w- c:\windows\system32\tdc.ocx

2013-03-19 07:02 . 2013-03-19 07:02 48640 ----a-w- c:\windows\system32\mshtmler.dll

2013-03-19 07:02 . 2013-03-19 07:02 361984 ----a-w- c:\windows\system32\html.iec

2013-03-19 07:02 . 2013-03-19 07:02 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll

2013-03-19 07:02 . 2013-03-19 07:02 23040 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-19 07:02 . 2013-03-19 07:02 1441280 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-19 04:53 . 2013-05-15 09:49 186368 ----a-w- c:\windows\system32\wwansvc.dll

2013-03-19 04:48 . 2013-04-10 18:47 38912 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 03:33 . 2013-05-15 09:49 40960 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-03-19 02:49 . 2013-04-10 18:47 69632 ----a-w- c:\windows\system32\smss.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"Dell MFP Color Laser Printer 3115cn Launcher"="c:\program files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe" [2007-05-10 639896]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\Dell Printers\paperport\pptd40nt.exe" [2008-04-02 29984]

"IndexSearch"="c:\program files\Dell Printers\paperport\IndexSearch.exe" [2008-04-02 46368]

"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2007-07-25 393944]

"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-05-30 296056]

"PMBVolumeWatcher"="c:\program files\Sony\PlayMemories Home\PMBVolumeWatcher.exe" [2012-08-20 724576]

"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

.

c:\users\Cornelius\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2012-10-22 179936]

R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2012-09-21 19936]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2012-10-02 159712]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2012-11-16 5814904]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]

R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [2012-08-20 474208]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-05-14 3289208]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-11-09 160944]

R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2012-10-15 55776]

S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2012-09-21 177376]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2012-09-14 35552]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2012-09-21 164832]

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 17:58]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,204,0_0,StartPage,20130310,17117,0,18,0

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: {9E8EBAA8-573C-45D2-A64C-DD93489744DE} - hxxps://secure.gotobilling.com/os/documents/99510058-105.CAB

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-06-16 07:38:43

ComboFix-quarantined-files.txt 2013-06-16 11:38

ComboFix2.txt 2013-06-15 00:30

.

Pre-Run: 499,521,507,328 bytes free

Post-Run: 499,431,436,288 bytes free

.

- - End Of File - - B34B74EEBDE262C565C11DCFF75EF9D4

A36C5E4F47E84449FF07ED3517B43A31

running last 2 steps now...

driveblock · June 16, 2013

^{Results of screen317's Security Check version 0.99.64}

^{Windows 7 Service Pack 1 x86 (UAC is enabled)}

^{Internet Explorer 10}

^{``````````````Antivirus/Firewall Check:``````````````}

^{Windows Security Center service is not running! This report may not be accurate!}

^{Windows Firewall Enabled!}

^{AVG AntiVirus Free Edition 2013}

^{Antivirus out of date!}

^{`````````Anti-malware/Other Utilities Check:`````````}

^{Java 6 Update 26}

^{Java version out of Date!}

^{Adobe Reader XI}

^{````````Process Check: objlist.exe by Laurent````````}

^{`````````````````System Health check`````````````````}

^{Total Fragmentation on Drive C:}

^{````````````````````End of Log``````````````````````}

driveblock · June 16, 2013

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

www.malwarebytes.org

Database version: v2013.06.14.06

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 10.0.9200.16576

Cornelius :: CORNELIUS-PC [administrator]

6/14/2013 2:14:42 PM

mbar-log-2013-06-14 (14-14-42).txt

Scan type: Quick scan

Scan options disabled: Deep Anti-Rootkit Scan | PUP

Objects scanned: 214903

Time elapsed: 34 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 2

HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 (Trojan.Zaccess) -> Delete on reboot.

Registry Values Detected: 1

HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\$Recycle.Bin\S-1-5-21-3320149171-3297367744-2534044832-1000\$a9fde30ceb64b337d579f4400d9d7a5e\n. -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

c:\Users\Cornelius\AppData\Local\Temp\0.9543645824184025 (Trojan.Happili) -> Delete on reboot.

c:\Users\Cornelius\AppData\Local\Temp\hwxjgqkoepqocejjxcg.bfg (Trojan.Zbot.FV) -> Delete on reboot.

c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Delete on reboot.

Physical Sectors Detected: 0

(No malicious items detected)

(end)---------------------------------------