
I Hate Trojan.Trancur.Gen



I keep trying to delete these with Malwarebytes, but they don't delete. When I try to restart the computer in normal mode, the virus/malware gives me a blue screen before full shutdown. This thing is highly annoying. I've been fighting it for about 12 hours now and gave up to come here for help.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7544

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 9.0.8112.16421

8/23/2011 8:49:56 AM

mbam-log-2011-08-23 (08-49-56).txt

Scan type: Quick scan

Objects scanned: 174579

Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.Gen) -> Bad: (C:\ProgramData\api-ms-win-core-heap-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\0200000004e9790f1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.

.

DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_21

Run by Eugenia Burton at 9:13:05 on 2011-08-23

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.1274 [GMT -5:00]

.

AV: System Shield *Enabled/Updated* {C132074B-BF68-2E15-D4FD-E242EED15F18}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: System Shield *Enabled/Updated* {7A53E6AF-9952-219B-EE4D-D930955615A5}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe

C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe

C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://mail.newwavecom.com/exchange/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [iolo Startup] "c:\program files\iolo\common\lib\ioloLManager.exe"

mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\iavlsp.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{700ED210-788A-4EE6-BE04-66545B5B7A40} : DhcpNameServer = 192.168.1.254

AppInit_DLLs: c:\programdata\api-ms-win-core-misc-l1-1-032.dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 80.79.117.219 www.google.com

Hosts: 80.79.117.220 search.yahoo.com

Hosts: 80.79.117.220 www.bing.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\eugenia burton\appdata\roaming\mozilla\firefox\profiles\aw421xx1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\windows\system32\wat\npWatWeb.dll

.

============= SERVICES / DRIVERS ===============

.

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-8-22 722616]

R2 vseamps;vseamps;c:\program files\common files\authentium\antivirus5\vseamps.exe [2011-1-21 97088]

R2 vsedsps;vsedsps;c:\program files\common files\authentium\antivirus5\vsedsps.exe [2011-1-21 97088]

R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-4-4 136832]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2011-5-15 20392]

S2 AMP;AMP;c:\windows\system32\drivers\amp.sys [2011-1-21 138048]

S2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [2010-9-23 1171776]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-22 366640]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-22 2214504]

S2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-8-23 1153368]

S2 TrkWks32;Distributed Link Tracking Client ;c:\windows\system32\uxtheme32.exe [2011-8-21 713728]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-22 22712]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-22 41272]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-13 52224]

S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]

S3 vseqrts;vseqrts;c:\program files\common files\authentium\antivirus5\vseqrts.exe [2011-1-21 142144]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-23 1343400]

.

=============== File Associations ===============

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2011-08-23 11:58:49 54016 ----a-w- c:\windows\system32\drivers\ynjrpsw.sys

2011-08-23 11:22:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-08-23 11:22:48 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-23 11:07:29 54016 ----a-w- c:\windows\system32\drivers\jcaetd.sys

2011-08-23 07:31:31 -------- d-----w- c:\program files\PC Tools Security

2011-08-23 07:31:31 -------- d-----w- c:\program files\common files\PC Tools

2011-08-23 07:29:42 -------- d-----w- c:\programdata\PC Tools

2011-08-23 04:59:27 54016 ----a-w- c:\windows\system32\drivers\lfviyjjc.sys

2011-08-23 04:32:07 -------- d-----w- c:\users\eugenia burton\appdata\roaming\Malwarebytes

2011-08-23 04:32:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-23 04:32:03 -------- d-----w- c:\programdata\Malwarebytes

2011-08-23 04:32:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 04:32:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-23 02:16:24 2560616 ----a-w- c:\windows\system32\nvsvcr.dll

2011-08-23 00:34:45 -------- d-----w- c:\programdata\nD01604CaLpL01604

2011-08-23 00:03:16 0 ----a-w- c:\users\eugenia burton\appdata\local\yfug.exe

2011-08-23 00:03:16 0 ----a-w- c:\users\eugenia burton\appdata\local\hlwh.exe

2011-08-23 00:03:16 0 ----a-w- c:\users\eugenia burton\appdata\local\ekgh.exe

2011-08-23 00:03:16 0 ----a-w- c:\programdata\qxej.exe

2011-08-23 00:03:16 0 ----a-w- c:\programdata\ovsj.exe

2011-08-23 00:03:16 0 ----a-w- c:\programdata\magc.exe

2011-08-23 00:03:15 0 ----a-w- c:\users\eugenia burton\appdata\local\rnvf.exe

2011-08-23 00:03:15 0 ----a-w- c:\programdata\jyfr.exe

2011-08-21 18:24:29 713728 ----a-w- c:\programdata\api-ms-win-core-namedpipe-l1-1-032.exe

2011-08-21 18:24:28 713728 ----a-w- c:\windows\system32\uxtheme32.exe

2011-08-19 14:22:52 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aa6dae7e-ecea-472e-9744-9e5aedf3c35f}\mpengine.dll

2011-08-16 22:10:31 -------- d-----w- c:\users\eugenia burton\appdata\local\Deployment

2011-08-16 22:10:31 -------- d-----w- c:\users\eugenia burton\appdata\local\Apps

2011-08-14 06:01:26 -------- d-----w- c:\users\eugenia burton\appdata\local\http_www.flickr.com_0

2011-08-14 00:46:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-08-14 00:46:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-08-14 00:46:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-08-14 00:46:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-08-14 00:46:02 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-08-14 00:46:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-08-14 00:46:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-08-14 00:46:00 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll

2011-08-14 00:46:00 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll

2011-08-14 00:45:59 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll

2011-08-14 00:45:59 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll

2011-08-14 00:45:58 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll

2011-08-14 00:45:58 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll

2011-08-14 00:45:57 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll

2011-08-14 00:29:23 -------- d-----w- c:\program files\iPod

2011-08-14 00:29:19 -------- d-----w- c:\program files\iTunes

2011-08-14 00:24:37 -------- d-----w- c:\program files\Bonjour

2011-07-27 16:04:20 748336 ----a-w- c:\program files\internet explorer\iexplore.exe

2011-07-25 05:11:23 -------- d-----w- c:\users\eugenia burton\appdata\local\My Games

2011-07-25 05:06:25 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2011-07-25 05:06:25 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2011-07-25 05:06:23 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2011-07-25 02:20:39 -------- d-----w- c:\program files\common files\Steam

2011-07-25 02:20:34 -------- d-----w- c:\program files\Steam

2011-07-24 15:14:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-08-08 20:01:38 11776 ----a-w- c:\windows\system32\smrgdf.exe

2011-08-08 20:01:28 29696 ----a-w- c:\windows\system32\iolobtdfg.exe

2011-08-08 19:18:16 2083464 ----a-w- c:\windows\system32\Incinerator32.dll

2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:27:30 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 02:17:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:17:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:17:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:17:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 16:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-07-09 02:30:00 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 04:27:01 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-06-24 04:22:20 271360 ----a-w- c:\windows\system32\conhost.exe

2011-06-23 04:33:57 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-06-23 04:33:57 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-06-21 05:34:23 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-06-15 08:55:19 86016 ----a-w- c:\windows\system32\odbccu32.dll

2011-06-15 08:55:19 81920 ----a-w- c:\windows\system32\odbccr32.dll

2011-06-15 08:55:19 319488 ----a-w- c:\windows\system32\odbcjt32.dll

2011-06-15 08:55:19 163840 ----a-w- c:\windows\system32\odbctrac.dll

2011-06-15 08:55:19 122880 ----a-w- c:\windows\system32\odbccp32.dll

2011-06-14 03:00:10 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-06-11 02:29:25 2334208 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 9:14:10.33 ===============

Attach.zip

ark (2).zip

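The DDS "Pseudo HJT Report" above contains the two indicators that explain the symptoms in this thread: a DLL under ProgramData registered in AppInit_DLLs (so it is loaded into every process that links user32.dll, which is why quarantining it live can crash the machine), and hosts-file entries that send www.google.com, search.yahoo.com and www.bing.com to public addresses instead of loopback. The following is an added example, not part of the thread or of DDS, Malwarebytes or TDSSKiller; it parses lines in the DDS format and reports those two indicators. The sample input is constructed from lines in the posted log; `triage_dds`, `Finding` and the WRITABLE_MARKERS heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of "Pseudo HJT Report" lines copied from the
# DDS log posted in this thread (hxxp is DDS's own defanging of http).
SAMPLE_DDS = r"""
uStart Page = hxxp://mail.newwavecom.com/exchange/
LSP: c:\windows\system32\iavlsp.dll
TCP: DhcpNameServer = 192.168.1.254
AppInit_DLLs: c:\programdata\api-ms-win-core-misc-l1-1-032.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 80.79.117.219 www.google.com
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 80.79.117.220 www.bing.com
"""

# Assumption (heuristic of this example): an AppInit DLL living in a
# user-writable location is rated "high"; anything else is still reported,
# because a populated AppInit_DLLs value always deserves a look.
WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")

# Hosts entries that point at these addresses are the usual ad/tracker
# blocking pattern, not a redirect to an attacker-controlled server.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "appinit_dll" or "hosts_redirect"
    detail: str    # the DLL path, or "hostname -> ip"
    severity: str  # "high" or "review"


def _appinit_findings(value: str) -> list:
    """AppInit_DLLs may hold several paths separated by commas or semicolons."""
    out = []
    for dll in re.split(r"[;,]", value):
        dll = dll.strip()
        if not dll:
            continue
        lowered = dll.lower()
        high = any(marker in lowered for marker in WRITABLE_MARKERS)
        out.append(Finding("appinit_dll", dll, "high" if high else "review"))
    return out


def _hosts_finding(rest: str):
    """'Hosts: <ip> <hostname>': only non-loopback mappings count as redirects."""
    parts = rest.split()
    if len(parts) < 2:
        return None
    ip, host = parts[0], parts[1]
    if ip in LOCAL_ADDRESSES:
        return None
    return Finding("hosts_redirect", f"{host} -> {ip}", "high")


def triage_dds(text: str) -> list:
    """Walk DDS Pseudo-HJT lines and return AppInit and hosts-redirect findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, rest = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key == "appinit_dlls":
            findings.extend(_appinit_findings(rest))
        elif key == "hosts":
            finding = _hosts_finding(rest)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

On the posted log this reports the ProgramData DLL as high and the three search-engine redirects; the 127.0.0.1 entry for www.spywareinfo.com is left alone.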

I have thrown iolo System Mechanic, Malwarebytes, and Spybot - S&D at this thing and I am still having issues. After reading some solved issues, I ran TDSSKiller. It found one object and cured it, but I inadvertently forgot to save the log. Then, I ran the Malwarebytes scan below and it looked clean. See this and then the next post.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7544

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 9.0.8112.16421

8/23/2011 6:16:14 PM

mbam-log-2011-08-23 (18-16-14).txt

Scan type: Flash scan

Objects scanned: 129704

Time elapsed: 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Then, I restarted and ran another MBAM scan in the regular mode instead of safe mode. It came back.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7544

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

8/23/2011 6:37:59 PM

mbam-log-2011-08-23 (18-37-59).txt

Scan type: Flash scan

Objects scanned: 131162

Time elapsed: 1 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur.Gen) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.Gen) -> Bad: (C:\ProgramData\api-ms-win-core-heap-l1-1-032.dll) Good: () -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\0200000004e9790f1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur.Gen) -> Delete on reboot.

Whenever I login to the regular Windows instead of safe mode, I get a MBAM pop-up that tells me it has blocked a malicious program: c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur.Gen)

When I quarantine it, I get a blue screen in less than 15 seconds.

I cannot make these seven things go away. Every time I restart in regular mode, it is back. Any ideas?


My browser still gets redirected, but I can avoid that by going to the 'Cached' page or typing the URL directly into the address bar. Still getting the MBAM pop-up that tells me it has blocked a malicious program: c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur.Gen). However, when I quarantine it, it doesn't bluescreen me anymore.

I'm not sure what this malware does, so I'm not comfortable using my computer in regular mode. I'm still operating in safe mode.

Would it cause harm for me to use regular mode and actually play something like WoW?


Sorry about the delay in responding :(

We look for posts with 0 replies, so when you posted to your own log, we assumed you were being helped.


Logs will be closed if you haven't replied within 3 days.

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as ComboFix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:


Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run; once it is finished, move on to the next step.

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of the TDSSKiller log.

Also please describe how your computer behaves at the moment.


I ran everything as you said to do. Here is my TDSSKiller log - it didn't find anything.

2011/08/25 19:59:42.0432 2296 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57

2011/08/25 19:59:42.0853 2296 ================================================================================

2011/08/25 19:59:42.0853 2296 SystemInfo:

2011/08/25 19:59:42.0853 2296

2011/08/25 19:59:42.0853 2296 OS Version: 6.1.7601 ServicePack: 1.0

2011/08/25 19:59:42.0853 2296 Product type: Workstation

2011/08/25 19:59:42.0853 2296 ComputerName: EUGENIABURTON

2011/08/25 19:59:42.0853 2296 UserName: Eugenia Burton

2011/08/25 19:59:42.0853 2296 Windows directory: C:\Windows

2011/08/25 19:59:42.0853 2296 System windows directory: C:\Windows

2011/08/25 19:59:42.0853 2296 Processor architecture: Intel x86

2011/08/25 19:59:42.0853 2296 Number of processors: 1

2011/08/25 19:59:42.0853 2296 Page size: 0x1000

2011/08/25 19:59:42.0853 2296 Boot type: Normal boot

2011/08/25 19:59:42.0853 2296 ================================================================================

2011/08/25 19:59:43.0992 2296 Initialize success

2011/08/25 19:59:47.0564 3148 ================================================================================

2011/08/25 19:59:47.0564 3148 Scan started

2011/08/25 19:59:47.0564 3148 Mode: Manual;

2011/08/25 19:59:47.0564 3148 ================================================================================


2011/08/25 19:59:58.0780 3148 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/08/25 19:59:58.0858 3148 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys

2011/08/25 19:59:58.0983 3148 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys

2011/08/25 19:59:59.0046 3148 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys

2011/08/25 19:59:59.0170 3148 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys

2011/08/25 19:59:59.0311 3148 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys

2011/08/25 19:59:59.0389 3148 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/08/25 19:59:59.0467 3148 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/08/25 19:59:59.0560 3148 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys

2011/08/25 19:59:59.0654 3148 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys

2011/08/25 19:59:59.0857 3148 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys

2011/08/25 19:59:59.0966 3148 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys

2011/08/25 20:00:00.0013 3148 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys

2011/08/25 20:00:00.0169 3148 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys

2011/08/25 20:00:00.0262 3148 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys

2011/08/25 20:00:00.0418 3148 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys

2011/08/25 20:00:00.0528 3148 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\Windows\system32\drivers\mbam.sys

2011/08/25 20:00:00.0621 3148 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\Windows\system32\drivers\mbamswissarmy.sys

2011/08/25 20:00:00.0762 3148 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys

2011/08/25 20:00:00.0808 3148 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys

2011/08/25 20:00:00.0964 3148 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys

2011/08/25 20:00:01.0011 3148 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys

2011/08/25 20:00:01.0136 3148 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys

2011/08/25 20:00:01.0214 3148 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys

2011/08/25 20:00:01.0323 3148 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys

2011/08/25 20:00:01.0386 3148 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys

2011/08/25 20:00:01.0526 3148 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys

2011/08/25 20:00:01.0635 3148 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys

2011/08/25 20:00:01.0713 3148 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/08/25 20:00:01.0807 3148 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/08/25 20:00:01.0916 3148 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/08/25 20:00:01.0978 3148 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys

2011/08/25 20:00:02.0041 3148 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys

2011/08/25 20:00:02.0212 3148 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys

2011/08/25 20:00:02.0290 3148 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys

2011/08/25 20:00:02.0337 3148 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys

2011/08/25 20:00:02.0493 3148 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys

2011/08/25 20:00:02.0556 3148 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/08/25 20:00:02.0696 3148 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys

2011/08/25 20:00:02.0868 3148 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys

2011/08/25 20:00:02.0930 3148 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys

2011/08/25 20:00:03.0086 3148 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys

2011/08/25 20:00:03.0211 3148 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys

2011/08/25 20:00:03.0336 3148 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys

2011/08/25 20:00:03.0414 3148 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys

2011/08/25 20:00:03.0492 3148 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys

2011/08/25 20:00:03.0663 3148 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys

2011/08/25 20:00:03.0726 3148 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/08/25 20:00:03.0850 3148 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/08/25 20:00:03.0913 3148 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/08/25 20:00:04.0038 3148 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys

2011/08/25 20:00:04.0116 3148 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys

2011/08/25 20:00:04.0272 3148 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys

2011/08/25 20:00:04.0428 3148 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys

2011/08/25 20:00:04.0552 3148 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys

2011/08/25 20:00:04.0911 3148 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys

2011/08/25 20:00:05.0083 3148 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys

2011/08/25 20:00:05.0270 3148 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys

2011/08/25 20:00:05.0332 3148 NVENETFD (b5e37e31c053bc9950455a257526514b) C:\Windows\system32\DRIVERS\nvm62x32.sys

2011/08/25 20:00:05.0754 3148 nvlddmkm (6ef47521dce982602a25afb41dd13d4f) C:\Windows\system32\DRIVERS\nvlddmkm.sys

2011/08/25 20:00:06.0487 3148 NVNET (1de923088878b495cd4219e47ba34eb8) C:\Windows\system32\DRIVERS\nvmf6232.sys

2011/08/25 20:00:06.0674 3148 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys

2011/08/25 20:00:06.0768 3148 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys

2011/08/25 20:00:06.0939 3148 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys

2011/08/25 20:00:07.0033 3148 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys

2011/08/25 20:00:07.0220 3148 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys

2011/08/25 20:00:07.0298 3148 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys

2011/08/25 20:00:07.0438 3148 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys

2011/08/25 20:00:07.0610 3148 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys

2011/08/25 20:00:07.0704 3148 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys

2011/08/25 20:00:07.0782 3148 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys

2011/08/25 20:00:07.0891 3148 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys

2011/08/25 20:00:07.0969 3148 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys

2011/08/25 20:00:08.0328 3148 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys

2011/08/25 20:00:08.0452 3148 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys

2011/08/25 20:00:08.0530 3148 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys

2011/08/25 20:00:08.0702 3148 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys

2011/08/25 20:00:08.0889 3148 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys

2011/08/25 20:00:09.0030 3148 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys

2011/08/25 20:00:09.0092 3148 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys

2011/08/25 20:00:09.0232 3148 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys

2011/08/25 20:00:09.0357 3148 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/08/25 20:00:09.0420 3148 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/08/25 20:00:09.0466 3148 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys

2011/08/25 20:00:09.0669 3148 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys

2011/08/25 20:00:09.0810 3148 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys

2011/08/25 20:00:09.0888 3148 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/08/25 20:00:09.0966 3148 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys

2011/08/25 20:00:10.0028 3148 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys

2011/08/25 20:00:10.0090 3148 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys

2011/08/25 20:00:10.0215 3148 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys

2011/08/25 20:00:10.0465 3148 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys

2011/08/25 20:00:10.0527 3148 SaiH8000 (34ea7d80b2e7899b99bd525428cdce94) C:\Windows\system32\DRIVERS\SaiH8000.sys

2011/08/25 20:00:10.0590 3148 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys

2011/08/25 20:00:10.0761 3148 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys

2011/08/25 20:00:10.0964 3148 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2011/08/25 20:00:11.0042 3148 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys

2011/08/25 20:00:11.0073 3148 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys

2011/08/25 20:00:11.0198 3148 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys

2011/08/25 20:00:11.0276 3148 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys

2011/08/25 20:00:11.0416 3148 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys

2011/08/25 20:00:11.0541 3148 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys

2011/08/25 20:00:11.0650 3148 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys

2011/08/25 20:00:11.0775 3148 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys

2011/08/25 20:00:11.0838 3148 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys

2011/08/25 20:00:11.0931 3148 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys

2011/08/25 20:00:12.0056 3148 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys

2011/08/25 20:00:12.0212 3148 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys

2011/08/25 20:00:12.0321 3148 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys

2011/08/25 20:00:12.0462 3148 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys

2011/08/25 20:00:12.0586 3148 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys

2011/08/25 20:00:12.0774 3148 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys

2011/08/25 20:00:12.0836 3148 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys

2011/08/25 20:00:13.0086 3148 Tcpip (04e4a7d53a7ace02e8c55b17a498f631) C:\Windows\system32\drivers\tcpip.sys

2011/08/25 20:00:13.0257 3148 TCPIP6 (04e4a7d53a7ace02e8c55b17a498f631) C:\Windows\system32\DRIVERS\tcpip.sys

2011/08/25 20:00:13.0335 3148 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys

2011/08/25 20:00:13.0476 3148 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys

2011/08/25 20:00:13.0678 3148 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys

2011/08/25 20:00:13.0772 3148 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys

2011/08/25 20:00:13.0850 3148 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys

2011/08/25 20:00:14.0037 3148 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/08/25 20:00:14.0131 3148 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys

2011/08/25 20:00:14.0271 3148 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys

2011/08/25 20:00:14.0365 3148 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys

2011/08/25 20:00:14.0443 3148 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys

2011/08/25 20:00:14.0630 3148 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys

2011/08/25 20:00:14.0755 3148 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys

2011/08/25 20:00:14.0833 3148 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys

2011/08/25 20:00:14.0958 3148 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\Windows\system32\drivers\usbaudio.sys

2011/08/25 20:00:15.0036 3148 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/08/25 20:00:15.0192 3148 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys

2011/08/25 20:00:15.0301 3148 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys

2011/08/25 20:00:15.0379 3148 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys

2011/08/25 20:00:15.0488 3148 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\DRIVERS\usbohci.sys

2011/08/25 20:00:15.0644 3148 USBPNPA (41b758cff0a3c10a69e088f440677399) C:\Windows\system32\drivers\CM108.sys

2011/08/25 20:00:15.0831 3148 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys

2011/08/25 20:00:15.0909 3148 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\drivers\USBSTOR.SYS

2011/08/25 20:00:15.0972 3148 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\drivers\usbuhci.sys

2011/08/25 20:00:16.0034 3148 usb_rndisx (d82f43d15fdaa666856c0190cb73e7c9) C:\Windows\system32\DRIVERS\usb8023x.sys

2011/08/25 20:00:16.0206 3148 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys

2011/08/25 20:00:16.0346 3148 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/08/25 20:00:16.0408 3148 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys

2011/08/25 20:00:16.0471 3148 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys

2011/08/25 20:00:16.0627 3148 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys

2011/08/25 20:00:16.0767 3148 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys

2011/08/25 20:00:16.0830 3148 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys

2011/08/25 20:00:16.0939 3148 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys

2011/08/25 20:00:17.0017 3148 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys

2011/08/25 20:00:17.0064 3148 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys

2011/08/25 20:00:17.0220 3148 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys

2011/08/25 20:00:17.0391 3148 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys

2011/08/25 20:00:17.0469 3148 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys

2011/08/25 20:00:17.0610 3148 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys

2011/08/25 20:00:17.0641 3148 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys

2011/08/25 20:00:17.0797 3148 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys

2011/08/25 20:00:17.0890 3148 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys

2011/08/25 20:00:18.0062 3148 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys

2011/08/25 20:00:18.0124 3148 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys

2011/08/25 20:00:18.0327 3148 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys

2011/08/25 20:00:18.0436 3148 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys

2011/08/25 20:00:18.0514 3148 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys

2011/08/25 20:00:18.0577 3148 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/08/25 20:00:18.0639 3148 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0

2011/08/25 20:00:18.0702 3148 Boot (0x1200) (4c317818b9959dbe014b0338083ba59b) \Device\Harddisk0\DR0\Partition0

2011/08/25 20:00:18.0748 3148 Boot (0x1200) (298496fc1b47da006bb26dff9a7162f6) \Device\Harddisk0\DR0\Partition1

2011/08/25 20:00:18.0748 3148 ================================================================================

2011/08/25 20:00:18.0748 3148 Scan finished

2011/08/25 20:00:18.0748 3148 ================================================================================

2011/08/25 20:00:18.0780 1656 Detected object count: 0

2011/08/25 20:00:18.0780 1656 Actual detected object count: 0

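The last lines of the TDSSKiller log above hash the MBR and the two partition boot sectors. The figure in parentheses is the number of bytes hashed, and 0x1B8 for the MBR is exactly the bootstrap code region: it stops where the 4-byte disk signature (offset 0x1B8) and the partition table (offset 0x1BE) begin, both of which differ from machine to machine, so one clean baseline hash holds across disks with different layouts. The Python below is an added example, not TDSSKiller's code and not from the thread. It hashes that region of a 512-byte sector image, parses the partition table, and shows that a new disk signature leaves the hash alone while a three-byte hook at the start of the code does not. The sample boot code, disk signature and partition entry are constructed for the example; the "known-good" hash is computed from the constructed sector.

```python
"""Hash the MBR bootstrap code region the way the 'MBR (0x1B8)' log line does.

Added example for this thread; not TDSSKiller's code. The first 0x1B8 bytes
of sector 0 are the bootstrap code; the disk signature (0x1B8) and the
partition table (0x1BE) that follow differ per machine, so hashing only the
code lets one baseline cover many disks. The sample sector is constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8     # bootstrap code: bytes 0x000-0x1B7
DISK_SIG_OFF = 0x1B8      # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA
PART_ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the bootstrap code only, i.e. what 'MBR (0x1B8) (<hash>)' reports."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector, got %d bytes" % len(mbr))
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA"


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def build_sample_mbr(boot_code: bytes, disk_sig: int) -> bytes:
    """Constructed sector: the given code, a disk signature, one active NTFS partition."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def patch_bytes(mbr: bytes, offset: int, data: bytes) -> bytes:
    """Copy of the sector with bytes overwritten; used to simulate a bootkit hook."""
    buf = bytearray(mbr)
    buf[offset:offset + len(data)] = data
    return bytes(buf)


def check_mbr(mbr: bytes, baseline_md5: str) -> dict:
    """Verdict on one sector image against a known-good boot-code hash."""
    return {
        "signature_ok": has_boot_signature(mbr),
        "boot_code_match": boot_code_md5(mbr) == baseline_md5,
        "partitions": parse_partitions(mbr),
    }


# Constructed stand-in for bootstrap code: cli; xor ax,ax; mov ss,ax; mov sp,7C00h
GOOD_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
CLEAN_MBR = build_sample_mbr(GOOD_CODE, 0x11223344)
BASELINE_MD5 = boot_code_md5(CLEAN_MBR)  # baseline taken from the clean constructed sector

if __name__ == "__main__":
    cases = {
        "clean": CLEAN_MBR,
        # same code, new disk signature (e.g. after re-imaging): still matches
        "resigned": build_sample_mbr(GOOD_CODE, 0xDEADBEEF),
        # first instruction replaced by a short jump, as a bootkit hook would: must not match
        "hooked": patch_bytes(CLEAN_MBR, 0, b"\xEB\x50\x90"),
    }
    for name, img in cases.items():
        v = check_mbr(img, BASELINE_MD5)
        print("%-8s sig=%s code_match=%s partitions=%d"
              % (name, v["signature_ok"], v["boot_code_match"], len(v["partitions"])))
```

On a real machine the 512 bytes come from a raw read of the physical drive (administrator rights) or from a disk image, and the baseline must be taken from a known-clean install of the same Windows release, because the bootstrap code differs between Windows versions.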

I did get the MBAM popup window that said it had blocked a malicious program: c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur.Gen)

I hope it is alright, but I ran another MBAM scan. It found several items. I deleted/quarantined them, and then restarted. Ran another MBAM scan and everything is now gone. So far, no popup about that Tracur.Gen trojan being blocked, so I am assuming that is a good thing. It usually happens within less than four minutes of booting.

Maybe I'm all fixed now?

FIRST MBAM SCAN:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7562

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

8/25/2011 8:11:24 PM

mbam-log-2011-08-25 (20-11-24).txt

Scan type: Flash scan

Objects scanned: 131994

Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

c:\Windows\System32\uxtheme32.exe (Trojan.Tracur) -> 1524 -> Unloaded process successfully.

c:\programdata\api-ms-win-core-namedpipe-l1-1-032.exe (Trojan.Tracur) -> 1844 -> Unloaded process successfully.

Memory Modules Infected:

c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Bad: (C:\ProgramData\api-ms-win-core-heap-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\uxtheme32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\programdata\api-ms-win-core-heap-l1-1-032.dll (Trojan.Tracur) -> Delete on reboot.

c:\programdata\api-ms-win-core-namedpipe-l1-1-032.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\0200000004e9790f1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

SECOND MBAM SCAN AFTER RESTARTING:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7562

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

8/25/2011 8:15:58 PM

mbam-log-2011-08-25 (20-15-58).txt

Scan type: Flash scan

Objects scanned: 131562

Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


ComboFix 11-08-26.01 - Eugenia Burton 08/26/2011 9:05.1.1 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.972 [GMT -5:00]

Running from: c:\users\Eugenia Burton\Desktop\ComboFix.exe

AV: System Shield *Enabled/Updated* {C132074B-BF68-2E15-D4FD-E242EED15F18}

SP: System Shield *Enabled/Updated* {7A53E6AF-9952-219B-EE4D-D930955615A5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\bsyl.exe

c:\programdata\iyco.exe

c:\programdata\jyfr.exe

c:\programdata\magc.exe

c:\programdata\ojbi.exe

c:\programdata\ovsj.exe

c:\programdata\qxej.exe

c:\programdata\vvdd.exe

c:\users\Eugenia Burton\AppData\Local\ekgh.exe

c:\users\Eugenia Burton\AppData\Local\hlwh.exe

c:\users\Eugenia Burton\AppData\Local\rnvf.exe

c:\users\Eugenia Burton\AppData\Local\yfug.exe

c:\users\Eugenia Burton\AppData\Roaming\Microsoft\Windows\Templates\cyqh.exe

c:\users\Eugenia Burton\AppData\Roaming\Microsoft\Windows\Templates\ebpn.exe

c:\users\Eugenia Burton\AppData\Roaming\Microsoft\Windows\Templates\raxg.exe

c:\users\Eugenia Burton\AppData\Roaming\Microsoft\Windows\Templates\uh8btmba1127wq01h7o13odtoc8xr655m32537j453vs

c:\users\Eugenia Burton\AppData\Roaming\Microsoft\Windows\Templates\wgdt.exe

c:\windows\$NtUninstallKB54461$

c:\windows\$NtUninstallKB54461$\253941873

.

.

((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))

.

.

2011-08-26 14:10 . 2011-08-26 14:10 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\temp

2011-08-26 14:10 . 2011-08-26 14:10 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-25 08:02 . 2011-08-25 08:02 -------- d-----w- c:\program files\ESET

2011-08-24 16:14 . 2011-07-09 04:29 2048 ----a-w- c:\windows\system32\tzres.dll

2011-08-23 11:58 . 2011-08-23 11:58 54016 ----a-w- c:\windows\system32\drivers\ynjrpsw.sys

2011-08-23 11:22 . 2011-08-23 11:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-08-23 11:22 . 2011-08-23 11:26 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-23 11:07 . 2011-08-23 11:07 54016 ----a-w- c:\windows\system32\drivers\jcaetd.sys

2011-08-23 07:31 . 2011-08-23 10:35 -------- d-----w- c:\program files\PC Tools Security

2011-08-23 07:31 . 2011-08-23 10:35 -------- d-----w- c:\program files\Common Files\PC Tools

2011-08-23 07:29 . 2011-08-23 10:34 -------- d-----w- c:\programdata\PC Tools

2011-08-23 04:59 . 2011-08-23 04:59 54016 ----a-w- c:\windows\system32\drivers\lfviyjjc.sys

2011-08-23 04:32 . 2011-08-23 04:32 -------- d-----w- c:\users\Eugenia Burton\AppData\Roaming\Malwarebytes

2011-08-23 04:32 . 2011-08-23 04:32 -------- d-----w- c:\programdata\Malwarebytes

2011-08-23 04:32 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-23 04:32 . 2011-08-23 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-23 04:32 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 02:17 . 2011-08-23 02:18 -------- d-----w- c:\users\UpdatusUser

2011-08-23 02:16 . 2011-05-21 11:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll

2011-08-23 02:16 . 2011-08-23 02:16 -------- d-----w- c:\windows\Sun

2011-08-23 00:34 . 2011-08-23 04:51 -------- d-----w- c:\programdata\nD01604CaLpL01604

2011-08-19 14:22 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AA6DAE7E-ECEA-472E-9744-9E5AEDF3C35F}\mpengine.dll

2011-08-16 22:10 . 2011-08-22 10:39 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\Deployment

2011-08-16 22:10 . 2011-08-16 22:10 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\Apps

2011-08-14 06:01 . 2011-08-14 06:30 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\http_www.flickr.com_0

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

2011-08-14 00:43 . 2011-08-14 00:45 -------- d-----w- c:\program files\QuickTime

2011-08-14 00:29 . 2011-08-14 00:29 -------- d-----w- c:\program files\iPod

2011-08-14 00:29 . 2011-08-14 00:30 -------- d-----w- c:\program files\iTunes

2011-08-14 00:24 . 2011-08-14 00:24 -------- d-----w- c:\program files\Bonjour

2011-08-14 00:13 . 2011-08-14 00:13 -------- d-----w- c:\program files\Apple Software Update

2011-07-27 16:04 . 2011-07-27 16:04 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-14 16:52 . 2011-07-24 15:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-08 20:01 . 2010-09-23 21:51 11776 ----a-w- c:\windows\system32\smrgdf.exe

2011-08-08 20:01 . 2010-09-23 21:51 29696 ----a-w- c:\windows\system32\iolobtdfg.exe

2011-08-08 19:18 . 2011-07-23 17:24 2083464 ----a-w- c:\windows\system32\Incinerator32.dll

2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 16:20 . 2011-07-12 16:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 16:20 . 2011-07-12 16:20 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-14 03:00 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-06-11 02:29 . 2011-07-14 06:23 2334208 ----a-w- c:\windows\system32\win32k.sys

2011-08-17 15:30 . 2011-04-12 03:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-24 2969496]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2011-08-08 606392]

"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-07-14 8704]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]

@="Service"

.

R0 hhsv;hhsv;c:\windows\System32\drivers\kgxhde.sys [x]

R0 mcbd;mcbd;c:\windows\System32\drivers\wojvisc.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]

R3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2011-01-21 142144]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-23 1343400]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2009-11-12 20392]

S2 AMP;AMP;c:\windows\system32\DRIVERS\amp.sys [2011-01-21 138048]

S2 AMPSE;AMPSE;c:\windows\system32\DRIVERS\ampse.sys [2011-01-21 1171776]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-08-08 722616]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]

S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2010-09-16 80896]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2011-01-21 97088]

S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2011-01-21 97088]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]

S3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2008-04-04 136832]

.

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.newwavecom.com/exchange/

uInternet Settings,ProxyOverride = *.local

LSP: c:\windows\system32\iavlsp.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Eugenia Burton\AppData\Roaming\Mozilla\Firefox\Profiles\aw421xx1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-AMP

SafeBoot-AMPSE

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.dfsc]

"ImagePath"="\*"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-08-26 09:13:38

ComboFix-quarantined-files.txt 2011-08-26 14:13

.

Pre-Run: 38,783,279,104 bytes free

Post-Run: 38,513,111,040 bytes free

.

- - End Of File - - 1B279C329364A3B21DA198B5DD182CA1

So far, everything seems to be running fine now.


Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\windows\system32\drivers\ynjrpsw.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


Antivirus Version Last Update Result

AhnLab-V3 2011.08.26.01 2011.08.26 -

AntiVir 7.11.14.0 2011.08.26 -

Antiy-AVL 2.0.3.7 2011.08.26 -

Avast 4.8.1351.0 2011.08.26 -

Avast5 5.0.677.0 2011.08.26 -

AVG 10.0.0.1190 2011.08.26 -

BitDefender 7.2 2011.08.26 -

ByteHero 1.0.0.1 2011.08.22 -

CAT-QuickHeal 11.00 2011.08.26 -

ClamAV 0.97.0.0 2011.08.26 BC.Heuristics.Rootkit.B-11.MV

Commtouch 5.3.2.6 2011.08.26 -

Comodo 9882 2011.08.26 -

DrWeb 5.0.2.03300 2011.08.26 -

Emsisoft 5.1.0.10 2011.08.26 -

eSafe 7.0.17.0 2011.08.25 Win32.TrojanHorse

eTrust-Vet 36.1.8524 2011.08.26 -

F-Prot 4.6.2.117 2011.08.26 -

F-Secure 9.0.16440.0 2011.08.26 -

Fortinet 4.2.257.0 2011.08.25 -

GData 22 2011.08.26 -

Ikarus T3.1.1.107.0 2011.08.26 -

Jiangmin 13.0.900 2011.08.26 -

K7AntiVirus 9.111.5060 2011.08.26 -

Kaspersky 9.0.0.837 2011.08.26 -

McAfee 5.400.0.1158 2011.08.26 -

McAfee-GW-Edition 2010.1D 2011.08.26 -

Microsoft 1.7604 2011.08.26 -

NOD32 6413 2011.08.26 -

Norman 6.07.10 2011.08.26 -

nProtect 2011-08-26.02 2011.08.26 -

Panda 10.0.3.5 2011.08.26 Trj/Hupigon.BDH

PCTools 8.0.0.5 2011.08.26 -

Prevx 3.0 2011.08.26 -

Rising 23.72.04.03 2011.08.26 -

Sophos 4.68.0 2011.08.26 -

SUPERAntiSpyware 4.40.0.1006 2011.08.26 -

Symantec 20111.2.0.82 2011.08.26 -

TheHacker 6.7.0.1.284 2011.08.26 -

TrendMicro 9.500.0.1008 2011.08.25 -

TrendMicro-HouseCall 9.500.0.1008 2011.08.26 -

VBA32 3.12.16.4 2011.08.26 -

VIPRE 10274 2011.08.26 -

ViRobot 2011.8.26.4641 2011.08.26 -

VirusBuster 14.0.186.0 2011.08.26 -

Additional information

MD5 : e6d35f3aa51a65eb35c1f2340154a25e

SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537

SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516

ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY

File size : 54016 bytes

First seen: 2009-09-18 00:44:25

Last seen : 2011-08-26 16:28:29

TrID:

Clipper DOS Executable (33.3%)

Generic Win/DOS Executable (33.0%)

DOS Executable Generic (33.0%)

VXD Driver (0.5%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0xC505

timedatestamp....: 0x4A9EE5B5 (Wed Sep 02 21:37:57 2009)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x480, 0xBD9F, 0xBE00, 5.83, 9474f39576a0e15bdbaa2ea3355f0a4a

.rdata, 0xC280, 0x126, 0x180, 3.78, 375b710d9f213cfced30e9fdb29567e1

.data, 0xC400, 0xC0, 0x100, 0.33, 786971ca2b109729eda604b44d6c72ad

INIT, 0xC500, 0x3C8, 0x400, 5.20, eea49a93a73afb6afc178455582133c6

.reloc, 0xC900, 0x9EC, 0xA00, 6.62, bddd5a40c508bfc84ec87de5f8e6a5d3

[[ 1 import(s) ]]

ntoskrnl.exe: ZwWriteFile, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePool, RtlPrefixUnicodeString, memcpy, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryDirectoryFile, ZwOpenFile, KeTickCount, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion, KeBugCheckEx


You have some files we need to collect.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

http://forums.malwarebytes.org/index.php?showtopic=93425

Collect::
c:\windows\system32\drivers\ynjrpsw.sys
c:\windows\system32\drivers\jcaetd.sys
c:\windows\system32\drivers\lfviyjjc.sys

Driver::
ynjrpsw
jcaetd
lfviyjjc

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


ComboFix 11-08-26.04 - Eugenia Burton 08/26/2011 11:54:40.2.1 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.1093 [GMT -5:00]

Running from: c:\users\Eugenia Burton\Desktop\ComboFix.exe

Command switches used :: c:\users\Eugenia Burton\Desktop\CFScript.txt

AV: System Shield *Enabled/Updated* {C132074B-BF68-2E15-D4FD-E242EED15F18}

SP: System Shield *Enabled/Updated* {7A53E6AF-9952-219B-EE4D-D930955615A5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

file zipped: c:\windows\system32\drivers\jcaetd.sys

file zipped: c:\windows\system32\drivers\lfviyjjc.sys

file zipped: c:\windows\system32\drivers\ynjrpsw.sys

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\drivers\jcaetd.sys

c:\windows\system32\drivers\lfviyjjc.sys

c:\windows\system32\drivers\ynjrpsw.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))

.

.

2011-08-26 17:00 . 2011-08-26 17:01 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\temp

2011-08-25 08:02 . 2011-08-25 08:02 -------- d-----w- c:\program files\ESET

2011-08-24 16:14 . 2011-07-09 04:29 2048 ----a-w- c:\windows\system32\tzres.dll

2011-08-23 11:22 . 2011-08-23 11:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-08-23 11:22 . 2011-08-23 11:26 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-23 07:31 . 2011-08-23 10:35 -------- d-----w- c:\program files\PC Tools Security

2011-08-23 07:31 . 2011-08-23 10:35 -------- d-----w- c:\program files\Common Files\PC Tools

2011-08-23 07:29 . 2011-08-23 10:34 -------- d-----w- c:\programdata\PC Tools

2011-08-23 04:32 . 2011-08-23 04:32 -------- d-----w- c:\users\Eugenia Burton\AppData\Roaming\Malwarebytes

2011-08-23 04:32 . 2011-08-23 04:32 -------- d-----w- c:\programdata\Malwarebytes

2011-08-23 04:32 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-23 04:32 . 2011-08-23 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-23 04:32 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 02:17 . 2011-08-23 02:18 -------- d-----w- c:\users\UpdatusUser

2011-08-23 02:16 . 2011-05-21 11:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll

2011-08-23 02:16 . 2011-08-23 02:16 -------- d-----w- c:\windows\Sun

2011-08-23 00:34 . 2011-08-23 04:51 -------- d-----w- c:\programdata\nD01604CaLpL01604

2011-08-19 14:22 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AA6DAE7E-ECEA-472E-9744-9E5AEDF3C35F}\mpengine.dll

2011-08-16 22:10 . 2011-08-22 10:39 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\Deployment

2011-08-16 22:10 . 2011-08-16 22:10 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\Apps

2011-08-14 06:01 . 2011-08-14 06:30 -------- d-----w- c:\users\Eugenia Burton\AppData\Local\http_www.flickr.com_0

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

2011-08-14 00:46 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

2011-08-14 00:45 . 2011-08-14 00:45 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

2011-08-14 00:43 . 2011-08-14 00:45 -------- d-----w- c:\program files\QuickTime

2011-08-14 00:29 . 2011-08-14 00:29 -------- d-----w- c:\program files\iPod

2011-08-14 00:29 . 2011-08-14 00:30 -------- d-----w- c:\program files\iTunes

2011-08-14 00:24 . 2011-08-14 00:24 -------- d-----w- c:\program files\Bonjour

2011-08-14 00:13 . 2011-08-14 00:13 -------- d-----w- c:\program files\Apple Software Update

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-14 16:52 . 2011-07-24 15:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-27 16:04 . 2011-07-27 16:04 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2011-07-27 16:04 . 2011-07-27 16:04 161792 ----a-w- c:\windows\system32\msls31.dll

2011-07-27 16:04 . 2011-07-27 16:04 86528 ----a-w- c:\windows\system32\iesysprep.dll

2011-07-27 16:04 . 2011-07-27 16:04 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2011-07-27 16:04 . 2011-07-27 16:04 48640 ----a-w- c:\windows\system32\mshtmler.dll

2011-07-27 16:04 . 2011-07-27 16:04 110592 ----a-w- c:\windows\system32\IEAdvpack.dll

2011-07-27 16:04 . 2011-07-27 16:04 74752 ----a-w- c:\windows\system32\iesetup.dll

2011-07-27 16:04 . 2011-07-27 16:04 63488 ----a-w- c:\windows\system32\tdc.ocx

2011-07-27 16:04 . 2011-07-27 16:04 367104 ----a-w- c:\windows\system32\html.iec

2011-07-27 16:04 . 2011-07-27 16:04 23552 ----a-w- c:\windows\system32\licmgr10.dll

2011-07-27 16:04 . 2011-07-27 16:04 152064 ----a-w- c:\windows\system32\wextract.exe

2011-07-27 16:04 . 2011-07-27 16:04 150528 ----a-w- c:\windows\system32\iexpress.exe

2011-07-27 16:04 . 2011-07-27 16:04 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2011-07-27 16:04 . 2011-07-27 16:04 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-07-27 16:04 . 2011-07-27 16:04 35840 ----a-w- c:\windows\system32\imgutil.dll

2011-07-27 16:04 . 2011-07-27 16:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2011-07-27 16:04 . 2011-07-27 16:04 11776 ----a-w- c:\windows\system32\mshta.exe

2011-07-27 16:04 . 2011-07-27 16:04 101888 ----a-w- c:\windows\system32\admparse.dll

2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 16:20 . 2011-07-12 16:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 16:20 . 2011-07-12 16:20 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-14 03:00 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-06-11 02:29 . 2011-07-14 06:23 2334208 ----a-w- c:\windows\system32\win32k.sys

2011-08-17 15:30 . 2011-04-12 03:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-24 2969496]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-07-14 8704]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

R0 hhsv;hhsv;c:\windows\System32\drivers\kgxhde.sys [x]

R0 mcbd;mcbd;c:\windows\System32\drivers\wojvisc.sys [x]

R3 CFcatchme;CFcatchme;c:\users\EUGENI~1\AppData\Local\Temp\CFcatchme.sys [x]

R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-23 1343400]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]

S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2010-09-16 80896]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]

S3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2008-04-04 136832]

.

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.newwavecom.com/exchange/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Eugenia Burton\AppData\Roaming\Mozilla\Firefox\Profiles\aw421xx1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.dfsc]

"ImagePath"="\*"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\LSI SoftModem\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\taskhost.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\conhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2011-08-26 12:06:14 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-26 17:06

ComboFix2.txt 2011-08-26 14:13

.

Pre-Run: 39,056,580,608 bytes free

Post-Run: 38,842,470,400 bytes free

.

- - End Of File - - 683ED708AAF3DA9D344EA3E156D0D9D6

Upload was successful

Computer seems to be alright, but I'm not doing anything other than using Firefox.

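The two boot-start entries "R0 hhsv" and "R0 mcbd", whose image files ComboFix marks "[x]", appear in both logs above and survive the cleanup. As an added example (not code from this thread or from ComboFix), here is a small Python triage of such service lines, fed with lines copied from these logs as constructed sample input; the parsing of the line layout and the scoring rules are this example's own heuristics.

```python
"""Triage of the service/driver lines in a ComboFix log (added example).

ComboFix prints one line per service as
    <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
and prints "[x]" instead of a date and size when it could not find or stat
the image file.  The parser below is this example's own reading of that
layout; the scoring rules are heuristics, not anything ComboFix does.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Lines copied from the ComboFix logs in this thread (constructed sample input).
SAMPLE_LOG = r"""
R0 hhsv;hhsv;c:\windows\System32\drivers\kgxhde.sys [x]
R0 mcbd;mcbd;c:\windows\System32\drivers\wojvisc.sys [x]
R3 CFcatchme;CFcatchme;c:\users\EUGENI~1\AppData\Local\Temp\CFcatchme.sys [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2010-09-16 80896]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"        # R = running, S = stopped; digit = Start value
    r"(?P<name>[^;]+);(?P<display>[^;]*);"     # service name ; display name ;
    r"(?P<path>.+?)\s+"                        # image path (may contain spaces)
    r"\[(?:(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)|(?P<missing>x))\]$"
)


class ServiceEntry(NamedTuple):
    state: str           # "R" running or "S" stopped
    start_type: int      # 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled
    name: str
    display: str
    path: str
    size: Optional[int]  # None when ComboFix printed [x]
    file_present: bool


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(
        state=m["state"],
        start_type=int(m["start"]),
        name=m["name"].strip(),
        display=m["display"].strip(),
        path=m["path"],
        size=int(m["size"]) if m["size"] else None,
        file_present=m["missing"] is None,
    )


def triage(entry: ServiceEntry) -> List[str]:
    """Reasons this entry deserves a closer look; an empty list means nothing notable."""
    reasons: List[str] = []
    if not entry.file_present:
        # A service key whose image is gone is either an orphan left behind by a
        # removed driver (the case in this thread) or a file hidden from the scanner.
        reasons.append("image file not present (orphaned or hidden)")
    if entry.start_type == 0:
        # Boot-start drivers load before most security software can inspect them.
        reasons.append("boot-start driver (Start = 0)")
    if "\\temp\\" in entry.path.lower():
        # Legitimate drivers do not normally live in a user's Temp directory.
        # CFcatchme.sys here is ComboFix's own scanning driver and is expected
        # to show up this way while the tool is installed.
        reasons.append("image path under a Temp directory")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons for every flagged line in a ComboFix log excerpt."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```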

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START > Run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

For Vista / Windows 7

  • Click START > Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Using a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • JAVA - Click this link and click on the Free JAVA Download

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


Removed ComboFix and re-enabled through Defogger.

Updated my IE stuff (though I only use that for work email).

Completely removed Iolo System Mechanic Professional from my machine because it caught NONE of this malware/virus stuff.

Added Microsoft Security Essentials as my new anti-virus. I am also now a paying subscriber to MalwareBytes for three days.

M86 SecureBrowsing is not compatible with Firefox 6.0, so I couldn't add it.

Got the newest, compatible Java a moment ago.

Ran Windows Update.

Currently, I have Microsoft Security Essentials, MalwareBytes, and Spybot - Search & Destroy on the machine. Are they going to clash with each other?

Thank you soooooooooooo much for all of this assistance. You are my HERO!


Currently, I have Microsoft Security Essentials, MalwareBytes, and Spybot - Search & Destroy on the machine. Are they going to clash with each other?
Those should work fine together.

You're more than welcome.

Glad we were able to help

Peace be with you
