Windows could not automatically detect this n
Closed
Renken
Posts
12
Registration date
Wednesday February 1, 2012
Status
Member
Last seen
August 11, 2012
-
Feb 23, 2012 at 10:02 AM
Anonymous User - Mar 8, 2012 at 05:00 AM
9 responses
Anonymous User
Feb 23, 2012 at 11:42 AM
It should have cured the ZeroAccess rootkit. You may still be infected. We need more scans to make sure you're clean. It's up to you to decide.
Anonymous User
Feb 23, 2012 at 10:10 AM
I'm not sure if your PC is clean. Let's try to fix your Internet connection and then scan for any remaining infections.
Download (copy from another PC):
https://download.bleepingcomputer.com/farbar/FSS.exe
Checkmark "Internet Services".
Click on Scan.
Please copy and paste the log to your reply.
Renken
Feb 23, 2012 at 10:24 AM
Hey, these are the results for Internet Services:
Farbar Service Scanner Version: 22-02-2012
Ran by user (administrator) on 23-02-2012 at 18:20:11
Running from "J:\"
Microsoft Windows 7 Ultimate (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2009-07-14 01:12] - [2009-07-14 01:12] - 0338944 ____A () 091116EB35DD3AF55CB74193D49006CB
C:\Windows\system32\Drivers\tdx.sys
[2009-07-14 01:12] - [2009-07-14 01:12] - 0074240 ____A () 2CBC60D6AE6F3597561FE78C6551F0A7
C:\Windows\system32\Drivers\tcpip.sys
[2012-02-02 20:23] - [2010-04-09 09:24] - 1285000 ____A (Microsoft Corporation) 63170B9EE1D0EF0032F0408605671D1A
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
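As an added illustration of what the helper is reading in that File Check block (this is editor-added example code, not part of the thread and not Farbar's tool): FSS prints "=> MD5 is legit" when a file's hash matches its known-good list, and otherwise prints a detail line with the timestamps, size, publisher and MD5. A network driver such as afd.sys with an empty publisher field and no known-good match is exactly the pattern that prompts the next reply. The parser below runs on a constructed sample log that copies only the layout of the one above; the hashes in it are placeholders, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of a Farbar Service Scanner (FSS) log.
# Dates, sizes and the two MD5 strings are illustrative placeholders.
SAMPLE_FSS_LOG = r"""Farbar Service Scanner Version: 22-02-2012
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2009-07-14 01:12] - [2009-07-14 01:12] - 0338944 ____A () 0123456789ABCDEF0123456789ABCDEF
C:\Windows\system32\Drivers\tcpip.sys
[2012-02-02 20:23] - [2010-04-09 09:24] - 1285000 ____A (Microsoft Corporation) FEDCBA9876543210FEDCBA9876543210
C:\Windows\system32\svchost.exe => MD5 is legit
**** End of log ****
"""

# Detail line FSS prints under a file whose MD5 is NOT on its known-good list:
# [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileCheckEntry:
    path: str
    md5_legit: bool                 # True when FSS printed "=> MD5 is legit"
    company: Optional[str] = None   # publisher from the detail line, "" if blank
    md5: Optional[str] = None
    size: Optional[int] = None


def parse_file_check(log_text: str) -> List[FileCheckEntry]:
    """Return every file listed in the 'File Check:' section of an FSS log."""
    entries: List[FileCheckEntry] = []
    lines = log_text.splitlines()
    in_section = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "File Check:":
            in_section = True
            i += 1
            continue
        if not in_section:
            i += 1
            continue
        if line.startswith("****") or line.endswith(":"):
            break                                  # end of log or next section
        if not line or line.startswith("="):
            i += 1                                 # underline / blank
            continue
        if line.endswith("=> MD5 is legit"):
            entries.append(FileCheckEntry(path=line.split(" =>")[0], md5_legit=True))
            i += 1
            continue
        # Otherwise: a bare path followed by its detail line.
        detail = DETAIL_RE.match(lines[i + 1].strip()) if i + 1 < len(lines) else None
        if detail:
            entries.append(FileCheckEntry(line, False, detail["company"],
                                          detail["md5"].upper(), int(detail["size"])))
            i += 2
        else:
            entries.append(FileCheckEntry(line, False))
            i += 1
    return entries


def triage(entries: List[FileCheckEntry]) -> List[Tuple[str, List[str]]]:
    """Files FSS could not vouch for, with the reasons a reviewer would note."""
    findings = []
    for e in entries:
        if e.md5_legit:
            continue
        reasons = ["MD5 not on the FSS known-good list"]
        if e.company is not None and not e.company.strip():
            reasons.append("no company/publisher recorded")
        findings.append((e.path, reasons))
    return findings


def connection_status(log_text: str) -> Dict[str, bool]:
    """Yes/no facts from the Connection Status block."""
    return {
        "localhost": "Localhost is accessible." in log_text,
        "network": "There is no connection to network." not in log_text,
    }


if __name__ == "__main__":
    print(connection_status(SAMPLE_FSS_LOG))
    for path, why in triage(parse_file_check(SAMPLE_FSS_LOG)):
        print(path, "->", "; ".join(why))
```

Run against the sample, the two network drivers come out flagged and afd.sys additionally carries the "no publisher" reason, while tcpip.sys is merely unverified (a Microsoft-signed build FSS does not know). That distinction, plus "no connection to network", is the whole basis of the "you're still infected" reply that follows.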
Anonymous User
Feb 23, 2012 at 10:48 AM
From your log I can guess that you're still infected.
Download
https://support.kaspersky.com/downloads/utils/tdsskiller.exe
Launch it. Click on Change parameters and select "TDLFS file system".
Click on "Scan". Please post the log report (the log file should be in your C drive).
Restart the PC.
Launch FSS again and type
afd.sys;tdx.sys
in the search box, then click on "Search files".
Post the generated log.
Renken
Feb 23, 2012 at 11:38 AM
I cured the 2 viruses I had ;( Then rebooted, it worked lol. Maybe I need to replace MSE antivirus. Thanks a lot man, appreciate your help.
Anonymous User
Feb 24, 2012 at 05:28 AM
Download
https://download.bleepingcomputer.com/sUBs/ComboFix.exe
Close any open browsers or any other programs that are open.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (in your case you do not have internet to download it, so ignore it).
When finished, it will produce a report for you.
Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
In your next post I need the following:
* Log from ComboFix
* How is the computer doing now?
Renken
Feb 24, 2012 at 06:32 AM
So it's working now.
Renken
Feb 24, 2012 at 06:33 AM
The log:
ComboFix 12-02-24.01 - user 02/24/2012 14:05:47.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2266 [GMT 2:00]
Running from: J:\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\10.mid
c:\users\user\11.mid
c:\users\user\12.mid
c:\users\user\AppData\Roaming\edxLabs
c:\users\user\AppData\Roaming\edxLabs\edxSilkroadLoader\edxSilkroadLoader.ini
c:\users\user\AppData\Roaming\edxLabs\edxSilkroadLoader\ISRO.ini
c:\users\user\AppData\Roaming\searchqutb
c:\users\user\AppData\Roaming\searchqutb\dtx.ini
c:\users\user\AppData\Roaming\searchqutb\games\00d2dfc64c07a4f32824abac1d6f735b
c:\users\user\AppData\Roaming\searchqutb\games\3e4265e00cbc4a9cf22a105046a46d8a
c:\users\user\AppData\Roaming\searchqutb\games\44a5d79f5451d3036ba3986425e234c8
c:\users\user\AppData\Roaming\searchqutb\games\GameCategories.xml
c:\users\user\AppData\Roaming\searchqutb\games\GameTypes.xml
c:\users\user\AppData\Roaming\searchqutb\guid.dat
c:\users\user\AppData\Roaming\searchqutb\log.txt
c:\users\user\AppData\Roaming\searchqutb\preferences.dat
c:\users\user\AppData\Roaming\searchqutb\search\searchqutb-search-history.xml
c:\users\user\AppData\Roaming\searchqutb\stats.dat
c:\users\user\AppData\Roaming\searchqutb\uninstallIE.dat
c:\users\user\AppData\Roaming\searchqutb\version.xml
c:\users\user\AppData\Roaming\searchqutb\weather\82bb45b86eb89c373ef13dd8182681f5
c:\users\user\AppData\Roaming\searchqutb\weather\cf20402416da416ce79b0d111d58d5f8
c:\users\user\AppData\Roaming\searchqutb\weather\dbd93ddf7839cb82ce4cc5c492bb5b36
c:\users\user\AppData\Roaming\searchqutb\weather\forecasts_cache.xml
c:\users\user\AppData\Roaming\searchqutb\weather\observations_cache.xml
c:\users\user\AppData\Roaming\searchqutb\weatherbutton_prefs.xml
c:\users\user\AppData\Roaming\searchqutb\widgets_cache\84b70525cff6359fdeca553342c23e4c
c:\users\user\AppData\Roaming\searchqutb\widgets_cache\bf5b6317ae07da699882fc948f22eda4
c:\users\user\AppData\Roaming\searchqutb\widgets_cache\category_cache.xml
c:\users\user\AppData\Roaming\searchqutb\widgets_cache\widget_cache.xml
c:\users\user\WINDOWS
c:\windows\$NtUninstallKB54681$\3644581569
c:\windows\$NtUninstallKB54681$\4223938141\Desktop.ini
c:\windows\system32\1.txt
c:\windows\system32\jlrinlax.dll
c:\windows\system32\kernel32new.dll
c:\windows\system32\msvcrtnew.dll
c:\windows\Tasks\At1.job
D:\install.exe
.
Infected copy of c:\windows\system32\drivers\csc.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\919003e3012e674674fc2a83c2329826\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_jofaiffg
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 12:09 . 2012-02-24 12:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-24 12:09 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-23 17:47 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A88CFAC8-6F1B-485D-9CEA-DBFD1828283D}\mpengine.dll
2012-02-23 17:32 . 2012-02-24 09:18 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-22 18:42 . 2012-02-22 18:42 -------- d-----w- c:\programdata\Local Settings
2012-02-22 10:32 . 2012-02-22 10:32 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-22 10:10 . 2012-02-22 10:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-11 11:22 . 2012-02-02 20:47 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-11 11:22 . 2012-02-11 11:22 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BB73CCD8-EBDB-4DBC-979B-37AFA2517136}\gapaengine.dll
2012-02-05 14:52 . 2010-06-02 02:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2012-02-05 14:52 . 2010-06-02 02:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2012-02-05 14:52 . 2010-06-02 02:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2012-02-05 14:52 . 2010-05-26 09:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2012-02-05 14:52 . 2010-05-26 09:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2012-02-05 14:52 . 2010-05-26 09:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2012-02-05 14:52 . 2010-05-26 09:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2012-02-05 14:52 . 2010-05-26 09:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2012-02-04 20:11 . 2012-02-04 20:11 -------- d-----w- c:\windows\system32\xlive
2012-02-04 20:11 . 2012-02-04 20:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2012-02-03 22:50 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 22:34 . 2012-02-03 22:35 -------- d-----w- c:\program files\ComicRack
2012-02-03 22:21 . 2009-11-25 19:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2012-02-03 22:21 . 2009-11-25 19:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2012-02-03 22:21 . 2009-11-25 19:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-02-03 22:21 . 2009-11-25 19:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2012-02-03 22:21 . 2009-11-25 19:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-02-03 00:20 . 2012-02-11 11:06 -------- d-----w- c:\program files\BitTorrent
2012-02-02 23:08 . 2012-02-02 23:08 -------- d-----w- c:\program files\SystemRequirementsLab
2012-02-02 23:06 . 2012-02-02 23:06 -------- d-----w- c:\program files\Common Files\Java
2012-02-02 23:06 . 2012-02-02 23:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-02 23:06 . 2012-02-02 23:06 -------- d-----w- c:\program files\Java
2012-02-02 20:17 . 2012-02-02 20:17 -------- d-----w- c:\programdata\NFS Underground
2012-02-02 19:26 . 2012-02-02 19:26 -------- d-----w- c:\program files\Common Files\Steam
2012-02-02 19:21 . 2012-02-02 19:21 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-02 19:21 . 2012-02-02 19:21 -------- d-----w- c:\program files\DAEMON Tools Lite
2012-02-02 19:20 . 2012-02-02 19:21 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-02 19:03 . 2012-02-02 19:03 -------- d-----w- c:\program files\Internet Download Manager
2012-02-02 18:30 . 2012-02-02 18:32 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-02-02 18:23 . 2012-02-02 18:23 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-02 18:23 . 2010-04-09 07:24 1285000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-02-02 18:23 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-02 17:55 . 2012-02-05 14:53 -------- d-----w- c:\programdata\Ubisoft
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-----w- c:\users\UpdatusUser
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-sh--w- c:\users\NetworkService
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-sh--w- c:\users\LocalService
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-----w- c:\users\Default\AppData\Roaming\IObit
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-----w- c:\users\Default\AppData\Local\{3248F0A6-6813-11D6-A77B-00B0D0150060}
2012-02-02 17:13 . 2012-02-02 17:13 -------- d-----w- c:\programdata\ATI
2012-02-02 17:13 . 2012-02-02 17:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2012-02-02 17:13 . 2012-02-02 17:13 0 ----a-w- c:\windows\ativpsrm.bin
2012-02-02 17:12 . 2012-02-02 17:12 -------- d-----w- c:\program files\AMD APP
2012-02-02 17:12 . 2012-02-02 17:12 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-02-02 17:10 . 2012-02-02 17:10 -------- d-----w- C:\AMD
2012-02-02 16:51 . 2006-10-26 17:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2012-02-02 16:51 . 2006-10-26 17:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2012-02-02 16:50 . 2012-02-02 16:50 -------- d-----w- c:\program files\Microsoft Works
2012-02-02 16:50 . 2012-02-03 22:31 -------- d-----w- c:\program files\Microsoft.NET
2012-02-02 16:50 . 2012-02-02 16:50 -------- d-----w- c:\windows\PCHEALTH
2012-02-02 16:49 . 2012-02-02 16:49 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-02 16:48 . 2012-02-02 16:51 -------- d-----w- c:\programdata\Microsoft Help
2012-02-02 16:48 . 2012-02-02 16:48 -------- d-----r- C:\MSOCache
2012-02-02 16:44 . 2012-02-02 16:44 -------- d-----w- c:\programdata\Yahoo!
2012-02-02 16:44 . 2012-02-02 16:44 -------- d-----w- c:\program files\Yahoo!
2012-02-02 16:41 . 2012-02-02 16:41 -------- d-----w- c:\program files\Common Files\Adobe
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\programdata\Apple Computer
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\windows\system32\Macromed
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\program files\Pure Codec
2012-02-02 16:29 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll
2012-02-02 16:29 . 2007-09-21 00:52 118784 ----a-w- c:\windows\system32\ac3acm.acm
2012-02-02 16:29 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2012-02-02 16:29 . 2009-04-02 13:21 84480 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-02 16:29 . 2012-02-02 16:29 -------- d-----w- c:\program files\K-Lite Codec Pack
2012-02-02 16:29 . 2004-01-11 22:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-02 16:28 . 2012-02-15 18:16 -------- d-sh--w- c:\windows\Installer
2012-02-02 16:27 . 2012-02-02 17:12 -------- d-----w- c:\program files\ATI Technologies
2012-02-02 16:27 . 2012-02-02 16:27 -------- d-----w- c:\program files\ATI
2012-02-02 16:27 . 2012-02-02 16:27 -------- d-----w- C:\swsetup
2012-02-02 16:17 . 2012-02-24 12:10 -------- d-----w- c:\windows\system32\wbem\Performance
2012-02-02 16:10 . 2012-02-24 12:09 -------- d-----w- c:\users\user
2012-01-26 13:42 . 2012-01-27 00:48 91936 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-24 12:04 . 2009-07-13 23:15 387584 ----a-w- c:\windows\system32\drivers\csc.sys
2012-02-24 09:09 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-24 09:03 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 17:33 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-31 12:44 . 2009-10-14 09:58 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-06 03:44 . 2011-12-06 03:44 9067008 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-12-06 03:17 . 2011-12-06 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-12-06 03:17 . 2011-12-06 03:17 778752 ----a-w- c:\windows\system32\aticfx32.dll
2011-12-06 03:12 . 2011-12-06 03:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-12-06 03:12 . 2011-12-06 03:12 404992 ----a-w- c:\windows\system32\atieclxx.exe
2011-12-06 03:11 . 2011-12-06 03:11 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2011-12-06 03:10 . 2011-12-06 03:10 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 360448 ----a-w- c:\windows\system32\atipdlxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-12-06 03:09 . 2011-12-06 03:09 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-12-06 03:09 . 2011-12-06 03:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-12-06 03:06 . 2011-12-06 03:06 6159872 ----a-w- c:\windows\system32\atidxx32.dll
2011-12-06 02:56 . 2011-12-06 02:56 19125760 ----a-w- c:\windows\system32\atioglxx.dll
2011-12-06 02:39 . 2011-12-06 02:39 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-12-06 02:34 . 2011-12-06 02:34 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-12-06 02:34 . 2011-12-06 02:34 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-12-06 02:33 . 2011-12-06 02:33 5919232 ----a-w- c:\windows\system32\atiumdag.dll
2011-12-06 02:29 . 2011-12-06 02:29 11484672 ----a-w- c:\windows\system32\aticaldd.dll
2011-12-06 02:28 . 2011-12-06 02:28 4206592 ----a-w- c:\windows\system32\atiumdva.dll
2011-12-06 02:18 . 2011-12-06 02:18 51200 ----a-w- c:\windows\system32\coinst.dll
2011-12-06 02:12 . 2011-12-06 02:12 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 33280 ----a-w- c:\windows\system32\atigktxx.dll
2011-12-06 02:11 . 2011-12-06 02:11 264192 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-12-06 02:11 . 2011-12-06 02:11 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2011-12-06 02:11 . 2011-12-06 02:11 29696 ----a-w- c:\windows\system32\atiu9pag.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\atimpc32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-12-05 20:04 . 2011-12-05 20:04 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-05 20:03 . 2011-12-05 20:03 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-05 20:03 . 2011-12-05 20:03 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-12-05 20:02 . 2011-12-05 20:02 44032 ----a-w- c:\windows\system32\OpenCL.dll
2012-01-29 15:55 . 2012-02-02 19:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 19:46 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-01-26 3462552]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"54129"="c:\progra~2\LOCALS~1\Temp\msuruzh.com" [2009-07-14 42656]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2012-02-02 685816]
R1 MpKslded30e9d;MpKslded30e9d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A0E63C6A-4F67-40DC-B828-E04914CAC5B1}\MpKslded30e9d.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-02 242240]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-06 163328]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2012-01-27 91936]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 9067008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 264192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
plscsi
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3549545748-2438407172-3875115488-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-02 17:26]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3549545748-2438407172-3875115488-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-02 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.eg/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9rp4903e.default\
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=206cdeca43b941bb99291237ff2157b7&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{91E24A22-4F46-E5C1-9522-CE2940F86582} - c:\windows\system32\jlrinlax.dll
HKCU-Run-Steam - d:\skyrim\Skyrim\Steam.exe
SafeBoot-36802418.sys
SafeBoot-48447865.sys
SafeBoot-63365364.sys
SafeBoot-81961895.sys
HKLM_ActiveSetup-{FBC2368E-BF02-AC48-7A8B-8AB8BDBBF9D3} - c:\windows\system32\config\systemprofile\AppData\Roaming\svchost.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.tdx]
"ImagePath"="\?"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3549545748-2438407172-3875115488-1000_Classes\CLSID\{47cd1e50-069a-46c2-9f08-3e55a980cad2}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000036
"Therad"=dword:00000017
.
[HKEY_USERS\S-1-5-21-3549545748-2438407172-3875115488-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):34,32,61,01,b1,61,b5,8c,9f,6e,16,e3,31,39,84,79,c4,47,a6,7b,13,
b2,a1,4e,03,e5,8f,cc,67,d9,81,51,8a,90,93,7c,7c,b8,c6,2a,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\mswsock.dll
mswsock.dll 75440000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-02-24 14:13:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 12:13
.
Pre-Run: 23,204,638,720 bytes free
Post-Run: 23,333,314,560 bytes free
.
- - End Of File - - 0E0BD682FDB933D3C03953F222BFB2A9
Thanks For Helping
2012-02-03 00:20 . 2012-02-11 11:06 -------- d-----w- c:\program files\BitTorrent
2012-02-02 23:08 . 2012-02-02 23:08 -------- d-----w- c:\program files\SystemRequirementsLab
2012-02-02 23:06 . 2012-02-02 23:06 -------- d-----w- c:\program files\Common Files\Java
2012-02-02 23:06 . 2012-02-02 23:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-02 23:06 . 2012-02-02 23:06 -------- d-----w- c:\program files\Java
2012-02-02 20:17 . 2012-02-02 20:17 -------- d-----w- c:\programdata\NFS Underground
2012-02-02 19:26 . 2012-02-02 19:26 -------- d-----w- c:\program files\Common Files\Steam
2012-02-02 19:21 . 2012-02-02 19:21 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-02 19:21 . 2012-02-02 19:21 -------- d-----w- c:\program files\DAEMON Tools Lite
2012-02-02 19:20 . 2012-02-02 19:21 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-02 19:03 . 2012-02-02 19:03 -------- d-----w- c:\program files\Internet Download Manager
2012-02-02 18:30 . 2012-02-02 18:32 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-02-02 18:23 . 2012-02-02 18:23 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-02 18:23 . 2010-04-09 07:24 1285000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-02-02 18:23 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-02 17:55 . 2012-02-05 14:53 -------- d-----w- c:\programdata\Ubisoft
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-----w- c:\users\UpdatusUser
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-sh--w- c:\users\NetworkService
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-sh--w- c:\users\LocalService
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-----w- c:\users\Default\AppData\Roaming\IObit
2012-02-02 17:29 . 2012-02-02 17:29 -------- d-----w- c:\users\Default\AppData\Local\{3248F0A6-6813-11D6-A77B-00B0D0150060}
2012-02-02 17:13 . 2012-02-02 17:13 -------- d-----w- c:\programdata\ATI
2012-02-02 17:13 . 2012-02-02 17:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2012-02-02 17:13 . 2012-02-02 17:13 0 ----a-w- c:\windows\ativpsrm.bin
2012-02-02 17:12 . 2012-02-02 17:12 -------- d-----w- c:\program files\AMD APP
2012-02-02 17:12 . 2012-02-02 17:12 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-02-02 17:10 . 2012-02-02 17:10 -------- d-----w- C:\AMD
2012-02-02 16:51 . 2006-10-26 17:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2012-02-02 16:51 . 2006-10-26 17:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2012-02-02 16:50 . 2012-02-02 16:50 -------- d-----w- c:\program files\Microsoft Works
2012-02-02 16:50 . 2012-02-03 22:31 -------- d-----w- c:\program files\Microsoft.NET
2012-02-02 16:50 . 2012-02-02 16:50 -------- d-----w- c:\windows\PCHEALTH
2012-02-02 16:49 . 2012-02-02 16:49 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-02 16:48 . 2012-02-02 16:51 -------- d-----w- c:\programdata\Microsoft Help
2012-02-02 16:48 . 2012-02-02 16:48 -------- d-----r- C:\MSOCache
2012-02-02 16:44 . 2012-02-02 16:44 -------- d-----w- c:\programdata\Yahoo!
2012-02-02 16:44 . 2012-02-02 16:44 -------- d-----w- c:\program files\Yahoo!
2012-02-02 16:41 . 2012-02-02 16:41 -------- d-----w- c:\program files\Common Files\Adobe
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\programdata\Apple Computer
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\windows\system32\Macromed
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\program files\Pure Codec
2012-02-02 16:29 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll
2012-02-02 16:29 . 2007-09-21 00:52 118784 ----a-w- c:\windows\system32\ac3acm.acm
2012-02-02 16:29 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2012-02-02 16:29 . 2009-04-02 13:21 84480 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-02 16:29 . 2012-02-02 16:29 -------- d-----w- c:\program files\K-Lite Codec Pack
2012-02-02 16:29 . 2004-01-11 22:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-02 16:28 . 2012-02-15 18:16 -------- d-sh--w- c:\windows\Installer
2012-02-02 16:27 . 2012-02-02 17:12 -------- d-----w- c:\program files\ATI Technologies
2012-02-02 16:27 . 2012-02-02 16:27 -------- d-----w- c:\program files\ATI
2012-02-02 16:27 . 2012-02-02 16:27 -------- d-----w- C:\swsetup
2012-02-02 16:17 . 2012-02-24 12:10 -------- d-----w- c:\windows\system32\wbem\Performance
2012-02-02 16:10 . 2012-02-24 12:09 -------- d-----w- c:\users\user
2012-01-26 13:42 . 2012-01-27 00:48 91936 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-24 12:04 . 2009-07-13 23:15 387584 ----a-w- c:\windows\system32\drivers\csc.sys
2012-02-24 09:09 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-24 09:03 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 17:33 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-31 12:44 . 2009-10-14 09:58 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-06 03:44 . 2011-12-06 03:44 9067008 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-12-06 03:17 . 2011-12-06 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-12-06 03:17 . 2011-12-06 03:17 778752 ----a-w- c:\windows\system32\aticfx32.dll
2011-12-06 03:12 . 2011-12-06 03:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-12-06 03:12 . 2011-12-06 03:12 404992 ----a-w- c:\windows\system32\atieclxx.exe
2011-12-06 03:11 . 2011-12-06 03:11 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2011-12-06 03:10 . 2011-12-06 03:10 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 360448 ----a-w- c:\windows\system32\atipdlxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-12-06 03:09 . 2011-12-06 03:09 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-12-06 03:09 . 2011-12-06 03:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-12-06 03:06 . 2011-12-06 03:06 6159872 ----a-w- c:\windows\system32\atidxx32.dll
2011-12-06 02:56 . 2011-12-06 02:56 19125760 ----a-w- c:\windows\system32\atioglxx.dll
2011-12-06 02:39 . 2011-12-06 02:39 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-12-06 02:34 . 2011-12-06 02:34 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-12-06 02:34 . 2011-12-06 02:34 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-12-06 02:33 . 2011-12-06 02:33 5919232 ----a-w- c:\windows\system32\atiumdag.dll
2011-12-06 02:29 . 2011-12-06 02:29 11484672 ----a-w- c:\windows\system32\aticaldd.dll
2011-12-06 02:28 . 2011-12-06 02:28 4206592 ----a-w- c:\windows\system32\atiumdva.dll
2011-12-06 02:18 . 2011-12-06 02:18 51200 ----a-w- c:\windows\system32\coinst.dll
2011-12-06 02:12 . 2011-12-06 02:12 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 33280 ----a-w- c:\windows\system32\atigktxx.dll
2011-12-06 02:11 . 2011-12-06 02:11 264192 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-12-06 02:11 . 2011-12-06 02:11 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2011-12-06 02:11 . 2011-12-06 02:11 29696 ----a-w- c:\windows\system32\atiu9pag.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\atimpc32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-12-05 20:04 . 2011-12-05 20:04 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-05 20:03 . 2011-12-05 20:03 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-05 20:03 . 2011-12-05 20:03 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-12-05 20:02 . 2011-12-05 20:02 44032 ----a-w- c:\windows\system32\OpenCL.dll
2012-01-29 15:55 . 2012-02-02 19:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 19:46 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-01-26 3462552]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"54129"="c:\progra~2\LOCALS~1\Temp\msuruzh.com" [2009-07-14 42656]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2012-02-02 685816]
R1 MpKslded30e9d;MpKslded30e9d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A0E63C6A-4F67-40DC-B828-E04914CAC5B1}\MpKslded30e9d.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-02 242240]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-06 163328]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2012-01-27 91936]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 9067008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 264192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
plscsi
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3549545748-2438407172-3875115488-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-02 17:26]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3549545748-2438407172-3875115488-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-02 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.eg/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9rp4903e.default\
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=206cdeca43b941bb99291237ff2157b7&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{91E24A22-4F46-E5C1-9522-CE2940F86582} - c:\windows\system32\jlrinlax.dll
HKCU-Run-Steam - d:\skyrim\Skyrim\Steam.exe
SafeBoot-36802418.sys
SafeBoot-48447865.sys
SafeBoot-63365364.sys
SafeBoot-81961895.sys
HKLM_ActiveSetup-{FBC2368E-BF02-AC48-7A8B-8AB8BDBBF9D3} - c:\windows\system32\config\systemprofile\AppData\Roaming\svchost.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.tdx]
"ImagePath"="\?"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3549545748-2438407172-3875115488-1000_Classes\CLSID\{47cd1e50-069a-46c2-9f08-3e55a980cad2}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000036
"Therad"=dword:00000017
.
[HKEY_USERS\S-1-5-21-3549545748-2438407172-3875115488-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):34,32,61,01,b1,61,b5,8c,9f,6e,16,e3,31,39,84,79,c4,47,a6,7b,13,
b2,a1,4e,03,e5,8f,cc,67,d9,81,51,8a,90,93,7c,7c,b8,c6,2a,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\mswsock.dll
mswsock.dll 75440000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-02-24 14:13:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 12:13
.
Pre-Run: 23,204,638,720 bytes free
Post-Run: 23,333,314,560 bytes free
.
- - End Of File - - 0E0BD682FDB933D3C03953F222BFB2A9
Thanks for helping
Renken
Feb 24, 2012 at 06:35 AM
I don't know why, but I can't post the log. Thanks a lot for helping.
Anonymous User
Feb 24, 2012 at 06:58 AM
Upload the log to
https://authentification.site
and post the link here
Hi Guys,
I am having the same problem. I have downloaded the utility from
http://download.bleepingcomputer.com/farbar/FSS.exe and the log is below.
Can anybody advise please?
Many Thanks,
Rod
Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 07-03-2012 at 16:42:03
Running from "D:\"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.
afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-03-18 11:57] - [2010-11-20 08:40] - 0338944 ____A () 2639EDA7B2D1B54AC99BDF35A4DDD151
C:\Windows\system32\Drivers\tdx.sys
[2011-03-18 11:57] - [2010-11-20 08:39] - 0074752 ____A () 8E38DC51666F97100024BF2B5B8DA437
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll
[2011-03-18 11:58] - [2010-11-20 12:18] - 0132608 ____N (Microsoft Corporation) 2FE30D71919C51131405797620E0A714
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Anonymous User
Mar 8, 2012 at 05:00 AM
Download
https://support.kaspersky.com/downloads/utils/tdsskiller.exe
Launch it. Click on Change parameters and select TDLFS file system.
Click on Scan. Please post the log report (the log file should be in your C drive).
Feb 24, 2012 at 03:29 AM
I scanned with TDSSKiller and it found a malware. Then I rebooted and scanned again, and it still found the same malware. So can you please tell me what to try now?
Thanks