Malwarebytes

Random Redirects and Strange Pop-up Window


7 replies to this topic

#1
Altorio

    New Member

  • Members
  • 6 posts
So yesterday while researching load cells for a DIY electronics project I somehow got infected with something that hid all my desktop and startup icons. I was able to clean the infection with Malwarebytes (so I thought) and unhide the icons. I used Unhide.exe and GooredFix. All seemed well last night but now this morning I am again getting random redirects and IE 8 seems a bit slow. I found my Windows Defender is turned off and it won't turn on. Also, every 20 minutes or so a dark blue window pops open with the command prompt in the title bar at the top and it says "Administrator". I've tried several fixes but to no avail. Things I've tried:

Combofix
CWShredder
Malwarebytes
Gooredfix
CCleaner - Used it to clean the registry and also to stop some start up programs that were eating memory and I didn't need them running all the time.
Roguecleaner (ran it but did not attempt to clean or fix anything)
aswMBR - Won't run. Click on it and get the small circle icon indicating it is busy, but then it stops and aswMBR never runs.
TDSSKiller - Also won't run, same issue as aswMBR.

I'll be gone for part of the day today so if I am a bit slow to respond that is why. Thank you for your assistance.

Here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Brent at 7:57:19 on 2012-03-25
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8160.6461 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\iRacing\iRacingService.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\SimracewayUpdater\SRWUpdate.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = Preserve
uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
mRun: [Reader Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun: [Live Update 5] C:\Program Files (x86)\MSI\Live Update 5\LU5.exe /reminder
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\Brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\Users\Brent\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{435FE150-C4AE-46FA-879C-27705E65D246} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4C7CD283-F217-4D84-B6F5-B622E423E351} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{658D6FB5-78DD-42CE-99BA-D384461D981C} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{698F4C70-A05E-4B52-9E83-CD6806E0FEB3} : DhcpNameServer = 192.168.0.1
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Shareaza Web Download Hook: {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO-X64: NetAssistant: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll
BHO-X64: NetAssistantBHO - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [Reader Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun-x64: [Live Update 5] C:\Program Files (x86)\MSI\Live Update 5\LU5.exe /reminder
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 iRacingService;iRacing.com Helper Service;C:\Program Files (x86)\iRacing\iRacingService.exe [2011-7-26 473768]
R2 Simraceway Update Service;Simraceway Update Service;C:\Program Files (x86)\SimracewayUpdater\SRWUpdate.exe [2012-2-10 405504]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 FanatecWheelFilterUsb;FanatecWheelFilterUsb;C:\Windows\system32\DRIVERS\FWFilterUsb.sys --> C:\Windows\system32\DRIVERS\FWFilterUsb.sys [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [2011-12-23 33592]
R3 NTIOLib_1_0_4;NTIOLib_1_0_4;C:\Program Files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [2011-12-23 14136]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-11-9 79360]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\system32\Drivers\EtronHub3.sys --> C:\Windows\system32\Drivers\EtronHub3.sys [?]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\system32\Drivers\EtronXHCI.sys --> C:\Windows\system32\Drivers\EtronXHCI.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-2-11 135584]
S3 iDispService;iDispService;C:\Windows\system32\DRIVERS\idisplayminiport.sys --> C:\Windows\system32\DRIVERS\idisplayminiport.sys [?]
S3 JmtFltr;n52te;C:\Windows\system32\drivers\JmtFltr.sys --> C:\Windows\system32\drivers\JmtFltr.sys [?]
S3 LADF_BakerCOnly;BakerC Filter Driver;C:\Windows\system32\DRIVERS\ladfBakerCamd64.sys --> C:\Windows\system32\DRIVERS\ladfBakerCamd64.sys [?]
S3 LADF_BakerROnly;BakerR Filter Driver;C:\Windows\system32\DRIVERS\ladfBakerRamd64.sys --> C:\Windows\system32\DRIVERS\ladfBakerRamd64.sys [?]
S3 NTIOLib_1_0_6;NTIOLib_1_0_6;C:\Program Files (x86)\Setup Files\Ms7681v1G0\NTIOLib_X64.sys [2011-1-6 11888]
S3 SaiH0762;SaiH0762;C:\Windows\system32\DRIVERS\SaiH0762.sys --> C:\Windows\system32\DRIVERS\SaiH0762.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 VJoystick;Virtual JoyStick KMDF HID Minidriver;C:\Windows\system32\DRIVERS\VJoystick.sys --> C:\Windows\system32\DRIVERS\VJoystick.sys [?]
S3 VKbms;Virtual HID Minidriver;C:\Windows\system32\DRIVERS\VKbms.sys --> C:\Windows\system32\DRIVERS\VKbms.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-25 14:29:35 -------- d-----w- C:\ComboFix
2012-03-25 04:49:19 -------- d-----w- C:\Program Files\CCleaner
2012-03-24 21:03:58 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-23 11:38:31 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FED5FB29-A476-4B77-B113-F670D6C23545}\mpengine.dll
2012-03-14 10:01:59 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 10:01:59 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:01:59 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 05:42:35 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 05:42:34 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 05:42:34 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 05:42:23 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 05:42:23 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 05:42:23 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 05:42:18 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 05:42:18 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 05:42:18 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 05:42:18 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-07 17:43:29 -------- d-----w- C:\Users\Brent\AppData\Local\SimCommander3
2012-03-07 06:21:01 -------- d-----w- C:\Users\Brent\AppData\Local\SimXperience
2012-03-07 06:16:45 -------- d-----w- C:\Users\Brent\AppData\Roaming\SimXperience
2012-03-07 06:16:33 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
2012-03-07 06:16:31 -------- d-----w- C:\Program Files (x86)\SimXperience
2012-03-07 06:12:03 -------- d-----w- C:\Users\Brent\AppData\Local\AuthenticatedWpfApp
2012-03-07 06:07:30 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2012-03-07 06:07:29 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2012-03-07 06:07:26 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2012-03-07 06:07:26 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-03-06 20:42:38 -------- d-----w- C:\Program Files (x86)\NoLimits Coasters v1.8
2012-03-04 22:30:20 162664 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-04 04:42:49 20688 ----a-w- C:\Windows\System32\idisplay.dll
2012-03-04 04:42:49 15568 ----a-w- C:\Windows\System32\drivers\idisplayminiport.sys
2012-03-04 04:42:49 -------- d-----w- C:\Users\Brent\AppData\Roaming\SHAPE Services
2012-02-29 01:09:05 -------- d-----w- C:\Users\Brent\AppData\Roaming\.rFactor
2012-02-29 01:01:59 -------- d-----w- C:\Program Files (x86)\rFactor2
2012-02-29 00:33:37 -------- d-----w- C:\Users\Brent\AppData\Local\ShiftTone
.
==================== Find3M ====================
.
2012-03-24 21:02:51 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-23 16:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 8:04:24.53 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/24/2011 4:01:34 AM
System Uptime: 3/25/2012 7:44:59 AM (1 hours ago)
.
Motherboard: MSI | | P67A-GD65 (MS-7681)
Processor: Intel® Core™ i5-2500K CPU @ 3.30GHz | SOCKET 0 | 3292/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 115.419 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\FFFFFFFFFFFFFFFF00
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\FFFFFFFFFFFFFFFF00
Service:
.
Class GUID:
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\4&9154DF2&0&FFFFFFFFFFFFFFFF00
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_76811462&REV_04\4&9154DF2&0&FFFFFFFFFFFFFFFF00
Service:
.
==== System Restore Points ===================
.
RP222: 3/3/2012 8:47:23 PM - Device Driver Package Install: SHAPE Services Display adapters
RP223: 3/3/2012 9:10:19 PM - Removed Bonjour
RP224: 3/6/2012 6:29:56 AM - Windows Update
RP225: 3/13/2012 1:05:06 AM - Windows Update
RP226: 3/14/2012 3:00:10 AM - Windows Update
RP227: 3/18/2012 11:06:20 AM - Installed Fanatec Wheel
RP228: 3/20/2012 4:16:25 AM - Windows Update
RP229: 3/23/2012 4:38:09 AM - Windows Update
RP230: 3/24/2012 2:02:14 PM - Installed Java™ 6 Update 31
RP231: 3/24/2012 2:03:28 PM - Installed Java™ 6 Update 31 (64-bit)
RP232: 3/24/2012 10:47:28 PM - Removed Java™ 6 Update 31
.
==== Installed Programs ======================
.
3DMark 11
7-Zip 9.20
Adobe AIR
Adobe Digital Editions
Adobe Reader X (10.1.2)
Advanced Combat Tracker (remove only)
Age of Conan - Hyborian Adventures
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Colin McRae Rally 2005
Compatibility Pack for the 2007 Office system
DiRT2
erLT
ERUNT 1.1j
Etron USB3.0 Host Controller
EVE Online (remove only)
EverQuest II
Freeze.com NetAssistant
Futuremark SystemInfo
Geeks3D.com FurMark 1.9.2
GIMP 2.6.10
Hid FootSwitch V4.0
Host OpenAL
HydraVision
iRacing.com Race Simulation
iRSetupManager
iSpeed 3.1.1.0
Jimmie Johnson Spotter Pack v5.10
Live Update 5
Malwarebytes' Anti-Malware version 1.51.2.1300
merhaut.co.at telemetry app
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Converter Pack
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Organization Chart 2.0
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Need for Speed™ Hot Pursuit
NetAssistant
NoLimits Coasters 1.8 (remove only)
NoLimits Coasters Demo 1.8 (remove only)
OpenAL
Origin
PDFCreator
Rapture3D 2.3.22 Game
Reader Library by Sony
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
rFactor2
RIFT
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Shareaza 2.5.4.0
Shockwave
SimDash
Simraceway 0.28.57
SimXperience Commander for X-Sim Beta
SIW version 2010.07.14
Sound Blaster X-Fi
Star Wars: The Old Republic
Team MPR Pit Commander
Team MPR Setup Analyzer
TradingPaints Downloader
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
X-Sim Installer Version 2.0.8.9b beta
.
==== Event Viewer Messages From Past Week ========
.
3/25/2012 8:00:45 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
3/25/2012 7:46:19 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
3/25/2012 7:45:38 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: hwinterface
3/25/2012 7:44:59 AM, Error: Application Popup [56] - Driver PCI returned invalid ID for a child device (FFFFFFFFFFFFFFFF00).
3/25/2012 7:41:59 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2012 7:41:57 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2012 7:41:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/25/2012 7:41:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
3/25/2012 7:41:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/25/2012 7:41:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
3/25/2012 7:41:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache hwinterface spldr Wanarpv6
3/25/2012 6:58:39 AM, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
3/24/2012 10:26:16 AM, Error: Service Control Manager [7000] - The AMD FUEL Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================


RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Brent [Admin rights]
Mode: Scan -- Date: 03/25/2012 07:13:20
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 13 ¤¤¤
[SUSP PATH] {3A48ADC5-9290-4E9F-81AD-6A830AF983E8}.job @ : C:\Users\Brent\Desktop\KeyboardOptimizer.exe -> FOUND
[SUSP PATH] {C5D78C36-881D-4D71-914A-318697BA3168}.job @ : C:\Users\Brent\Desktop\KeyboardOptimizer.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD3200AAKS-00L9A0 ATA Device +++++
--- User ---
[MBR] 92685b4bfaadb2ba1fe8cb51ab551937
[BSP] c77f9df55b86806ca102ead22684e851 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305235 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7ad6c4ea83cf9e061a11ea04104ce9ef
[BSP] c77f9df55b86806ca102ead22684e851 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305235 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo
Finished : << RKreport[1].txt >>
RKreport[1].txt

#2
CatByte

    Elite Member

  • Moderators
  • 1,064 posts
  • Gender:Female
  • Location:Canada
Hi

Please run the following:

Please download Listparts64

  • Run the tool
  • Check the "list BCD" box
  • Click "Scan" and post the log (Result.txt) it makes.


#3
Altorio

    New Member

  • Members
  • 6 posts
Here's the log. Thanks for your help.


========================= Memory info ======================
Percentage of memory in use: 35%
Total physical RAM: 8159.92 MB
Available physical RAM: 5278.7 MB
Total Pagefile: 16318.04 MB
Available Pagefile: 12878.7 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:298.08 GB) (Free:118.43 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (SimXperienceV1.2) (CDROM) (Total:0.24 GB) (Free:0 GB) UDF
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 6144 KB
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB
Partition 2 Primary 2543 KB 298 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 298 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
======================================================================================================
The boot configuration data store could not be opened.
The system cannot find the file specified.

****** End Of Log ******

#4
CatByte

    Elite Member

  • Moderators
  • 1,064 posts
  • Gender:Female
  • Location:Canada
Hi,

You may have the newest variant of TDL4 that hides a partition on your hard drive.

I need to unhide the partition to see exactly what it is; if it was created by malware, then we will need to delete it.


It is always a good idea to backup your data, as suggested here


You will need a USB flash drive for this next procedure:

Save ListParts64.exe (which should still be on the Desktop) to the USB flash drive.

Next, open Notepad (Press 'Start' orb 'R', and in the search box, type: notepad)

Copy/paste the following information inside the code box to Notepad:

Disk=0 Partition=2 type=07


In Notepad, go to File > Save as...
Save to: the USB flash drive
In File name use: fix.txt
Click: Save


Now, save the fix.txt file onto the USB flash drive, so that you have both ListParts64.exe, and, fix.txt on it.


Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)
On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Scan your computer's memory for errors.
  • Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor, type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • With the flash drive and Notepad open, click the Command window
  • Type e:\listparts64.exe, and press: Enter
    Note: Replace the drive letter e with the drive letter of your flash drive!
  • ListParts64 now shows on the screen.
  • Press the Fix button.
  • When the fix is done, check the List BCD option on the ListParts64 screen, and click: Scan
  • If successful, the following appears: "Scan completed. Result.txt was saved in the same directory the tool is run.", click: OK
  • The program saves the Result.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Close out of everything else.
  • Back at the System Recovery Options, press: Restart, and boot normally into Windows.

Once back in Windows, open the USB flash drive, copy/paste the Result.txt that was run during the procedure above, and provide it in your reply.


Then, run a new Scan with ListParts64 in normal Windows, and also post the new Result.txt in your reply.


If you encounter any obstacles, go to your other computer and post what is happening, any error messages, etc., so we can work out the issue.

#5
Altorio

    New Member

  • Members
  • Pip
  • 6 posts
Thanks very much for your help. Unfortunately I think I may have to resort to a full re-format and install of Win7. At this point it won't even let me use the "Repair your Computer" option. When I select that I get a screen that says "Windows is loading files..." and nothing ever loads anything. It just sits there "forever". First time I've ever run into a Malware that I have not been able to fix. Bummer but it's probably time I reformat anyway since it's been a few years. But I do hate letting the bad guys win! :)

#6
CatByte

    Elite Member

  • Moderators
  • PipPipPipPipPip
  • 1,064 posts
  • Gender:Female
  • Location:Canada
Well, we could try a different approach.

Try this:

Download GETxPUD.exe to the desktop of your clean computer
Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
 
Now prepare a USB stick
Download tdl_fix.sh and save it to the USB flash drive.
Remove the USB & CD and insert them into the infected computer
Boot the infected computer with the CD
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A Welcome to xPUD screen will appear, choose your language and allow it to load
Once loaded, Press the File tab
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh then press Enter.
Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 1 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.
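Both the ListParts64 fix in post #4 (the `Disk=0 Partition=2 type=07` line, which restores a partition's type byte to NTFS) and the tdl_fix.sh step in post #6 (choosing which partition to mark active) are edits to the 64-byte partition table at the end of the MBR sector. The script below is an added illustration, not code from the thread or from either tool: it parses a constructed 512-byte MBR, flags the two conditions those steps repair, and applies both edits in memory. The sample sector, the 0x17 type byte on partition 2 and the anomaly rules are my assumptions.

```python
import struct
MBR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16
NTFS = 0x07  # the type byte the forum fix line (type=07) restores

def parse_mbr(mbr):
    """Return the four primary partition entries of a 512-byte MBR sector."""
    if len(mbr) != MBR_SIZE or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # byte 0 boot flag, byte 4 type, bytes 8-11 start LBA, 12-15 length
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i + 1, "boot": boot, "type": ptype, "start_lba": lba, "sectors": count})
    return entries

def anomalies(entries):
    """Flag what the ListParts64 and tdl_fix.sh steps repair (rules are my assumption)."""
    issues = []
    for e in entries:
        if e["type"] == 0:
            continue  # empty slot
        if e["type"] != NTFS:
            issues.append(f"partition {e['index']}: type {e['type']:#04x}, not NTFS 0x07")
    if not any(e["boot"] == 0x80 for e in entries):
        issues.append("no partition is marked active")
    return issues

def set_type(mbr, index, ptype):
    """Rewrite one entry's type byte, i.e. the 'Disk=0 Partition=2 type=07' fix."""
    buf = bytearray(mbr)
    buf[TABLE_OFFSET + (index - 1) * ENTRY_SIZE + 4] = ptype
    return bytes(buf)

def set_active(mbr, index):
    """Mark exactly one partition active, the choice tdl_fix.sh prompts for."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + i * ENTRY_SIZE] = 0x80 if i == index - 1 else 0x00
    return bytes(buf)

def sample_mbr():
    """Constructed sector: partition 1 is plain NTFS, partition 2's type byte was
    changed to 0x17 ('hidden NTFS'), and no partition carries the active flag."""
    buf = bytearray(MBR_SIZE)
    struct.pack_into("<B3xB3xII", buf, TABLE_OFFSET, 0x00, NTFS, 2048, 204800)
    struct.pack_into("<B3xB3xII", buf, TABLE_OFFSET + ENTRY_SIZE, 0x00, 0x17, 206848, 409600)
    buf[510:] = b"\x55\xaa"
    return bytes(buf)
```

On a real machine the sector is the first 512 bytes of the disk, read from the offline environment the thread describes; compare `anomalies(parse_mbr(...))` before and after the tools run rather than writing the sector back yourself.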

#7
CatByte

    Elite Member

  • Moderators
  • PipPipPipPipPip
  • 1,064 posts
  • Gender:Female
  • Location:Canada
Do you still need help with your machine?

#8
LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 20,117 posts
  • Gender:Male
  • Location:Missouri, USA
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Larry Tate
Consumer Support Specialist
