Author Topic: [Inactive] Trojan-Downloader.BAT Infection And Strange Behavior  (Read 3779 times)


Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #30 on: July 01, 2012, 12:39:48 PM »
Running ComboFix now, but after the FRST64 restart I've got new user profiles (plus mine, 3 in total now) and 2 strange processes running without a user name or a description. Once ComboFix is done, I will post both logs. Thank you so much, Kevin, for your continuous support.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #31 on: July 01, 2012, 12:43:36 PM »
OK, let's see how you get on, see what the CF log shows us...

Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #32 on: July 01, 2012, 01:03:27 PM »
ComboFix Log

ComboFix 12-07-01.03 - CurrentLoggedUser 07/01/2012  20:36:39.5.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.4060.2630 [GMT 2:00]
Running from: c:\users\CurrentLoggedUser\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\DEBUG.log
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-01 to 2012-07-01  )))))))))))))))))))))))))))))))
.
.
2012-07-01 18:46 . 2012-07-01 18:46   --------   d-----w-   c:\users\DefaultAppPool\AppData\Local\temp
2012-07-01 18:46 . 2012-07-01 18:46   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-07-01 18:46 . 2012-07-01 18:46   --------   d-----w-   c:\users\Classic .NET AppPool\AppData\Local\temp
2012-07-01 18:46 . 2012-07-01 18:46   --------   d-----w-   c:\users\Administrator\AppData\Local\temp
2012-07-01 06:44 . 2009-07-14 01:38   31232   ----a-w-   c:\windows\system32\wbem\we.exe
2012-07-01 06:20 . 2012-07-01 06:20   --------   d-----w-   C:\FRST
2012-07-01 01:15 . 2012-07-01 01:15   --------   d-----w-   c:\program files (x86)\ESET
2012-07-01 00:54 . 2012-05-30 19:04   9013136   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3797643E-DDBE-4C15-AC55-782EF48EE7AF}\mpengine.dll
2012-06-30 21:54 . 2012-06-30 21:54   --------   d-----w-   C:\_OTM
2012-06-30 14:17 . 2012-05-30 19:04   9013136   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-29 21:41 . 2012-06-29 21:41   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-29 21:41 . 2012-04-04 13:56   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-06-29 18:42 . 2012-06-29 18:42   --------   d-----w-   c:\users\CurrentLoggedUser\AppData\Local\Diagnostics
2012-06-27 22:33 . 2012-06-27 22:33   --------   d-----w-   c:\users\CurrentLoggedUser\AppData\Local\bdch
2012-06-25 18:19 . 2012-06-25 18:19   --------   d-----w-   c:\programdata\BDLogging
2012-06-25 18:00 . 2012-06-25 18:00   --------   d-----w-   c:\users\CurrentLoggedUser\AppData\Roaming\QuickScan
2012-06-25 17:59 . 2012-06-28 23:14   --------   d-----w-   c:\program files\Bitdefender
2012-06-25 17:56 . 2012-06-28 23:12   --------   d-----w-   c:\program files\Common Files\Bitdefender
2012-06-24 21:23 . 2012-06-25 16:46   --------   d-----w-   c:\users\CurrentLoggedUser\AppData\Roaming\TeraCopy
2012-06-24 21:23 . 2012-06-24 21:23   --------   d-----w-   c:\program files\TeraCopy
2012-06-24 18:53 . 2012-06-24 18:53   --------   d-----w-   c:\program files\Speccy
2012-06-24 13:43 . 2012-06-24 13:43   927800   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{48AFA614-34E3-4140-A84D-A69D739C682B}\gapaengine.dll
2012-06-24 13:36 . 2012-06-24 13:36   --------   d-----w-   c:\program files (x86)\Microsoft Security Client
2012-06-24 13:36 . 2012-06-24 13:36   --------   d-----w-   c:\program files\Microsoft Security Client
2012-06-23 11:16 . 2012-05-31 04:04   9013136   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CB7C1C4-E497-47E6-B80D-41520695542A}\mpengine.dll
2012-06-22 09:25 . 2012-06-02 22:19   2428952   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-22 09:25 . 2012-06-02 22:19   57880   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-22 09:25 . 2012-06-02 22:19   44056   ----a-w-   c:\windows\system32\wups2.dll
2012-06-22 09:25 . 2012-06-02 22:15   2622464   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-22 09:25 . 2012-06-02 22:19   38424   ----a-w-   c:\windows\system32\wups.dll
2012-06-22 09:25 . 2012-06-02 22:19   701976   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-22 09:25 . 2012-06-02 22:15   99840   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-22 09:25 . 2012-06-02 13:19   186752   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-22 09:25 . 2012-06-02 13:15   36864   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-21 17:41 . 2012-06-21 17:41   388096   ----a-r-   c:\users\CurrentLoggedUser\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-15 18:53 . 2012-05-04 11:00   366592   ----a-w-   c:\windows\system32\qdvd.dll
2012-06-15 18:53 . 2012-05-04 09:59   514560   ----a-w-   c:\windows\SysWow64\qdvd.dll
2012-06-13 07:52 . 2012-04-26 05:41   77312   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-06-04 23:24 . 2012-06-04 23:24   --------   d-----w-   c:\users\CurrentLoggedUser\AppData\Local\HP
2012-06-03 20:26 . 2012-06-03 20:26   --------   d-----w-   c:\program files (x86)\Enigma Software Group
2012-06-03 20:24 . 2012-06-03 20:24   --------   d-----w-   c:\program files (x86)\Common Files\Wise Installation Wizard
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 09:57 . 2012-04-01 11:59   426184   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-14 09:57 . 2011-06-20 22:27   70344   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-29 19:25 . 2012-05-29 19:25   163048   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-04 23:05 . 2012-04-01 21:04   8744608   ----a-w-   c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-06-30_22.39.16   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-06-25 17:50   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-07-01 01:08   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-06-30 23:42 . 2012-07-01 01:08   32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-25 17:50   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-01 01:08   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-06-19 00:57 . 2012-07-01 18:31   56762              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-01 18:31   43874              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-06-19 00:43 . 2012-07-01 18:31   18912              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-585945097-3421227394-3996423335-1000_UserData.bin
+ 2009-07-14 04:46 . 2012-07-01 01:16   88000              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2012-06-30 22:37 . 2012-06-30 22:37   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-01 17:53 . 2012-07-01 17:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-30 22:37 . 2012-06-30 22:37   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-01 17:53 . 2012-07-01 17:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-06-30 22:36   481704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-01 17:50   481704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:45 . 2012-06-17 10:48   6029895              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2012-07-01 01:00   6029895              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-06-26 00:28 . 2012-07-01 17:50   1995100              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-585945097-3421227394-3996423335-1000-8192.dat
- 2009-07-14 02:34 . 2012-06-14 01:30   11010048              c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-07-01 00:56   11010048              c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-06-19 08:29 . 2012-07-01 00:56   29223951              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-585945097-3421227394-3996423335-1000-12288.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Facebook Update"="c:\users\CurrentLoggedUser\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-04-10 137536]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"uTorrent"="e:\utorrent\uTorrent.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
.
c:\users\CurrentLoggedUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\CurrentLoggedUser\AppData\Local\Facebook\Messenger\2.1.4554.0\FacebookMessenger.exe [2012-6-20 209920]
No-IP DUC.lnk - c:\program files (x86)\No-IP\DUC30.exe [2010-6-18 1423520]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-1-21 243072]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys

R3 GGSAFERDriver;GGSAFER Driver;d:\games\Garena\safedrv.sys

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 51445112]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-03-25 13664]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 146736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys

R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-18 68440]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-19 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-22 311144]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-22 431464]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-06-19 834544]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddskx64.sys [2009-02-12 26024]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 224048]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 130864]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2011-03-25 198496]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
S2 VisualSVNServer;VisualSVN Server;c:\program files (x86)\VisualSVN Server\bin\VisualSVNServer.exe [2011-06-01 24424]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-02-09 325664]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 165680]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs   REG_MULTI_SZ      w3svc was
apphost   REG_MULTI_SZ      apphostsvc
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{7E6FA2FF-CC41-4145-9C06-19C1F78DF855}]
2009-06-23 12:35   16624   ------w-   c:\program files (x86)\Microsoft\Microsoft Maren\Bin\reg.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000Core.job
- c:\users\CurrentLoggedUser\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-10 22:26]
.
2012-07-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000UA.job
- c:\users\CurrentLoggedUser\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-10 22:26]
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000Core.job
- c:\users\CurrentLoggedUser\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-04 20:03]
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000UA.job
- c:\users\CurrentLoggedUser\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-04 20:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-25 10081312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
TCP: Interfaces\{F8C25F73-90E4-470D-8D22-179E24BB5F21}: NameServer = 163.121.128.134,163.121.128.135
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-585945097-3421227394-3996423335-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-585945097-3421227394-3996423335-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\*—&]
"D3CE3EEB19C0E3A44AC267433D92864F"="22:\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQL.3\\Setup\\RSVirtualRootServerPath"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-01  20:58:20
ComboFix-quarantined-files.txt  2012-07-01 18:58
ComboFix2.txt  2012-06-30 23:48
ComboFix3.txt  2012-06-30 22:59
ComboFix4.txt  2012-06-18 17:59
.
Pre-Run: 49,124,347,904 bytes free
.
- - End Of File - - 9503A4E34D1855AFA6EB2244D97974C2



FRST log

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 30-06-2012 04
Ran by SYSTEM at 2012-07-01 19:52:12 Run:1
Running from G:\

==============================================

gzqrcddiut service deleted successfully.
C:\Windows\system32\hex007.exe moved successfully.
qlrzjpxiog service deleted successfully.
C:\Windows\system32\hex007.exe not found.
bdselfpr service deleted successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{9E2ED6F2-DD35-4039-8B95-C601D1E717FD} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{7D0B537B-D37C-46F7-B1CB-A841B292ECA0} moved successfully.
C:\hex007.exe moved successfully.
C:\Windows\System32\hex007.exe not found.
C:\zy007.exe moved successfully.
C:\Windows\System32\zy007.exe moved successfully.
C:\xp007.exe moved successfully.
C:\Windows\System32\xp007.exe moved successfully.
C:\Windows\System32\p.exe moved successfully.
C:\Windows\System32\ws.exe moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{F492182C-A698-4F1A-B1B1-597E2EBD3CA3} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{E07F1FA9-22AD-4927-A25B-0B02711BC027} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{5F46A3D2-BE2F-4817-9872-7CD7DD9E09C9} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{AB5F28DD-0365-4F4F-B963-767EB623740A} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{390440EF-BB74-461C-9900-D4847FA576D7} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{233990CD-A1E2-4DA0-AEE4-F22F95E35185} moved successfully.
C:\Users\CurrentLoggedUser\AppData\Local\{85DF0DC0-640F-45B9-9519-FDA91851B74A} moved successfully.

==== End of Fixlog ====

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #33 on: July 01, 2012, 01:40:37 PM »
Upload to VirusTotal:

Please visit VirusTotal

  • Click the Browse... button
  • Navigate to the file c:\windows\system32\wbem\we.exe or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Kevin
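A VirusTotal lookup does not strictly need the upload to go through: the file's hash alone can be pasted into VirusTotal's search box to find existing reports. The Python script below is an added example, not part of this thread or of any tool mentioned in it. It computes MD5, SHA-1 and SHA-256 for a file, reports whether the hidden or system attribute is set (one reason a file can show in Explorer but not in a file picker), and rewrites a System32 path through the Sysnative alias, which lets a 32-bit program reach the real 64-bit System32 instead of the SysWOW64 copy it is otherwise redirected to. The function names, the assumption that the uploading program is 32-bit, and the constructed 3-byte sample file are the example's own; the path c:\windows\system32\wbem\we.exe is the one from the ComboFix log above.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict

ALGOS = ("md5", "sha1", "sha256")


def hashes_of_bytes(data: bytes) -> Dict[str, str]:
    """Digests of in-memory content; any of the three can be pasted into VirusTotal's search box."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hashes_of_file(path: str) -> Dict[str, str]:
    """Same digests for a file on disk, read in chunks so large binaries need not fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sysnative_path(path: str) -> str:
    r"""Rewrite ...\Windows\System32\... as ...\Windows\Sysnative\...

    On 64-bit Windows a 32-bit process that opens System32 is silently redirected
    to SysWOW64; the Sysnative alias bypasses that redirection, so a 32-bit file
    picker can reach the real file. Assumption (example's own): the program doing
    the upload is 32-bit. Paths without a System32 component are returned unchanged."""
    marker = "\\windows\\system32\\"
    idx = path.lower().find(marker)
    if idx == -1:
        return path
    return path[:idx] + "\\Windows\\Sysnative\\" + path[idx + len(marker):]


def describe(path: str) -> Dict[str, object]:
    """Size, hidden/system attributes (Windows only; reported False elsewhere) and digests."""
    st = os.stat(path)
    info: Dict[str, object] = {"size": st.st_size, "hidden": False, "system": False}
    attrs = getattr(st, "st_file_attributes", None)  # attribute exists only on Windows
    if attrs is not None:
        info["hidden"] = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        info["system"] = bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)
    info.update(hashes_of_file(path))
    return info


def demo() -> Dict[str, object]:
    """Run describe() on a constructed 3-byte file so the example runs without the real we.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "we.exe")  # constructed sample, not the file from the log
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        return describe(sample)


if __name__ == "__main__":
    suspect = r"c:\windows\system32\wbem\we.exe"  # path reported by ComboFix in this thread
    print("open this path from a 32-bit tool:", sysnative_path(suspect))
    for key, value in demo().items():
        print(f"{key:>8}: {value}")
```

On the affected machine the practical use is `describe(r"c:\windows\system32\wbem\we.exe")` (or the Sysnative form of that path from a 32-bit Python), then searching VirusTotal for the SHA-256; if a report already exists, the upload step is not needed at all.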



Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #34 on: July 01, 2012, 01:45:50 PM »
Kevin, the file We.exe does not exist.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #35 on: July 01, 2012, 02:13:44 PM »
Shows up bold as brass in the ComboFix log?

2012-07-01 06:44 . 2009-07-14 01:38   31232   ----a-w-   c:\windows\system32\wbem\we.exe

Read here http://www.prevx.com/filenames/156894073469133825-X1/WE.EXE.html
« Last Edit: July 01, 2012, 02:39:53 PM by kevinf80 »
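Kevin's find above comes from reading the ComboFix "Files Created" listing by hand. As an added example, not part of this thread or of ComboFix itself, here is a small Python parser for that listing with two review heuristics: an executable written into a Windows system directory, and a last-modified timestamp that predates the file's creation by more than a year. The we.exe entry trips both: it was created on 2012-07-01 but carries a 2009-07-14 modified stamp, the same date the original Windows 7 files on this machine show in the SnapShot section of the log. Legitimate update files also land in System32 with older build timestamps (the wuaueng.dll entry is one), so the output is a list to review, not a verdict. The sample lines are copied from the log above; function names and thresholds are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One line of ComboFix's "Files Created" / "Find3M" sections looks like:
#   <created> . <modified>   <size or -------->   <attrs>   <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-zA-Z]{8})\s+(?P<path>.+?)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Review thresholds: the example's own choices, not ComboFix settings.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")
GAP_DAYS = 365


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories ("--------" in the log)
    attrs: str           # e.g. "d-----w-" or "----a-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], TS_FMT),
        modified=datetime.strptime(m["modified"], TS_FMT),
        size=size, attrs=m["attrs"], path=m["path"],
    )


def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    path = entry.path.lower()
    if path.endswith(EXEC_EXT) and path.startswith(SYSTEM_DIRS):
        reasons.append("executable created inside a Windows system directory")
    gap = (entry.created - entry.modified).days
    if gap > GAP_DAYS:
        reasons.append(f"last-modified timestamp predates creation by {gap} days "
                       "(old build, copied file, or timestomped)")
    return reasons


def review(log_text: str) -> List[Tuple[str, List[str]]]:
    """Parse a ComboFix listing and return (path, reasons) for flagged entries, in log order."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


# Sample lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2012-07-01 18:46 . 2012-07-01 18:46   --------   d-----w-   c:\users\Classic .NET AppPool\AppData\Local\temp
2012-07-01 06:44 . 2009-07-14 01:38   31232   ----a-w-   c:\windows\system32\wbem\we.exe
2012-07-01 06:20 . 2012-07-01 06:20   --------   d-----w-   C:\FRST
2012-06-29 21:41 . 2012-04-04 13:56   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-06-22 09:25 . 2012-06-02 22:19   2428952   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-21 17:41 . 2012-06-21 17:41   388096   ----a-r-   c:\users\CurrentLoggedUser\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
"""

if __name__ == "__main__":
    for path, reasons in review(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Feeding the whole ComboFix log to `review()` is fine: section headers and the dotted spacer lines simply fail to parse and are skipped. The mbam.sys and wuaueng.dll hits show why the second heuristic matters: all three files sit in System32, but only we.exe also carries a timestamp three years older than its creation.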

Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #36 on: July 01, 2012, 05:02:19 PM »
Kevin, when I went to this location "C:\Windows\System32\wbem" I found the We.exe, but when I try to browse for it I can't see it under C:\Windows\System32\wbem.
Any advice?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #37 on: July 01, 2012, 05:15:47 PM »
Can you left-click on the file and hold the mouse button down, then drag and drop the file into the recycle bin?

Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #38 on: July 01, 2012, 05:17:48 PM »
Done, it's in the recycle bin now.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #39 on: July 01, 2012, 05:24:18 PM »
Can you run FRST one more time and post the new log?

Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #40 on: July 01, 2012, 05:25:50 PM »
Right away :)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #41 on: July 01, 2012, 05:30:21 PM »
OK, I'm not stopping up much longer tonight, got an early start tomorrow....

Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #42 on: July 01, 2012, 05:35:20 PM »
Kevin, thank you so much, really, really much appreciated.

Scan result of Farbar Recovery Scan Tool Version: 30-06-2012 04
Ran by SYSTEM at 02-07-2012 01:26:47
Running from G:\
Windows 7 Ultimate   (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10081312 2010-02-25] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [446392 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin [1073312 2012-03-09] (Adobe Systems Incorporated)
HKU\CurrentLoggedUser\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
HKU\CurrentLoggedUser\...\Run: [Facebook Update] "C:\Users\CurrentLoggedUser\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [137536 2012-04-10] (Facebook Inc.)
HKU\CurrentLoggedUser\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2012-02-23] (Apple Inc.)
HKU\CurrentLoggedUser\...\Run: [uTorrent] "E:\uTorrent\uTorrent.exe"  /MINIMIZED

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\..\Interfaces\{F8C25F73-90E4-470D-8D22-179E24BB5F21}: [NameServer]163.121.128.134,163.121.128.135
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\CurrentLoggedUser\Start Menu\Programs\Startup\Facebook Messenger.lnk
ShortcutTarget: Facebook Messenger.lnk ->  (No File)
Startup: C:\Users\CurrentLoggedUser\Start Menu\Programs\Startup\No-IP DUC.lnk
ShortcutTarget: No-IP DUC.lnk -> C:\Program Files (x86)\No-IP\DUC30.exe ()
Startup: C:\Users\CurrentLoggedUser\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Classic .NET AppPool\Start Menu\Programs\Startup\Uninstall LastPass RunOnce.lnk
ShortcutTarget: Uninstall LastPass RunOnce.lnk -> C:\Users\Classic .NET AppPool\AppData\Roaming\lpuninstall.exe (No File)
Startup: C:\Users\DefaultAppPool\Start Menu\Programs\Startup\Uninstall LastPass RunOnce.lnk
ShortcutTarget: Uninstall LastPass RunOnce.lnk -> C:\Users\DefaultAppPool\AppData\Roaming\lpuninstall.exe (No File)

==================== Services (Whitelisted) ======

2 AppHostSvc; C:\Windows\SysWow64\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2011-01-26] (Microsoft Corporation)
2 Irmon; C:\Windows\System32\irmon.dll [23552 2009-07-13] (Microsoft Corporation)
2 MsDtsServer; "C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [198496 2011-03-25] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [58345832 2011-09-22] (Microsoft Corporation)
2 MSSQLSERVER; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER [39670112 2011-03-25] (Microsoft Corporation)
4 MSSQLServerADHelper; "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [63328 2010-12-10] (Microsoft Corporation)
4 MSSQLServerADHelper100; "C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [61976 2009-07-22] (Microsoft Corporation)
3 ReportServer; "C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [13664 2011-03-25] (Microsoft Corporation)
4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [431464 2011-09-22] (Microsoft Corporation)
2 SQLSERVERAGENT; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER [426336 2010-12-10] (Microsoft Corporation)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 WAS; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 msftesql; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER

2 MSSQLServerOLAPService; "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config"

2 VisualSVNServer; "C:\Program Files (x86)\VisualSVN Server\bin\VisualSVNServer.exe" -k runservice -C "LoadModule log_visualsvn_module bin/mod_log_visualsvn.so" -E nul


========================== Drivers (Whitelisted) =============

1 ElRawDisk; \??\C:\Windows\system32\drivers\dddskx64.sys [26024 2009-02-12] (EldoS Corporation)
2 irda; C:\Windows\System32\Drivers\irda.sys [120320 2009-07-13] (Microsoft Corporation)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-06-18] (Duplex Secure Ltd.)
3 STIrUsb; C:\Windows\System32\DRIVERS\irstusb.sys [33792 2008-01-18] (SigmaTel, Inc.)
3 VSPerfDrv100; \??\C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [68440 2011-01-18] (Microsoft Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys

3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys

3 gdrv; \??\C:\Windows\gdrv.sys

3 GGSAFERDriver; \??\D:\Games\Garena\safedrv.sys

3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys

3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys

3 ZTEusbmdm6k; C:\Windows\System32\DRIVERS\ZTEusbmdm6k.sys

3 ZTEusbnmea; C:\Windows\System32\DRIVERS\ZTEusbnmea.sys

3 ZTEusbser6k; C:\Windows\System32\DRIVERS\ZTEusbser6k.sys


========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-01 14:39 - 2012-07-01 14:39 - 00050176 ____A C:\hex007.exe
2012-07-01 14:38 - 2012-07-01 14:38 - 00050176 ____A C:\Windows\System32\hex007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000064 ____A C:\xp007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000061 ____A C:\Windows\System32\xp007.exe
2012-07-01 14:35 - 2010-11-20 05:24 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\p.exe
2012-07-01 14:33 - 2009-07-13 17:38 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\ws.exe
2012-07-01 10:58 - 2012-07-01 10:58 - 00022343 ____A C:\ComboFix.txt
2012-07-01 10:35 - 2012-07-01 10:35 - 04568829 ____R (Swearware) C:\Users\CurrentLoggedUser\Desktop\ComboFix.exe
2012-07-01 05:37 - 2012-07-01 05:37 - 02134616 ____A (Kaspersky Lab ZAO) C:\Users\CurrentLoggedUser\Desktop\tdsskiller.exe
2012-07-01 05:15 - 2012-07-01 05:23 - 00002893 ____A C:\Users\CurrentLoggedUser\Desktop\ThreatsESET.txt
2012-06-30 22:20 - 2012-06-30 22:20 - 00000000 ____D C:\FRST
2012-06-30 17:15 - 2012-06-30 17:15 - 00000000 ____D C:\Program Files (x86)\ESET
2012-06-30 14:24 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-30 14:24 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-30 14:24 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-30 14:24 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-30 14:24 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-30 14:24 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-30 14:24 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-30 14:24 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-30 14:22 - 2012-07-01 10:58 - 00000000 ____D C:\Qoobox
2012-06-30 13:57 - 2012-06-30 13:56 - 00023798 ____A C:\Users\CurrentLoggedUser\Desktop\06302012_235421.log
2012-06-30 13:54 - 2012-06-30 13:54 - 00000000 ____D C:\_OTM
2012-06-30 13:51 - 2012-06-30 13:51 - 00522240 ____A (OldTimer Tools) C:\Users\CurrentLoggedUser\Desktop\OTM.exe
2012-06-30 13:03 - 2012-06-30 13:03 - 00011803 ____A C:\Users\CurrentLoggedUser\Desktop\Frst.zip
2012-06-30 12:41 - 2012-06-30 12:41 - 00057191 ____A C:\Users\CurrentLoggedUser\Desktop\Frst.txt
2012-06-30 06:39 - 2012-06-30 06:39 - 00006544 ____A C:\Users\CurrentLoggedUser\Desktop\Attach.zip
2012-06-30 06:38 - 2012-06-30 06:38 - 00037494 ____A C:\Users\CurrentLoggedUser\Desktop\Attach.txt
2012-06-30 06:38 - 2012-06-30 06:38 - 00033787 ____A C:\Users\CurrentLoggedUser\Desktop\DDS.txt
2012-06-30 02:28 - 2012-06-30 04:19 - 00001898 ____A C:\KASLOG3062012
2012-06-29 13:41 - 2012-06-29 13:41 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-29 13:41 - 2012-06-29 13:41 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-29 13:41 - 2012-04-04 05:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-29 12:28 - 2012-06-29 12:13 - 02994184 ____A C:\Users\CurrentLoggedUser\Desktop\report.html
2012-06-29 12:26 - 2012-06-29 12:26 - 00026406 ____A C:\Users\CurrentLoggedUser\Desktop\DHCP.reg
2012-06-29 10:40 - 2012-06-29 10:40 - 00002545 ____A C:\Users\CurrentLoggedUser\Desktop\essam.rar
2012-06-29 10:39 - 2012-06-29 10:39 - 00069632 ____A C:\Users\CurrentLoggedUser\Desktop\essam.evtx
2012-06-29 10:39 - 2012-06-29 10:39 - 00000000 ____D C:\Users\CurrentLoggedUser\Desktop\LocaleMetaData
2012-06-28 15:14 - 2012-06-30 15:39 - 00007856 ____A C:\Windows\PFRO.log
2012-06-28 15:14 - 2012-06-28 15:14 - 00007367 ____A C:\kasLOG
2012-06-28 13:40 - 2012-06-28 13:40 - 00000385 ____A C:\Users\Default\AppData\Roaminguser_gensett.xml
2012-06-28 13:40 - 2012-06-28 13:40 - 00000385 ____A C:\Users\Default User\AppData\Roaminguser_gensett.xml
2012-06-28 09:12 - 2012-06-28 09:12 - 00003336 ____A C:\KasperskyRescuDiskResults
2012-06-27 14:33 - 2012-06-27 14:33 - 00000000 ____D C:\Users\CurrentLoggedUser\AppData\Local\bdch
2012-06-27 06:12 - 2012-06-27 06:12 - 614503865 ____A C:\Windows\MEMORY.DMP
2012-06-27 06:12 - 2012-06-27 06:12 - 00419320 ____A C:\Windows\Minidump\062712-19515-01.dmp
2012-06-25 16:23 - 2012-06-25 16:23 - 00000385 ____A C:\Windows\System32\user_gensett.xml
2012-06-25 16:23 - 2012-06-25 16:23 - 00000376 ____A C:\Users\CurrentLoggedUser\AppData\Roamingprivacy.xml
2012-06-25 10:19 - 2012-06-25 10:19 - 00000385 ____A C:\Users\CurrentLoggedUser\AppData\Roaminguser_gensett.xml
2012-06-25 10:19 - 2012-06-25 10:19 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_avchv_01009.Wdf
2012-06-25 10:19 - 2012-06-25 10:19 - 00000000 ____D C:\Users\All Users\BDLogging
2012-06-25 10:00 - 2012-06-25 10:00 - 00000000 ____D C:\Users\CurrentLoggedUser\AppData\Roaming\QuickScan
2012-06-25 09:59 - 2012-06-28 15:14 - 00000000 ____D C:\Program Files\Bitdefender
2012-06-25 09:56 - 2012-06-28 15:12 - 00000000 ____D C:\Program Files\Common Files\Bitdefender
2012-06-25 08:46 - 2012-06-30 18:31 - 00000000 ____D C:\Users\CurrentLoggedUser\Desktop\BitDefender
2012-06-24 13:23 - 2012-06-28 15:09 - 00000856 ____A C:\Users\CurrentLoggedUser\Desktop\TeraCopy.lnk
2012-06-24 13:23 - 2012-06-25 08:46 - 00000000 ____D C:\Users\CurrentLoggedUser\AppData\Roaming\TeraCopy
2012-06-24 13:23 - 2012-06-24 13:23 - 00000000 ____D C:\Program Files\TeraCopy
2012-06-24 11:40 - 2012-07-01 09:53 - 00001923 ____A C:\Windows\setupact.log
2012-06-24 11:40 - 2012-06-24 11:40 - 00000000 ____A C:\Windows\setuperr.log
2012-06-24 11:38 - 2012-06-24 11:38 - 00000508 ____A C:\Users\CurrentLoggedUser\Desktop\HSBC.txt
2012-06-24 10:58 - 2012-06-24 11:00 - 17246464 ____N (SUPERAntiSpyware.com) C:\Users\CurrentLoggedUser\Desktop\SUPERAntiSpyware.exe
2012-06-24 10:53 - 2012-06-24 13:07 - 00000840 ____N C:\Users\Public\Desktop\Speccy.lnk
2012-06-24 10:53 - 2012-06-24 10:53 - 00000000 ____D C:\Program Files\Speccy
2012-06-24 05:45 - 2012-06-24 05:45 - 03862112 ____N (Piriform Ltd) C:\Users\CurrentLoggedUser\Desktop\ccsetup319.exe
2012-06-24 05:38 - 2012-06-24 05:39 - 04485448 ____N (Piriform Ltd) C:\Users\CurrentLoggedUser\Desktop\spsetup116.exe
2012-06-24 05:36 - 2012-07-01 15:25 - 00830465 ____A C:\Windows\WindowsUpdate.log
2012-06-24 05:36 - 2012-06-24 05:36 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-24 05:36 - 2012-06-24 05:36 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-24 05:27 - 2012-06-24 05:27 - 00017992 ____N C:\Users\CurrentLoggedUser\Desktop\cc_20120624_152732.reg
2012-06-24 05:24 - 2012-06-24 05:24 - 12621696 ____A (Microsoft Corporation) C:\Users\CurrentLoggedUser\Desktop\mseinstall.exe
2012-06-22 08:19 - 2012-06-22 08:20 - 00000000 ____D C:\Users\CurrentLoggedUser\Desktop\Signatures
2012-06-22 01:25 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-22 01:25 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-22 01:25 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-22 01:25 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-22 01:25 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-22 01:25 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-22 01:25 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-22 01:25 - 2012-06-02 05:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-22 01:25 - 2012-06-02 05:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 09:41 - 2012-06-21 09:41 - 00013137 ____N C:\Users\CurrentLoggedUser\Desktop\hijackthis.log
2012-06-21 09:41 - 2012-06-21 09:41 - 00002997 ____N C:\Users\CurrentLoggedUser\Desktop\HiJackThis.lnk
2012-06-21 09:41 - 2012-06-21 09:41 - 00000000 ____D C:\Program Files (x86)\HiJackThis
2012-06-21 09:39 - 2012-06-21 09:40 - 01402880 ____N C:\Users\CurrentLoggedUser\Desktop\HiJackThis.msi
2012-06-19 21:36 - 2012-06-19 21:36 - 00005253 ____N C:\Users\CurrentLoggedUser\Desktop\virus.png
2012-06-17 15:12 - 2012-06-17 15:12 - 00019856 ____A C:\ComboFix1.txt
2012-06-17 14:46 - 2012-06-30 14:35 - 00000000 ____D C:\Windows\ERDNT
2012-06-17 05:00 - 2012-06-29 06:53 - 00000000 ____D C:\Users\CurrentLoggedUser\Desktop\Photography Presentation
2012-06-17 03:55 - 2012-06-17 03:55 - 00027140 ____N C:\Users\CurrentLoggedUser\Desktop\Photography.pptx
2012-06-17 03:25 - 2012-06-17 03:25 - 00154647 ____N C:\Users\CurrentLoggedUser\Desktop\1.png
2012-06-17 03:03 - 2012-06-17 03:03 - 00227393 ____A C:\Users\CurrentLoggedUser\Desktop\visuals_in_socialscience.ppt
2012-06-16 15:08 - 2011-06-06 08:31 - 637709923 ____A C:\Users\CurrentLoggedUser\Desktop\Introduction.to.the.Canon.Rebel.T3i--600D..Basic.Controls.by.Blue.Crane.mp4
2012-06-16 14:31 - 2012-06-17 08:17 - 00000829 ____A C:\Users\CurrentLoggedUser\Desktop\Mobarez.txt
2012-06-15 10:53 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-06-15 10:53 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-06-13 17:00 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 17:00 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 17:00 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 17:00 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 17:00 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 17:00 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 17:00 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 17:00 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 17:00 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 17:00 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 17:00 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 17:00 - 2012-05-17 17:51 - 02382848 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 17:00 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 17:00 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 17:00 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 17:00 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 17:00 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 17:00 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 17:00 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 17:00 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 17:00 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 17:00 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 17:00 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 17:00 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 17:00 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 17:00 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 17:00 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 17:00 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-12 23:52 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 23:52 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-12 23:52 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-12 23:52 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-12 23:52 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-12 23:52 - 2012-04-27 21:32 - 01112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-06-12 23:52 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-12 23:52 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-12 23:52 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-12 23:52 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-12 23:52 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 23:52 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 23:52 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 23:52 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-12 23:52 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-12 23:52 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-12 23:52 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-12 23:52 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-06 12:28 - 2012-06-06 12:28 - 00000026 ____A C:\Users\CurrentLoggedUser\Desktop\rotts mountain.txt
2012-06-05 23:29 - 2012-06-05 23:29 - 00001290 ____A C:\Users\CurrentLoggedUser\Desktop\TestDelete.reg
2012-06-05 11:20 - 2012-07-01 07:32 - 00000062 ____A C:\Windows\System32\WC.DAT
2012-06-04 15:24 - 2012-06-04 15:24 - 00000000 ____D C:\Users\CurrentLoggedUser\AppData\Local\HP
2012-06-04 15:22 - 2012-06-04 15:22 - 00017408 ____A C:\Users\CurrentLoggedUser\AppData\Local\WebpageIcons.db
2012-06-03 12:26 - 2012-06-03 12:26 - 00000000 ____D C:\Program Files (x86)\Enigma Software Group


============ 3 Months Modified Files ========================

2012-07-01 15:25 - 2012-06-24 05:36 - 00830465 ____A C:\Windows\WindowsUpdate.log
2012-07-01 15:19 - 2011-08-04 12:03 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000UA.job
2012-07-01 14:39 - 2012-07-01 14:39 - 00050176 ____A C:\hex007.exe
2012-07-01 14:38 - 2012-07-01 14:38 - 00050176 ____A C:\Windows\System32\hex007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000064 ____A C:\xp007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000061 ____A C:\Windows\System32\xp007.exe
2012-07-01 14:31 - 2012-04-10 14:26 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000UA.job
2012-07-01 14:31 - 2012-04-10 14:26 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000Core.job
2012-07-01 10:58 - 2012-07-01 10:58 - 00022343 ____A C:\ComboFix.txt
2012-07-01 10:46 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-01 10:35 - 2012-07-01 10:35 - 04568829 ____R (Swearware) C:\Users\CurrentLoggedUser\Desktop\ComboFix.exe
2012-07-01 10:02 - 2009-07-13 20:45 - 00015136 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-01 10:02 - 2009-07-13 20:45 - 00015136 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-01 09:53 - 2012-06-24 11:40 - 00001923 ____A C:\Windows\setupact.log
2012-07-01 09:53 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-01 07:32 - 2012-06-05 11:20 - 00000062 ____A C:\Windows\System32\WC.DAT
2012-07-01 05:37 - 2012-07-01 05:37 - 02134616 ____A (Kaspersky Lab ZAO) C:\Users\CurrentLoggedUser\Desktop\tdsskiller.exe
2012-07-01 05:23 - 2012-07-01 05:15 - 00002893 ____A C:\Users\CurrentLoggedUser\Desktop\ThreatsESET.txt
2012-07-01 05:19 - 2011-08-04 12:03 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-585945097-3421227394-3996423335-1000Core.job
2012-07-01 04:23 - 2011-08-04 12:05 - 00002359 ____A C:\Users\CurrentLoggedUser\Desktop\Google Chrome.lnk
2012-06-30 15:39 - 2012-06-28 15:14 - 00007856 ____A C:\Windows\PFRO.log
2012-06-30 14:37 - 2009-07-13 21:08 - 00032652 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-30 14:36 - 2009-07-13 18:34 - 17301504 ____A C:\Windows\System32\config\system.bak
2012-06-30 14:36 - 2009-07-13 18:34 - 123469824 ____A C:\Windows\System32\config\software.bak
2012-06-30 14:36 - 2009-07-13 18:34 - 04718592 ____A C:\Windows\System32\config\default.bak
2012-06-30 14:36 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\security.bak
2012-06-30 14:36 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\sam.bak
2012-06-30 13:56 - 2012-06-30 13:57 - 00023798 ____A C:\Users\CurrentLoggedUser\Desktop\06302012_235421.log
2012-06-30 13:51 - 2012-06-30 13:51 - 00522240 ____A (OldTimer Tools) C:\Users\CurrentLoggedUser\Desktop\OTM.exe
2012-06-30 13:03 - 2012-06-30 13:03 - 00011803 ____A C:\Users\CurrentLoggedUser\Desktop\Frst.zip
2012-06-30 12:41 - 2012-06-30 12:41 - 00057191 ____A C:\Users\CurrentLoggedUser\Desktop\Frst.txt
2012-06-30 12:01 - 2011-06-19 10:31 - 00947182 ____A C:\Windows\System32\perfh00C.dat
2012-06-30 12:01 - 2011-06-19 10:31 - 00732468 ____A C:\Windows\System32\perfh001.dat
2012-06-30 12:01 - 2011-06-19 10:31 - 00225580 ____A C:\Windows\System32\perfc00C.dat
2012-06-30 12:01 - 2011-06-19 10:31 - 00187170 ____A C:\Windows\System32\perfc001.dat
2012-06-30 12:01 - 2009-07-13 21:13 - 03216160 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-30 06:39 - 2012-06-30 06:39 - 00006544 ____A C:\Users\CurrentLoggedUser\Desktop\Attach.zip
2012-06-30 06:38 - 2012-06-30 06:38 - 00037494 ____A C:\Users\CurrentLoggedUser\Desktop\Attach.txt
2012-06-30 06:38 - 2012-06-30 06:38 - 00033787 ____A C:\Users\CurrentLoggedUser\Desktop\DDS.txt
2012-06-30 04:19 - 2012-06-30 02:28 - 00001898 ____A C:\KASLOG3062012
2012-06-30 03:18 - 2012-05-04 09:00 - 00001724 ____A C:\Users\Public\Desktop\Defraggler.lnk
2012-06-29 13:41 - 2012-06-29 13:41 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-29 12:26 - 2012-06-29 12:26 - 00026406 ____A C:\Users\CurrentLoggedUser\Desktop\DHCP.reg
2012-06-29 12:13 - 2012-06-29 12:28 - 02994184 ____A C:\Users\CurrentLoggedUser\Desktop\report.html
2012-06-29 10:40 - 2012-06-29 10:40 - 00002545 ____A C:\Users\CurrentLoggedUser\Desktop\essam.rar
2012-06-29 10:39 - 2012-06-29 10:39 - 00069632 ____A C:\Users\CurrentLoggedUser\Desktop\essam.evtx
2012-06-28 15:14 - 2012-06-28 15:14 - 00007367 ____A C:\kasLOG
2012-06-28 15:09 - 2012-06-24 13:23 - 00000856 ____A C:\Users\CurrentLoggedUser\Desktop\TeraCopy.lnk
2012-06-28 13:40 - 2012-06-28 13:40 - 00000385 ____A C:\Users\Default\AppData\Roaminguser_gensett.xml
2012-06-28 13:40 - 2012-06-28 13:40 - 00000385 ____A C:\Users\Default User\AppData\Roaminguser_gensett.xml
2012-06-28 09:12 - 2012-06-28 09:12 - 00003336 ____A C:\KasperskyRescuDiskResults
2012-06-27 06:12 - 2012-06-27 06:12 - 614503865 ____A C:\Windows\MEMORY.DMP
2012-06-27 06:12 - 2012-06-27 06:12 - 00419320 ____A C:\Windows\Minidump\062712-19515-01.dmp
2012-06-25 16:23 - 2012-06-25 16:23 - 00000385 ____A C:\Windows\System32\user_gensett.xml
2012-06-25 16:23 - 2012-06-25 16:23 - 00000376 ____A C:\Users\CurrentLoggedUser\AppData\Roamingprivacy.xml
2012-06-25 10:19 - 2012-06-25 10:19 - 00000385 ____A C:\Users\CurrentLoggedUser\AppData\Roaminguser_gensett.xml
2012-06-25 10:19 - 2012-06-25 10:19 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_avchv_01009.Wdf
2012-06-24 13:07 - 2012-06-24 10:53 - 00000840 ____N C:\Users\Public\Desktop\Speccy.lnk
2012-06-24 13:07 - 2012-05-04 09:02 - 00000866 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-24 11:40 - 2012-06-24 11:40 - 00000000 ____A C:\Windows\setuperr.log
2012-06-24 11:38 - 2012-06-24 11:38 - 00000508 ____A C:\Users\CurrentLoggedUser\Desktop\HSBC.txt
2012-06-24 11:00 - 2012-06-24 10:58 - 17246464 ____N (SUPERAntiSpyware.com) C:\Users\CurrentLoggedUser\Desktop\SUPERAntiSpyware.exe
2012-06-24 05:45 - 2012-06-24 05:45 - 03862112 ____N (Piriform Ltd) C:\Users\CurrentLoggedUser\Desktop\ccsetup319.exe
2012-06-24 05:39 - 2012-06-24 05:38 - 04485448 ____N (Piriform Ltd) C:\Users\CurrentLoggedUser\Desktop\spsetup116.exe
2012-06-24 05:37 - 2011-06-18 17:31 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-24 05:36 - 2011-06-18 17:09 - 03263836 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-24 05:27 - 2012-06-24 05:27 - 00017992 ____N C:\Users\CurrentLoggedUser\Desktop\cc_20120624_152732.reg
2012-06-24 05:24 - 2012-06-24 05:24 - 12621696 ____A (Microsoft Corporation) C:\Users\CurrentLoggedUser\Desktop\mseinstall.exe
2012-06-23 15:10 - 2009-07-13 20:45 - 05035904 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-22 13:12 - 2011-06-18 15:13 - 00110424 ____A C:\Users\CurrentLoggedUser\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-21 09:41 - 2012-06-21 09:41 - 00013137 ____N C:\Users\CurrentLoggedUser\Desktop\hijackthis.log
2012-06-21 09:41 - 2012-06-21 09:41 - 00002997 ____N C:\Users\CurrentLoggedUser\Desktop\HiJackThis.lnk
2012-06-21 09:40 - 2012-06-21 09:39 - 01402880 ____N C:\Users\CurrentLoggedUser\Desktop\HiJackThis.msi
2012-06-19 21:36 - 2012-06-19 21:36 - 00005253 ____N C:\Users\CurrentLoggedUser\Desktop\virus.png
2012-06-18 11:50 - 2012-05-06 09:11 - 00000143 ____A C:\Users\CurrentLoggedUser\Desktop\TEDATA.txt
2012-06-17 15:12 - 2012-06-17 15:12 - 00019856 ____A C:\ComboFix1.txt
2012-06-17 08:17 - 2012-06-16 14:31 - 00000829 ____A C:\Users\CurrentLoggedUser\Desktop\Mobarez.txt
2012-06-17 03:55 - 2012-06-17 03:55 - 00027140 ____N C:\Users\CurrentLoggedUser\Desktop\Photography.pptx
2012-06-17 03:25 - 2012-06-17 03:25 - 00154647 ____N C:\Users\CurrentLoggedUser\Desktop\1.png
2012-06-17 03:03 - 2012-06-17 03:03 - 00227393 ____A C:\Users\CurrentLoggedUser\Desktop\visuals_in_socialscience.ppt
2012-06-14 01:57 - 2012-04-01 03:59 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-14 01:57 - 2011-06-20 14:27 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-13 17:07 - 2011-06-19 10:13 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-06 12:28 - 2012-06-06 12:28 - 00000026 ____A C:\Users\CurrentLoggedUser\Desktop\rotts mountain.txt
2012-06-05 23:29 - 2012-06-05 23:29 - 00001290 ____A C:\Users\CurrentLoggedUser\Desktop\TestDelete.reg
2012-06-04 15:22 - 2012-06-04 15:22 - 00017408 ____A C:\Users\CurrentLoggedUser\AppData\Local\WebpageIcons.db
2012-06-02 14:19 - 2012-06-22 01:25 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 01:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 01:25 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 01:25 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 01:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-22 01:25 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-22 01:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 05:19 - 2012-06-22 01:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 05:15 - 2012-06-22 01:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 14:44 - 2012-05-31 13:12 - 00000721 ____N C:\Users\CurrentLoggedUser\Desktop\BSOD.txt
2012-05-26 05:44 - 2012-05-26 05:44 - 00045270 ____A C:\Users\CurrentLoggedUser\AppData\Roaming\room_v3.dat
2012-05-26 05:27 - 2012-05-26 05:27 - 00000156 ____N C:\Users\CurrentLoggedUser\Desktop\prepatch.log
2012-05-26 05:25 - 2012-05-26 05:19 - 58718061 ____A (Blizzard Entertainment) C:\Users\CurrentLoggedUser\Desktop\War3TFT_126a_English.exe
2012-05-26 05:13 - 2012-05-26 05:09 - 41888152 ____A C:\Users\CurrentLoggedUser\Desktop\GarenaPlus_Install.exe
2012-05-25 13:15 - 2012-05-25 13:15 - 01528448 ____A C:\Users\CurrentLoggedUser\Desktop\EasyBCD 2.1.2.exe
2012-05-25 13:15 - 2012-05-25 13:15 - 00001213 ____N C:\Users\Public\Desktop\EasyBCD 2.1.2.lnk
2012-05-24 09:57 - 2012-05-26 03:20 - 232335048 ____N C:\Users\CurrentLoggedUser\Desktop\ielts ahmed tarek.zip
2012-05-20 18:10 - 2012-05-20 18:10 - 00000062 ____A C:\Windows\System32\onfNet.dat
2012-05-19 14:17 - 2012-05-19 14:17 - 08673497 ____N C:\Users\CurrentLoggedUser\Desktop\iPhone Contacts 19-05-2012.zip
2012-05-17 18:47 - 2012-06-13 17:00 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 17:00 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 17:00 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 17:00 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 17:00 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 17:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 17:00 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 17:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 17:00 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 17:00 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 17:00 - 02382848 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 17:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 17:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 17:00 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 17:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 17:00 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 17:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 17:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 17:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 17:00 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 17:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 17:00 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 17:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 17:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 17:00 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 17:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 17:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 17:32 - 2012-06-12 23:52 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-12 16:43 - 2012-05-12 16:43 - 03607616 ____A (Igor Pavlov) C:\Users\CurrentLoggedUser\Desktop\GmdClientSetup.exe
2012-05-12 15:21 - 2012-05-12 15:21 - 00028016 ____N C:\Users\CurrentLoggedUser\Desktop\Waseekt Zawag.png
2012-05-07 17:51 - 2012-05-07 17:51 - 10063000 ____N (Malwarebytes Corporation                                    ) C:\Users\CurrentLoggedUser\Desktop\mbam-setup-1.61.0.1400.exe
2012-05-04 15:05 - 2012-04-01 13:04 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-04 12:04 - 2012-05-04 12:04 - 00044539 ____N C:\Users\CurrentLoggedUser\Desktop\error.png
2012-05-04 09:11 - 2012-05-04 09:11 - 00086372 ____N C:\Users\CurrentLoggedUser\Desktop\cc_20120504_191139.reg
2012-05-04 06:47 - 2012-05-04 06:47 - 00001066 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-05-04 06:46 - 2012-05-04 06:46 - 00000027 ____N C:\Users\CurrentLoggedUser\Desktop\Egyptair Ticket.txt
2012-05-04 03:06 - 2012-06-12 23:52 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 03:00 - 2012-06-15 10:53 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-04 02:03 - 2012-06-12 23:52 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-12 23:52 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 01:59 - 2012-06-15 10:53 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-04-30 21:40 - 2012-06-12 23:52 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 21:32 - 2012-06-12 23:52 - 01112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-04-27 19:55 - 2012-06-12 23:52 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:41 - 2012-06-12 23:52 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-12 23:52 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-12 23:52 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 21:37 - 2012-06-12 23:52 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-12 23:52 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-12 23:52 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-12 23:52 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-12 23:52 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-12 23:52 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-20 05:19 - 2006-03-08 23:20 - 00006422 ___AH C:\Users\CurrentLoggedUser\AppData\Roaming\CurrentLoggedUserv1.18.0 - Trial versionlog.dat
2012-04-10 09:43 - 2012-04-10 09:43 - 00001359 ____A C:\Users\Public\Desktop\EASEUS Data Recovery Wizard Professional 5.5.1.lnk
2012-04-09 13:15 - 2012-04-09 13:15 - 00001135 ____N C:\Users\Public\Desktop\Yahoo! Messenger.lnk
2012-04-09 12:18 - 2012-04-09 12:18 - 00351771 ____N C:\Users\CurrentLoggedUser\Desktop\mathtype_formating_a_rac_namecryptedtoprotectyourprivacy_x2012486205880768048440831432865711024668305057850052377380074468034.rar
2012-04-07 04:31 - 2012-06-12 23:52 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 03:26 - 2012-06-12 23:52 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 05:56 - 2012-06-29 13:41 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 4060.49 MB
Available physical RAM: 3422.42 MB
Total Pagefile: 4058.64 MB
Available Pagefile: 3422.03 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:146.48 GB) (Free:45.71 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (Downloads) (Fixed) (Total:149.05 GB) (Free:11.42 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (New Volume) (Fixed) (Total:319.27 GB) (Free:20.93 GB) NTFS
5 Drive g: () (Removable) (Total:1.86 GB) (Free:1.85 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB  1024 KB         
  Disk 1    Online          149 GB      0 B         
  Disk 2    Online         1900 MB      0 B         

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            146 GB  1024 KB
  Partition 2    Primary            319 GB   146 GB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition    146 GB  Healthy           

==================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E   New Volume   NTFS   Partition    319 GB  Healthy           

==================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            149 GB  1024 KB

==================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   Downloads    NTFS   Partition    149 GB  Healthy           

==================================================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1899 MB    16 KB

==================================================================================

Disk: 2
Partition 1
Type  : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT    Removable   1899 MB  Healthy           

==================================================================================

==========================================================

Last Boot: 2012-06-28 17:06

======================= End Of Log ==========================

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #43 on: July 01, 2012, 05:49:36 PM »
Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flashdrive as fixlist.txt.

Code:
start
2012-07-01 14:39 - 2012-07-01 14:39 - 00050176 ____A C:\hex007.exe
2012-07-01 14:38 - 2012-07-01 14:38 - 00050176 ____A C:\Windows\System32\hex007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000064 ____A C:\xp007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000061 ____A C:\Windows\System32\xp007.exe
2012-07-01 14:35 - 2010-11-20 05:24 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\p.exe
2012-07-01 14:33 - 2009-07-13 17:38 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\ws.exe
end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 or FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Let's see how we go this time; the file you dropped in the bin may very well have been the re-infector....

Kevin

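As an added example (not part of this thread and not FRST's own code), the script below parses FRST "Files Created" entries like the ones in the log above, applies a constructed triage heuristic to pick out the freshly dropped executables, and emits them in the start/end fixlist layout Kevin asks for. The regex, the window date, the heuristic thresholds and the sample log (built from lines in this thread) are all assumptions.

```python
import re
from datetime import datetime, timedelta

# One FRST file entry: <created> - <modified> - <size> <attrs> [(<vendor>)] <path>
# (regex is ours, derived from the log lines in this thread, not FRST's grammar)
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOW_START = datetime(2012, 7, 1)  # assumed: day the fresh drops in this thread appeared

# Constructed sample: the six fixlist lines above plus one benign Windows entry from the log.
SAMPLE_LOG = r"""
2012-07-01 14:39 - 2012-07-01 14:39 - 00050176 ____A C:\hex007.exe
2012-07-01 14:38 - 2012-07-01 14:38 - 00050176 ____A C:\Windows\System32\hex007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000064 ____A C:\xp007.exe
2012-07-01 14:37 - 2012-07-01 14:37 - 00000061 ____A C:\Windows\System32\xp007.exe
2012-07-01 14:35 - 2010-11-20 05:24 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\p.exe
2012-07-01 14:33 - 2009-07-13 17:38 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\ws.exe
2012-05-14 17:32 - 2012-06-12 23:52 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
"""

def parse_line(line):
    """Split one FRST entry into fields; return None for headers and other non-entry lines."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
    e["modified"] = datetime.strptime(e["modified"], "%Y-%m-%d %H:%M")
    e["size"] = int(e["size"])
    e["vendor"] = e["vendor"].strip() if e["vendor"] else None  # FRST pads some vendor names
    e["raw"] = line.strip()  # kept verbatim because the fixlist reuses the log line as-is
    return e

def is_suspicious(e, window_start):
    """Our heuristic: in-window executable with no vendor in a drive root or system dir, or
    a system-dir binary whose modified time is far older than its creation (copied + renamed)."""
    p = e["path"].lower()
    if not p.endswith(EXEC_EXT) or e["created"] < window_start:
        return False
    in_root = re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None
    in_sys = p.startswith(SYSTEM_DIRS)
    if e["vendor"] is None and (in_root or in_sys):
        return True
    return in_sys and e["created"] - e["modified"] > timedelta(days=30)

def build_fixlist(log_text, window_start=WINDOW_START):
    """Emit the selected entries verbatim between 'start' and 'end', the layout FRST's Fix reads."""
    hits = [e["raw"] for e in map(parse_line, log_text.splitlines())
            if e and is_suspicious(e, window_start)]
    return "\n".join(["start", *hits, "end"]) + "\n"
```

Run `print(build_fixlist(SAMPLE_LOG))` to see the six dropped files selected and win32k.sys (created before the window) left alone; review the output by hand before saving it as fixlist.txt, since the heuristic is a triage aid, not a verdict.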
Offline Allam

  • Bronze Member
  • Posts: 34
Re: [In Progress K] Trojan-Downloader.BAT Infection And Strange Behavior
« Reply #44 on: July 01, 2012, 06:00:47 PM »
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 30-06-2012 04
Ran by SYSTEM at 2012-07-02 01:53:26 Run:2
Running from G:\

==============================================

C:\hex007.exe moved successfully.
C:\Windows\System32\hex007.exe moved successfully.
C:\xp007.exe moved successfully.
C:\Windows\System32\xp007.exe moved successfully.
C:\Windows\System32\p.exe moved successfully.
C:\Windows\System32\ws.exe moved successfully.

==== End of Fixlog ====