
Author Topic: help needed  (Read 27365 times)


saeid

    Topic Starter


    Beginner
    • Experience: Beginner
    • OS: Windows 7
    help needed
    « on: June 22, 2012, 02:15:29 AM »
    My computer is affected by some kind of virus; it doesn't run smoothly. Please help me! Thanks.

    saeid

      Topic Starter


      Beginner
      • Experience: Beginner
      • OS: Windows 7
      Re: help needed
      « Reply #1 on: June 22, 2012, 02:17:43 AM »
      I think its name is Trojan.Agent/Gen-Ransom

      Allan

      • Moderator

      • Mastermind
      • Thanked: 1260
      • Experience: Guru
      • OS: Windows 10
      Re: help needed
      « Reply #2 on: June 22, 2012, 05:35:45 AM »
      Please follow the instructions in the following link and post your logs:
      http://www.computerhope.com/forum/index.php/topic,46313.0.html

      saeid

        Topic Starter


        Beginner
        • Experience: Beginner
        • OS: Windows 7
        Re: help needed
        « Reply #3 on: June 27, 2012, 09:38:53 AM »
        Malwarebytes Anti-Malware (Trial) 1.61.0.1400
        www.malwarebytes.org

        Database version: v2012.06.27.06

        Windows 7 Service Pack 1 x86 NTFS
        Internet Explorer 9.0.8112.16421
        Saeid :: SAEID-PC [administrator]

        Protection: Enabled

        6/27/2012 18:23:47
        mbam-log-2012-06-27 (18-23-47).txt

        Scan type: Quick scan
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 200426
        Time elapsed: 12 minute(s), 48 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 7
        C:\Program Files\Common Files\aol\1332525462\ee\xprt6.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\AOLDiag\tbdiag.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\os\ver5_2_1_1\os.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\notification\ver7_1_1_1\Notify.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\localStorage\ver8_1_1_1\clsSvc.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\metrics\ver4_1_11_1\cmls.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\osInfo\ver2_1_1_1\osInfo.dll (Virus.Ramnit) -> Delete on reboot.

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 3
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CLISTART.EXE (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|StartCCC (Virus.Ramnit) -> Data: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun -> Quarantined and deleted successfully.
        HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Nimbuzz (Virus.Ramnit) -> Data: C:\Program Files\Nimbuzz\Nimbuzz.exe -> Quarantined and deleted successfully.

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 19
        C:\Program Files\Common Files\aol\1332525462\ee\xprt6.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\AOLDiag\tbdiag.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\os\ver5_2_1_1\os.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\notification\ver7_1_1_1\Notify.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\localStorage\ver8_1_1_1\clsSvc.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\metrics\ver4_1_11_1\cmls.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\Common Files\aol\1332525462\ee\services\osInfo\ver2_1_1_1\osInfo.dll (Virus.Ramnit) -> Delete on reboot.
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Nimbuzz\Nimbuzz.exe (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\iexploremgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Internet Explorer\Plugins\npqtplugin6.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        C:\Program Files\Mozilla Firefox\plugins\npdnu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
        c:\users\saeid\appdata\roaming\microsoft\windows\start menu\programs\startup\kkwheaoi.exe (Trojan.Agent) -> Delete on reboot.
        C:\Windows\Explorermgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

        (end)

        saeid

          Topic Starter


          Beginner
          • Experience: Beginner
          • OS: Windows 7
          Re: help needed
          « Reply #4 on: June 27, 2012, 09:43:11 AM »
          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 06/27/2012 at 08:12 PM

          Application Version : 5.0.1144

          Core Rules Database Version : 8805
          Trace Rules Database Version: 6617

          Scan type       : Complete Scan
          Total Scan Time : 00:12:59

          Operating System Information
          Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
          UAC Off - Administrator

          Memory items scanned      : 720
          Memory threats detected   : 0
          Registry items scanned    : 37492
          Registry threats detected : 0
          File items scanned        : 12821
          File threats detected     : 4

          Trojan.Agent/Gen-Ransom
             E:\F.I.L.T.E.R S.H.E.K.A.N T.O.R BROWSER 1.3.17\TOR BROWSER\TOR BROWSER\FIREFOXPORTABLE\APP\FIREFOX\TBB-FIREFOXMGR.EXE
             C:\PROGRAM FILES\COMMON FILES\AOL\1332525462\EE\AOLSOFTWAREMGR.EXE
             C:\PROGRAM FILES\COMMON FILES\AOL\LOADER\AOLLOADMGR.EXE
             C:\PROGRAM FILES\SPYWAREBLASTER\SPYWAREBLASTERMGR.EXE

          saeid

            Topic Starter


            Beginner
            • Experience: Beginner
            • OS: Windows 7
            Re: help needed
            « Reply #5 on: June 27, 2012, 09:53:39 AM »
            .
            DDS (Ver_2011-08-26.01) - NTFSx86
            Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_21
            Run by Saeid at 20:17:55 on 2012-06-27
            Microsoft Windows 7 Ultimate   6.1.7601.1.1256.981.1033.18.3063.1518 [GMT 4.5:30]
            .
            SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
            SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
            FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
            .
            ============== Running Processes ===============
            .
            C:\Windows\system32\wininit.exe
            C:\Windows\system32\lsm.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
            C:\Windows\system32\svchost.exe -k RPCSS
            C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
            C:\Windows\system32\svchost.exe -k NetworkService
            C:\Windows\system32\atiesrxx.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
            C:\Windows\system32\svchost.exe -k netsvcs
            C:\Windows\system32\svchost.exe -k LocalService
            C:\Windows\system32\atieclxx.exe
            C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
            C:\Windows\system32\WLANExt.exe
            C:\Windows\system32\conhost.exe
            C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
            C:\Windows\System32\spoolsv.exe
            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
            C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
            C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
            C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
            C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
            C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
            C:\Windows\system32\IoctlSvc.exe
            C:\Windows\system32\PnkBstrA.exe
            C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
            C:\Windows\System32\svchost.exe -k WerSvcGroup
            C:\Windows\System32\svchost.exe -k secsvcs
            C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
            C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
            C:\Windows\system32\svchost.exe -k bthsvcs
            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
            C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\SearchIndexer.exe
            C:\Windows\system32\Dwm.exe
            C:\Windows\Explorer.EXE
            C:\Windows\system32\taskhost.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\Program Files\Common Files\Java\Java Update\jusched.exe
            C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
            C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
            C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
            C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
            C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
            C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
            C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
            C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
            C:\Program Files\Internet Download Manager\IDMan.exe
            C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
            C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
            C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
            C:\Program Files\Windows Media Player\wmpnetwk.exe
            C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\servicing\TrustedInstaller.exe
            C:\Windows\system32\conhost.exe
            C:\Windows\System32\mobsync.exe
            .
            ============== Pseudo HJT Report ===============
            .
            uInternet Settings,ProxyOverride = local
            uInternet Settings,ProxyServer = 127.0.0.1:8118
            uURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
            uURLSearchHooks: H - No File
            uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
            mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
            BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
            BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
            BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
            BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
            BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
            BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No File
            BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
            BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
            BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\idm\quickf~1\plugins\IEHelp.dll
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: {E33CF602-D945-461A-83F0-819F76A199F8} - No File
            BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
            TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
            TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
            uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
            uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
            uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
            uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
            uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
            mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
            mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
            mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
            mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
            mRun: [HostManager] c:\program files\common files\aol\1332525462\ee\AOLSoftware.exe
            mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
            mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
            mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
            mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
            mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
            mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
            mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
            mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
            mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
            StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
            mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
            mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
            mPolicies-system: EnableLUA = 0 (0x0)
            mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
            mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
            IE: Add to Anti-Banner - %ProductRoot%\ie_banner_deny.htm
            IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
            IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
            IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
            IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
            IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
            IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
            TCP: Interfaces\{081331FC-0698-45FF-A217-F68D7A67B14D} : NameServer = 192.168.1.3 192.168.1.2
            TCP: Interfaces\{3A34C73F-9578-4F9C-853C-3DA2882DCDCA} : DhcpNameServer = 192.168.1.2 192.168.1.3
            TCP: Interfaces\{3A34C73F-9578-4F9C-853C-3DA2882DCDCA}\24562756E6A69616E60275962756C656373702C416E6 : DhcpNameServer = 192.168.1.2 213.176.0.5 4.2.2.4 192.168.1.3
            TCP: Interfaces\{3A34C73F-9578-4F9C-853C-3DA2882DCDCA}\44C496E6B6 : DhcpNameServer = 192.168.1.1 192.168.1.1
            TCP: Interfaces\{3A34C73F-9578-4F9C-853C-3DA2882DCDCA}\D696D6 : DhcpNameServer = 192.168.0.12 192.168.0.9 4.2.2.4
            TCP: Interfaces\{EB069C30-DB0F-4DAE-83D4-466F9A5FEFE4} : NameServer = 8.4.4.8,3.2.2.3
            Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
            Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
            Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
            Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
            Notify: klogon - c:\windows\system32\klogon.dll
            AppInit_DLLs: c:\windows\system32\guard32.dll, c:\progra~1\kasper~1\kasper~2\kloehk.dll, c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll, c:\progra~1\kasper~1\kasper~1\kloehk.dll
            SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
            SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
            Hosts: 127.0.0.1   www.spywareinfo.com
            .
            ================= FIREFOX ===================
            .
            FF - ProfilePath - c:\users\saeid\appdata\roaming\mozilla\firefox\profiles\qaurd1x0.default\
            FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
            FF - prefs.js: browser.search.selectedEngine - DAEMON Search
            FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
            FF - prefs.js: network.proxy.ftp - localhost
            FF - prefs.js: network.proxy.ftp_port - 8090
            FF - prefs.js: network.proxy.http - localhost
            FF - prefs.js: network.proxy.http_port - 8090
            FF - prefs.js: network.proxy.socks - localhost
            FF - prefs.js: network.proxy.socks_port - 8090
            FF - prefs.js: network.proxy.ssl - localhost
            FF - prefs.js: network.proxy.ssl_port - 8090
            FF - prefs.js: network.proxy.type - 0
            FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
            .
            ---- FIREFOX POLICIES ----
            FF - user.js: protocol-handler.warn-external.dnUpdate - false
            .
            ============= SERVICES / DRIVERS ===============
            .
            R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
            R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-3-11 491816]
            R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2012-3-11 39640]
            R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
            R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
            R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
            R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
            R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-15 176128]
            R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-11-23 1052472]
            R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2011-11-14 89376]
            R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-27 654408]
            R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-3-30 1153368]
            R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\drivers\TurboB.sys [2009-11-2 14808]
            R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-11-15 5586432]
            R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-11-15 209920]
            R3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\drivers\bcmvwl32.sys [2011-11-15 17144]
            R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-11-15 45352]
            R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-11-15 29472]
            R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-11-15 132480]
            R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
            R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-27 22344]
            R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
            S2 AVP;Kaspersky Anti-Virus Service;"c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe" -r --> c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [?]
            S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
            S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-11-15 13336]
            S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
            S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-11-26 15872]
            S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-11-15 197224]
            S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-12-5 257568]
            S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-11-26 52224]
            S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
            S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
            S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
            S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
            .
            =============== Created Last 30 ================
            .
            2012-06-27 12:47:12   --------   d-----w-   c:\programdata\Malwarebytes
            2012-06-27 12:47:11   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2012-06-27 12:47:11   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2012-06-27 12:14:24   --------   d-----w-   c:\program files\Defraggler
            2012-06-27 12:14:12   --------   d-----w-   c:\program files\Speccy
            2012-06-26 11:22:47   6762896   ------w-   c:\programdata\microsoft\windows defender\definition updates\{f3581fe0-ee13-4696-bfb0-ef95e33069f1}\mpengine.dll
            2012-06-22 08:12:49   2422272   ----a-w-   c:\windows\system32\wucltux.dll
            2012-06-22 08:12:09   88576   ----a-w-   c:\windows\system32\wudriver.dll
            2012-06-22 08:11:24   33792   ----a-w-   c:\windows\system32\wuapp.exe
            2012-06-22 08:11:24   171904   ----a-w-   c:\windows\system32\wuwebv.dll
            2012-06-21 12:44:57   --------   d-----w-   c:\programdata\CPA_VA
            2012-06-21 11:40:15   162320   ------w-   c:\program files\mozilla *Blocked Russian URL*\components\KavLinkFilter.dll
            2012-06-15 16:16:37   --------   d-----w-   c:\users\saeid\appdata\roaming\SUPERAntiSpyware.com
            2012-06-15 16:16:17   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
            2012-06-15 16:16:17   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2012-06-14 15:58:53   95259   ----a-w-   c:\windows\system32\drivers\klick.dat
            2012-06-14 15:58:53   108059   ----a-w-   c:\windows\system32\drivers\klin.dat
            2012-06-14 15:54:01   109240   ------w-   c:\program files\mozilla *Blocked Russian URL*\components\abhelperxpcom.dll
            2012-06-14 15:32:44   --------   d-----w-   c:\windows\system32\MpEngineStore
            2012-06-14 13:25:30   --------   d-----w-   c:\programdata\Kaspersky Lab Setup Files
            2012-06-13 12:46:29   919040   ----a-w-   c:\windows\system32\rdpcorets.dll
            2012-06-13 12:46:29   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
            2012-06-13 12:41:23   2343936   ----a-w-   c:\windows\system32\win32k.sys
            2012-06-13 12:41:14   8192   ----a-w-   c:\windows\system32\rdrmemptylst.exe
            2012-06-13 12:41:14   58880   ----a-w-   c:\windows\system32\rdpwsx.dll
            2012-06-13 12:41:14   129536   ----a-w-   c:\windows\system32\rdpcorekmts.dll
            2012-06-13 12:20:54   423656   ----a-w-   c:\windows\system32\deployJava1.dll
            2012-06-13 12:20:54   423656   ------w-   c:\program files\mozilla firefox\plugins\npdeployJava1.dll
            2012-06-11 10:23:13   90112   ----a-w-   c:\windows\system32\dpl100.dll
            2012-06-11 10:23:13   593938   ----a-w-   c:\windows\system32\x264vfw.dll
            2012-06-11 10:23:13   3596288   ----a-w-   c:\windows\system32\qt-dx331.dll
            2012-06-11 10:23:13   217088   ----a-w-   c:\windows\system32\xvidvfw.dll
            2012-06-11 10:23:13   200704   ----a-w-   c:\windows\system32\ssldivx.dll
            2012-06-11 10:23:13   200704   ----a-w-   c:\windows\system32\dtu100.dll
            2012-06-11 10:23:13   1415680   ----a-w-   c:\windows\system32\WMV9VCM.dll
            2012-06-11 10:23:13   118784   ----a-w-   c:\windows\system32\ac3acm.acm
            2012-06-11 10:23:13   1044480   ----a-w-   c:\windows\system32\libdivx.dll
            2012-06-11 10:23:12   620180   ----a-w-   c:\windows\system32\divx.dll
            2012-06-11 10:23:11   --------   d-----w-   c:\program files\K-Lite Codec Pack
            2012-06-01 17:15:17   --------   d-----w-   c:\users\saeid\appdata\local\assembly
            2012-06-01 17:10:07   --------   d-----w-   c:\users\saeid\appdata\local\VisualBeeClient
            2012-05-31 15:16:05   --------   d-----w-   C:\Documents
            2012-05-31 11:52:41   --------   d-----w-   c:\users\saeid\appdata\roaming\MathWorks
            2012-05-31 06:49:08   407104   ----a-w-   c:\windows\system32\MSHFLXGD.OCX
            2012-05-31 06:14:30   --------   d-----w-   c:\program files\MATLAB
            .
            ==================== Find3M  ====================
            .
            2012-05-17 22:45:37   1800192   ----a-w-   c:\windows\system32\jscript9.dll
            2012-05-17 22:35:47   1129472   ----a-w-   c:\windows\system32\wininet.dll
            2012-05-17 22:35:39   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
            2012-05-17 22:29:45   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
            2012-05-17 22:24:45   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
            2012-04-21 11:19:10   205   ----a-w-   c:\windows\system32\lsprst7.dll
            2012-04-14 10:46:16   1025   ----a-w-   c:\windows\system32\sysprs7.dll
            2012-03-31 04:39:37   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2012-03-31 04:39:37   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2012-03-30 10:23:11   1291632   ----a-w-   c:\windows\system32\drivers\tcpip.sys
            .
            ============= FINISH: 20:22:03.94 ===============

            saeid

              Topic Starter


              Beginner
              • Experience: Beginner
              • OS: Windows 7
              Re: help needed
              « Reply #6 on: June 27, 2012, 09:59:10 AM »
              .
              UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
              IF REQUESTED, ZIP IT UP & ATTACH IT
              .
              DDS (Ver_2011-08-26.01)
              .
              Microsoft Windows 7 Ultimate
              Boot Device: \Device\HarddiskVolume1
              Install Date: 11/15/2011 17:46:21
              System Uptime: 6/27/2012 20:14:26 (0 hours ago)
              .
              Motherboard: Dell Inc. |  | 0YXXJJ
              Processor: Intel(R) Core(TM) i5 CPU       M 460  @ 2.53GHz | CPU 1 | 2528/533mhz
              .
              ==== Disk Partitions =========================
              .
              C: is FIXED (NTFS) - 78 GiB total, 34.222 GiB free.
              D: is FIXED (NTFS) - 176 GiB total, 87.541 GiB free.
              E: is FIXED (NTFS) - 212 GiB total, 144.962 GiB free.
              F: is CDROM ()
              G: is CDROM ()
              .
              ==== Disabled Device Manager Items =============
              .
              Class GUID:
              Description: Bluetooth Peripheral Device
              Device ID: BTHENUM\{00005601-0000-1000-8000-0002EE000001}_LOCALMFG&000F\9&2D793958&0&001F01B2F70B_C00000004
              Manufacturer:
              Name: Bluetooth Peripheral Device
              PNP Device ID: BTHENUM\{00005601-0000-1000-8000-0002EE000001}_LOCALMFG&000F\9&2D793958&0&001F01B2F70B_C00000004
              Service:
              .
              Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
              Description: SASKUTIL
              Device ID: ROOT\LEGACY_SASKUTIL\0000
              Manufacturer:
              Name: SASKUTIL
              PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
              Service: SASKUTIL
              .
              Class GUID:
              Description: Bluetooth Peripheral Device
              Device ID: BTHENUM\{00005005-0000-1000-8000-0002EE000001}_LOCALMFG&000F\9&2D793958&0&001F01B2F70B_C00000004
              Manufacturer:
              Name: Bluetooth Peripheral Device
              PNP Device ID: BTHENUM\{00005005-0000-1000-8000-0002EE000001}_LOCALMFG&000F\9&2D793958&0&001F01B2F70B_C00000004
              Service:
              .
              ==== System Restore Points ===================
              .
              RP153: 6/17/2012 20:12:46 - Windows Update
              RP154: 6/21/2012 16:01:31 - Installed Kaspersky Internet Security 2010.
              RP155: 6/22/2012 12:40:04 - Windows Update
              RP156: 6/22/2012 12:49:33 - Windows Update
              RP157: 6/26/2012 15:49:37 - Windows Update
              .
              ==== Installed Programs ======================
              .
               Update for Microsoft Office 2007 (KB2508958)
              Adobe Flash Player 10 ActiveX
              Adobe Flash Player 9 ActiveX
              Adobe Flash Player 9.0.45.0
              Adobe Flash Player Plugin
              Adobe Reader X
              AOL Toolbar
              AOL Uninstaller (Choose which Products to Remove)
              ATI AVIVO Codecs
              ATI Catalyst Install Manager
              Catalyst Control Center - Branding
              Catalyst Control Center Graphics Previews Common
              Catalyst Control Center Graphics Previews Vista
              Catalyst Control Center InstallProxy
              Catalyst Control Center Localization All
              ccc-core-static
              ccc-utility
              CCC Help Chinese Standard
              CCC Help Chinese Traditional
              CCC Help Danish
              CCC Help Dutch
              CCC Help English
              CCC Help Finnish
              CCC Help French
              CCC Help German
              CCC Help Italian
              CCC Help Japanese
              CCC Help Korean
              CCC Help Norwegian
              CCC Help Portuguese
              CCC Help Russian
              CCC Help Spanish
              CCC Help Swedish
              CCleaner
              Cisco EAP-FAST Module
              Cisco LEAP Module
              Cisco PEAP Module
              Comodo Dragon
              COMODO GeekBuddy
              COMODO Internet Security
              Crystal Reports for Visual Studio
              CyberLink PowerDVD 9
              Defraggler
              Dell Driver Download Manager
              Download Updater (AOL LLC)
              DW WLAN Card Utility
              ESET Online Scanner v3
              Google Chrome
              Hauppauge TV Tuner Driver
              ImTOO 3GP Video Converter
              ImTOO Video Cutter
              Intel(R) Control Center
              Intel(R) Management Engine Components
              Intel(R) Rapid Storage Technology
              Internet Download Manager
              Java Auto Updater
              Java(TM) 6 Update 21
              K-Lite Codec Pack 2.77 Full
              Kaspersky Internet Security 2010
              Kaspersky Internet Security 2011
              Longman Dictionary of Contemporary English 5th Edition
              Longman iBT
              Malwarebytes Anti-Malware version 1.61.0.1400
              MATLAB R2011b
              Microsoft .NET Framework 4 Client Profile
              Microsoft .NET Framework 4 Extended
              Microsoft .NET Framework 4 Multi-Targeting Pack
              Microsoft Application Error Reporting
              Microsoft Office 2007 Service Pack 3 (SP3)
              Microsoft Office Access MUI (English) 2007
              Microsoft Office Access Setup Metadata MUI (English) 2007
              Microsoft Office Enterprise 2007
              Microsoft Office Excel MUI (English) 2007
              Microsoft Office File Validation Add-In
              Microsoft Office Groove MUI (English) 2007
              Microsoft Office Groove Setup Metadata MUI (English) 2007
              Microsoft Office InfoPath MUI (English) 2007
              Microsoft Office OneNote MUI (English) 2007
              Microsoft Office Outlook MUI (English) 2007
              Microsoft Office PowerPoint MUI (English) 2007
              Microsoft Office Proof (English) 2007
              Microsoft Office Proof (French) 2007
              Microsoft Office Proof (Spanish) 2007
              Microsoft Office Proofing (English) 2007
              Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
              Microsoft Office Publisher MUI (English) 2007
              Microsoft Office Shared MUI (English) 2007
              Microsoft Office Shared Setup Metadata MUI (English) 2007
              Microsoft Office Word MUI (English) 2007
              Microsoft Silverlight 3 SDK
              Microsoft SQL Server 2008
              Microsoft SQL Server 2008 Browser
              Microsoft SQL Server 2008 Common Files
              Microsoft SQL Server 2008 Database Engine Services
              Microsoft SQL Server 2008 Database Engine Shared
              Microsoft SQL Server 2008 Native Client
              Microsoft SQL Server 2008 R2 Data-Tier Application Framework
              Microsoft SQL Server 2008 R2 Data-Tier Application Project
              Microsoft SQL Server 2008 R2 Transact-SQL Language Service
              Microsoft SQL Server 2008 RsFx Driver
              Microsoft SQL Server 2008 Setup Support Files
              Microsoft Sync Framework Runtime v1.0 SP1 (x86)
              Microsoft Sync Framework SDK v1.0 SP1
              Microsoft Sync Framework Services v1.0 SP1 (x86)
              Microsoft Team Foundation Server 2010 Object Model - ENU
              Microsoft VC9 runtime libraries
              Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
              Microsoft Visual C++ 2005 Redistributable
              Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
              Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
              Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
              Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
              Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
              Microsoft Visual C++ 2010  x86 Runtime - 10.0.30319
              Microsoft Visual F# 2.0 Runtime
              Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
              Microsoft Visual Studio 2010 Office Developer Tools (x86)
              Microsoft Visual Studio 2010 Performance Collection Tools - ENU
              Microsoft Visual Studio 2010 Performance Tools - ENU
              Microsoft Visual Studio 2010 Remote Debugger - ENU
              Microsoft Visual Studio 2010 SharePoint Developer Tools
              Microsoft Visual Studio Macro Tools
              Mozilla Firefox 11.0 (x86 en-US)
              MSXML 4.0 SP2 (KB954430)
              MSXML 4.0 SP2 (KB973688)
              Nero 8 Essentials
              neroxml
              Nimbuzz 2.2.1
              ooVoo
              PunkBuster Services
              QUICKfind server v1.1
              QuickSet32
              Realtek Ethernet Controller Driver For Windows 7
              Realtek USB 2.0 Card Reader
              Recuva
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
              Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
              Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
              Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
              Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
              Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
              Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
              Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
              Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
              Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
              Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
              Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
              Service Pack 1 for SQL Server 2008 (KB968369)
              Skype™ 5.3
              Smarty Uninstaller Pro
              Speccy
              Spybot - Search & Destroy
              SpywareBlaster 4.6
              Sql Server Customer Experience Improvement Program
              SUPERAntiSpyware
              Synaptics Pointing Device Driver
              The Klub 17 [v 6.10]
              The KMPlayer (remove only)
              UltraISO Premium V9.36
              Uninstall AOL Emergency Connect Utility 1.0
              Update for 2007 Microsoft Office System (KB967642)
              Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
              Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687267) 32-Bit Edition
              Visual Studio Tools for the Office system 3.0 Runtime
              Web Deployment Tool
              WIDCOMM Bluetooth Software
              Windows Driver Package - Broadcom Corporation (BTHUSB) Bluetooth  (03/24/2010 6.3.0.2501)
              WinRAR archiver
              Yahoo! Messenger
              Yahoo! Toolbar
              .
              ==== Event Viewer Messages From Past Week ========
              .
              6/27/2012 20:17:32, Error: Service Control Manager [7000]  - The SASKUTIL service failed to start due to the following error:  The system cannot find the file specified.
              6/27/2012 20:17:00, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Intel(R) Management & Security Application User Notification Service service to connect.
              6/27/2012 20:17:00, Error: Service Control Manager [7000]  - The Intel(R) Management & Security Application User Notification Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
              6/27/2012 20:16:58, Error: Service Control Manager [7034]  - The Intel(R) Rapid Storage Technology service terminated unexpectedly.  It has done this 1 time(s).
              6/27/2012 20:14:54, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  KLIM6 SASKUTIL
              6/27/2012 20:14:46, Error: Service Control Manager [7000]  - The Kaspersky Anti-Virus Service service failed to start due to the following error:  The system cannot find the file specified.
              6/27/2012 20:01:13, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{081331FC-0698-45FF-A217-F68D7A67B14D} because another computer on the network has the same name.  The server could not start.
              6/27/2012 18:21:46, Error: EventLog [6008]  - The previous system shutdown at 6:20:47 PM on 6/27/2012 was unexpected.
              6/27/2012 17:10:04, Error: EventLog [6008]  - The previous system shutdown at 5:08:33 PM on 6/27/2012 was unexpected.
              6/27/2012 16:49:50, Error: EventLog [6008]  - The previous system shutdown at 4:47:53 PM on 6/27/2012 was unexpected.
              6/27/2012 12:04:30, Error: BTHUSB [17]  - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
              6/26/2012 23:48:05, Error: Ntfs [55]  - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume ADATA SH93.
              6/26/2012 23:12:02, Error: EventLog [6008]  - The previous system shutdown at 11:10:38 PM on 6/26/2012 was unexpected.
              6/26/2012 21:39:29, Error: Microsoft-Windows-SharedAccess_NAT [30013]  - The DHCP allocator has disabled itself on IP address 192.168.1.5, since the IP address is outside the 192.168.173.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.
              6/26/2012 21:29:28, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR1.
              6/26/2012 00:10:43, Error: NetBT [4321]  - The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.81.168. The computer with the IP address 192.168.81.118 did not allow the name to be claimed by this computer.
              6/26/2012 00:07:28, Error: bowser [8003]  - The master browser has received a server announcement from the computer WIN7WD320G-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3A34C73F-9578-4F9C-853C-3DA2. The master browser is stopping or an election is being forced.
              6/26/2012 00:07:26, Error: NetBT [4319]  - A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
              6/25/2012 17:54:20, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the SBSD Security Center Service service to connect.
              6/25/2012 17:54:20, Error: Service Control Manager [7000]  - The SBSD Security Center Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
              6/23/2012 10:12:20, Error: Service Control Manager [7000]  - The Windows Modules Installer service failed to start due to the following error:  The pipe has been ended.
              6/23/2012 10:12:20, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "109" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
              6/23/2012 10:06:52, Error: EventLog [6008]  - The previous system shutdown at 10:05:51 AM on 6/23/2012 was unexpected.
              6/21/2012 17:13:33, Error: EventLog [6008]  - The previous system shutdown at 5:11:27 PM on 6/21/2012 was unexpected.
              6/21/2012 17:04:32, Error: bowser [8003]  - The master browser has received a server announcement from the computer MILAD-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3A34C73F-9578-4F9C-853C-3DA2882DC. The master browser is stopping or an election is being forced.
              6/21/2012 16:50:41, Error: EventLog [6008]  - The previous system shutdown at 4:49:22 PM on 6/21/2012 was unexpected.
              6/21/2012 16:05:13, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for Type with the following error:  Access is denied.
              6/21/2012 15:45:33, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for Start with the following error:  Access is denied.
              6/21/2012 15:42:31, Error: EventLog [6008]  - The previous system shutdown at 1:08:41 PM on 6/20/2012 was unexpected.
              6/20/2012 13:05:22, Error: Service Control Manager [7031]  - The Kaspersky Anti-Virus Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
              .
              ==== End Of File ===========================

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: help needed
              « Reply #7 on: June 27, 2012, 01:18:51 PM »
              Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

              1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
              2. The fixes are specific to your problem and should only be used for this issue on this machine.
              3. If you don't know or understand something, please don't hesitate to ask.
              4. Please DO NOT run any other tools or scans while I am helping you.
              5. It is important that you reply to this thread. Do not start a new topic.
              6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
              7. Absence of symptoms does not mean that everything is clear.

              If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
              *************************************************************************
              Update Your Java (JRE)

              Old versions of Java have vulnerabilities that malware can use to infect your system.


              First Verify your Java Version

              If there are any other version(s) installed then update now.

              Get the new version (if needed)

              If your version is out of date install the newest version of the Sun Java Runtime Environment.

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close ALL open web browsers before starting the installation.

              Remove any old versions

              1. Download JavaRa and unzip the file to your Desktop.
              2. Open JavaRA.exe and choose Remove Older Versions
              3. Once complete exit JavaRA.

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
              ***********************************************************
              Download Combofix from any of the links below, and save it to your DESKTOP

              Link 1
              Link 2
              Link 3

              To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
              • Close any open windows and double click ComboFix.exe to run it.

                You will see the following image:

              Click I Agree to start the program.

              ComboFix will then extract the necessary files and you will see this:

              As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

              It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

              If you did not have it installed, you will see the prompt below. Choose YES.

              Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

              **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

              Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

              Click on Yes, to continue scanning for malware.

              When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

              Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

              Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
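The DDS attach.txt in Reply #6 and the "First Verify your Java Version" step in Reply #7 both turn on reading the same log sections: the Installed Programs list (which here shows Java 6 Update 21, Flash Player 9 and 10, and two Kaspersky suites beside COMODO Internet Security) and the Service Control Manager errors showing the Kaspersky service and the SASKUTIL driver failing to load. The script below is an added example, not part of this thread and not SuperDave's or saeid's code; it parses a DDS log offline and reports those three things. SAMPLE_LOG is a constructed excerpt of the log posted above; the version floors (Java 6 Update 33, Flash major 11), the product-name pattern used to recognise a real-time suite, and the keyword list for security services are assumptions chosen for this thread's date and should be adjusted for other cases.

```python
"""Offline triage of a DDS attach.txt log (added example, not part of this thread).

Three checks over the 'Installed Programs' and 'Event Viewer Messages' sections:
  1. outdated Java / Flash runtimes, the reason for the "verify your Java version" step;
  2. more than one real-time security suite installed side by side;
  3. Service Control Manager errors showing a security service or driver failed to load.
SAMPLE_LOG is a constructed excerpt of the log posted in Reply #6 above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9.0.45.0
Adobe Reader X
COMODO Internet Security
Google Chrome
Java Auto Updater
Java(TM) 6 Update 21
Kaspersky Internet Security 2010
Kaspersky Internet Security 2011
Malwarebytes Anti-Malware version 1.61.0.1400
SUPERAntiSpyware
.
==== Event Viewer Messages From Past Week ========
.
6/27/2012 20:17:32, Error: Service Control Manager [7000]  - The SASKUTIL service failed to start due to the following error:  The system cannot find the file specified.
6/27/2012 20:14:54, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  KLIM6 SASKUTIL
6/27/2012 20:14:46, Error: Service Control Manager [7000]  - The Kaspersky Anti-Virus Service service failed to start due to the following error:  The system cannot find the file specified.
6/27/2012 12:04:30, Error: BTHUSB [17]  - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
.
==== End Of File ===========================
"""

SECTION_RE = re.compile(r"^==== (.+?) =+$")
JAVA_RE = re.compile(r"Java\(TM\) (\d+) Update (\d+)")
FLASH_RE = re.compile(r"Adobe Flash Player (\d+)")
# Assumption: names that mean a full real-time suite; extend for your environment.
AV_SUITE_RE = re.compile(r"Kaspersky|COMODO Internet Security|Norton|McAfee|avast|AVG", re.I)
SCM_RE = re.compile(
    r"^(?P<ts>\S+ \S+), Error: Service Control Manager \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$"
)
# 7000: service failed to start; 7026: boot-start/system-start driver failed to load.
FAILED_LOAD_IDS = {"7000", "7026"}


def parse_sections(text):
    """Split a DDS log into {section title: [lines]}; '.' lines are DDS separators."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def outdated_runtimes(programs, min_java=(6, 33), min_flash=11):
    """Entries older than the floors. Defaults are assumptions: the Java 6 and
    Flash releases current when this thread was written (June 2012); adjust them."""
    found = []
    for name in programs:
        j = JAVA_RE.search(name)
        f = FLASH_RE.search(name)
        if j and (int(j.group(1)), int(j.group(2))) < min_java:
            found.append(name)
        elif f and int(f.group(1)) < min_flash:
            found.append(name)
    return found


def security_suites(programs):
    """Installed real-time suites; more than one means they compete for the same hooks."""
    return [p for p in programs if AV_SUITE_RE.search(p)]


def failed_security_services(events, keywords=("Kaspersky", "SASKUTIL", "KLIM")):
    """SCM 7000/7026 errors whose message names a security service or driver."""
    hits = []
    for line in events:
        m = SCM_RE.match(line)
        if m and m.group("id") in FAILED_LOAD_IDS:
            msg = m.group("msg")
            if any(k.lower() in msg.lower() for k in keywords):
                hits.append((m.group("ts"), m.group("id"), msg))
    return hits


def triage(text):
    """Run all three checks and return a dict a helper can paste into a reply."""
    s = parse_sections(text)
    programs = s.get("Installed Programs", [])
    events = s.get("Event Viewer Messages From Past Week", [])
    suites = security_suites(programs)
    return {
        "outdated_runtimes": outdated_runtimes(programs),
        "security_suites": suites,
        "multiple_suites": len(suites) > 1,
        "failed_security_services": failed_security_services(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as `python dds_triage.py`, or feed a saved attach.txt to `triage(open(path).read())`. The parser keys on the `==== Title ====` banners DDS writes, so the same three functions work on any attach.txt of that version; the keyword and product lists are deliberately small and are the first thing to widen for a different machine.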

              saeid

                Topic Starter


                Beginner
                • Experience: Beginner
                • OS: Windows 7
                Re: help needed
                « Reply #8 on: June 29, 2012, 12:05:07 AM »
                ComboFix 12-06-28.03 - Saeid 06/29/2012   9:23.3.4 - x86
                Microsoft Windows 7 Ultimate   6.1.7601.1.1256.981.1033.18.3063.1879 [GMT 4.5:30]
                Running from: c:\users\Saeid\Documents\Downloads\Programs\ComboFix.exe
                FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
                SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
                SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
                 * Created a new restore point
                .
                .
                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                c:\program files\Internet Explorer\dmlconf.dat
                c:\users\Saeid\AppData\Local\assembly\tmp
                c:\windows\system32\drivers\npf.sys
                c:\windows\system32\lsprst7.dll
                .
                .
                (((((((((((((((((((((((((   Files Created from 2012-05-28 to 2012-06-29  )))))))))))))))))))))))))))))))
                .
                .
                2012-06-27 13:30 . 2012-06-27 13:30   --------   d-----w-   c:\programdata\Yahoo! Companion
                2012-06-27 12:47 . 2012-06-27 12:47   --------   d-----w-   c:\programdata\Malwarebytes
                2012-06-27 12:47 . 2012-06-27 12:47   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2012-06-27 12:47 . 2012-04-04 11:26   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2012-06-27 12:14 . 2012-06-27 12:14   --------   d-----w-   c:\program files\Defraggler
                2012-06-27 12:14 . 2012-06-27 12:14   --------   d-----w-   c:\program files\Speccy
                2012-06-27 12:12 . 2012-06-27 12:12   --------   d-----w-   c:\program files\Recuva
                2012-06-26 11:22 . 2012-05-31 03:41   6762896   ------w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F3581FE0-EE13-4696-BFB0-EF95E33069F1}\mpengine.dll
                2012-06-22 08:12 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
                2012-06-22 08:12 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
                2012-06-22 08:12 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
                2012-06-22 08:12 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
                2012-06-22 08:12 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
                2012-06-22 08:12 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
                2012-06-22 08:12 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
                2012-06-22 08:11 . 2012-06-02 10:49   171904   ----a-w-   c:\windows\system32\wuwebv.dll
                2012-06-22 08:11 . 2012-06-02 10:42   33792   ----a-w-   c:\windows\system32\wuapp.exe
                2012-06-21 12:44 . 2012-06-25 13:25   --------   d-----w-   c:\programdata\CPA_VA
                2012-06-21 11:40 . 2009-10-20 16:04   162320   ------w-   c:\program files\Mozilla Firefox\components\KavLinkFilter.dll
                2012-06-15 16:16 . 2012-06-15 16:16   --------   d-----w-   c:\users\Saeid\AppData\Roaming\SUPERAntiSpyware.com
                2012-06-15 16:16 . 2012-06-21 20:33   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2012-06-15 16:16 . 2012-06-15 16:16   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                2012-06-14 15:58 . 2012-06-21 11:39   108059   ----a-w-   c:\windows\system32\drivers\klin.dat
                2012-06-14 15:58 . 2012-06-21 11:39   95259   ----a-w-   c:\windows\system32\drivers\klick.dat
                2012-06-14 15:54 . 2010-07-01 17:04   109240   ------w-   c:\program files\Mozilla Firefox\components\abhelperxpcom.dll
                2012-06-14 15:32 . 2012-06-14 15:32   --------   d-----w-   c:\windows\system32\MpEngineStore
                2012-06-14 13:25 . 2012-06-21 11:30   --------   d-----w-   c:\programdata\Kaspersky Lab Setup Files
                2012-06-13 12:46 . 2012-04-28 04:41   919040   ----a-w-   c:\windows\system32\rdpcorets.dll
                2012-06-13 12:46 . 2012-04-28 03:17   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
                2012-06-13 12:41 . 2012-05-15 01:05   2343936   ----a-w-   c:\windows\system32\win32k.sys
                2012-06-13 12:41 . 2012-04-26 04:45   58880   ----a-w-   c:\windows\system32\rdpwsx.dll
                2012-06-13 12:41 . 2012-04-26 04:45   129536   ----a-w-   c:\windows\system32\rdpcorekmts.dll
                2012-06-13 12:41 . 2012-04-26 04:41   8192   ----a-w-   c:\windows\system32\rdrmemptylst.exe
                2012-06-13 12:20 . 2012-06-13 12:20   423656   ------w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                2012-06-13 12:20 . 2012-06-13 12:20   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                2012-06-11 10:24 . 2012-06-11 10:24   --------   d-----w-   c:\users\Saeid\AppData\Roaming\Media Player Classic
                2012-06-11 10:23 . 2006-09-13 18:44   593938   ----a-w-   c:\windows\system32\x264vfw.dll
                2012-06-11 10:23 . 2006-06-21 08:12   200704   ----a-w-   c:\windows\system32\ssldivx.dll
                2012-06-11 10:23 . 2006-06-21 08:12   1044480   ----a-w-   c:\windows\system32\libdivx.dll
                2012-06-11 10:23 . 2006-05-24 20:17   3596288   ----a-w-   c:\windows\system32\qt-dx331.dll
                2012-06-11 10:23 . 2006-05-24 20:16   200704   ----a-w-   c:\windows\system32\dtu100.dll
                2012-06-11 10:23 . 2006-05-13 18:46   118784   ----a-w-   c:\windows\system32\ac3acm.acm
                2012-06-11 10:23 . 2006-04-07 22:43   90112   ----a-w-   c:\windows\system32\dpl100.dll
                2012-06-11 10:23 . 2006-02-27 11:00   217088   ----a-w-   c:\windows\system32\xvidvfw.dll
                2012-06-11 10:23 . 2003-06-22 22:14   1415680   ----a-w-   c:\windows\system32\WMV9VCM.dll
                2012-06-11 10:23 . 2006-07-03 19:10   620180   ----a-w-   c:\windows\system32\divx.dll
                2012-06-11 10:23 . 2012-06-11 10:23   --------   d-----w-   c:\program files\K-Lite Codec Pack
                2012-06-01 17:15 . 2012-06-29 05:01   --------   d-----w-   c:\users\Saeid\AppData\Local\assembly
                2012-06-01 17:10 . 2012-06-01 17:15   --------   d-----w-   c:\users\Saeid\AppData\Local\VisualBeeClient
                2012-05-31 15:16 . 2012-05-31 15:16   --------   d-----w-   C:\Documents
                2012-05-31 11:52 . 2012-05-31 11:52   --------   d-----w-   c:\users\Saeid\AppData\Roaming\MathWorks
                2012-05-31 06:49 . 2004-03-01 18:35   407104   ----a-w-   c:\windows\system32\MSHFLXGD.OCX
                2012-05-31 06:14 . 2012-05-31 06:14   --------   d-----w-   c:\program files\MATLAB
                .
                .
                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2012-03-18 21:59 . 2011-11-15 18:04   97208   ------w-   c:\program files\mozilla firefox\components\browsercomps.dll
                .
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
                @="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
                [HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
                2011-05-30 14:50   21864   ------w-   c:\program files\Internet Download Manager\IDMShellExt.dll
                .
                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]
                "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-22 6591800]
                "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
                "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-11-14 3437976]
                "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
                .
                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-23 1594664]
                "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
                "IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
                "HostManager"="c:\program files\Common Files\AOL\1332525462\ee\AOLSoftware.exe" [2009-07-20 41264]
                "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
                "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
                "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
                "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
                "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5249024]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
                "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
                "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
                .
                c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 795936]
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                "ConsentPromptBehaviorAdmin"= 0 (0x0)
                "ConsentPromptBehaviorUser"= 3 (0x3)
                "EnableLUA"= 0 (0x0)
                "EnableUIADesktopToggle"= 0 (0x0)
                "PromptOnSecureDesktop"= 0 (0x0)
                .
                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                2011-05-04 17:54   551296   ------w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                "AppInit_DLLs"=c:\windows\System32\guard32.dll c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                @=""
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
                @="Service"
                .
                R1 dvxrctzt;dvxrctzt;c:\windows\system32\drivers\dvxrctzt.sys
                R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys
                R1 SASKUTIL;SASKUTIL;
                R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
                R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
                R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys
                R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys
                R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys
                R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys
                R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys
                R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys
                R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys
                R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe
                R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys
                R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
                R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys
                R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
                S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys
                S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys
                S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys
                S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys
                S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys
                S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS
                S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys
                S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE
                S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe
                S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe
                S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys
                S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
                S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe
                S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys
                S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys
                S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys
                S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl32.sys
                S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys
                S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys
                S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys
                S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys
                S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys
                S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys
                .
                .
                .
                ------- Supplementary Scan -------
                .
                uInternet Settings,ProxyOverride = local
                uInternet Settings,ProxyServer = 127.0.0.1:8118
                IE: Add to Anti-Banner - %ProductRoot%\ie_banner_deny.htm
                IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
                IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
                TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
                TCP: Interfaces\{081331FC-0698-45FF-A217-F68D7A67B14D}: NameServer = 192.168.1.3 192.168.1.2
                TCP: Interfaces\{EB069C30-DB0F-4DAE-83D4-466F9A5FEFE4}: NameServer = 8.4.4.8,3.2.2.3
                FF - ProfilePath - c:\users\Saeid\AppData\Roaming\Mozilla\Firefox\Profiles\qaurd1x0.default\
                FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
                FF - prefs.js: browser.search.selectedEngine - DAEMON Search
                FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
                FF - prefs.js: network.proxy.ftp - localhost
                FF - prefs.js: network.proxy.ftp_port - 8090
                FF - prefs.js: network.proxy.http - localhost
                FF - prefs.js: network.proxy.http_port - 8090
                FF - prefs.js: network.proxy.socks - localhost
                FF - prefs.js: network.proxy.socks_port - 8090
                FF - prefs.js: network.proxy.ssl - localhost
                FF - prefs.js: network.proxy.ssl_port - 8090
                FF - prefs.js: network.proxy.type - 0
                FF - user.js: protocol-handler.warn-external.dnUpdate - false
                .
                - - - - ORPHANS REMOVED - - - -
                .
                URLSearchHooks-{0e38f85e-eee9-426a-ae1c-60c36b729951} - (no file)
                HKLM-Run-BDRegion - c:\program files\Cyberlink\Shared Files\brs.exe
                AddRemove-{2C72D4EA-BA65-4B9D-92F9-B916A25A8C4D}_is1 - c:\program files\TKM17\unins000.exe
                .
                .
                .
                --------------------- LOCKED REGISTRY KEYS ---------------------
                .
                [HKEY_USERS\S-1-5-21-1338443668-846065355-974167902-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
                "??"=hex:21,88,68,61,66,d5,35,e4,b7,c5,6a,2f,15,55,a4,7a,45,55,3b,d5,75,31,69,
                   cc,2d,4a,31,52,d8,3e,6e,cf,5b,5f,0c,2e,c9,48,50,70,5a,49,98,2a,26,be,a6,e6,\
                "??"=hex:fe,94,16,33,a2,f0,68,4b,6b,9d,81,d8,7c,85,bb,9d
                .
                [HKEY_USERS\S-1-5-21-1338443668-846065355-974167902-1000_Classes\CLSID\{01680c4a-b31f-45d3-8be1-b859b4623e35}]
                @Denied: (Full) (Everyone)
                @Allowed: (Read) (RestrictedCode)
                "Model"=dword:00000028
                "Therad"=dword:00000015
                "MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
                   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
                .
                [HKEY_USERS\S-1-5-21-1338443668-846065355-974167902-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
                @Denied: (Full) (Everyone)
                "scansk"=hex(0):1b,d8,92,eb,22,77,b1,b4,34,91,07,25,ff,2e,77,3c,bb,80,33,ab,b8,
                   d7,2f,07,46,07,e5,b1,19,39,ef,99,67,03,07,de,17,77,9b,1a,00,00,00,00,00,00,\
                .
                [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000
                .
                [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000
                .
                [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
                @Denied: (Full) (Everyone)
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------
                .
                - - - - - - - > 'winlogon.exe'(912)
                c:\windows\system32\guard32.dll
                .
                - - - - - - - > 'lsass.exe'(616)
                c:\windows\system32\guard32.dll
                .
                Completion time: 2012-06-29  09:39:07
                ComboFix-quarantined-files.txt  2012-06-29 05:09
                .
                Pre-Run: 36,514,598,912 bytes free
                Post-Run: 36,162,297,856 bytes free
                .
                - - End Of File - - ED5A56F1DA15E4B0EB76CB998FD10176

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: help needed
                « Reply #9 on: June 29, 2012, 04:30:28 PM »
                How's the computer working now?

                SysProt Antirootkit

                Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                http://sites.google.com/site/sysprotantirootkit/

                Unzip it into a folder on your desktop.
                • Double click Sysprot.exe to start the program.
                • Click on the Log tab.
                • In the Write to log box select the following items.
                  • Process << Selected
                  • Kernel Modules << Selected
                  • SSDT << Selected
                  • Kernel Hooks << Selected
                  • IRP Hooks << NOT Selected
                  • Ports << NOT Selected
                  • Hidden Files << Selected
                • At the bottom of the page
                  • Hidden Objects Only << Selected
                • Click on the Create Log button on the bottom right.
                • After a few seconds a new window should appear.
                • Select Scan Root Drive. Click on the Start button.
                • When it is complete a new window will appear to indicate that the scan is finished.
                • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                Windows 8 and Windows 10 dual boot with two SSD's

                saeid

                  Topic Starter


                  Beginner
                  • Experience: Beginner
                  • OS: Windows 7
                  Re: help needed
                  « Reply #10 on: June 30, 2012, 01:44:56 AM »
                  My computer works better, but the virus still remains.
                  Some applications are affected by this virus and stop working.
                  Also, there's another problem: for example, when I remove this virus, after a few seconds it appears again. I don't know why.
                  This virus exists on my flash memory; after I open it without scanning, these things happen.
                  I tried to remove it or format my flash memory, but the viruses appear again and are getting massive.

                  saeid

                    Topic Starter


                    Beginner
                    • Experience: Beginner
                    • OS: Windows 7
                    Re: help needed
                    « Reply #11 on: June 30, 2012, 02:37:00 AM »
                    SysProt Antirootkit shows an error: "Error scanning SSDT hooks."

                    I ran the program anyway.

                    saeid

                      Topic Starter


                      Beginner
                      • Experience: Beginner
                      • OS: Windows 7
                      Re: help needed
                      « Reply #12 on: June 30, 2012, 03:51:28 AM »
                      SysProt AntiRootkit v1.0.1.0
                      by swatkat

                      ******************************************************************************************
                      ******************************************************************************************

                      No Hidden Processes found

                      ******************************************************************************************
                      ******************************************************************************************
                      Kernel Modules:
                      Module Name: \SystemRoot\System32\Drivers\spdz.sys
                      Service Name: ---
                      Module Base: 8B8BE000
                      Module End: 8B9BF000
                      Hidden: Yes

                      Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
                      Service Name: ---
                      Module Base: 90016000
                      Module End: 901CB000
                      Hidden: Yes

                      Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
                      Service Name: ---
                      Module Base: 94156000
                      Module End: 94167000
                      Hidden: Yes

                      ******************************************************************************************
                      ******************************************************************************************
                      No SSDT Hooks found

                      ******************************************************************************************
                      ******************************************************************************************
                      No Kernel Hooks found

                      ******************************************************************************************
                      ******************************************************************************************
                      Hidden files/folders:
                      Object: H:\eBooks\anlysis and designتحليل و طراحي.pdf
                      Status: Hidden

                      Object: H:\eBooks\RUPمقدمه اي بر _S.pdf
                      Status: Hidden

                      Object: H:\System Volume Information\Chkdsk
                      Status: Access denied

                      Object: H:\System Volume Information\EfaData
                      Status: Access denied

                      Object: H:\System Volume Information\MountPointManagerRemoteDatabase
                      Status: Access denied

                      Object: H:\System Volume Information\tracking.log
                      Status: Access denied

                      Object: H:\System Volume Information\_restore{15340ADA-EE95-432D-BCCF-71B80D548ED2}
                      Status: Access denied

                      Object: H:\System Volume Information\_restore{A8202132-62D5-497E-83F1-48EA9107B7DC}
                      Status: Access denied

                      Object: H:\System Volume Information\_restore{C8E5EAA1-BE76-4B85-8F3E-AC22AFE45187}
                      Status: Access denied

                      Object: H:\System Volume Information\_restore{D031A46D-8465-4667-8301-CCC538EFA6F8}
                      Status: Access denied

                      Object: E:\flash\matlab\Seasons\جلسه 05 ويرايش 01.ppsx
                      Status: Hidden

                      Object: E:\flash\matlab\Seasons\جلسه 07 ويرايش 01.ppsx
                      Status: Hidden

                      Object: E:\flash\matlab\Seasons\جلسه 09 ويرايش 01.ppsx
                      Status: Hidden

                      Object: E:\flash\matlab\Seasons\جلسه 10 ويرايش 01.ppsx
                      Status: Hidden

                      Object: E:\flash\matlab\Seasons\جلسه 11 ويرايش 01.ppsx
                      Status: Hidden

                      Object: E:\flash\PASW Statistics 18 [www.p30day.com]\فروشگاه اينترنتي نگين.url
                      Status: Hidden

                      Object: E:\flash\آزميش.docx
                      Status: Hidden

                      Object: E:\New folder\New folder\هيدرواستاتيک.docx
                      Status: Hidden

                      Object: E:\New folder\Sayalat az\1\5-Venturi Meter\وانتوري.bmp
                      Status: Hidden

                      Object: E:\New folder\Sayalat az\myself\جت پرتابي
                      Status: Hidden

                      Object: E:\New folder\Sayalat az\myself\ضريب پسا
                      Status: Hidden

                      Object: E:\New folder\Sayalat az\myself\ونتوري
                      Status: Hidden

                      Object: E:\New folder\Sayalat az\myself\گردابه\دانشگاه صنعتي امير کبير22.docx
                      Status: Hidden

                      Object: E:\New folder\Sayalat az\سيالات()جودكي\جت پرتابي
                      Status: Hidden

                      Object: E:\New folder\درس علم مواد\مواد مركب\شيشه.doc
                      Status: Hidden

                      Object: E:\sdadasdad\شيخ بهايي (مثنويات پراکنده) گر نبود خنگ مطلي لگام - ويکي‌نبشته.htm
                      Status: Hidden

                      Object: E:\sdadasdad\شيخ بهايي (مثنويات پراکنده) گر نبود خنگ مطلي لگام - ويکي‌نبشته_files
                      Status: Hidden

                      Object: E:\sdadasdad\قدرت تفکر مثبت , جادوي انرژي مثبت     - مطالب ابر آموخته ام که با پول مي شود خانه خريد ولي آشيانه نه.htm
                      Status: Hidden

                      Object: E:\sdadasdad\قدرت تفکر مثبت , جادوي انرژي مثبت     - مطالب ابر آموخته ام که با پول مي شود خانه خريد ولي آشيانه نه_files
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Copied\1\5-Venturi Meter\وانتوري.bmp
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Copied\myself\جت پرتابي
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Copied\myself\ضريب پسا
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Copied\myself\ونتوري
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Copied\myself\گردابه\دانشگاه صنعتي امير کبير22.docx
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Copied\سيالات()جودكي\جت پرتابي
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\New Folder\آز فيزيک2
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Photos\القاي فارادي  2.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Photos\القاي فارادي.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Photos\مطالعه ي خازن.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Photos\ميدان مغناطيسي زمين.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Photos\کار با اسيلوسکوپ.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\Photos\کاربا اسيلوسکوپ.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\physics lab2\Photos\القاي فارادي  2.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\physics lab2\Photos\القاي فارادي.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\physics lab2\Photos\مطالعه ي خازن.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\physics lab2\Photos\ميدان مغناطيسي زمين.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\physics lab2\Photos\کار با اسيلوسکوپ.jpg
                      Status: Hidden

                      Object: E:\STC3.2-Full\New folder\physics lab2\Photos\کاربا اسيلوسکوپ.jpg
                      Status: Hidden

                      Object: D:\System Volume Information\tracking.log
                      Status: Access denied

                      Object: D:\Videos\Movies\New folder\A.N\زنان شنا و کشتي نگاه نکنند.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\اسامي امامان به ترتيب.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\بي شمشير.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\تبليغات بازرگاني قبل از انقلاب.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\تست ماشين لباس شويي.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\خبرنگار آتيشي.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\خدايا به اينها مغز عطا بفرما.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\خيلي قشنگ ميخواد باباشو بپيچونه.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\شاهين جعفرقلي - خواننده ايراني.mp4
                      Status: Hidden

                      Object: D:\Videos\Movies\New folder\fun\کوکتل تقليدي.mp4
                      Status: Hidden

                      Object: C:\Qoobox\BackEnv\AppData.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Cache.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\History.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Music.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Personal.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Programs.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Recent.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\SetPath.bat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\SysPath.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Templates.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\VikPev00
                      Status: Access denied

                      Object: C:\System Volume Information\WindowsImageBackup\Catalog\BackupGlobalCatalog
                      Status: Access denied

                      Object: C:\System Volume Information\WindowsImageBackup\Catalog\GlobalCatalog
                      Status: Access denied

                      Object: C:\System Volume Information\WindowsImageBackup\Catalog
                      Status: Access denied

                      Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache\{07cef2ff-c079-4635-a68e-99dc61f91b6f}
                      Status: Access denied

                      Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache
                      Status: Access denied

                      Object: C:\Users\Saeid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kkwheaoi.exe
                      Status: Hidden

                      Object: C:\Windows\CSC\v2.0.6\namespace
                      Status: Access denied

                      Object: C:\Windows\CSC\v2.0.6\pq
                      Status: Access denied

                      Object: C:\Windows\CSC\v2.0.6\sm
                      Status: Access denied

                      Object: C:\Windows\CSC\v2.0.6\temp
                      Status: Access denied

                      Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
                      Status: Access denied

                      Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
                      Status: Access denied

                      Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
                      Status: Access denied

                      Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
                      Status: Access denied

                      Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
                      Status: Access denied

                      Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
                      Status: Access denied
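A SysProt hidden-object list like the one above is mostly noise: "Access denied" under System Volume Information, under ComboFix's Qoobox quarantine and under the ETW RtBackup logs is normal for a user-mode scanner, and most "Hidden" entries are ordinary documents with the hidden attribute set. The one line that stands out is the hidden kkwheaoi.exe in the user's Startup folder: a hidden, randomly named executable in an autostart location is exactly the pattern a file-infecting worm leaves behind. The following script is an added example (it is not part of this thread and not a SysProt feature): it parses SysProt's two-line "Object:/Status:" format, drops the expected noise, and grades what is left. The sample log is constructed from a few paths in the thread, and the lists of expected-denied locations, executable extensions and autostart folders are my own assumptions for a Windows 7 layout.

```python
"""Triage helper for SysProt AntiRootkit 'Hidden files/folders' output.

Added example, not part of the forum thread or of the SysProt tool. It parses
the 'Object: ... / Status: ...' pairs SysProt prints, filters out locations
where 'Access denied' or 'Hidden' is expected, and flags hidden objects that
sit in an autostart folder or carry an executable extension.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in SysProt's exact two-line format (a subset of the
# paths in the thread, with one document name replaced by an ASCII one).
SAMPLE_LOG = """\
Hidden files/folders:
Object: H:\\System Volume Information\\tracking.log
Status: Access denied

Object: E:\\flash\\matlab\\Seasons\\lesson05.ppsx
Status: Hidden

Object: C:\\Qoobox\\BackEnv\\SetPath.bat
Status: Access denied

Object: C:\\Users\\Saeid\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\kkwheaoi.exe
Status: Hidden

Object: C:\\Windows\\System32\\LogFiles\\WMI\\RtBackup\\EtwRTUBPM.etl
Status: Access denied
"""

# Assumption: places where a non-SYSTEM scanner is normally denied access.
# Qoobox is ComboFix's quarantine folder, so it is expected on this machine.
EXPECTED_DENIED = ("system volume information", "\\qoobox\\", "\\logfiles\\wmi\\rtbackup\\")
# Assumption: extensions that execute; a hidden file with one deserves a look.
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".pif", ".com", ".sys"}
# Assumption: autostart folders in the Windows 7 profile layout (lowercased substrings).
AUTOSTART_DIRS = ("\\start menu\\programs\\startup\\",)


@dataclass
class Finding:
    path: str
    status: str
    severity: str   # "info", "review" or "high"
    reason: str


PAIR_RE = re.compile(r"^Object:\s*(?P<path>.+?)\s*\nStatus:\s*(?P<status>.+?)\s*$", re.M)


def parse_sysprot(text: str) -> list[tuple[str, str]]:
    """Return (path, status) tuples for every Object/Status pair in the log."""
    return [(m.group("path"), m.group("status")) for m in PAIR_RE.finditer(text)]


def classify(path: str, status: str) -> Finding:
    """Grade one entry: expected noise is 'info', anything odd is 'review' or 'high'."""
    low = path.lower()
    ext = PureWindowsPath(path).suffix.lower()
    if status == "Access denied":
        if any(marker in low for marker in EXPECTED_DENIED):
            return Finding(path, status, "info", "access denied in a normally protected location")
        return Finding(path, status, "review", "access denied outside the usual protected locations")
    # Anything else SysProt reports here carries status "Hidden".
    in_autostart = any(d in low for d in AUTOSTART_DIRS)
    if in_autostart and ext in EXEC_EXT:
        return Finding(path, status, "high", "hidden executable in an autostart folder")
    if ext in EXEC_EXT:
        return Finding(path, status, "review", "hidden executable outside autostart")
    if in_autostart:
        return Finding(path, status, "review", "hidden object in an autostart folder")
    return Finding(path, status, "info", "hidden non-executable file (usually a user-set attribute)")


def triage(text: str) -> list[Finding]:
    """Parse and grade a whole SysProt hidden-files section."""
    return [classify(p, s) for p, s in parse_sysprot(text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the 'high' bucket is visible at a glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.path}  ({f.reason})")
    print(summarize(results))
```

Run against the constructed sample, only the Startup-folder executable lands in the "high" bucket; the four other entries are graded "info". On a real log, feed the full text of the SysProt output file to triage() and treat every "review" entry as something to look up by hand before deciding it is benign, since a hidden attribute alone is not proof of malware.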

                      SuperDave

                      • Malware Removal Specialist
                      • Moderator


                      • Genius
                      • Thanked: 1020
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 10
                      Re: help needed
                      « Reply #13 on: June 30, 2012, 02:44:34 PM »
                      If it's Ramnit.....

                      I'm afraid I have very bad news.

                      Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

                      -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
                      Understanding virus names

                      Threat aliases for Win32/Ramnit.A
                      With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

                      Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

                      Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

                      In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

                      Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
                      When should I re-format? How should I reinstall?

                      Where to draw the line?  When to recommend a format and reinstall?

                      Quote
                      Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
                      • Reimaging the system
                      • Restoring the entire system using a full system backup from before the backdoor infection
                      • Reformatting and reinstalling the system
                      Backdoors and What They Mean to You
                      This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

                      Quote
                      The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

                      Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
                      **************************************************************
                      I'd like to scan your machine with ESET OnlineScan

                      •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                      ESET OnlineScan
                      •Click the button.
                      •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                      • Click on to download the ESET Smart Installer. Save it to your desktop.
                      • Double click on the icon on your desktop.
                      •Check
                      •Click the button.
                      •Accept any security warnings from your browser.
                      •Check
                      •Push the Start button.
                      •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                      •When the scan completes, push
                      •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                      •Push the button.
                      •Push
                      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                      Windows 8 and Windows 10 dual boot with two SSD's
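The flash-drive spreading and HTML-file infection described in the post above, as an added example that is not part of the original post and is not code from ESET, Malwarebytes or any other vendor: a small Python triage script that inspects a removable drive from a clean machine without executing anything on it. Everything in it is an assumption, not a signature taken from the thread: that a USB-spreading infector commonly leaves an autorun.inf pointing at its dropped copy, that an infected .htm/.html file carries an inline VBScript block referencing the objects a dropper needs to write and run a file, and the constructed sample drive layout (the placeholder names `random123.exe`, `page.html`, `clean.html`). It flags generic dropper artefacts; it does not identify Ramnit specifically, and a clean result does not mean the drive is clean.

```python
"""Triage a removable drive for file-infector spreading artefacts.

Added example, not from the original forum post. Heuristics only: it looks for
the kinds of artefact the thread describes (a worm copy dropped onto a flash
drive, HTML/HTM files carrying injected VBScript). It reads files, never runs them.
"""
import os
import re
import tempfile

# Assumptions (not from the page): generic dropper patterns, not vendor signatures.
VBSCRIPT_TAG = re.compile(r"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)
DROPPER_HINTS = ("Scripting.FileSystemObject", "WScript.Shell", "ADODB.Stream")
AUTORUN_CMD = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*(.+?)\s*$", re.I | re.M)
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}
HTML_EXT = {".htm", ".html"}


def read_text(path):
    """Read a file as text, tolerating odd bytes on a damaged drive."""
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1")


def autorun_targets(root):
    """Return the programs an autorun.inf in the drive root would launch on insertion."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    targets = []
    for m in AUTORUN_CMD.finditer(read_text(inf)):
        cmd = m.group(1).strip('"')
        targets.append(cmd.split()[0])  # program name only, arguments dropped
    return targets


def html_with_vbscript_dropper(root):
    """Return HTML/HTM files (relative to root) that contain an inline VBScript block
    referencing at least one object a dropper needs to write and run a file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HTML_EXT:
                continue
            full = os.path.join(dirpath, name)
            text = read_text(full)
            if VBSCRIPT_TAG.search(text) and any(h in text for h in DROPPER_HINTS):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def executables_at_root(root):
    """Executables sitting in the drive root, where a USB worm copy usually lands."""
    return sorted(n for n in os.listdir(root)
                  if os.path.isfile(os.path.join(root, n))
                  and os.path.splitext(n)[1].lower() in EXEC_EXT)


def triage_drive(root):
    """Collect all three checks for a mounted drive root (e.g. 'E:\\' on Windows)."""
    return {
        "autorun_targets": autorun_targets(root),
        "infected_html": html_with_vbscript_dropper(root),
        "root_executables": executables_at_root(root),
    }


def build_sample_drive(base):
    """Lay out a constructed flash-drive image for the demo. Nothing here is real
    malware: the '.exe' is an inert text placeholder and the VBScript only names
    an object a dropper would use."""
    files = {
        "autorun.inf": "[autorun]\r\nopen=random123.exe\r\nicon=random123.exe\r\n",
        "random123.exe": "placeholder text, not an executable\r\n",
        "page.html": ("<html><body>hello</body>\r\n"
                      "<SCRIPT Language=VBScript><!--\r\n"
                      "Set fso = CreateObject(\"Scripting.FileSystemObject\")\r\n"
                      "'--></SCRIPT></html>\r\n"),
        "clean.html": "<html><body><p>No script here.</p></body></html>\r\n",
        "notes.txt": "plain text, ignored by the triage\r\n",
    }
    for name, body in files.items():
        with open(os.path.join(base, name), "w", newline="") as fh:
            fh.write(body)
    return base


def demo():
    """Build the constructed sample drive in a temp directory and triage it."""
    return triage_drive(build_sample_drive(tempfile.mkdtemp(prefix="usb_triage_")))


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val or '-'}")
```

Run it against a real drive with `triage_drive(r"E:\")` from a machine that has not been exposed to the drive, with autorun disabled, and treat any hit as a reason to copy off only the documents you need (never executables or HTML) and then fully reformat the drive, the same logic the post applies to the system disk.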

                      saeid

                        Topic Starter


                        Beginner
                        • Experience: Beginner
                        • OS: Windows 7
                        Re: help needed
                        « Reply #14 on: July 01, 2012, 12:12:19 AM »
                        I performed a full format but this virus still remains in my flash memory.

                        I'll reinstall the OS but there is no guarantee this virus will be removed!

                        This flash memory still has the virus; if I connect this flash after reinstalling the OS, I have this problem again.

                        What should I do with this flash?
                        « Last Edit: July 01, 2012, 12:46:47 AM by saeid »