Profile Information
Posts: 18
Reputation: 0 Neutral
Location: CHI, IL

Any good FREE Anti-Keyloggers?
johnp9929 replied to johnp9929's topic in Malwarebytes for Windows Support Forum
Thanks. Puts my mind at ease. Thanks again!

9 replies. Tagged with: keylogging, software (and 4 more)

Are there any reliable, free anti-keyloggers out there? Only taking answers from experienced members.

Well, everything seems to be in order now... time to close the thread. Installed Microsoft Security Essentials, which found a simple trojan and some adware, which I knew were there. Got rid of them with ease. Thank you again!
22 replies. Tagged with: rootkit, zeroaccess (and 1 more)

It's working now, thank you! Can I call you Doc?
Farbar Service Scanner Version: 26-07-2012
Ran by William (administrator) on 27-07-2012 at 17:44:14
Running from "C:\Users\William\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Wait! I tried installing updates for Windows, but it fails and I end up with error code 80246008.
My machine is running faster than before. MBAM found nothing. Hooray! I have access to Windows Firewall, Defender, and Update again! Thank you so much! I'll be sure to return if I face any more problems!
Here's the ComboFix log:

ComboFix 12-07-27.03 - William 07/27/2012 16:45:04.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2326 [GMT -5:00]
Running from: c:\users\William\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
C:\LOG7F1.tmp
C:\LOG8.tmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\01d00098f732f640c6a5c8d431515b46.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\049497fd8947e722ae04b02eab871c18.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\067a9fd1541da872bb757c3da6a33d92.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\0783fa07a21528ab730a1df23334399c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\0999dc9d92e75202025b885f39592438.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\0ba4ed06c78b5997716890d067fe2f51.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\0bb985ae9fc3a38262b3fd4c5cb03a3e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\0ccc70e9bd23465e9e97d9445314fa13.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\0d5b5b246d05342352b6c776e1cf5212.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\11e75649feaf8ef009c4ed99aafe8310.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\1ba01a94a454af76ad1d723478b7127d.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\1ec397e7e85d3c521dc4c849c4e3ea0f.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\1f840d5d0d14655c624d157818b7003d.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\24c8b24d8a5c9889dac59d968fa1b8d8.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\251f27bb0e06e757f562bc1dc84a615f.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\25e9c02c9d769d249732f66e042c290e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\28358b19588cf08bbb5de8b51850fe3a.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\288a0b7430370eb282f72b7e015c3c9a.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\28e51fb50e37beadbd134e4ae50e8f63.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\2a066ba87c16f28ec9819e3285252403.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\2c5a2cabd3b78548df720c3ee90efb41.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\2c86ccbe1c6e19b40bb8de244b0ba1e7.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\2d0afc3654f0a438f23598fb84be758c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\2dfb42d5ca2c7ccc627743d095dfbac9.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\2eacacaddf4a71fe74de2b3f14074ac6.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\354c633ff9bf6fb3ecfad0ad65113c47.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\366a8f1bc352313a1074df76fdbce056.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\393e4d90773d8bbc9b905d903b618bdf.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\397bc65516fb1e815aa106a3d14d5305.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\3c1498e5ef362e757dc43d17482960f3.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\3ca41046bcb79924498d631f343d4371.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\461b3a8e7cfacb0c812e36aed9447c6d.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\46ceb001bfdc384ffe00657d8c567973.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\46eb2cd25804a00a1f22c69c4020c7e5.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\47d1dba34092ceb5412ac6f70c51e606.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\485d27cb769c9983f17e3d9eb5d03c5c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\4b377d6eea3966e34c9a3ac2c647e5e5.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\4e216d83dc7da9779966ea4d31e236dd.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\4e6865e0bf7cf90244ce414917cc6556.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\51303604fcc7ede3ff317e6daac0c19a.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\52b483be9d71439ea530fb17638e5382.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\56613b7bd5cb1c3e01ecaa7a811022a9.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\59a83ef1238e50bddcc7caeb618d1824.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\59d3e0ea0c210c7674fea90f5382090c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\5af1fa38e21413b7b2f5c6371f706543.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\5c5edcfe25ff895bc5c6a8d734710c5c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\5f45a68915125fa8ad11a60ebffe29ee.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\6166b09fdf1ac1eaa1ae57a6eb20c03b.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\63eb5d17d60101356a7bbfdaae9afa57.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\654f8818ae39026c29f34808452fb02f.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\69482b1568b01b43c70d0ace76055f7e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\6ab204a5ef9f916fe93d527a421ffdda.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\741983fb8768fa4d118c8ca59f82bb83.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\7cef98e862160d452cf773da8f4e2064.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\7f1d8b588793a67a9e8271b309c497c8.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\82724e37ddf746e5c798c9541a83d990.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\877d5ef68d1b6d7922fd09e955289803.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\8abcdf24b4bfa351f3b767c4232c6d02.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\91a1315c3d05215b1504e5899d32b936.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\9a40bf533c72981026081869543bbde2.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\9a846edeab464b62f0f2a74c54059f0b.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\9c5178781b9775c8036205fa67727330.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\9f9c2aa3ed1b1b0f922524c5a5260d1c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\a26ba057241a8c2ae219a8db7335f51c.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\a67e0c2d6a842bf89983192c7e42d7c7.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\a9583053db1a9b326763e99e2321c517.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\ad63fa05a8e976a9e0939831eb5ba308.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\b2c8a6ebad81932fcbe8461599d71865.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\b527594c48bbaad67924ced89a416e20.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\b86745632d1223fab788478c41828d9a.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\b88e5980318f9688b4348228079f4f04.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\c25b7660062dfaf312f7142d2126cf2e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\c2a9bad2a6f3c5b8aba800c2646abbf0.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\c36f2f770b74dd9e49947e924f85eeea.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\c636b5bf68f8ea6811c91dd569143b63.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\c73959eceda75ddf82609033ed2756e9.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\ccbebc209ee7342ed2a62b6d6e996645.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\d0d1583aaf54f587014b422167bddd89.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\d41d8cd98f00b204e9800998ecf8427e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\d7c0d1ef6446382c3f7bb71308ba122f.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\d8c72d47eaed4bf47aa5d4f291a7c350.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\d909bf9e40d3de9bfa779059a90ff834.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\dc973701a6a9f218f60e389f479684db.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\dcc3ea4461b925db5858951892b5fa12.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\df0ea822d926c8fa5e9401e70f2cea67.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\e09d50f5972f50e03ca6be41cf66e0b5.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\e261f32b2da3462f5a3f10d0e3cb11c7.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\e52ee3c662672a47bf85d717ebb4ae8e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\e5c061252396f14b1dca59f288bf9c20.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\ebc4635e6aeb6c62f3801a378bdfaa4d.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\ecb246b7273dc7466b406d7b8b10c09e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\f63720489499e58792f33295e3dfbf29.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\f9531b586c797615c6b11c5d9e8b7302.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\fd44d831ab115f692f560f8ea07c9868.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\fe5046d3ac6595d8f385d8a45126456e.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\fe6d388665fbc8cdfabaa8dc587839f7.bmp
c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\hgstarter_verinfo.dat
c:\windows\system32\npkpdb.dll
c:\windows\TEMP\logishrd\LVPrcInj02.dll
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
.
Infected copy of c:\windows\System32\winver.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00\winver.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
.
.
2012-07-27 22:00 . 2012-07-27 22:01 -------- d-----w- C:\FRST
2012-07-27 21:55 . 2012-07-27 21:55 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B23C0C53-AA04-4350-B47A-811F61C4B9A9}\offreg.dll
2012-07-27 21:53 . 2012-07-27 21:53 -------- d-----w- c:\users\Park Family\AppData\Local\temp
2012-07-27 21:53 . 2012-07-27 21:55 -------- d-----w- c:\users\William\AppData\Local\temp
2012-07-27 21:53 . 2012-07-27 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-27 18:02 . 2012-07-27 18:02 -------- d-----w- c:\program files\Safari
2012-07-26 11:56 . 2012-07-26 11:56 -------- d-----w- c:\users\William\AppData\Local\Macromedia
2012-07-25 21:19 . 2012-07-27 17:44 -------- d-----w- c:\users\William\AppData\Roaming\.techniclauncher
2012-07-23 19:07 . 2012-07-27 21:55 -------- d-----w- c:\users\William\AppData\Local\LogMeIn Hamachi
2012-07-23 19:06 . 2012-07-23 19:06 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-07-13 19:27 . 2012-07-13 19:27 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-11 18:49 . 2012-07-11 18:49 -------- d-----w- c:\program files\AMD APP
2012-07-11 18:45 . 2012-07-11 18:45 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-11 18:45 . 2012-07-11 18:44 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-11 18:44 . 2012-07-11 18:44 -------- d-----w- c:\program files\Java
2012-07-11 18:43 . 2012-07-11 18:43 -------- d-----w- c:\programdata\McAfee
2012-07-04 10:34 . 2012-07-04 10:34 -------- d-----w- c:\users\William\AppData\Local\ECRSC
2012-07-04 10:34 . 2012-07-04 10:51 -------- d-----w- c:\users\William\AppData\Roaming\ESTsoft
2012-07-04 10:34 . 2012-07-11 21:33 -------- d-----w- c:\program files\ESTsoft
2012-07-04 10:34 . 2012-07-04 10:34 -------- d-----w- c:\programdata\ESTsoft
2012-06-29 22:13 . 2012-06-29 22:13 -------- d-----w- c:\users\William\AppData\Roaming\DivX
2012-06-29 22:13 . 2012-06-29 22:18 -------- d-----w- c:\program files\Common Files\PX Storage Engine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 13:44 . 2011-10-31 02:01 140800 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-07-27 13:44 . 2011-10-31 02:07 283304 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-07-27 13:44 . 2011-10-31 02:01 283304 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-07-27 13:44 . 2011-10-31 02:01 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-07-26 11:16 . 2012-04-04 11:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-26 11:16 . 2011-10-30 12:31 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-11 18:44 . 2011-10-30 16:40 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46 . 2012-04-07 02:11 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-25 11:17 . 2011-10-31 02:01 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-06-25 00:50 . 2011-12-06 23:44 138056 ----a-w- c:\users\William\AppData\Roaming\PnkBstrK.sys
2012-06-25 00:49 . 2012-06-25 00:49 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2012-06-11 18:50 . 2012-06-11 18:50 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-06-11 18:50 . 2012-06-11 18:50 65024 ----a-w- c:\windows\system32\OpenVideo.dll
2012-06-11 18:50 . 2012-06-11 18:50 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-06-11 18:49 . 2012-06-11 18:49 13008896 ----a-w- c:\windows\system32\amdocl.dll
2012-06-02 22:19 . 2012-06-22 20:21 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 20:21 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 20:21 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 20:21 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-22 20:21 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-22 20:21 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-22 20:21 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 20:21 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-22 20:21 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-17 22:45 . 2012-06-13 13:45 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35 . 2012-06-13 13:45 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35 . 2012-06-13 13:45 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29 . 2012-06-13 13:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24 . 2012-06-13 13:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 01:05 . 2012-06-13 10:44 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-05-04 09:59 . 2012-06-13 13:44 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-05-01 04:44 . 2012-06-13 10:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-16 01:15 . 2011-10-30 04:23 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[-] 2010-11-19 . BE8C64439F1E2AF088063218C16EB9FE . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-30 39408]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2008-12-01 380928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2012-01-19 114992]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2012-1-8 294912]
NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111v2.exe [2009-10-10 1728512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 NTAService;Nate Address Search Service;c:\program files\Nate\AddressSearch\ntasvr.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\DRIVERS\PRISMNDS.sys [x]
R3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2w7.sys [x]
R3 XDva391;XDva391;c:\windows\system32\XDva391.sys [x]
R3 XDva392;XDva392;c:\windows\system32\XDva392.sys [x]
R3 XDva393;XDva393;c:\windows\system32\XDva393.sys [x]
R3 XDva397;XDva397;c:\windows\system32\XDva397.sys [x]
R3 XDva398;XDva398;c:\windows\system32\XDva398.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [x]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 npkakl;npkakl;c:\windows\system32\npkakl.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-30 04:16]
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-30 04:16]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311700126-1893408969-2311707057-1003Core.job
- c:\users\William\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 04:16]
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311700126-1893408969-2311707057-1003UA.job
- c:\users\William\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 04:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackl.com/black-google.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: {24F6E6A8-852C-45A8-ADD3-C4AB0D6FD231} - hxxp://plugin.inicis.com/wallet61/INIwallet61_vista.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.samsungcard.co.kr/XecureObject/xw_install.cab
DPF: {811AD393-A55A-4FB8-B13C-9BCC0C3CA86A} - hxxps://vbv.samsungcard.co.kr/besoft/safeon/UsafeOnSamSungCard.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {9709739B-4909-489B-A1F7-148C74F16EEE} - hxxp://s.nx.com/ActiveX/ocx/nxsysinfo.cab
DPF: {B128EFF9-0B1C-4C65-A162-28165A3A0A18} - hxxp://ssl.makeshop.co.kr/ssl/MSecure.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/activex/HanSetup1040.cab
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://comic.naver.com/common/cab/NaverAXGuide.cab
FF - ProfilePath - c:\users\William\AppData\Roaming\Mozilla\Firefox\Profiles\17br2dth.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: network.proxy.type - 0
FF - user.js: extentions.y2layers.installId - b97b0ce6-7c59-45e7-8c0a-9197d3d4d5f2
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
HKCU-Run-Spotify - c:\users\William\AppData\Roaming\Spotify\Spotify.exe
HKLM-Run-jswtrayutil - c:\program files\NETGEAR\WN111v2\jswtrayutil.exe
SafeBoot-53987127.sys
SafeBoot-78182580.sys
AddRemove-Battlelog Web Plugins - c:\program files\Battlelog Web Plugins\uninstall.exe
AddRemove-SoftcampSCSK - c:\windows\system32\UnSCSK.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3980)
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\npkcmsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2012-07-27 17:02:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-27 22:02
.
Pre-Run: 242,427,170,816 bytes free
Post-Run: 249,222,180,864 bytes free
.
- - End Of File - - 483CA60C71EE8A14E7C90AFC754D7563

My PC restarted a few moments after I ran ComboFix... Is that normal?
Here you go!

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-27 16:30:35 Run:2
Running from F:\
==============================================
C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda} moved successfully.
C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====

Here you go:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-27 15:33:56 Run:1
Running from F:\
==============================================
C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe not found.
Could not find C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}C:\Windows\System32\services.exe.
Could not find C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe.
==== End of Fixlog ====

Here's the RogueKiller log!

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: William [Admin rights]
Mode: Scan -- Date: 07/27/2012 14:47:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{098a6706-3321-4926-c724-844ca3898fda}\n --> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{098a6706-3321-4926-c724-844ca3898fda}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{098a6706-3321-4926-c724-844ca3898fda}\U --> FOUND
[ZeroAccess][FILE] @ : c:\users\william\appdata\local\{098a6706-3321-4926-c724-844ca3898fda}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\william\appdata\local\{098a6706-3321-4926-c724-844ca3898fda}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\william\appdata\local\{098a6706-3321-4926-c724-844ca3898fda}\L --> FOUND
[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX
[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-00A7B0 ATA Device +++++
--- User ---
[MBR] 0616268c8f94215f089b3802237da29e
[bSP] fa82828a8829fbd62a898c3cd278c341 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 610469 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

Do you need the RogueKiller Quarantine folder content?
Here's the FRST log:

And the Search log:

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-27 14:20:34
Running from F:\
================== Search: "services.exe" ===================
C:\Windows.old\Windows\system32\services.exe [2008-04-14 04:00] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315
C:\Windows.old\Windows\system32\dllcache\services.exe [2008-04-14 04:00] - [2009-02-06 03:11] - 0110592 ___AC (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315
C:\Windows.old\Windows\$NtUninstallKB956572$\services.exe [2010-03-22 18:18] - [2008-04-14 04:00] - 0108544 ___AC (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185
C:\Windows.old\Windows\$hf_mig$\KB956572\SP3QFE\services.exe [2010-03-22 04:51] - [2009-02-06 03:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===

I'm downloading RogueKiller right now... Will have the log soon!