bromtruy90

Members
Posts: 4
Reputation: 0 Neutral
  1. Thank you for your valuable time. You helped me a great deal. In gratitude for your help, I'll be sure to leave you a little donation.

  2. Thank you. MBAM Quickscan Report:

     Malwarebytes Anti-Malware (Trial) 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.07.22.07

     Windows 7 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Christopher :: CHRIS [administrator]

     Protection: Disabled

     7/22/2012 10:45:26 AM
     mbam-log-2012-07-22 (10-45-26).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 188885
     Time elapsed: 24 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  3. Thank you. ComboFix.txt:

     ComboFix 12-07-21.01 - Christopher 07/22/2012 10:16:11.1.4 - x64
     Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4007.2855 [GMT -4:00]
     Running from: c:\users\Christopher\Desktop\ComboFix.exe
     SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     C:\Install.exe
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-06-22 to 2012-07-22 )))))))))))))))))))))))))))))))
     .
     .
     2012-07-22 14:18 . 2012-07-22 14:18 -------- d-----w- c:\users\Default\AppData\Local\temp
     2012-07-22 13:57 . 2012-07-22 13:57 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBBEBABC-521F-4F58-8427-5B43BC468F84}\offreg.dll
     2012-07-22 13:52 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-07-21 03:55 . 2012-07-21 13:40 -------- d-----w- C:\FRST
     2012-07-21 03:29 . 2012-07-21 03:29 -------- d-----w- c:\users\Christopher\AppData\Roaming\Malwarebytes
     2012-07-21 03:29 . 2012-07-22 13:52 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
     2012-07-21 03:29 . 2012-07-21 03:29 -------- d-----w- c:\programdata\Malwarebytes
     2012-07-19 09:57 . 2012-07-19 09:57 -------- d-----w- c:\windows\SysWow64\%APPDATA%
     2012-07-15 15:41 . 2012-07-22 13:47 -------- d-----w- c:\users\Christopher\AppData\Roaming\mIRC
     2012-07-15 15:41 . 2012-07-16 22:57 -------- d-----w- c:\program files (x86)\mIRC
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-07-15 21:50 . 2012-03-30 17:45 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
     2012-07-15 21:50 . 2011-11-21 02:00 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
     "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
     "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
     "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
     "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
     "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
     "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     .
     R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
     R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 250056]
     R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-03-23 12032]
     R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
     R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
     R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
     R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
     R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
     R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [2011-08-19 30720]
     R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
     R3 VKbms;Razer Gaming Device;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 13312]
     R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\CHRIST~1\AppData\Local\Temp\Rar$EXa0.872\WinRing0x64.sys [x]
     S0 AppleHFS;AppleHFS; [x]
     S0 AppleMNT;AppleMNT; [x]
     S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
     S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2011-07-02 224640]
     S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2011-07-02 111488]
     S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2011-07-02 17752]
     S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2011-07-02 22872]
     S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
     S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-06-10 2655768]
     S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-14 9728]
     S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys [2011-05-19 19456]
     S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [2011-02-01 12288]
     S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [2011-02-01 38912]
     S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys [2011-06-10 18432]
     S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-07-02 317440]
     S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2011-05-25 32256]
     S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
     S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2011-06-10 56344]
     .
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - MBAMPROTECTOR
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:50]
     .
     2012-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 01:58]
     .
     2012-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 01:58]
     .
     2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1162428748-2533749864-4287374698-1000Core.job
     - c:\users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-20 23:23]
     .
     2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1162428748-2533749864-4287374698-1000UA.job
     - c:\users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-20 23:23]
     .
     .
     --------- X64 Entries -----------
     .
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-02 167704]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-02 392472]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-02 416024]
     "Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2011-07-02 741760]
     "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
     "LoadAppInit_DLLs"=0x0
     .
     ------- Supplementary Scan -------
     .
     uLocal Page = c:\windows\system32\blank.htm
     uStart Page = https://www.google.ca/
     mLocal Page = c:\windows\SysWOW64\blank.htm
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
     TCP: DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
     CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
     FF - ProfilePath - c:\users\Christopher\AppData\Roaming\Mozilla\Firefox\Profiles\ff978n4x.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
     FF - prefs.js: network.proxy.type - 0
     .
     - - - - ORPHANS REMOVED - - - -
     .
     URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
     .
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Shockwave Flash Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
     @="0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
     @="ShockwaveFlash.ShockwaveFlash.11"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="ShockwaveFlash.ShockwaveFlash"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Macromedia Flash Factory Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
     @="FlashFactory.FlashFactory.1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="FlashFactory.FlashFactory"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     Completion time: 2012-07-22 10:20:19
     ComboFix-quarantined-files.txt 2012-07-22 14:20
     .
     Pre-Run: 15,502,069,760 bytes free
     Post-Run: 15,215,734,784 bytes free
     .
     - - End Of File - - F1B0F578062FD5070A65223D035B2A28
  4. Thank you. Fixlog.txt:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
     Ran by SYSTEM at 2012-07-22 13:36:03 Run:6
     Running from D:\

     ==============================================

     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53} moved successfully.
     C:\Users\Christopher\AppData\Local\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53} moved successfully.
     C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
     C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
     C:\Windows\System32\services.exe moved successfully.
     C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

     ==== End of Fixlog ====
  5. Like many users here, Malwarebytes has been unsuccessful for me in removing Trojan.Dropper.BCMiner. Randomly, whenever I open a webpage in Internet Explorer, an unexpected pop-up will appear; I assume this is the result of the Trojan. After reading other threads that are directly related to my issue, I've already gone and done the requests made by MrCharlie in other similar threads. Here are my FRST.txt and Search.txt logs:

     FRST.txt

     Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
     Ran by SYSTEM at 21-07-2012 05:40:13
     Running from D:\
     Windows 7 Home Premium (X64) OS Language: English(US)
     The current controlset is ControlSet001

     ========================== Registry (Whitelisted) =============

     HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [167704 2011-07-02] (Intel Corporation)
     HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392472 2011-07-02] (Intel Corporation)
     HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [416024 2011-07-02] (Intel Corporation)
     HKLM\...\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\Bootcamp.exe [741760 2011-07-02] (Apple Inc.)
     HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
     HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
     HKLM-x32\...\Run: [] [x]
     HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)
     HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
     HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
     HKU\Christopher\...\Run: [Google Update] "C:\Users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-20] (Google Inc.)
     Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
     Tcpip\Parameters: [DhcpNameServer] 24.200.243.189 24.200.210.241 24.200.228.113

     ==================== Services (Whitelisted) ======

     2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [224640 2011-07-02] ()
     2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
     2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2012-02-24] ()
     2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2655768 2011-06-09] (Intel Corporation)

     ========================== Drivers (Whitelisted) =============

     3 acpials; C:\Windows\System32\Drivers\acpials.sys [9728 2009-07-13] (Microsoft Corporation)
     3 applemtm; C:\Windows\System32\Drivers\applemtm.sys [12288 2011-01-31] (Apple Inc.)
     3 applemtp; C:\Windows\System32\Drivers\applemtp.sys [38912 2011-01-31] (Apple Inc.)
     3 CirrusFilter; C:\Windows\System32\DRIVERS\CS420x64.sys [18432 2011-06-09] (Cirrus Logic)
     3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA64.sys [14992 2010-02-08] (Cisco Systems, Inc.)
     4 DNE; C:\Windows\System32\DRIVERS\dne64x.sys [157968 2008-11-16] (Deterministic Networks, Inc.)
     3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
     3 tapoas; C:\Windows\System32\Drivers\tapoas.sys [30720 2011-08-18] (The OpenVPN Project)
     3 WinRing0_1_2_0; \??\C:\Users\CHRIST~1\AppData\Local\Temp\Rar$EXa0.872\WinRing0x64.sys [x]

     ========================== NetSvcs (Whitelisted) ===========

     ============ One Month Created Files and Folders ==============

     2012-07-20 19:38 - 2012-07-20 19:38 - 00262144 ____A C:\Windows\Minidump\072012-31247-01.dmp
     2012-07-20 19:38 - 2012-07-20 19:38 - 00000000 ____D C:\Windows\Minidump
     2012-07-20 19:37 - 2012-07-20 19:37 - 607744473 ____A C:\Windows\MEMORY.DMP
     2012-07-20 19:29 - 2012-07-20 19:29 - 00001121 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
     2012-07-20 19:29 - 2012-07-20 19:29 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Malwarebytes
     2012-07-20 19:29 - 2012-07-20 19:29 - 00000000 ____D C:\Users\All Users\Malwarebytes
     2012-07-20 19:29 - 2012-07-20 19:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
     2012-07-20 19:29 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
     2012-07-19 09:55 - 2012-07-19 09:55 - 00148812 ___AH C:\Windows\SysWOW64\mlfcache.dat
     2012-07-19 01:57 - 2012-07-19 01:57 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
     2012-07-15 07:41 - 2012-07-20 19:40 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\mIRC
     2012-07-15 07:41 - 2012-07-20 19:39 - 00000000 ____D C:\Program Files (x86)\mIRC

     ============ 3 Months Modified Files ========================

     2012-07-20 21:28 - 2012-03-30 09:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
     2012-07-20 21:22 - 2011-11-20 17:58 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2012-07-20 21:21 - 2012-03-23 04:28 - 00005096 ____A C:\Windows\setupact.log
     2012-07-20 21:21 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
     2012-07-20 21:14 - 2009-07-13 20:45 - 00014208 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2012-07-20 21:14 - 2009-07-13 20:45 - 00014208 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2012-07-20 21:11 - 2009-07-13 21:13 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
     2012-07-20 21:10 - 2011-11-20 20:05 - 00943209 ____A C:\Windows\WindowsUpdate.log
     2012-07-20 20:44 - 2011-11-20 15:23 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1162428748-2533749864-4287374698-1000UA.job
     2012-07-20 19:55 - 2011-11-20 17:58 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2012-07-20 19:44 - 2012-03-29 22:12 - 00002288 ____A C:\Windows\PFRO.log
     2012-07-20 19:38 - 2012-07-20 19:38 - 00262144 ____A C:\Windows\Minidump\072012-31247-01.dmp
     2012-07-20 19:37 - 2012-07-20 19:37 - 607744473 ____A C:\Windows\MEMORY.DMP
     2012-07-20 19:29 - 2012-07-20 19:29 - 00001121 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
     2012-07-19 09:55 - 2012-07-19 09:55 - 00148812 ___AH C:\Windows\SysWOW64\mlfcache.dat
     2012-07-19 00:44 - 2011-11-20 15:23 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1162428748-2533749864-4287374698-1000Core.job
     2012-07-16 14:59 - 2012-04-26 16:11 - 00013207 ____A C:\Users\Christopher\ovpntray.log
     2012-07-15 13:50 - 2012-03-30 09:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
     2012-07-15 13:50 - 2011-11-20 18:00 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
     2012-07-03 09:46 - 2012-07-20 19:29 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
     2012-05-23 12:16 - 2012-05-23 12:16 - 00001142 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
     2012-05-01 12:18 - 2012-05-06 09:21 - 00046288 ____A C:\Users\Public\Documents\MarkC_Windows7_MouseFix.zip

     ZeroAccess:
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\L
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\L\00000004.@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\L\1afb2d56
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\L\201d3dde
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U\00000004.@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U\00000008.@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U\000000cb.@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U\80000000.@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U\80000032.@
     C:\Windows\Installer\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U\80000064.@

     ZeroAccess:
     C:\Users\Christopher\AppData\Local\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}
     C:\Users\Christopher\AppData\Local\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\@
     C:\Users\Christopher\AppData\Local\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\L
     C:\Users\Christopher\AppData\Local\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\n
     C:\Users\Christopher\AppData\Local\{8ff2dc01-3410-35ac-a5da-a8b9e85fbe53}\U

     ZeroAccess:
     C:\Windows\assembly\GAC_32\Desktop.ini

     ZeroAccess:
     C:\Windows\assembly\GAC_64\Desktop.ini

     ========================= Known DLLs (Whitelisted) ============

     ========================= Bamital & volsnap Check ============

     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe
     014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ========================= Memory info ======================

     Percentage of memory in use: 13%
     Total physical RAM: 4006.73 MB
     Available physical RAM: 3459.89 MB
     Total Pagefile: 4004.88 MB
     Available Pagefile: 3448.69 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.91 MB

     ======================= Partitions =========================

     1 Drive c: (BOOTCAMP) (Fixed) (Total:47 GB) (Free:13.37 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
     2 Drive d: () (Removable) (Total:3.73 GB) (Free:3.54 GB) NTFS
     4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

     Disk ###  Status         Size     Free     Dyn  Gpt
     --------  -------------  -------  -------  ---  ---
     Disk 0    Online          113 GB      0 B
     Disk 1    Online         3822 MB      0 B
     Disk 2    No Media          0 B      0 B

     Partitions of Disk 0:
     ===============

     Partition ###  Type              Size     Offset
     -------------  ----------------  -------  -------
     Partition 1    Primary            200 MB   512 B
     Partition 2    Primary             65 GB   200 MB
     Partition 3    Primary            619 MB    65 GB
     Partition 4    Primary             47 GB    65 GB

     ==================================================================================

     Disk: 0
     Partition 1
     Type  : EE
     Hidden: Yes
     Active: No

     There is no volume associated with this partition.

     ==================================================================================

     Disk: 0
     Partition 2
     Type  : AF
     Hidden: Yes
     Active: No

     There is no volume associated with this partition.

     ==================================================================================

     Disk: 0
     Partition 3
     Type  : AB
     Hidden: Yes
     Active: No

     There is no volume associated with this partition.

     ==================================================================================

     Disk: 0
     Partition 4
     Type  : 07
     Hidden: No
     Active: Yes

     Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
     ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 0     C   BOOTCAMP     NTFS   Partition     47 GB  Healthy

     ==================================================================================

     Partitions of Disk 1:
     ===============

     Partition ###  Type              Size     Offset
     -------------  ----------------  -------  -------
     Partition 1    Primary           3821 MB    64 KB

     ==================================================================================

     Disk: 1
     Partition 1
     Type  : 07
     Hidden: No
     Active: Yes

     Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
     ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 1     D                NTFS   Removable   3821 MB  Healthy

     ==================================================================================

     ==========================================================

     Last Boot: 2012-07-18 12:48

     ======================= End Of Log ==========================

     Search.txt

     Farbar Recovery Scan Tool Version: 20-07-2012 01
     Ran by SYSTEM at 2012-07-21 05:46:04
     Running from D:\

     ================== Search: "services.exe" ===================

     C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
     [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

     C:\Windows\System32\services.exe
     [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

     ====== End Of Search ======