
schmijon (Honorary Members, 35 posts)

Everything posted by schmijon

  1. Please see attached. Thank you. TDSSKiller.2.7.48.0_08.08.2012_16.09.49_log.txt
  2. Please see attached. Stepping out for a bit. Thank you for all your help thus far. RKreport2.txt mbam-log-2012-08-08 (11-07-21).txt
  3. Rebooted to complete deletion of svchost.exe. Ran mbam again; the same trojans are appearing and need a reboot to delete. As far as how the PC is running, it's fine: no slowdowns, pop-ups or redirects. Thank you.
  4. Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.08.08.07

     Windows 7 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Barbara :: THEBEAST [administrator]

     8/8/2012 10:12:12 AM
     mbam-log-2012-08-08 (10-12-12).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 221094
     Time elapsed: 2 minute(s), 17 second(s)

     Memory Processes Detected: 1
     C:\Windows\svchost.exe (Trojan.Agent) -> 4420 -> Delete on reboot.

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

     (end)

     mbam-log-2012-08-08 (10-12-12).txt
  5. Rebooted; ComboFix did not restart again. Attached is the ComboFix file from the first reboot, which had the error. ComboFix.txt
  6. Ran ComboFix as instructed. System rebooted on its own. I logged in and received the error: "Illegal operation attempted on registry key that has been marked for deletion." The ComboFix window is still up saying not to run any programs until it is finished. Should I wait it out, or do I need to reboot until I no longer receive that message? Thank you.
  7. Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
     Ran by SYSTEM at 2012-08-06 23:37:21 Run:1
     Running from H:\

     ==============================================

     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b} moved successfully.
     C:\Windows\System32\services.exe moved successfully.
     C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

     ==== End of Fixlog ====

     Fixlog.txt
  8. Farbar Recovery Scan Tool Version: 05-08-2012 03
     Ran by SYSTEM at 2012-08-06 23:00:08
     Running from H:\

     ================== Search: "services.exe" ===================

     C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
     [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

     C:\Windows\System32\services.exe
     [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

     ====== End Of Search ======

     Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
     Ran by SYSTEM at 06-08-2012 22:55:29
     Running from H:\
     Windows 7 Professional (X64) OS Language: English(US)
     The current controlset is ControlSet001

     ========================== Registry (Whitelisted) =============

     HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-21] (Realtek Semiconductor)
     HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
     HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
     HKLM-x32\...\Run: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [346320 2009-08-04] (DeviceVM, Inc.)
     HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()
     HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-09-25] (NEC Electronics Corporation)
     HKLM-x32\...\Run: [MagicRotation] C:\Program Files (x86)\MagicRotation\MagicPvt.exe [1097728 2007-08-24] (Samsung Electronics, Inc.)
     HKLM-x32\...\Run: [MultiScreen] C:\Program Files (x86)\MultiScreen\MultiScreen.exe [114688 2008-06-30] ()
     HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-26] (Advanced Micro Devices, Inc.)
     HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
     HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2012-02-23] (Apple Inc.)
     HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [135536 2010-12-13] (Microsoft Corporation)
     HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
     HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
     HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
     HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
     HKU\Barbara\...\Run: [Grid] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [376832 2009-08-26] ()
     HKU\Barbara\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2009-08-26] (AMD)
     HKU\Barbara\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17146504 2012-01-31] (Skype Technologies S.A.)
     HKU\Barbara\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
     HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
     Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
     Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
     Startup: C:\Users\All Users\Start Menu\Programs\Startup\GammaTray.lnk
     ShortcutTarget: GammaTray.lnk -> C:\Program Files (x86)\MagicTune Premium\GammaTray.exe ()
     Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
     ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
     Startup: C:\Users\All Users\Start Menu\Programs\Startup\NCProTray.lnk
     ShortcutTarget: NCProTray.lnk -> C:\Program Files (x86)\SEC\Natural Color Pro\NCProTray.exe (Samsung)
     Startup: C:\Users\Barbara\Start Menu\Programs\Startup\Dropbox.lnk
     ShortcutTarget: Dropbox.lnk -> (No File)
     Startup: C:\Users\Barbara\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
     ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

     ==================== Services (Whitelisted) ======

     2 BCUService; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [219360 2009-08-04] (DeviceVM, Inc.)
     2 JMB36X; C:\Windows\SysWOW64\XSrvSetup.exe [65536 2009-08-05] ()
     2 MagicTuneEngine; C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe [45056 2007-08-23] ()
     3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
     2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2011-10-11] ()
     2 Smart TimeLock; C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [114688 2009-10-13] (Gigabyte Technology CO., LTD.)
     ========================== Drivers (Whitelisted) =============

     3 gdrv; \??\C:\Windows\gdrv.sys [25640 2010-03-09] (Windows ® Server 2003 DDK provider)
     3 GVTDrv64; \??\C:\Windows\GVTDrv64.sys [30528 2010-03-02] ()
     3 AODDriver; \??\C:\Program Files (x86)\gigabyte\ET6\amd64\AODDriver.sys [x]
     3 atidgllk; \??\C:\Program Files (x86)\gigabyte\ET6\atidgllk.sys [x]
     3 MagicTune; C:\Windows\System32\drivers\MTiCtwl.sys [x]
     1 NCPro; C:\Windows\system32\drivers\MTictwl.sys [x]

     ========================== NetSvcs (Whitelisted) ===========

     ============ One Month Created Files and Folders ==============

     [one-month created files and folders listing not reproduced]

     ============ 3 Months Modified Files ========================

     [three-month modified files listing not reproduced]

     ZeroAccess:
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\@
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\L
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U\00000001.@
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U\80000000.@
     C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U\800000cb.@

     Possible partition infection: C:\Windows\svchost.exe

     ========================= Known DLLs (Whitelisted) ============

     ========================= Bamital & volsnap Check ============

     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ========================= Memory info ======================

     Percentage of memory in use: 11%
     Total physical RAM: 6142.49 MB
     Available physical RAM: 5412.81 MB
     Total Pagefile: 6140.64 MB
     Available Pagefile: 5393.34 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.9 MB

     ======================= Partitions =========================

     2 Drive c: () (Fixed) (Total:698.54 GB) (Free:595.37 GB) NTFS
     3 Drive d: (New Volume) (Fixed) (Total:931.51 GB) (Free:589.25 GB) NTFS
     6 Drive h: (KINGSTON) (Removable) (Total:7.44 GB) (Free:3.33 GB) FAT32
     7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
     8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

       Disk ###  Status         Size     Free     Dyn  Gpt
       --------  -------------  -------  -------  ---  ---
       Disk 0    Online          698 GB      0 B
       Disk 1    Online          931 GB      0 B
       Disk 2    Online         7635 MB      0 B

     Partitions of Disk 0:
     ===============

       Partition ###  Type              Size     Offset
       -------------  ----------------  -------  -------
       Partition 1    Primary            100 MB  1024 KB
       Partition 2    Primary            698 GB   101 MB

     ==================================================================================

     Disk: 0
     Partition 1
     Type  : 07
     Hidden: No
     Active: Yes

       Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
       ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 2     Y   System Rese  NTFS   Partition    100 MB  Healthy

     ==================================================================================

     Disk: 0
     Partition 2
     Type  : 07
     Hidden: No
     Active: No

       Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
       ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 3     C                NTFS   Partition    698 GB  Healthy

     ==================================================================================

     Partitions of Disk 1:
     ===============

       Partition ###  Type              Size     Offset
       -------------  ----------------  -------  -------
       Partition 1    Primary            931 GB  1024 KB

     ==================================================================================

     Disk: 1
     Partition 1
     Type  : 07
     Hidden: No
     Active: No

       Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
       ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 4     D   New Volume   NTFS   Partition    931 GB  Healthy

     ==================================================================================

     Partitions of Disk 2:
     ===============

       Partition ###  Type              Size     Offset
       -------------  ----------------  -------  -------
       Partition 1    Primary           7631 MB  4032 KB

     ==================================================================================

     Disk: 2
     Partition 1
     Type  : 0B
     Hidden: No
     Active: Yes

       Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
       ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 5     H   KINGSTON     FAT32  Removable   7631 MB  Healthy

     ==================================================================================

     ==========================================================

     Last Boot: 2012-07-27 22:23

     ======================= End Of Log ==========================

     Search.txt FRST.txt
  9. RogueKiller V7.6.5 [08/03/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User: Barbara [Admin rights]
     Mode: Scan -- Date: 08/06/2012 21:30:07

     ¤¤¤ Bad processes: 1 ¤¤¤
     [SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

     ¤¤¤ Registry Entries: 4 ¤¤¤
     [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] @ : c:\windows\installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\windows\installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\windows\installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\L --> FOUND
     [Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     [hosts file entries not reproduced]
     [...]

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD7501AALS-00E8B0 ATA Device +++++
     --- User ---
     [MBR] 6be7603acb5f29029c6a38bea1cf79f6
     [BSP] 6edc8406c0b1ffc4eec2f98f9a508f98 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo
     User = LL1 ... OK!
     User != LL2 ... KO!
     --- LL2 ---
     [MBR] a33db691d5e436651b3c968f2dbee4d7
     [BSP] 6edc8406c0b1ffc4eec2f98f9a508f98 : Windows 7 MBR Code
     Partition table:
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo

     +++++ PhysicalDrive1: Hitachi HDS721010CLA332 ATA Device +++++
     --- User ---
     [MBR] 4d06da31a3ad25adc11e6b85ded88e60
     [BSP] 0e63646ce84dba51a338f6aa7192bf45 : Windows 7 MBR Code
     Partition table:
     0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1].txt >>

     RKreport[1].txt
  10. 1- Started hearing ads played and weird music all of a sudden; thought it was Flash on a webpage I had open.
      2- Happened again with no browser open.
      3- Ran Spybot Search and Destroy; smitfraud.c came up. Attempted to remove; it said to reboot to complete the process.
      4- Rebooted.
      5- Ran Spybot S&D again.
      6- No smitfraud.c, but 2 other trojans. Attempted to remove; it said to reboot to complete the process.
      7- Rebooted.
      8- Steps 5, 6, 7 keep happening.
      9- Came to malwarebytes.org and found this thread regarding smitfraud.c.
      10- Read this thread, and here we are... DDS.txt Attach.txt