Jump to content

TheRoss

Members
  • Posts

    9
  • Joined

  • Last visited

Everything posted by TheRoss

  1. Thank you for all of your help. You are a gentleman and a scholar. I have to go to bed now but will perform the cleanup tomorrow. I will post here to let you know how the cleanup went. Once again, thank you very much.
  2. Here is the report. Everything seems to be running much better now. Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.08.06.13 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Ross :: SKYNET [administrator] Protection: Enabled 8/6/2012 11:12:10 PM mbam-log-2012-08-06 (23-12-10).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 237146 Time elapsed: 1 minute(s), 30 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
  3. Here is the results of the log file. Just testing the internet already seems much better. ComboFix 12-08-05.02 - Ross 08/06/2012 22:39:00.1.8 - x64 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8183.6615 [GMT -4:00] Running from: c:\users\Ross\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-07-07 to 2012-08-07 ))))))))))))))))))))))))))))))) . . 2012-08-07 04:54 . 2012-08-07 04:54 -------- d-----w- C:\FRST 2012-08-07 02:43 . 2012-08-07 02:43 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-08-06 13:45 . 2012-08-06 13:45 -------- d-sh--w- c:\windows\SysWow64\%APPDATA% 2012-08-05 15:29 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FA9F97FC-D969-4B33-93DE-5C29EE8740EE}\mpengine.dll 2012-08-05 05:41 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-07-13 07:04 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys 2012-07-13 07:01 . 2012-06-02 11:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-07-13 07:01 . 2012-06-02 08:16 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2012-07-13 07:01 . 2012-06-02 12:52 174200 ----a-w- c:\program files\Internet Explorer\sqmapi.dll 2012-07-13 07:01 . 2012-06-02 12:04 237056 ----a-w- c:\windows\system32\url.dll 2012-07-13 07:01 . 2012-06-02 12:03 548864 ----a-w- c:\program files\Internet Explorer\ieproxy.dll 2012-07-13 07:01 . 2012-06-02 11:57 96768 ----a-w- c:\windows\system32\mshtmled.dll 2012-07-13 07:01 . 2012-06-02 09:08 140920 ----a-w- c:\program files (x86)\Internet Explorer\sqmapi.dll 2012-07-13 07:01 . 2012-06-02 08:22 194560 ----a-w- c:\program files (x86)\Internet Explorer\ieproxy.dll 2012-07-13 02:33 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll 2012-07-13 02:33 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll 2012-07-13 02:33 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll 2012-07-13 02:33 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll 2012-07-13 02:33 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll 2012-07-13 02:33 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-08-07 02:45 . 2011-01-17 11:39 25640 ----a-w- c:\windows\gdrv.sys 2012-08-02 21:53 . 2012-04-12 12:31 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-08-02 21:53 . 2011-06-03 13:58 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-13 07:01 . 2011-01-19 22:55 59701280 ----a-w- c:\windows\system32\MRT.exe 2012-07-03 17:46 . 2011-12-16 19:21 24904 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-02 22:19 . 2012-07-02 13:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-07-02 13:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:19 . 2012-07-02 13:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-07-02 13:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-07-02 13:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:15 . 2012-07-02 13:19 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:15 . 2012-07-02 13:19 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 19:19 . 2012-07-02 13:18 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 19:15 . 2012-07-02 13:18 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-05-22 13:15 . 2012-05-22 13:15 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll 2012-05-22 13:15 . 2012-05-22 13:15 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184] "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000] "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696] "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-10-21 106496] "ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920] "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040] "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-05-12 300472] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888] "TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-05-22 296056] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux1"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R0 is3srv;is3srv;c:\windows\SySWOW64\drivers\is3srv64.sys [2011-09-26 74768] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-02 250056] R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272] R3 etdrv;etdrv;c:\windows\etdrv.sys [2011-09-15 25640] R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2011-09-23 30528] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696] R3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-12-08 14944] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-18 1255736] S0 szkg5;szkg5;c:\windows\SySWOW64\DRIVERS\szkg64.sys [2011-09-26 74768] S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2010-04-27 21544] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-15 223464] S2 DES2 Service;DES2 Service for Energy Saving.;c:\program files (x86)\GIGABYTE\EnergySaver2\des2svr.exe [2009-06-17 68136] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944] S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504] S2 Smart TimeLock;Smart TimeLock Service;c:\program files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [2009-10-13 114688] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904] S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-10-26 75264] S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-10-26 176640] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-09-07 155752] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-04 346144] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-08-06 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 21:53] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-26 10135584] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096] "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: clonewarsadventures.com Trusted Zone: download.com Trusted Zone: draftanalyzer.com Trusted Zone: freerealms.com Trusted Zone: go.com\games.espn Trusted Zone: soe.com Trusted Zone: sony.com TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67 . - - - - ORPHANS REMOVED - - - - . SafeBoot-MsMpSvc HKLM-Run-LogMeIn GUI - c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe AddRemove-RealPlayer 15.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe . ************************************************************************** . Completion time: 2012-08-06 22:50:59 - machine was rebooted ComboFix-quarantined-files.txt 2012-08-07 02:50 . Pre-Run: 779,128,918,016 bytes free Post-Run: 779,103,043,584 bytes free . - - End Of File - - 64680591FEA0F8F104A9392DEB4833B3
  4. Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03 Ran by SYSTEM at 2012-08-06 21:29:59 Run:1 Running from F:\ ============================================== C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64} moved successfully. C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64} moved successfully. C:\Windows\assembly\GAC_32\Desktop.ini moved successfully. C:\Windows\assembly\GAC_64\Desktop.ini moved successfully. C:\Windows\System32\services.exe moved successfully. C:\Windows\system64\services.exe copied successfully to C:\Windows\System32\services.exe ==== End of Fixlog ====
  5. I don't see anything in the code box. Do I paste the text that is in the fixlist.txt file?
  6. Here is the text from FRST.txt Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03 Ran by SYSTEM at 06-08-2012 20:54:17 Running from F:\ Windows 7 Home Premium (X64) OS Language: English(US) The current controlset is ControlSet001 ========================== Registry (Whitelisted) ============= HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10135584 2010-03-26] (Realtek Semiconductor) HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2782096 2010-07-25] (CANON INC.) HKLM\...\Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-09-03] (CANON INC.) HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [x] HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation) HKLM-x32\...\Run: [bCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [375000 2009-10-15] (DeviceVM, Inc.) HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation) HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-10-20] (NEC Electronics Corporation) HKLM-x32\...\Run: [iSUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-02-17] (InstallShield Software Corporation) HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation) HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [300472 2010-05-12] (Citrix Systems, Inc.) HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated) HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.) HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.) HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296056 2012-05-22] (RealNetworks, Inc.) HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.) HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation) HKU\Ross\...\Run: [iSUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2005-02-17] (InstallShield Software Corporation) HKU\Ross\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.) Tcpip\Parameters: [DhcpNameServer] 97.81.22.195 71.92.29.130 24.217.201.67 ==================== Services (Whitelisted) ====== 3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] () 2 BCUService; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [223464 2009-10-15] (DeviceVM, Inc.) 2 DES2 Service; "C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe" [68136 2009-06-17] () 2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation) 3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation) 2 Smart TimeLock; C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [114688 2009-10-13] (Gigabyte Technology CO., LTD.) 2 szserver; "C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe" [67408 2012-04-04] (iS3, Inc.) ========================== Drivers (Whitelisted) ============= 1 AppleCharger; C:\Windows\System32\Drivers\AppleCharger.sys [21544 2010-04-27] () 3 etdrv; \??\C:\Windows\etdrv.sys [25640 2011-09-15] (Windows ® Server 2003 DDK provider) 3 gdrv; \??\C:\Windows\gdrv.sys [25640 2012-08-06] (Windows ® Server 2003 DDK provider) 3 GVTDrv64; \??\C:\Windows\GVTDrv64.sys [30528 2011-09-23] () 0 is3srv; C:\Windows\SysWow64\drivers\is3srv64.sys [74768 2011-09-26] (iS3 Inc.) 3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2010-09-17] (LogMeIn, Inc.) 2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2010-09-17] (LogMeIn, Inc.) 3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation) 3 radpms; C:\Windows\System32\Drivers\radpms.sys [14944 2010-12-08] (LogMeIn, Inc.) 0 szkg5; C:\Windows\SysWow64\DRIVERS\szkg64.sys [74768 2011-09-26] (iS3 Inc.) 2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x] 4 LMIRfsClientNP; [x] ========================== NetSvcs (Whitelisted) =========== ============ One Month Created Files and Folders ============== 2012-08-06 20:54 - 2012-08-06 20:54 - 00000000 ____D C:\FRST 2012-08-06 16:47 - 2012-08-06 16:44 - 01439659 ____A (Farbar) C:\Users\Ross\Desktop\FRST64.exe 2012-08-06 16:30 - 2012-08-06 16:30 - 00002452 ____A C:\Users\Ross\Desktop\RKreport[1].txt 2012-08-06 16:29 - 2012-08-06 16:30 - 00000000 ____D C:\Users\Ross\Desktop\RK_Quarantine 2012-08-06 16:28 - 2012-08-06 16:28 - 01552896 ____A C:\Users\Ross\Desktop\RogueKiller.exe 2012-08-06 16:14 - 2012-08-06 16:14 - 00019827 ____A C:\Users\Ross\Desktop\DDS.txt 2012-08-06 16:14 - 2012-08-06 16:14 - 00010731 ____A C:\Users\Ross\Desktop\Attach.txt 2012-08-06 16:12 - 2012-08-06 16:13 - 00607260 ____R (Swearware) C:\Users\Ross\Desktop\dds.scr 2012-08-06 15:30 - 2012-08-06 15:36 - 00000976 ____A C:\Windows\System32\Drivers\kgpfr2.cfg 2012-08-06 15:25 - 2012-08-06 16:47 - 00001144 ____A C:\Windows\System32\Drivers\kgpcpy.cfg 2012-08-06 15:17 - 2012-08-06 15:17 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-08-06 15:14 - 2012-08-06 15:14 - 00282224 ____A C:\Windows\Minidump\080612-36020-01.dmp 2012-08-06 15:09 - 2012-08-06 15:09 - 00282224 ____A C:\Windows\Minidump\080612-35849-01.dmp 2012-08-06 15:05 - 2012-08-06 15:05 - 00282144 ____A C:\Windows\Minidump\080612-33571-01.dmp 2012-08-06 14:53 - 2012-08-06 14:53 - 00282608 ____A C:\Windows\Minidump\080612-18517-01.dmp 2012-08-06 05:45 - 2012-08-06 05:45 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA% 2012-08-06 05:37 - 2012-08-06 10:37 - 00001384 ____A C:\Windows\SysWOW64\Drivers\kgpfr2.cfg 2012-07-12 23:04 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-07-12 23:01 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-07-12 23:01 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-07-12 23:01 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-07-12 23:01 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-07-12 23:01 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-07-12 23:01 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-07-12 23:00 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-07-12 23:00 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-07-12 23:00 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-07-12 23:00 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-07-12 23:00 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-07-12 23:00 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-07-12 23:00 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-07-12 23:00 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-07-12 23:00 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-07-12 23:00 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-07-12 23:00 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-07-12 23:00 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-07-12 23:00 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-07-12 23:00 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-07-12 23:00 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-07-12 23:00 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-07-12 23:00 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-07-12 23:00 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-07-12 23:00 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-07-12 23:00 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-07-12 23:00 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-07-12 23:00 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-07-12 18:33 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-07-12 18:33 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-07-12 18:33 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll 2012-07-12 18:33 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2012-07-12 18:33 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll 2012-07-12 18:33 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll 2012-07-12 18:32 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-07-12 18:32 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll 2012-07-12 18:32 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-07-12 18:32 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll 2012-07-12 18:32 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-07-12 18:32 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-07-12 18:32 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-07-12 18:32 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-07-12 18:32 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-07-12 18:32 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2012-07-12 18:32 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2012-07-12 18:32 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2012-07-12 18:32 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll ============ 3 Months Modified Files ======================== 2012-08-06 16:47 - 2012-08-06 15:25 - 00001144 ____A C:\Windows\System32\Drivers\kgpcpy.cfg 2012-08-06 16:44 - 2012-08-06 16:47 - 01439659 ____A (Farbar) C:\Users\Ross\Desktop\FRST64.exe 2012-08-06 16:36 - 2011-01-17 03:28 - 01250961 ____A C:\Windows\WindowsUpdate.log 2012-08-06 16:30 - 2012-08-06 16:30 - 00002452 ____A C:\Users\Ross\Desktop\RKreport[1].txt 2012-08-06 16:28 - 2012-08-06 16:28 - 01552896 ____A C:\Users\Ross\Desktop\RogueKiller.exe 2012-08-06 16:14 - 2012-08-06 16:14 - 00019827 ____A C:\Users\Ross\Desktop\DDS.txt 2012-08-06 16:14 - 2012-08-06 16:14 - 00010731 ____A C:\Users\Ross\Desktop\Attach.txt 2012-08-06 16:13 - 2012-08-06 16:12 - 00607260 ____R (Swearware) C:\Users\Ross\Desktop\dds.scr 2012-08-06 16:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At42.job 2012-08-06 16:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At41.job 2012-08-06 15:53 - 2012-04-12 04:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2012-08-06 15:36 - 2012-08-06 15:30 - 00000976 ____A C:\Windows\System32\Drivers\kgpfr2.cfg 2012-08-06 15:32 - 2009-07-13 21:13 - 00786532 ____A C:\Windows\System32\PerfStringBackup.INI 2012-08-06 15:32 - 2009-07-13 20:45 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-08-06 15:32 - 2009-07-13 20:45 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-08-06 15:25 - 2011-01-17 03:39 - 00025640 ____A (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys 2012-08-06 15:25 - 2011-01-16 19:28 - 00015872 ____A C:\Windows\PFRO.log 2012-08-06 15:25 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-08-06 15:25 - 2009-07-13 20:51 - 00036972 ____A C:\Windows\setupact.log 2012-08-06 15:17 - 2012-08-06 15:17 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-08-06 15:14 - 2012-08-06 15:14 - 00282224 ____A C:\Windows\Minidump\080612-36020-01.dmp 2012-08-06 15:13 - 2012-02-13 05:35 - 568772715 ____A C:\Windows\MEMORY.DMP 2012-08-06 15:09 - 2012-08-06 15:09 - 00282224 ____A C:\Windows\Minidump\080612-35849-01.dmp 2012-08-06 15:05 - 2012-08-06 15:05 - 00282144 ____A C:\Windows\Minidump\080612-33571-01.dmp 2012-08-06 15:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At40.job 2012-08-06 15:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At39.job 2012-08-06 14:53 - 2012-08-06 14:53 - 00282608 ____A C:\Windows\Minidump\080612-18517-01.dmp 2012-08-06 14:49 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At31.job 2012-08-06 14:27 - 2011-12-17 08:02 - 00000016 ____A C:\Windows\System32\config\software.szfi 2012-08-06 14:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At38.job 2012-08-06 14:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At37.job 2012-08-06 13:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At36.job 2012-08-06 13:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At35.job 2012-08-06 12:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At34.job 2012-08-06 12:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At33.job 2012-08-06 11:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At32.job 2012-08-06 10:37 - 2012-08-06 05:37 - 00001384 ____A C:\Windows\SysWOW64\Drivers\kgpfr2.cfg 2012-08-06 10:18 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At30.job 2012-08-06 10:18 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At28.job 2012-08-06 10:18 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At26.job 2012-08-06 10:18 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At29.job 2012-08-06 10:18 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At27.job 2012-08-06 10:18 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At25.job 2012-08-05 19:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At48.job 2012-08-05 19:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At47.job 2012-08-05 18:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At46.job 2012-08-05 18:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At45.job 2012-08-05 17:00 - 2011-12-16 11:02 - 00000348 ____A C:\Windows\Tasks\At44.job 2012-08-05 17:00 - 2011-12-16 11:02 - 00000346 ____A C:\Windows\Tasks\At43.job 2012-08-02 13:53 - 2012-04-12 04:31 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2012-08-02 13:53 - 2011-06-03 05:58 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2012-07-12 23:22 - 2009-07-13 20:45 - 00413312 ____A C:\Windows\System32\FNTCACHE.DAT 2012-07-12 23:03 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini 2012-07-12 23:01 - 2011-01-19 14:55 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-07-03 12:42 - 2012-06-12 11:16 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk 2012-07-03 09:46 - 2011-12-16 11:21 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2012-06-11 19:08 - 2012-07-12 23:04 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-06-08 21:43 - 2012-07-12 18:32 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-06-08 20:41 - 2012-07-12 18:32 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll 2012-06-05 22:06 - 2012-07-12 18:33 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-06-05 22:06 - 2012-07-12 18:33 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-06-05 22:02 - 2012-07-12 18:32 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-06-05 21:05 - 2012-07-12 18:33 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll 2012-06-05 21:05 - 2012-07-12 18:33 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2012-06-05 21:03 - 2012-07-12 18:32 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll 2012-06-04 12:34 - 2012-06-04 10:17 - 00002588 ____A C:\Users\Ross\Desktop\DC Universe Online Live.lnk 2012-06-02 14:19 - 2012-07-02 05:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2012-06-02 14:19 - 2012-07-02 05:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2012-06-02 14:19 - 2012-07-02 05:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2012-06-02 14:19 - 2012-07-02 05:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll 2012-06-02 14:19 - 2012-07-02 05:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll 2012-06-02 14:15 - 2012-07-02 05:19 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2012-06-02 14:15 - 2012-07-02 05:19 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2012-06-02 11:19 - 2012-07-02 05:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2012-06-02 11:15 - 2012-07-02 05:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2012-06-02 04:49 - 2012-07-12 23:00 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-06-02 04:17 - 2012-07-12 23:00 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-06-02 04:12 - 2012-07-12 23:00 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-06-02 04:05 - 2012-07-12 23:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-06-02 04:05 - 2012-07-12 23:00 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-06-02 04:04 - 2012-07-12 23:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-06-02 04:04 - 2012-07-12 23:00 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-06-02 04:03 - 2012-07-12 23:00 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-06-02 04:01 - 2012-07-12 23:00 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-06-02 04:00 - 2012-07-12 23:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-06-02 03:59 - 2012-07-12 23:00 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-06-02 03:57 - 2012-07-12 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-06-02 03:57 - 2012-07-12 23:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-06-02 03:54 - 2012-07-12 23:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-06-02 01:07 - 2012-07-12 23:00 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-06-02 00:43 - 2012-07-12 23:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-06-02 00:33 - 2012-07-12 23:00 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-06-02 00:26 - 2012-07-12 23:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-06-02 00:25 - 2012-07-12 23:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-06-02 00:25 - 2012-07-12 23:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-06-02 00:23 - 2012-07-12 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-06-02 00:21 - 2012-07-12 23:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-06-02 00:20 - 2012-07-12 23:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-06-02 00:19 - 2012-07-12 23:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-06-02 00:19 - 2012-07-12 23:00 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-06-02 00:17 - 2012-07-12 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-06-02 00:16 - 2012-07-12 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-06-02 00:14 - 2012-07-12 23:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-06-01 21:50 - 2012-07-12 18:32 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-06-01 21:48 - 2012-07-12 18:32 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-06-01 21:48 - 2012-07-12 18:32 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-06-01 21:45 - 2012-07-12 18:32 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-06-01 21:44 - 2012-07-12 18:32 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-06-01 20:40 - 2012-07-12 18:32 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2012-06-01 20:40 - 2012-07-12 18:32 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2012-06-01 20:39 - 2012-07-12 18:32 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2012-06-01 20:34 - 2012-07-12 18:32 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll 2012-05-22 09:13 - 2012-05-22 09:13 - 00290656 ____A C:\Windows\Minidump\052212-22682-01.dmp 2012-05-22 05:15 - 2012-05-22 05:15 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll 2012-05-22 05:15 - 2012-05-22 05:15 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll 2012-05-22 05:15 - 2012-05-22 05:15 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll 2012-05-22 05:15 - 2012-05-22 05:15 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll 2012-05-22 05:15 - 2012-05-22 05:15 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll 2012-05-22 05:15 - 2012-05-22 05:15 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll ZeroAccess: C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64} C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\L C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\L\00000004.@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\L\201d3dde C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\00000004.@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\00000008.@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\000000cb.@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\80000000.@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\80000032.@ C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\80000064.@ ZeroAccess: C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64} C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\@ C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\L C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\n C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U ZeroAccess: C:\Windows\assembly\GAC_32\Desktop.ini ZeroAccess: C:\Windows\assembly\GAC_64\Desktop.ini ========================= Known DLLs (Whitelisted) ============ ========================= Bamital & volsnap Check ============ C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!. C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ========================= Memory info ====================== Percentage of memory in use: 10% Total physical RAM: 8183.42 MB Available physical RAM: 7363.34 MB Total Pagefile: 8181.57 MB Available Pagefile: 7346.77 MB Total Virtual: 8192 MB Available Virtual: 8191.9 MB ======================= Partitions ========================= 1 Drive c: () (Fixed) (Total:931.41 GB) (Free:725.97 GB) NTFS 3 Drive f: (My Passport) (Fixed) (Total:298.08 GB) (Free:254.65 GB) NTFS 4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS 5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 931 GB 0 B Disk 1 Online 298 GB 9 MB Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 100 MB 1024 KB Partition 2 Primary 931 GB 101 MB ================================================================================== Disk: 0 Partition 1 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 Y System Rese NTFS Partition 100 MB Healthy ================================================================================== Disk: 0 Partition 2 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 C NTFS Partition 931 GB Healthy ================================================================================== Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 298 GB 31 KB ================================================================================== Disk: 1 Partition 1 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 3 F My Passport NTFS Partition 298 GB Healthy ================================================================================== ========================================================== Last Boot: 2012-08-04 19:39 ======================= End Of Log ========================== Here is the text from SEARCH.txt Farbar Recovery Scan Tool Version: 05-08-2012 03 Ran by SYSTEM at 2012-08-06 20:55:34 Running from F:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\system64\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\System32\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06 ====== End Of Search ======
  7. Here is the text from the report. RogueKiller V7.6.5 [08/03/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User: Ross [Admin rights] Mode: Scan -- Date: 08/06/2012 20:30:05 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 5 ¤¤¤ [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Ross\AppData\Local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\n.) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FILE] @ : c:\windows\installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\windows\installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U --> FOUND [ZeroAccess][FOLDER] L : c:\windows\installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\L --> FOUND [ZeroAccess][FILE] n : c:\users\ross\appdata\local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\n --> FOUND [ZeroAccess][FILE] @ : c:\users\ross\appdata\local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\users\ross\appdata\local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U --> FOUND [ZeroAccess][FOLDER] L : c:\users\ross\appdata\local\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\L --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND [susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX ¤¤¤ Driver: [NOT LOADED] ¤¤¤ ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ::1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A0 +++++ --- User --- [MBR] 06893dc73fbb6d02557cfd2ec88a0627 [bSP] 4c8017eb2affdfe6f8e9680524d0398d : Windows 7 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[1].txt >> RKreport[1].txt
  8. Apologies for posting again. I missed up the first time and didn't attach the files. I didn't see a way to edit it. I hope I di it right this time. Malware Bytes and Stopzilla recently detected the sirefef rootkit. I havae a Windows 7 64 home. Removing it and rebooting it does not work, as it returns during another scan. System restore fails to a blue screen and memory dump. Any help removing this safely is greatly appreciated. Here is the text from the detection log. Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.08.06.13 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Ross :: SKYNET [administrator] Protection: Enabled 8/6/2012 7:28:13 PM mbam-log-2012-08-06 (19-41-55).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 235698 Time elapsed: 2 minute(s), 18 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 3 C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken. C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\000000cb.@ (Rootkit.0Access) -> No action taken. C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\80000032.@ (Rootkit.0Access) -> No action taken. (end) Attach.txt DDS.txt
  9. Malware Bytes and Stopzilla recently detected the sirefef rootkit. I havae a Windows 7 64 home. Removing it and rebooting it does not work, as it returns during another scan. System restore fails to a blue screen and memory dump. Any help removing this safely is greatly appreciated. Here is the text from the detection log. Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.08.06.13 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Ross :: SKYNET [administrator] Protection: Enabled 8/6/2012 7:28:13 PM mbam-log-2012-08-06 (19-41-55).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 235698 Time elapsed: 2 minute(s), 18 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 3 C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken. C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\000000cb.@ (Rootkit.0Access) -> No action taken. C:\Windows\Installer\{8bf14eb0-88ce-f2e1-fa1a-7713993e0f64}\U\80000032.@ (Rootkit.0Access) -> No action taken. (end)
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.