-
Posts
13 -
Joined
-
Last visited
Reputation
0 NeutralAbout jgladwell
- Birthday 06/13/1977
Profile Information
-
Location
Northwest Arkansas
-
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Thank you very much, I appreciate it! -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Uninstalling USB host controllers and letting them re-detect fixed it. I also found a problem when I tried to run Windows Update. The BITS service was missing so I registered it as a service manually using the "sc" command and Windows is updating again. -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
The log is posted above my question about my USB drive. There were no malicious files found. -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Seems to be running fine. Only weird thing that I have noticed in the last few minutes is the system will not recognize my thumb drive unless I am in Recovery Mode - such as when I was running the FRST.exe tool, my thumb drive was fine. Now, it doesn't show up in Computer. My portable hard drive is fine, that is how I transferred the last log to my laptop. -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.08.08.08 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 mds :: WKS1 [administrator] 8/8/2012 11:54:07 AM mbam-log-2012-08-08 (11-54-07).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 183871 Time elapsed: 3 minute(s), 9 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
ComboFix 12-08-07.05 - mds 08/08/2012 11:26:19.1.2 - x86 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2092 [GMT -5:00] Running from: c:\users\mds\Desktop\ComboFix.exe AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0} FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB} SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D} SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\Downloaded Program Files\popcaploader.dll c:\windows\Downloaded Program Files\popcaploader.inf . . ((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 ))))))))))))))))))))))))))))))) . . 2012-08-08 18:45 . 2012-08-08 18:45 -------- d-----w- C:\FRST 2012-08-08 16:33 . 2012-08-08 16:33 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-08-08 08:14 . 2012-08-08 08:14 -------- d-----w- c:\users\mds\AppData\Local\ElevatedDiagnostics 2012-08-08 04:54 . 2012-08-08 04:54 -------- d-----w- c:\program files\CCleaner 2012-08-07 13:26 . 2012-08-07 13:26 -------- d-----w- C:\VritualRoot 2012-08-07 13:24 . 2012-08-08 16:33 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat 2012-08-07 13:20 . 2012-08-07 13:20 -------- d-----w- c:\programdata\CPA_VA 2012-08-07 13:20 . 2012-08-08 04:49 -------- d-----w- c:\programdata\Comodo 2012-08-07 13:20 . 2012-08-07 13:25 -------- d-----w- c:\program files\COMODO 2012-08-07 13:20 . 2012-08-07 13:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll 2012-08-07 12:19 . 2012-08-07 12:19 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2012-08-06 13:58 . 2012-08-06 13:58 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-08-06 13:48 . 2012-08-07 12:28 -------- d-----w- c:\programdata\036DFF8500015A1400011296F875EF7E 2012-08-06 13:47 . 2012-08-06 13:51 57344 ---ha-w- c:\windows\system32\bcdeator.dll 2012-07-28 15:50 . 2012-07-28 15:50 -------- d-----w- c:\programdata\Adaptive Server Anywhere 9 2012-07-28 15:48 . 1980-01-01 05:00 323408 ----a-w- c:\windows\system32\xceedzip.dll 2012-07-12 08:01 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-12 14:05 . 2012-05-09 14:22 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2012-07-12 14:05 . 2012-05-09 14:22 30624 ----a-w- c:\windows\system32\LMIport.dll 2012-07-12 14:05 . 2012-05-09 14:22 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2012-07-12 14:05 . 2012-05-09 14:22 87456 ----a-w- c:\windows\system32\LMIinit.dll 2012-07-03 18:46 . 2010-12-14 22:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-02 22:19 . 2012-06-21 08:13 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-06-21 08:13 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-06-21 08:13 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-06-21 08:13 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2012-06-21 08:13 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:12 . 2012-06-21 08:13 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12 . 2012-06-21 08:13 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 20:19 . 2012-06-21 08:13 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 20:12 . 2012-06-21 08:13 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-05-21 14:23 . 2012-05-09 14:22 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ChromeFrameHelper"="c:\users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" [2012-07-31 81432] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048] "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\guard32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "mixer4"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FA Reminder.lnk] path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\FA Reminder.lnk backup=c:\windows\pss\FA Reminder.lnk.CommonStartup backupExtension=.CommonStartup . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x] R3 B-Service;B-Service;c:\users\mds\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0DWBUYB\B-Service.exe [x] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x] R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x] S0 botimmov;botimmov;c:\windows\system32\DRIVERS\botimmov.sys [x] S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x] S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x] S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x] S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x] S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x] . . Contents of the 'Scheduled Tasks' folder . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 15:16] . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 15:16] . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000Core.job - c:\users\mds\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-22 00:37] . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000UA.job - c:\users\mds\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-22 00:37] . . ------- Supplementary Scan ------- . uStart Page = https://www1.ushealthrecord.com/rxddsSecure.nsf/weblaunch?OpenAgent&WebUser:b_lorenzWebUserProfile: uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9727FA3001CD2EAA00EFECE2&src_id=30504&camp_id=3906&tb_version=1.2.0000.2(B) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105 Trusted Zone: nw-health.com\citrix TCP: DhcpNameServer = 192.168.140.1 192.168.140.1 TCP: Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285}: NameServer = 68.105.28.11,68.105.28.12 . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'lsass.exe'(592) c:\windows\system32\guard32.dll . - - - - - - - > 'Explorer.exe'(3656) c:\windows\system32\guard32.dll c:\windows\System32\ieframe.dll c:\windows\System32\provsvc.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\taskhost.exe c:\windows\system32\conhost.exe c:\windows\system32\sppsvc.exe . ************************************************************************** . Completion time: 2012-08-08 11:38:08 - machine was rebooted ComboFix-quarantined-files.txt 2012-08-08 16:38 . Pre-Run: 104,357,552,128 bytes free Post-Run: 104,147,628,032 bytes free . - - End Of File - - D1F3535B169DCFC54DD5638E3D5D5ADA -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-08-2012 Ran by SYSTEM at 2012-08-08 11:08:21 Run:1 Running from F:\ ============================================== C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} moved successfully. C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} moved successfully. C:\Windows\assembly\GAC\Desktop.ini moved successfully. C:\Windows\System32\services.exe moved successfully. C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe ==== End of Fixlog ==== -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Farbar Recovery Scan Tool Version: 08-08-2012 Ran by SYSTEM at 2012-08-08 10:47:02 Running from F:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 C:\Windows\System32\services.exe [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9 === End Of Search === -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012 Ran by SYSTEM at 08-08-2012 10:45:37 Running from F:\ Windows 7 Professional (X86) OS Language: English(US) The current controlset is ControlSet001 ========================== Registry (Whitelisted) ============= HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor) HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [37232 2008-06-12] (Adobe Systems Incorporated) HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-06-11] (Adobe Systems Inc.) HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.) HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated) HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2011-09-16] (LogMeIn, Inc.) HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [6749512 2012-03-11] (COMODO) HKU\mds\...\Run: [Google Update] "C:\Users\mds\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-30] (Google Inc.) HKU\mds\...\Run: [ChromeFrameHelper] "C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup [81432 2012-07-30] (Google Inc.) Tcpip\Parameters: [DhcpNameServer] 192.168.140.1 192.168.140.1 AppInit_DLLs: ??Ä?????C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe C:\Windows\system32\guard32.dll Tcpip\..\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285}: [NameServer]68.105.28.11,68.105.28.12 ================================ Services (Whitelisted) ================== 2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [81920 2009-03-31] (Andrea Electronics Corporation) 2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.) 2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [1983232 2012-03-11] (COMODO) 2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation) 2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.) 2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.) 2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2011-09-16] (LogMeIn, Inc.) 3 B-Service; C:\Users\mds\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0DWBUYB\B-Service.exe [x] ========================== Drivers (Whitelisted) ============= 0 botimmov; C:\Windows\System32\DRIVERS\botimmov.sys [47104 2009-07-13] () 1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [19600 2012-03-11] (COMODO) 1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [491816 2012-03-11] (COMODO) 1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [39640 2012-03-11] (COMODO) 1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [82400 2012-02-03] (COMODO) 3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-21] (Broadcom Corporation) 2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2011-09-16] (LogMeIn, Inc.) 3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2011-09-16] (LogMeIn, Inc.) 2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-09-16] (LogMeIn, Inc.) 3 mbamchameleon; \??\C:\Windows\system32\drivers\mbamchameleon.sys [31560 2012-08-07] () 3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation) 1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation) 3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation) 1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation) 4 LMIRfsClientNP; [x] ========================== NetSvcs (Whitelisted) =========== ============ One Month Created Files and Folders ============== 2012-08-08 10:45 - 2012-08-08 10:45 - 00000000 ____D C:\FRST 2012-08-08 04:47 - 2012-08-08 04:47 - 00003105 ____A C:\Users\mds\Desktop\RKreport[1].txt 2012-08-08 04:45 - 2012-08-08 04:47 - 00000000 ____D C:\Users\mds\Desktop\RK_Quarantine 2012-08-08 04:39 - 2012-08-08 04:44 - 00000000 ____D C:\Users\mds\Desktop\Infected 2012-08-08 00:23 - 2012-08-08 06:55 - 00000202 ____A C:\Windows\setupact.log 2012-08-08 00:23 - 2012-08-08 00:23 - 00342600 ____A C:\Windows\System32\FNTCACHE.DAT 2012-08-08 00:23 - 2012-08-08 00:23 - 00001324 ____A C:\Windows\PFRO.log 2012-08-08 00:23 - 2012-08-08 00:23 - 00000000 ____A C:\Windows\setuperr.log 2012-08-08 00:12 - 2012-08-08 00:12 - 00086472 ____A C:\Users\mds\AppData\Local\GDIPFONTCACHEV1.DAT 2012-08-07 20:58 - 2012-08-07 20:58 - 00113012 ____A C:\Users\mds\Documents\cc_20120807_235816.reg 2012-08-07 20:54 - 2012-08-07 20:54 - 03907920 ____A (Piriform Ltd) C:\Users\mds\Downloads\ccsetup321.exe 2012-08-07 20:54 - 2012-08-07 20:54 - 00000967 ____A C:\Users\Public\Desktop\CCleaner.lnk 2012-08-07 20:54 - 2012-08-07 20:54 - 00000000 ____D C:\Program Files\CCleaner 2012-08-07 05:26 - 2012-08-07 05:26 - 00000000 ___HD C:\VritualRoot 2012-08-07 05:24 - 2012-08-08 07:42 - 01474832 ____A C:\Windows\System32\Drivers\sfi.dat 2012-08-07 05:22 - 2012-08-07 05:22 - 00001846 ____A C:\Users\Public\Desktop\COMODO Internet Security.lnk 2012-08-07 05:20 - 2012-08-07 20:49 - 00000000 ____D C:\Users\All Users\Comodo 2012-08-07 05:20 - 2012-08-07 05:25 - 00000000 ____D C:\Program Files\COMODO 2012-08-07 05:20 - 2012-08-07 05:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\System32\gdiplus.dll 2012-08-07 05:20 - 2012-08-07 05:20 - 00000000 ____D C:\Users\All Users\CPA_VA 2012-08-07 05:19 - 2012-08-07 05:17 - 62856768 ____A (COMODO) C:\Users\mds\Desktop\cispremium_installer.exe 2012-08-07 05:14 - 2012-08-08 02:12 - 00000000 ___SD C:\32788R22FWJFW 2012-08-07 04:19 - 2012-08-07 04:19 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2012-08-07 04:18 - 2012-08-07 04:18 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\mds\Downloads\mbam-setup-1.62.0.1300.exe 2012-08-07 04:18 - 2012-08-07 04:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-08-06 05:58 - 2012-08-06 05:58 - 00000000 __SHD C:\Windows\System32\%APPDATA% 2012-08-06 05:48 - 2012-08-07 04:28 - 00000000 ____D C:\Users\All Users\036DFF8500015A1400011296F875EF7E 2012-08-06 05:47 - 2012-08-06 05:51 - 00057344 ___AH (FRISK Software International) C:\Windows\System32\bcdeator.dll 2012-07-28 07:50 - 2012-07-28 07:50 - 00000000 ____D C:\Users\All Users\Adaptive Server Anywhere 9 2012-07-28 07:48 - 2012-07-28 07:50 - 00001015 ____A C:\pwUpdate.log 2012-07-28 07:48 - 1979-12-31 21:00 - 00323408 ____A (Xceed Software Inc (450) 442-2626 zip@xceedsoft.com www.xceedsoft.com) C:\Windows\System32\xceedzip.dll 2012-07-12 00:02 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-07-12 00:02 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-07-12 00:02 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-07-12 00:02 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-07-12 00:02 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-07-12 00:02 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-07-12 00:02 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-07-12 00:02 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-07-12 00:02 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-07-12 00:02 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-07-12 00:02 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-07-12 00:02 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-07-12 00:02 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-07-12 00:02 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-07-12 00:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-07-11 02:26 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-07-11 02:26 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-07-11 02:26 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-07-11 02:26 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-07-11 02:26 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-07-11 02:26 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-07-11 02:26 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-07-11 02:26 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-07-11 02:26 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-07-11 02:26 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll ============ 3 Months Modified Files ======================== 2012-08-08 07:42 - 2012-08-07 05:24 - 01474832 ____A C:\Windows\System32\Drivers\sfi.dat 2012-08-08 07:41 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-08-08 07:41 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-08-08 07:37 - 2009-07-13 20:55 - 01986328 ____A C:\Windows\WindowsUpdate.log 2012-08-08 07:11 - 2011-08-22 13:36 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000UA.job 2012-08-08 07:11 - 2011-08-22 13:36 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000Core.job 2012-08-08 07:07 - 2010-11-01 07:17 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2012-08-08 06:58 - 2010-11-01 07:17 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2012-08-08 06:58 - 2010-08-02 03:45 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI 2012-08-08 06:55 - 2012-08-08 00:23 - 00000202 ____A C:\Windows\setupact.log 2012-08-08 06:54 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-08-08 04:47 - 2012-08-08 04:47 - 00003105 ____A C:\Users\mds\Desktop\RKreport[1].txt 2012-08-08 00:23 - 2012-08-08 00:23 - 00342600 ____A C:\Windows\System32\FNTCACHE.DAT 2012-08-08 00:23 - 2012-08-08 00:23 - 00001324 ____A C:\Windows\PFRO.log 2012-08-08 00:23 - 2012-08-08 00:23 - 00000000 ____A C:\Windows\setuperr.log 2012-08-08 00:12 - 2012-08-08 00:12 - 00086472 ____A C:\Users\mds\AppData\Local\GDIPFONTCACHEV1.DAT 2012-08-07 20:58 - 2012-08-07 20:58 - 00113012 ____A C:\Users\mds\Documents\cc_20120807_235816.reg 2012-08-07 20:54 - 2012-08-07 20:54 - 03907920 ____A (Piriform Ltd) C:\Users\mds\Downloads\ccsetup321.exe 2012-08-07 20:54 - 2012-08-07 20:54 - 00000967 ____A C:\Users\Public\Desktop\CCleaner.lnk 2012-08-07 06:58 - 2011-11-11 06:18 - 00000322 ____A C:\Users\mds\Desktop\ushealthrecord.com Empowering You To Better Manage Your Health (2).url 2012-08-07 05:26 - 2011-12-05 17:07 - 00001945 ____A C:\Windows\epplauncher.mif 2012-08-07 05:22 - 2012-08-07 05:22 - 00001846 ____A C:\Users\Public\Desktop\COMODO Internet Security.lnk 2012-08-07 05:20 - 2012-08-07 05:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\System32\gdiplus.dll 2012-08-07 05:17 - 2012-08-07 05:19 - 62856768 ____A (COMODO) C:\Users\mds\Desktop\cispremium_installer.exe 2012-08-07 04:19 - 2012-08-07 04:19 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2012-08-07 04:18 - 2012-08-07 04:18 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\mds\Downloads\mbam-setup-1.62.0.1300.exe 2012-08-07 04:18 - 2012-08-07 04:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-08-07 04:17 - 2011-12-05 17:00 - 00000751 ____A C:\Windows\System32\urlecgif.dll 2012-08-06 05:51 - 2012-08-06 05:47 - 00057344 ___AH (FRISK Software International) C:\Windows\System32\bcdeator.dll 2012-07-28 07:50 - 2012-07-28 07:48 - 00001015 ____A C:\pwUpdate.log 2012-07-28 07:49 - 2010-10-29 05:17 - 00000586 ____A C:\Users\mds\Desktop\WinOMS CS.lnk 2012-07-28 07:49 - 2010-10-29 05:16 - 00046203 ____A C:\MDSSetup.log 2012-07-20 12:13 - 2012-01-11 07:11 - 00109056 ____A C:\Users\mds\Desktop\Employee absence tracker1.xls 2012-07-13 08:36 - 2010-12-30 08:00 - 00000428 ____A C:\Users\mds\Desktop\Web-Based Email Mail Index Inbox.url 2012-07-12 08:54 - 2010-11-03 12:12 - 00000198 ____A C:\tx.log 2012-07-12 06:05 - 2012-05-09 06:22 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll 2012-07-12 06:05 - 2012-05-09 06:22 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll 2012-07-12 06:05 - 2012-05-09 06:22 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll 2012-07-12 00:01 - 2010-11-02 04:54 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-07-03 10:46 - 2010-12-14 14:20 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2012-06-27 09:34 - 2011-09-21 06:26 - 00002004 ___AH C:\Users\mds\Documents\Default.rdp 2012-06-11 18:40 - 2012-07-12 00:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-06-08 20:41 - 2012-07-11 02:26 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-06-06 07:06 - 2012-06-06 07:06 - 00009290 ____A C:\Users\mds\Desktop\Verify Patients.xlsx 2012-06-05 21:05 - 2012-07-11 02:26 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-06-05 21:05 - 2012-07-11 02:26 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-06-05 21:03 - 2012-07-11 02:26 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2012-06-02 14:19 - 2012-06-21 00:13 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll 2012-06-02 14:12 - 2012-06-21 00:13 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2012-06-02 14:12 - 2012-06-21 00:13 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2012-06-02 12:19 - 2012-06-21 00:13 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2012-06-02 12:12 - 2012-06-21 00:13 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2012-06-02 01:07 - 2012-07-12 00:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-06-02 00:43 - 2012-07-12 00:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-06-02 00:33 - 2012-07-12 00:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-06-02 00:26 - 2012-07-12 00:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-06-02 00:25 - 2012-07-12 00:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-06-02 00:25 - 2012-07-12 00:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-06-02 00:23 - 2012-07-12 00:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-06-02 00:21 - 2012-07-12 00:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-06-02 00:20 - 2012-07-12 00:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-06-02 00:19 - 2012-07-12 00:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-06-02 00:19 - 2012-07-12 00:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-06-02 00:17 - 2012-07-12 00:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-06-02 00:16 - 2012-07-12 00:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-06-02 00:14 - 2012-07-12 00:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-06-01 20:45 - 2012-07-11 02:26 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-06-01 20:45 - 2012-07-11 02:26 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-06-01 20:40 - 2012-07-11 02:26 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-06-01 20:40 - 2012-07-11 02:26 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-06-01 20:39 - 2012-07-11 02:26 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-05-21 10:47 - 2012-05-21 10:47 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 (2) 2012-05-21 10:45 - 2012-05-21 10:45 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 (1) 2012-05-21 10:45 - 2012-05-21 10:45 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 2012-05-21 06:23 - 2012-05-09 06:22 - 00083360 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll.000.bak 2012-05-11 06:50 - 2012-05-11 06:50 - 00062939 ____A C:\Users\mds\Documents\Medicad_All_of_2011.XLS 2012-05-11 06:48 - 2012-05-11 06:48 - 00610469 ____A C:\Users\mds\Documents\visits_all_2011_CHG.XLS 2012-05-11 06:23 - 2012-05-11 06:23 - 00001082 ____A C:\Users\mds\Desktop\My Documents.lnk ZeroAccess: C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L\00000004.@ C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L\201d3dde C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U\00000004.@ C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U\000000cb.@ ZeroAccess: C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U ZeroAccess: C:\Windows\assembly\GAC\Desktop.ini ========================= Known DLLs (Whitelisted) ============ ========================= Bamital & volsnap Check ============ C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!. C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ========================= Memory info ====================== Percentage of memory in use: 15% Total physical RAM: 3070.8 MB Available physical RAM: 2602.12 MB Total Pagefile: 3069.08 MB Available Pagefile: 2605.58 MB Total Virtual: 2047.88 MB Available Virtual: 1970.3 MB ======================= Partitions ========================= 1 Drive c: (OS) (Fixed) (Total:136.58 GB) (Free:97.27 GB) NTFS 3 Drive f: (STORE N GO) (Removable) (Total:29.8 GB) (Free:29.8 GB) FAT32 4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS 5 Drive y: (RECOVERY) (Fixed) (Total:12.39 GB) (Free:7.54 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 149 GB 0 B Disk 1 Online 29 GB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 OEM 39 MB 31 KB Partition 2 Primary 12 GB 40 MB Partition 3 Primary 136 GB 12 GB ================================================================================== Disk: 0 Partition 1 Type : DE Hidden: Yes Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 4 FAT Partition 39 MB Healthy Hidden ================================================================================== Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 Y RECOVERY NTFS Partition 12 GB Healthy ================================================================================== Disk: 0 Partition 3 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 C OS NTFS Partition 136 GB Healthy ================================================================================== Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- * Partition 1 Primary 29 GB 0 B ================================================================================== Disk: 1 There is no partition selected. There is no partition selected. Please select a partition and try again. ================================================================================== ========================================================== Last Boot: 2012-07-27 21:24 ======================= End Of Log ========================== -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
Thanks, I am going to go ahead and proceed with cleanup. It will be a while before I get home with this, but will post the results then. Thank you! -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
RogueKiller V7.6.5 [08/03/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version Started in : Normal mode User: mds [Admin rights] Mode: Scan -- Date: 08/08/2012 07:47:19 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 9 ¤¤¤ [sUSP PATH] HKCU\[...]\Run : ChromeFrameHelper ("C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup) -> FOUND [sUSP PATH] HKUS\S-1-5-21-3142347838-670113208-1110213071-1000[...]\Run : ChromeFrameHelper ("C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup) -> FOUND [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285} : NameServer (68.105.28.11,68.105.28.12) -> FOUND [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285} : NameServer (68.105.28.11,68.105.28.12) -> FOUND [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FILE] @ : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U --> FOUND [ZeroAccess][FOLDER] L : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L --> FOUND [ZeroAccess][FILE] @ : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U --> FOUND [ZeroAccess][FOLDER] L : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND [susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX [ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX ¤¤¤ Driver: [LOADED] ¤¤¤ ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 192.168.140.50 nas # 127.0.0.1 www.facebook.com # 127.0.0.1 blog.facebook.com #127.0.0.1 apps.facebook.com ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: SAMSUNG HD161GJ ATA Device +++++ --- User --- [MBR] e60a1d97352d4de534209e8b79fb6731 [bSP] e38d02d105c9fcba0bf7e3d362d6c927 : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12690 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26071040 | Size: 139856 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[1].txt >> RKreport[1].txt -
Virus in c:\windows\installer and rootkit.0access
jgladwell replied to jgladwell's topic in Resolved Malware Removal Logs
While running either of the DDS files, PEV.DAT crashes over and over. I am running 32bit Win7 -
Can someone help me with this computer? A client of mine bought a new computer and installed it without protection and is now pretty infected. There was a fake antivirus which I *think* I got rid of yesterday, and now there is a search redirector and the Malwarebytes Anti-Malware is reporting rootkit0.access and Comodo Internet Security warns of the infection in c:\windows\installer\ folders. Thanks!