jgladwell

Thank you very much, I appreciate it!

Uninstalling USB host controllers and letting them re-detect fixed it. I also found a problem when I tried to run Windows Update. The BITS service was missing so I registered it as a service manually using the "sc" command and Windows is updating again.

The log is posted above my question about my USB drive. There were no malicious files found.

Seems to be running fine. Only weird thing that I have noticed in the last few minutes is the system will not recognize my thumb drive unless I am in Recovery Mode - such as when I was running the FRST.exe tool, my thumb drive was fine. Now, it doesn't show up in Computer. My portable hard drive is fine, that is how I transferred the last log to my laptop.

Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.08.08.08 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 mds :: WKS1 [administrator] 8/8/2012 11:54:07 AM mbam-log-2012-08-08 (11-54-07).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 183871 Time elapsed: 3 minute(s), 9 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)

ComboFix 12-08-07.05 - mds 08/08/2012 11:26:19.1.2 - x86 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2092 [GMT -5:00] Running from: c:\users\mds\Desktop\ComboFix.exe AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0} FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB} SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D} SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\Downloaded Program Files\popcaploader.dll c:\windows\Downloaded Program Files\popcaploader.inf . . ((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 ))))))))))))))))))))))))))))))) . . 2012-08-08 18:45 . 2012-08-08 18:45 -------- d-----w- C:\FRST 2012-08-08 16:33 . 2012-08-08 16:33 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-08-08 08:14 . 2012-08-08 08:14 -------- d-----w- c:\users\mds\AppData\Local\ElevatedDiagnostics 2012-08-08 04:54 . 2012-08-08 04:54 -------- d-----w- c:\program files\CCleaner 2012-08-07 13:26 . 2012-08-07 13:26 -------- d-----w- C:\VritualRoot 2012-08-07 13:24 . 2012-08-08 16:33 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat 2012-08-07 13:20 . 2012-08-07 13:20 -------- d-----w- c:\programdata\CPA_VA 2012-08-07 13:20 . 2012-08-08 04:49 -------- d-----w- c:\programdata\Comodo 2012-08-07 13:20 . 2012-08-07 13:25 -------- d-----w- c:\program files\COMODO 2012-08-07 13:20 . 2012-08-07 13:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll 2012-08-07 12:19 . 2012-08-07 12:19 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2012-08-06 13:58 . 2012-08-06 13:58 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-08-06 13:48 . 2012-08-07 12:28 -------- d-----w- c:\programdata\036DFF8500015A1400011296F875EF7E 2012-08-06 13:47 . 2012-08-06 13:51 57344 ---ha-w- c:\windows\system32\bcdeator.dll 2012-07-28 15:50 . 2012-07-28 15:50 -------- d-----w- c:\programdata\Adaptive Server Anywhere 9 2012-07-28 15:48 . 1980-01-01 05:00 323408 ----a-w- c:\windows\system32\xceedzip.dll 2012-07-12 08:01 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-12 14:05 . 2012-05-09 14:22 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2012-07-12 14:05 . 2012-05-09 14:22 30624 ----a-w- c:\windows\system32\LMIport.dll 2012-07-12 14:05 . 2012-05-09 14:22 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2012-07-12 14:05 . 2012-05-09 14:22 87456 ----a-w- c:\windows\system32\LMIinit.dll 2012-07-03 18:46 . 2010-12-14 22:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-02 22:19 . 2012-06-21 08:13 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-06-21 08:13 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-06-21 08:13 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-06-21 08:13 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2012-06-21 08:13 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:12 . 2012-06-21 08:13 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12 . 2012-06-21 08:13 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 20:19 . 2012-06-21 08:13 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 20:12 . 2012-06-21 08:13 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-05-21 14:23 . 2012-05-09 14:22 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ChromeFrameHelper"="c:\users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" [2012-07-31 81432] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048] "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\guard32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "mixer4"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FA Reminder.lnk] path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\FA Reminder.lnk backup=c:\windows\pss\FA Reminder.lnk.CommonStartup backupExtension=.CommonStartup . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x] R3 B-Service;B-Service;c:\users\mds\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0DWBUYB\B-Service.exe [x] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x] R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x] S0 botimmov;botimmov;c:\windows\system32\DRIVERS\botimmov.sys [x] S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x] S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x] S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x] S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x] S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x] . . Contents of the 'Scheduled Tasks' folder . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 15:16] . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 15:16] . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000Core.job - c:\users\mds\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-22 00:37] . 2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000UA.job - c:\users\mds\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-22 00:37] . . ------- Supplementary Scan ------- . uStart Page = https://www1.ushealthrecord.com/rxddsSecure.nsf/weblaunch?OpenAgent&WebUser:b_lorenzWebUserProfile: uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9727FA3001CD2EAA00EFECE2&src_id=30504&camp_id=3906&tb_version=1.2.0000.2(B) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105 Trusted Zone: nw-health.com\citrix TCP: DhcpNameServer = 192.168.140.1 192.168.140.1 TCP: Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285}: NameServer = 68.105.28.11,68.105.28.12 . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'lsass.exe'(592) c:\windows\system32\guard32.dll . - - - - - - - > 'Explorer.exe'(3656) c:\windows\system32\guard32.dll c:\windows\System32\ieframe.dll c:\windows\System32\provsvc.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\taskhost.exe c:\windows\system32\conhost.exe c:\windows\system32\sppsvc.exe . ************************************************************************** . Completion time: 2012-08-08 11:38:08 - machine was rebooted ComboFix-quarantined-files.txt 2012-08-08 16:38 . Pre-Run: 104,357,552,128 bytes free Post-Run: 104,147,628,032 bytes free . - - End Of File - - D1F3535B169DCFC54DD5638E3D5D5ADA

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-08-2012 Ran by SYSTEM at 2012-08-08 11:08:21 Run:1 Running from F:\ ============================================== C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} moved successfully. C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} moved successfully. C:\Windows\assembly\GAC\Desktop.ini moved successfully. C:\Windows\System32\services.exe moved successfully. C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe ==== End of Fixlog ====

Farbar Recovery Scan Tool Version: 08-08-2012 Ran by SYSTEM at 2012-08-08 10:47:02 Running from F:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 C:\Windows\System32\services.exe [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9 === End Of Search ===

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012 Ran by SYSTEM at 08-08-2012 10:45:37 Running from F:\ Windows 7 Professional (X86) OS Language: English(US) The current controlset is ControlSet001 ========================== Registry (Whitelisted) ============= HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor) HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [37232 2008-06-12] (Adobe Systems Incorporated) HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-06-11] (Adobe Systems Inc.) HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.) HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated) HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2011-09-16] (LogMeIn, Inc.) HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [6749512 2012-03-11] (COMODO) HKU\mds\...\Run: [Google Update] "C:\Users\mds\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-30] (Google Inc.) HKU\mds\...\Run: [ChromeFrameHelper] "C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup [81432 2012-07-30] (Google Inc.) Tcpip\Parameters: [DhcpNameServer] 192.168.140.1 192.168.140.1 AppInit_DLLs: ??Ä?????C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe C:\Windows\system32\guard32.dll Tcpip\..\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285}: [NameServer]68.105.28.11,68.105.28.12 ================================ Services (Whitelisted) ================== 2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [81920 2009-03-31] (Andrea Electronics Corporation) 2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.) 2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [1983232 2012-03-11] (COMODO) 2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation) 2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.) 2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.) 2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2011-09-16] (LogMeIn, Inc.) 3 B-Service; C:\Users\mds\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0DWBUYB\B-Service.exe [x] ========================== Drivers (Whitelisted) ============= 0 botimmov; C:\Windows\System32\DRIVERS\botimmov.sys [47104 2009-07-13] () 1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [19600 2012-03-11] (COMODO) 1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [491816 2012-03-11] (COMODO) 1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [39640 2012-03-11] (COMODO) 1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [82400 2012-02-03] (COMODO) 3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-21] (Broadcom Corporation) 2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2011-09-16] (LogMeIn, Inc.) 3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2011-09-16] (LogMeIn, Inc.) 2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-09-16] (LogMeIn, Inc.) 3 mbamchameleon; \??\C:\Windows\system32\drivers\mbamchameleon.sys [31560 2012-08-07] () 3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation) 1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation) 3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation) 1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation) 4 LMIRfsClientNP; [x] ========================== NetSvcs (Whitelisted) =========== ============ One Month Created Files and Folders ============== 2012-08-08 10:45 - 2012-08-08 10:45 - 00000000 ____D C:\FRST 2012-08-08 04:47 - 2012-08-08 04:47 - 00003105 ____A C:\Users\mds\Desktop\RKreport[1].txt 2012-08-08 04:45 - 2012-08-08 04:47 - 00000000 ____D C:\Users\mds\Desktop\RK_Quarantine 2012-08-08 04:39 - 2012-08-08 04:44 - 00000000 ____D C:\Users\mds\Desktop\Infected 2012-08-08 00:23 - 2012-08-08 06:55 - 00000202 ____A C:\Windows\setupact.log 2012-08-08 00:23 - 2012-08-08 00:23 - 00342600 ____A C:\Windows\System32\FNTCACHE.DAT 2012-08-08 00:23 - 2012-08-08 00:23 - 00001324 ____A C:\Windows\PFRO.log 2012-08-08 00:23 - 2012-08-08 00:23 - 00000000 ____A C:\Windows\setuperr.log 2012-08-08 00:12 - 2012-08-08 00:12 - 00086472 ____A C:\Users\mds\AppData\Local\GDIPFONTCACHEV1.DAT 2012-08-07 20:58 - 2012-08-07 20:58 - 00113012 ____A C:\Users\mds\Documents\cc_20120807_235816.reg 2012-08-07 20:54 - 2012-08-07 20:54 - 03907920 ____A (Piriform Ltd) C:\Users\mds\Downloads\ccsetup321.exe 2012-08-07 20:54 - 2012-08-07 20:54 - 00000967 ____A C:\Users\Public\Desktop\CCleaner.lnk 2012-08-07 20:54 - 2012-08-07 20:54 - 00000000 ____D C:\Program Files\CCleaner 2012-08-07 05:26 - 2012-08-07 05:26 - 00000000 ___HD C:\VritualRoot 2012-08-07 05:24 - 2012-08-08 07:42 - 01474832 ____A C:\Windows\System32\Drivers\sfi.dat 2012-08-07 05:22 - 2012-08-07 05:22 - 00001846 ____A C:\Users\Public\Desktop\COMODO Internet Security.lnk 2012-08-07 05:20 - 2012-08-07 20:49 - 00000000 ____D C:\Users\All Users\Comodo 2012-08-07 05:20 - 2012-08-07 05:25 - 00000000 ____D C:\Program Files\COMODO 2012-08-07 05:20 - 2012-08-07 05:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\System32\gdiplus.dll 2012-08-07 05:20 - 2012-08-07 05:20 - 00000000 ____D C:\Users\All Users\CPA_VA 2012-08-07 05:19 - 2012-08-07 05:17 - 62856768 ____A (COMODO) C:\Users\mds\Desktop\cispremium_installer.exe 2012-08-07 05:14 - 2012-08-08 02:12 - 00000000 ___SD C:\32788R22FWJFW 2012-08-07 04:19 - 2012-08-07 04:19 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2012-08-07 04:18 - 2012-08-07 04:18 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\mds\Downloads\mbam-setup-1.62.0.1300.exe 2012-08-07 04:18 - 2012-08-07 04:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-08-06 05:58 - 2012-08-06 05:58 - 00000000 __SHD C:\Windows\System32\%APPDATA% 2012-08-06 05:48 - 2012-08-07 04:28 - 00000000 ____D C:\Users\All Users\036DFF8500015A1400011296F875EF7E 2012-08-06 05:47 - 2012-08-06 05:51 - 00057344 ___AH (FRISK Software International) C:\Windows\System32\bcdeator.dll 2012-07-28 07:50 - 2012-07-28 07:50 - 00000000 ____D C:\Users\All Users\Adaptive Server Anywhere 9 2012-07-28 07:48 - 2012-07-28 07:50 - 00001015 ____A C:\pwUpdate.log 2012-07-28 07:48 - 1979-12-31 21:00 - 00323408 ____A (Xceed Software Inc (450) 442-2626 zip@xceedsoft.com www.xceedsoft.com) C:\Windows\System32\xceedzip.dll 2012-07-12 00:02 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-07-12 00:02 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-07-12 00:02 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-07-12 00:02 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-07-12 00:02 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-07-12 00:02 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-07-12 00:02 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-07-12 00:02 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-07-12 00:02 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-07-12 00:02 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-07-12 00:02 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-07-12 00:02 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-07-12 00:02 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-07-12 00:02 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-07-12 00:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-07-11 02:26 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-07-11 02:26 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-07-11 02:26 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-07-11 02:26 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-07-11 02:26 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-07-11 02:26 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-07-11 02:26 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-07-11 02:26 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-07-11 02:26 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-07-11 02:26 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll ============ 3 Months Modified Files ======================== 2012-08-08 07:42 - 2012-08-07 05:24 - 01474832 ____A C:\Windows\System32\Drivers\sfi.dat 2012-08-08 07:41 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-08-08 07:41 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-08-08 07:37 - 2009-07-13 20:55 - 01986328 ____A C:\Windows\WindowsUpdate.log 2012-08-08 07:11 - 2011-08-22 13:36 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000UA.job 2012-08-08 07:11 - 2011-08-22 13:36 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000Core.job 2012-08-08 07:07 - 2010-11-01 07:17 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2012-08-08 06:58 - 2010-11-01 07:17 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2012-08-08 06:58 - 2010-08-02 03:45 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI 2012-08-08 06:55 - 2012-08-08 00:23 - 00000202 ____A C:\Windows\setupact.log 2012-08-08 06:54 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-08-08 04:47 - 2012-08-08 04:47 - 00003105 ____A C:\Users\mds\Desktop\RKreport[1].txt 2012-08-08 00:23 - 2012-08-08 00:23 - 00342600 ____A C:\Windows\System32\FNTCACHE.DAT 2012-08-08 00:23 - 2012-08-08 00:23 - 00001324 ____A C:\Windows\PFRO.log 2012-08-08 00:23 - 2012-08-08 00:23 - 00000000 ____A C:\Windows\setuperr.log 2012-08-08 00:12 - 2012-08-08 00:12 - 00086472 ____A C:\Users\mds\AppData\Local\GDIPFONTCACHEV1.DAT 2012-08-07 20:58 - 2012-08-07 20:58 - 00113012 ____A C:\Users\mds\Documents\cc_20120807_235816.reg 2012-08-07 20:54 - 2012-08-07 20:54 - 03907920 ____A (Piriform Ltd) C:\Users\mds\Downloads\ccsetup321.exe 2012-08-07 20:54 - 2012-08-07 20:54 - 00000967 ____A C:\Users\Public\Desktop\CCleaner.lnk 2012-08-07 06:58 - 2011-11-11 06:18 - 00000322 ____A C:\Users\mds\Desktop\ushealthrecord.com Empowering You To Better Manage Your Health (2).url 2012-08-07 05:26 - 2011-12-05 17:07 - 00001945 ____A C:\Windows\epplauncher.mif 2012-08-07 05:22 - 2012-08-07 05:22 - 00001846 ____A C:\Users\Public\Desktop\COMODO Internet Security.lnk 2012-08-07 05:20 - 2012-08-07 05:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\System32\gdiplus.dll 2012-08-07 05:17 - 2012-08-07 05:19 - 62856768 ____A (COMODO) C:\Users\mds\Desktop\cispremium_installer.exe 2012-08-07 04:19 - 2012-08-07 04:19 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2012-08-07 04:18 - 2012-08-07 04:18 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\mds\Downloads\mbam-setup-1.62.0.1300.exe 2012-08-07 04:18 - 2012-08-07 04:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-08-07 04:17 - 2011-12-05 17:00 - 00000751 ____A C:\Windows\System32\urlecgif.dll 2012-08-06 05:51 - 2012-08-06 05:47 - 00057344 ___AH (FRISK Software International) C:\Windows\System32\bcdeator.dll 2012-07-28 07:50 - 2012-07-28 07:48 - 00001015 ____A C:\pwUpdate.log 2012-07-28 07:49 - 2010-10-29 05:17 - 00000586 ____A C:\Users\mds\Desktop\WinOMS CS.lnk 2012-07-28 07:49 - 2010-10-29 05:16 - 00046203 ____A C:\MDSSetup.log 2012-07-20 12:13 - 2012-01-11 07:11 - 00109056 ____A C:\Users\mds\Desktop\Employee absence tracker1.xls 2012-07-13 08:36 - 2010-12-30 08:00 - 00000428 ____A C:\Users\mds\Desktop\Web-Based Email Mail Index Inbox.url 2012-07-12 08:54 - 2010-11-03 12:12 - 00000198 ____A C:\tx.log 2012-07-12 06:05 - 2012-05-09 06:22 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll 2012-07-12 06:05 - 2012-05-09 06:22 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll 2012-07-12 06:05 - 2012-05-09 06:22 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll 2012-07-12 00:01 - 2010-11-02 04:54 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-07-03 10:46 - 2010-12-14 14:20 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2012-06-27 09:34 - 2011-09-21 06:26 - 00002004 ___AH C:\Users\mds\Documents\Default.rdp 2012-06-11 18:40 - 2012-07-12 00:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-06-08 20:41 - 2012-07-11 02:26 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-06-06 07:06 - 2012-06-06 07:06 - 00009290 ____A C:\Users\mds\Desktop\Verify Patients.xlsx 2012-06-05 21:05 - 2012-07-11 02:26 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-06-05 21:05 - 2012-07-11 02:26 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-06-05 21:03 - 2012-07-11 02:26 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2012-06-02 14:19 - 2012-06-21 00:13 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll 2012-06-02 14:19 - 2012-06-21 00:13 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll 2012-06-02 14:12 - 2012-06-21 00:13 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2012-06-02 14:12 - 2012-06-21 00:13 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2012-06-02 12:19 - 2012-06-21 00:13 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2012-06-02 12:12 - 2012-06-21 00:13 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2012-06-02 01:07 - 2012-07-12 00:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-06-02 00:43 - 2012-07-12 00:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-06-02 00:33 - 2012-07-12 00:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-06-02 00:26 - 2012-07-12 00:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-06-02 00:25 - 2012-07-12 00:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-06-02 00:25 - 2012-07-12 00:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-06-02 00:23 - 2012-07-12 00:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-06-02 00:21 - 2012-07-12 00:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-06-02 00:20 - 2012-07-12 00:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-06-02 00:19 - 2012-07-12 00:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-06-02 00:19 - 2012-07-12 00:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-06-02 00:17 - 2012-07-12 00:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-06-02 00:16 - 2012-07-12 00:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-06-02 00:14 - 2012-07-12 00:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-06-01 20:45 - 2012-07-11 02:26 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-06-01 20:45 - 2012-07-11 02:26 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-06-01 20:40 - 2012-07-11 02:26 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-06-01 20:40 - 2012-07-11 02:26 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-06-01 20:39 - 2012-07-11 02:26 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-05-21 10:47 - 2012-05-21 10:47 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 (2) 2012-05-21 10:45 - 2012-05-21 10:45 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 (1) 2012-05-21 10:45 - 2012-05-21 10:45 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 2012-05-21 06:23 - 2012-05-09 06:22 - 00083360 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll.000.bak 2012-05-11 06:50 - 2012-05-11 06:50 - 00062939 ____A C:\Users\mds\Documents\Medicad_All_of_2011.XLS 2012-05-11 06:48 - 2012-05-11 06:48 - 00610469 ____A C:\Users\mds\Documents\visits_all_2011_CHG.XLS 2012-05-11 06:23 - 2012-05-11 06:23 - 00001082 ____A C:\Users\mds\Desktop\My Documents.lnk ZeroAccess: C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L\00000004.@ C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L\201d3dde C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U\00000004.@ C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U\000000cb.@ ZeroAccess: C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U ZeroAccess: C:\Windows\assembly\GAC\Desktop.ini ========================= Known DLLs (Whitelisted) ============ ========================= Bamital & volsnap Check ============ C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!. C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ========================= Memory info ====================== Percentage of memory in use: 15% Total physical RAM: 3070.8 MB Available physical RAM: 2602.12 MB Total Pagefile: 3069.08 MB Available Pagefile: 2605.58 MB Total Virtual: 2047.88 MB Available Virtual: 1970.3 MB ======================= Partitions ========================= 1 Drive c: (OS) (Fixed) (Total:136.58 GB) (Free:97.27 GB) NTFS 3 Drive f: (STORE N GO) (Removable) (Total:29.8 GB) (Free:29.8 GB) FAT32 4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS 5 Drive y: (RECOVERY) (Fixed) (Total:12.39 GB) (Free:7.54 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 149 GB 0 B Disk 1 Online 29 GB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 OEM 39 MB 31 KB Partition 2 Primary 12 GB 40 MB Partition 3 Primary 136 GB 12 GB ================================================================================== Disk: 0 Partition 1 Type : DE Hidden: Yes Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 4 FAT Partition 39 MB Healthy Hidden ================================================================================== Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 Y RECOVERY NTFS Partition 12 GB Healthy ================================================================================== Disk: 0 Partition 3 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 C OS NTFS Partition 136 GB Healthy ================================================================================== Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- * Partition 1 Primary 29 GB 0 B ================================================================================== Disk: 1 There is no partition selected. There is no partition selected. Please select a partition and try again. ================================================================================== ========================================================== Last Boot: 2012-07-27 21:24 ======================= End Of Log ==========================

Thanks, I am going to go ahead and proceed with cleanup. It will be a while before I get home with this, but will post the results then. Thank you!

RogueKiller V7.6.5 [08/03/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version Started in : Normal mode User: mds [Admin rights] Mode: Scan -- Date: 08/08/2012 07:47:19 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 9 ¤¤¤ [sUSP PATH] HKCU\[...]\Run : ChromeFrameHelper ("C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup) -> FOUND [sUSP PATH] HKUS\S-1-5-21-3142347838-670113208-1110213071-1000[...]\Run : ChromeFrameHelper ("C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup) -> FOUND [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285} : NameServer (68.105.28.11,68.105.28.12) -> FOUND [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285} : NameServer (68.105.28.11,68.105.28.12) -> FOUND [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FILE] @ : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U --> FOUND [ZeroAccess][FOLDER] L : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L --> FOUND [ZeroAccess][FILE] @ : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U --> FOUND [ZeroAccess][FOLDER] L : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND [susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX [ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX ¤¤¤ Driver: [LOADED] ¤¤¤ ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 192.168.140.50 nas # 127.0.0.1 www.facebook.com # 127.0.0.1 blog.facebook.com #127.0.0.1 apps.facebook.com ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: SAMSUNG HD161GJ ATA Device +++++ --- User --- [MBR] e60a1d97352d4de534209e8b79fb6731 [bSP] e38d02d105c9fcba0bf7e3d362d6c927 : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12690 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26071040 | Size: 139856 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[1].txt >> RKreport[1].txt

While running either of the DDS files, PEV.DAT crashes over and over. I am running 32bit Win7

Can someone help me with this computer? A client of mine bought a new computer and installed it without protection and is now pretty infected. There was a fake antivirus which I *think* I got rid of yesterday, and now there is a search redirector and the Malwarebytes Anti-Malware is reporting rootkit0.access and Comodo Internet Security warns of the infection in c:\windows\installer\ folders. Thanks!