jgladwell

Members
  • Posts

    13
  • Joined

  • Last visited

Posts posted by jgladwell

  1. Malwarebytes Anti-Malware 1.62.0.1300

    www.malwarebytes.org

    Database version: v2012.08.08.08

    Windows 7 Service Pack 1 x86 NTFS

    Internet Explorer 9.0.8112.16421

    mds :: WKS1 [administrator]

    8/8/2012 11:54:07 AM

    mbam-log-2012-08-08 (11-54-07).txt

    Scan type: Quick scan

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

    Scan options disabled: P2P

    Objects scanned: 183871

    Time elapsed: 3 minute(s), 9 second(s)

    Memory Processes Detected: 0

    (No malicious items detected)

    Memory Modules Detected: 0

    (No malicious items detected)

    Registry Keys Detected: 0

    (No malicious items detected)

    Registry Values Detected: 0

    (No malicious items detected)

    Registry Data Items Detected: 0

    (No malicious items detected)

    Folders Detected: 0

    (No malicious items detected)

    Files Detected: 0

    (No malicious items detected)

    (end)

  2. ComboFix 12-08-07.05 - mds 08/08/2012 11:26:19.1.2 - x86

    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2092 [GMT -5:00]

    Running from: c:\users\mds\Desktop\ComboFix.exe

    AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}

    FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}

    SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}

    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\windows\Downloaded Program Files\popcaploader.dll

    c:\windows\Downloaded Program Files\popcaploader.inf

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))

    .

    .

    2012-08-08 18:45 . 2012-08-08 18:45 -------- d-----w- C:\FRST

    2012-08-08 16:33 . 2012-08-08 16:33 -------- d-----w- c:\users\Default\AppData\Local\temp

    2012-08-08 08:14 . 2012-08-08 08:14 -------- d-----w- c:\users\mds\AppData\Local\ElevatedDiagnostics

    2012-08-08 04:54 . 2012-08-08 04:54 -------- d-----w- c:\program files\CCleaner

    2012-08-07 13:26 . 2012-08-07 13:26 -------- d-----w- C:\VritualRoot

    2012-08-07 13:24 . 2012-08-08 16:33 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat

    2012-08-07 13:20 . 2012-08-07 13:20 -------- d-----w- c:\programdata\CPA_VA

    2012-08-07 13:20 . 2012-08-08 04:49 -------- d-----w- c:\programdata\Comodo

    2012-08-07 13:20 . 2012-08-07 13:25 -------- d-----w- c:\program files\COMODO

    2012-08-07 13:20 . 2012-08-07 13:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll

    2012-08-07 12:19 . 2012-08-07 12:19 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

    2012-08-06 13:58 . 2012-08-06 13:58 -------- d-sh--w- c:\windows\system32\%APPDATA%

    2012-08-06 13:48 . 2012-08-07 12:28 -------- d-----w- c:\programdata\036DFF8500015A1400011296F875EF7E

    2012-08-06 13:47 . 2012-08-06 13:51 57344 ---ha-w- c:\windows\system32\bcdeator.dll

    2012-07-28 15:50 . 2012-07-28 15:50 -------- d-----w- c:\programdata\Adaptive Server Anywhere 9

    2012-07-28 15:48 . 1980-01-01 05:00 323408 ----a-w- c:\windows\system32\xceedzip.dll

    2012-07-12 08:01 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-07-12 14:05 . 2012-05-09 14:22 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

    2012-07-12 14:05 . 2012-05-09 14:22 30624 ----a-w- c:\windows\system32\LMIport.dll

    2012-07-12 14:05 . 2012-05-09 14:22 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

    2012-07-12 14:05 . 2012-05-09 14:22 87456 ----a-w- c:\windows\system32\LMIinit.dll

    2012-07-03 18:46 . 2010-12-14 22:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-06-02 22:19 . 2012-06-21 08:13 53784 ----a-w- c:\windows\system32\wuauclt.exe

    2012-06-02 22:19 . 2012-06-21 08:13 45080 ----a-w- c:\windows\system32\wups2.dll

    2012-06-02 22:19 . 2012-06-21 08:13 35864 ----a-w- c:\windows\system32\wups.dll

    2012-06-02 22:19 . 2012-06-21 08:13 577048 ----a-w- c:\windows\system32\wuapi.dll

    2012-06-02 22:19 . 2012-06-21 08:13 1933848 ----a-w- c:\windows\system32\wuaueng.dll

    2012-06-02 22:12 . 2012-06-21 08:13 2422272 ----a-w- c:\windows\system32\wucltux.dll

    2012-06-02 22:12 . 2012-06-21 08:13 88576 ----a-w- c:\windows\system32\wudriver.dll

    2012-06-02 20:19 . 2012-06-21 08:13 171904 ----a-w- c:\windows\system32\wuwebv.dll

    2012-06-02 20:12 . 2012-06-21 08:13 33792 ----a-w- c:\windows\system32\wuapp.exe

    2012-05-21 14:23 . 2012-05-09 14:22 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ChromeFrameHelper"="c:\users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" [2012-07-31 81432]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936]

    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]

    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 0 (0x0)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableLUA"= 0 (0x0)

    "EnableUIADesktopToggle"= 0 (0x0)

    "PromptOnSecureDesktop"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=c:\windows\System32\guard32.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "mixer4"=wdmaud.drv

    .

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    .

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FA Reminder.lnk]

    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\FA Reminder.lnk

    backup=c:\windows\pss\FA Reminder.lnk.CommonStartup

    backupExtension=.CommonStartup

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    "FirewallOverride"=dword:00000001

    .

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

    R3 B-Service;B-Service;c:\users\mds\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0DWBUYB\B-Service.exe [x]

    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

    R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]

    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]

    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

    S0 botimmov;botimmov;c:\windows\system32\DRIVERS\botimmov.sys [x]

    S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]

    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]

    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]

    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x]

    S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]

    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]

    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

    S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]

    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]

    .

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 15:16]

    .

    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 15:16]

    .

    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000Core.job

    - c:\users\mds\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-22 00:37]

    .

    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000UA.job

    - c:\users\mds\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-22 00:37]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = https://www1.ushealthrecord.com/rxddsSecure.nsf/weblaunch?OpenAgent&WebUser:b_lorenzWebUserProfile:

    uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9727FA3001CD2EAA00EFECE2&src_id=30504&camp_id=3906&tb_version=1.2.0000.2(B)

    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000

    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105

    Trusted Zone: nw-health.com\citrix

    TCP: DhcpNameServer = 192.168.140.1 192.168.140.1

    TCP: Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285}: NameServer = 68.105.28.11,68.105.28.12

    .

    - - - - ORPHANS REMOVED - - - -

    .

    Toolbar-Locked - (no file)

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    .

    .

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'lsass.exe'(592)

    c:\windows\system32\guard32.dll

    .

    - - - - - - - > 'Explorer.exe'(3656)

    c:\windows\system32\guard32.dll

    c:\windows\System32\ieframe.dll

    c:\windows\System32\provsvc.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\nvvsvc.exe

    c:\windows\system32\nvvsvc.exe

    c:\program files\LogMeIn\x86\RaMaint.exe

    c:\program files\LogMeIn\x86\LogMeIn.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    c:\windows\system32\taskhost.exe

    c:\windows\system32\conhost.exe

    c:\windows\system32\sppsvc.exe

    .

    **************************************************************************

    .

    Completion time: 2012-08-08 11:38:08 - machine was rebooted

    ComboFix-quarantined-files.txt 2012-08-08 16:38

    .

    Pre-Run: 104,357,552,128 bytes free

    Post-Run: 104,147,628,032 bytes free

    .

    - - End Of File - - D1F3535B169DCFC54DD5638E3D5D5ADA

  3. Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-08-2012

    Ran by SYSTEM at 2012-08-08 11:08:21 Run:1

    Running from F:\

    ==============================================

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} moved successfully.

    C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59} moved successfully.

    C:\Windows\assembly\GAC\Desktop.ini moved successfully.

    C:\Windows\System32\services.exe moved successfully.

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

  4. Farbar Recovery Scan Tool Version: 08-08-2012

    Ran by SYSTEM at 2012-08-08 10:47:02

    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe

    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===

  5. Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012

    Ran by SYSTEM at 08-08-2012 10:45:37

    Running from F:\

    Windows 7 Professional (X86) OS Language: English(US)

    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor)

    HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [37232 2008-06-12] (Adobe Systems Incorporated)

    HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-06-11] (Adobe Systems Inc.)

    HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

    HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2011-09-16] (LogMeIn, Inc.)

    HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [6749512 2012-03-11] (COMODO)

    HKU\mds\...\Run: [Google Update] "C:\Users\mds\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-30] (Google Inc.)

    HKU\mds\...\Run: [ChromeFrameHelper] "C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup [81432 2012-07-30] (Google Inc.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.140.1 192.168.140.1

    AppInit_DLLs: ??Ä?????C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe C:\Windows\system32\guard32.dll

    Tcpip\..\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285}: [NameServer]68.105.28.11,68.105.28.12

    ================================ Services (Whitelisted) ==================

    2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [81920 2009-03-31] (Andrea Electronics Corporation)

    2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.)

    2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [1983232 2012-03-11] (COMODO)

    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

    2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.)

    2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.)

    2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2011-09-16] (LogMeIn, Inc.)

    3 B-Service; C:\Users\mds\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0DWBUYB\B-Service.exe [x]

    ========================== Drivers (Whitelisted) =============

    0 botimmov; C:\Windows\System32\DRIVERS\botimmov.sys [47104 2009-07-13] ()

    1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [19600 2012-03-11] (COMODO)

    1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [491816 2012-03-11] (COMODO)

    1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [39640 2012-03-11] (COMODO)

    1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [82400 2012-02-03] (COMODO)

    3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-21] (Broadcom Corporation)

    2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2011-09-16] (LogMeIn, Inc.)

    3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2011-09-16] (LogMeIn, Inc.)

    2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-09-16] (LogMeIn, Inc.)

    3 mbamchameleon; \??\C:\Windows\system32\drivers\mbamchameleon.sys [31560 2012-08-07] ()

    3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)

    1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)

    3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)

    1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)

    4 LMIRfsClientNP; [x]

    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2012-08-08 10:45 - 2012-08-08 10:45 - 00000000 ____D C:\FRST

    2012-08-08 04:47 - 2012-08-08 04:47 - 00003105 ____A C:\Users\mds\Desktop\RKreport[1].txt

    2012-08-08 04:45 - 2012-08-08 04:47 - 00000000 ____D C:\Users\mds\Desktop\RK_Quarantine

    2012-08-08 04:39 - 2012-08-08 04:44 - 00000000 ____D C:\Users\mds\Desktop\Infected

    2012-08-08 00:23 - 2012-08-08 06:55 - 00000202 ____A C:\Windows\setupact.log

    2012-08-08 00:23 - 2012-08-08 00:23 - 00342600 ____A C:\Windows\System32\FNTCACHE.DAT

    2012-08-08 00:23 - 2012-08-08 00:23 - 00001324 ____A C:\Windows\PFRO.log

    2012-08-08 00:23 - 2012-08-08 00:23 - 00000000 ____A C:\Windows\setuperr.log

    2012-08-08 00:12 - 2012-08-08 00:12 - 00086472 ____A C:\Users\mds\AppData\Local\GDIPFONTCACHEV1.DAT

    2012-08-07 20:58 - 2012-08-07 20:58 - 00113012 ____A C:\Users\mds\Documents\cc_20120807_235816.reg

    2012-08-07 20:54 - 2012-08-07 20:54 - 03907920 ____A (Piriform Ltd) C:\Users\mds\Downloads\ccsetup321.exe

    2012-08-07 20:54 - 2012-08-07 20:54 - 00000967 ____A C:\Users\Public\Desktop\CCleaner.lnk

    2012-08-07 20:54 - 2012-08-07 20:54 - 00000000 ____D C:\Program Files\CCleaner

    2012-08-07 05:26 - 2012-08-07 05:26 - 00000000 ___HD C:\VritualRoot

    2012-08-07 05:24 - 2012-08-08 07:42 - 01474832 ____A C:\Windows\System32\Drivers\sfi.dat

    2012-08-07 05:22 - 2012-08-07 05:22 - 00001846 ____A C:\Users\Public\Desktop\COMODO Internet Security.lnk

    2012-08-07 05:20 - 2012-08-07 20:49 - 00000000 ____D C:\Users\All Users\Comodo

    2012-08-07 05:20 - 2012-08-07 05:25 - 00000000 ____D C:\Program Files\COMODO

    2012-08-07 05:20 - 2012-08-07 05:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\System32\gdiplus.dll

    2012-08-07 05:20 - 2012-08-07 05:20 - 00000000 ____D C:\Users\All Users\CPA_VA

    2012-08-07 05:19 - 2012-08-07 05:17 - 62856768 ____A (COMODO) C:\Users\mds\Desktop\cispremium_installer.exe

    2012-08-07 05:14 - 2012-08-08 02:12 - 00000000 ___SD C:\32788R22FWJFW

    2012-08-07 04:19 - 2012-08-07 04:19 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

    2012-08-07 04:18 - 2012-08-07 04:18 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\mds\Downloads\mbam-setup-1.62.0.1300.exe

    2012-08-07 04:18 - 2012-08-07 04:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-06 05:58 - 2012-08-06 05:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%

    2012-08-06 05:48 - 2012-08-07 04:28 - 00000000 ____D C:\Users\All Users\036DFF8500015A1400011296F875EF7E

    2012-08-06 05:47 - 2012-08-06 05:51 - 00057344 ___AH (FRISK Software International) C:\Windows\System32\bcdeator.dll

    2012-07-28 07:50 - 2012-07-28 07:50 - 00000000 ____D C:\Users\All Users\Adaptive Server Anywhere 9

    2012-07-28 07:48 - 2012-07-28 07:50 - 00001015 ____A C:\pwUpdate.log

    2012-07-28 07:48 - 1979-12-31 21:00 - 00323408 ____A (Xceed Software Inc (450) 442-2626 zip@xceedsoft.com www.xceedsoft.com) C:\Windows\System32\xceedzip.dll

    2012-07-12 00:02 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

    2012-07-12 00:02 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

    2012-07-12 00:02 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

    2012-07-12 00:02 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

    2012-07-12 00:02 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

    2012-07-12 00:02 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

    2012-07-12 00:02 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

    2012-07-12 00:02 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

    2012-07-12 00:02 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

    2012-07-12 00:02 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

    2012-07-12 00:02 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

    2012-07-12 00:02 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

    2012-07-12 00:02 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

    2012-07-12 00:02 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

    2012-07-12 00:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-07-11 02:26 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

    2012-07-11 02:26 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

    2012-07-11 02:26 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

    2012-07-11 02:26 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

    2012-07-11 02:26 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

    2012-07-11 02:26 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

    2012-07-11 02:26 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

    2012-07-11 02:26 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

    2012-07-11 02:26 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    2012-07-11 02:26 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

    ============ 3 Months Modified Files ========================

    2012-08-08 07:42 - 2012-08-07 05:24 - 01474832 ____A C:\Windows\System32\Drivers\sfi.dat

    2012-08-08 07:41 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

    2012-08-08 07:41 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

    2012-08-08 07:37 - 2009-07-13 20:55 - 01986328 ____A C:\Windows\WindowsUpdate.log

    2012-08-08 07:11 - 2011-08-22 13:36 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000UA.job

    2012-08-08 07:11 - 2011-08-22 13:36 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3142347838-670113208-1110213071-1000Core.job

    2012-08-08 07:07 - 2010-11-01 07:17 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

    2012-08-08 06:58 - 2010-11-01 07:17 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

    2012-08-08 06:58 - 2010-08-02 03:45 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI

    2012-08-08 06:55 - 2012-08-08 00:23 - 00000202 ____A C:\Windows\setupact.log

    2012-08-08 06:54 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

    2012-08-08 04:47 - 2012-08-08 04:47 - 00003105 ____A C:\Users\mds\Desktop\RKreport[1].txt

    2012-08-08 00:23 - 2012-08-08 00:23 - 00342600 ____A C:\Windows\System32\FNTCACHE.DAT

    2012-08-08 00:23 - 2012-08-08 00:23 - 00001324 ____A C:\Windows\PFRO.log

    2012-08-08 00:23 - 2012-08-08 00:23 - 00000000 ____A C:\Windows\setuperr.log

    2012-08-08 00:12 - 2012-08-08 00:12 - 00086472 ____A C:\Users\mds\AppData\Local\GDIPFONTCACHEV1.DAT

    2012-08-07 20:58 - 2012-08-07 20:58 - 00113012 ____A C:\Users\mds\Documents\cc_20120807_235816.reg

    2012-08-07 20:54 - 2012-08-07 20:54 - 03907920 ____A (Piriform Ltd) C:\Users\mds\Downloads\ccsetup321.exe

    2012-08-07 20:54 - 2012-08-07 20:54 - 00000967 ____A C:\Users\Public\Desktop\CCleaner.lnk

    2012-08-07 06:58 - 2011-11-11 06:18 - 00000322 ____A C:\Users\mds\Desktop\ushealthrecord.com Empowering You To Better Manage Your Health (2).url

    2012-08-07 05:26 - 2011-12-05 17:07 - 00001945 ____A C:\Windows\epplauncher.mif

    2012-08-07 05:22 - 2012-08-07 05:22 - 00001846 ____A C:\Users\Public\Desktop\COMODO Internet Security.lnk

    2012-08-07 05:20 - 2012-08-07 05:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\System32\gdiplus.dll

    2012-08-07 05:17 - 2012-08-07 05:19 - 62856768 ____A (COMODO) C:\Users\mds\Desktop\cispremium_installer.exe

    2012-08-07 04:19 - 2012-08-07 04:19 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

    2012-08-07 04:18 - 2012-08-07 04:18 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\mds\Downloads\mbam-setup-1.62.0.1300.exe

    2012-08-07 04:18 - 2012-08-07 04:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-07 04:17 - 2011-12-05 17:00 - 00000751 ____A C:\Windows\System32\urlecgif.dll

    2012-08-06 05:51 - 2012-08-06 05:47 - 00057344 ___AH (FRISK Software International) C:\Windows\System32\bcdeator.dll

    2012-07-28 07:50 - 2012-07-28 07:48 - 00001015 ____A C:\pwUpdate.log

    2012-07-28 07:49 - 2010-10-29 05:17 - 00000586 ____A C:\Users\mds\Desktop\WinOMS CS.lnk

    2012-07-28 07:49 - 2010-10-29 05:16 - 00046203 ____A C:\MDSSetup.log

    2012-07-20 12:13 - 2012-01-11 07:11 - 00109056 ____A C:\Users\mds\Desktop\Employee absence tracker1.xls

    2012-07-13 08:36 - 2010-12-30 08:00 - 00000428 ____A C:\Users\mds\Desktop\Web-Based Email Mail Index Inbox.url

    2012-07-12 08:54 - 2010-11-03 12:12 - 00000198 ____A C:\tx.log

    2012-07-12 06:05 - 2012-05-09 06:22 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll

    2012-07-12 06:05 - 2012-05-09 06:22 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll

    2012-07-12 06:05 - 2012-05-09 06:22 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll

    2012-07-12 00:01 - 2010-11-02 04:54 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

    2012-07-03 10:46 - 2010-12-14 14:20 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    2012-06-27 09:34 - 2011-09-21 06:26 - 00002004 ___AH C:\Users\mds\Documents\Default.rdp

    2012-06-11 18:40 - 2012-07-12 00:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-06-08 20:41 - 2012-07-11 02:26 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

    2012-06-06 07:06 - 2012-06-06 07:06 - 00009290 ____A C:\Users\mds\Desktop\Verify Patients.xlsx

    2012-06-05 21:05 - 2012-07-11 02:26 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

    2012-06-05 21:05 - 2012-07-11 02:26 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

    2012-06-05 21:03 - 2012-07-11 02:26 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

    2012-06-02 14:19 - 2012-06-21 00:13 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

    2012-06-02 14:19 - 2012-06-21 00:13 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

    2012-06-02 14:19 - 2012-06-21 00:13 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

    2012-06-02 14:19 - 2012-06-21 00:13 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

    2012-06-02 14:19 - 2012-06-21 00:13 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

    2012-06-02 14:12 - 2012-06-21 00:13 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

    2012-06-02 14:12 - 2012-06-21 00:13 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

    2012-06-02 12:19 - 2012-06-21 00:13 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

    2012-06-02 12:12 - 2012-06-21 00:13 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

    2012-06-02 01:07 - 2012-07-12 00:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

    2012-06-02 00:43 - 2012-07-12 00:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

    2012-06-02 00:33 - 2012-07-12 00:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

    2012-06-02 00:26 - 2012-07-12 00:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

    2012-06-02 00:25 - 2012-07-12 00:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

    2012-06-02 00:25 - 2012-07-12 00:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

    2012-06-02 00:23 - 2012-07-12 00:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

    2012-06-02 00:21 - 2012-07-12 00:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

    2012-06-02 00:20 - 2012-07-12 00:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

    2012-06-02 00:19 - 2012-07-12 00:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

    2012-06-02 00:19 - 2012-07-12 00:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

    2012-06-02 00:17 - 2012-07-12 00:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

    2012-06-02 00:16 - 2012-07-12 00:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

    2012-06-02 00:14 - 2012-07-12 00:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

    2012-06-01 20:45 - 2012-07-11 02:26 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

    2012-06-01 20:45 - 2012-07-11 02:26 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

    2012-06-01 20:40 - 2012-07-11 02:26 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

    2012-06-01 20:40 - 2012-07-11 02:26 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

    2012-06-01 20:39 - 2012-07-11 02:26 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    2012-05-21 10:47 - 2012-05-21 10:47 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 (2)

    2012-05-21 10:45 - 2012-05-21 10:45 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05 (1)

    2012-05-21 10:45 - 2012-05-21 10:45 - 00007872 ____A C:\Users\mds\Downloads\_2_09458C7409458A340064411986257A05

    2012-05-21 06:23 - 2012-05-09 06:22 - 00083360 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll.000.bak

    2012-05-11 06:50 - 2012-05-11 06:50 - 00062939 ____A C:\Users\mds\Documents\Medicad_All_of_2011.XLS

    2012-05-11 06:48 - 2012-05-11 06:48 - 00610469 ____A C:\Users\mds\Documents\visits_all_2011_CHG.XLS

    2012-05-11 06:23 - 2012-05-11 06:23 - 00001082 ____A C:\Users\mds\Desktop\My Documents.lnk

    ZeroAccess:

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L\00000004.@

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L\201d3dde

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U\00000004.@

    C:\Windows\Installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U\000000cb.@

    ZeroAccess:

    C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}

    C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@

    C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L

    C:\Users\mds\AppData\Local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U

    ZeroAccess:

    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

    C:\Windows\System32\User32.dll => MD5 is legit

    C:\Windows\System32\userinit.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK

    HKLM\...\exefile\DefaultIcon: %1 => OK

    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 15%

    Total physical RAM: 3070.8 MB

    Available physical RAM: 2602.12 MB

    Total Pagefile: 3069.08 MB

    Available Pagefile: 2605.58 MB

    Total Virtual: 2047.88 MB

    Available Virtual: 1970.3 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:136.58 GB) (Free:97.27 GB) NTFS

    3 Drive f: (STORE N GO) (Removable) (Total:29.8 GB) (Free:29.8 GB) FAT32

    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    5 Drive y: (RECOVERY) (Fixed) (Total:12.39 GB) (Free:7.54 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt

    -------- ------------- ------- ------- --- ---

    Disk 0 Online 149 GB 0 B

    Disk 1 Online 29 GB 0 B

    Partitions of Disk 0:

    ===============

    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    Partition 1 OEM 39 MB 31 KB

    Partition 2 Primary 12 GB 40 MB

    Partition 3 Primary 136 GB 12 GB

    ==================================================================================

    Disk: 0

    Partition 1

    Type : DE

    Hidden: Yes

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 4 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0

    Partition 2

    Type : 07

    Hidden: No

    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 1 Y RECOVERY NTFS Partition 12 GB Healthy

    ==================================================================================

    Disk: 0

    Partition 3

    Type : 07

    Hidden: No

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 2 C OS NTFS Partition 136 GB Healthy

    ==================================================================================

    Partitions of Disk 1:

    ===============

    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    * Partition 1 Primary 29 GB 0 B

    ==================================================================================

    Disk: 1

    There is no partition selected.

    There is no partition selected.

    Please select a partition and try again.

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-27 21:24

    ======================= End Of Log ==========================

  6. RogueKiller V7.6.5 [08/03/2012] by Tigzy

    mail: tigzyRK<at>gmail<dot>com

    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

    Started in : Normal mode

    User: mds [Admin rights]

    Mode: Scan -- Date: 08/08/2012 07:47:19

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 9 ¤¤¤

    [SUSP PATH] HKCU\[...]\Run : ChromeFrameHelper ("C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup) -> FOUND

    [SUSP PATH] HKUS\S-1-5-21-3142347838-670113208-1110213071-1000[...]\Run : ChromeFrameHelper ("C:\Users\mds\AppData\Local\Google\Chrome\Application\21.0.1180.60\chrome_frame_helper.exe" --startup) -> FOUND

    [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285} : NameServer (68.105.28.11,68.105.28.12) -> FOUND

    [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{2E4D6E69-226E-4527-9E70-2B4FDDEAD285} : NameServer (68.105.28.11,68.105.28.12) -> FOUND

    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    [ZeroAccess][FILE] @ : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ --> FOUND

    [ZeroAccess][FOLDER] U : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U --> FOUND

    [ZeroAccess][FOLDER] L : c:\windows\installer\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L --> FOUND

    [ZeroAccess][FILE] @ : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\@ --> FOUND

    [ZeroAccess][FOLDER] U : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\U --> FOUND

    [ZeroAccess][FOLDER] L : c:\users\mds\appdata\local\{d005c201-7a98-9ea1-a8f7-3bb33fe2ec59}\L --> FOUND

    [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

    [susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

    [ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    192.168.140.50 nas

    # 127.0.0.1 www.facebook.com

    # 127.0.0.1 blog.facebook.com

    #127.0.0.1 apps.facebook.com

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SAMSUNG HD161GJ ATA Device +++++

    --- User ---

    [MBR] e60a1d97352d4de534209e8b79fb6731

    [BSP] e38d02d105c9fcba0bf7e3d362d6c927 : Windows Vista MBR Code

    Partition table:

    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12690 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26071040 | Size: 139856 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>

    RKreport[1].txt
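    The FRST log (post 5) and the RogueKiller report (post 6) both point at the same ZeroAccess artifacts: `{GUID}` folders under `C:\Windows\Installer` and `%LOCALAPPDATA%` holding an `@` file plus `L` and `U` subfolders, a `Desktop.ini` in `C:\Windows\assembly\GAC`, and a patched `services.exe` with the ASLR (DYNAMIC_BASE) flag cleared. The script below is an added example, not part of this thread or of either tool, that re-checks those indicators on a host from Windows PowerShell 2.0 (the Windows 7 default). It assumes the `{GUID}` name differs per machine, so it reports any `{GUID}` folder with that layout rather than the one in the log; the PE header offsets come from the PE/COFF specification, and the helper names (`Test-PeAslr`, `Find-ZeroAccessFolders`, `Get-FileMd5`) are this example's own.

```powershell
# Added example (not from the original thread): read-only check for the ZeroAccess
# artifacts that FRST and RogueKiller reported above. Written for Windows
# PowerShell 2.0 so it runs as-is on a Windows 7 host; run it from an elevated prompt.
# Assumption: the {GUID} folder name is per-host, so any {GUID} folder with an '@'
# file and an 'L' or 'U' subfolder is reported. Helper names are hypothetical.

$ErrorActionPreference = 'SilentlyContinue'

# MD5 of a file, for comparison against a known-clean copy of the same build.
function Get-FileMd5 {
    param([string]$Path)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# $true if the PE optional header carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040),
# $false if it was cleared (RogueKiller's "ASLR WIPED-OFF"), $null if not a PE file.
function Test-PeAslr {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($b, 0x3C)                    # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x4550) { return $null }  # "PE\0\0"
    $optHdr   = $peOffset + 4 + 20                                   # signature + COFF header
    $dllChars = [BitConverter]::ToUInt16($b, $optHdr + 70)           # DllCharacteristics (PE32 and PE32+)
    return (($dllChars -band 0x0040) -ne 0)
}

# {GUID} folders laid out like the ones in the log: '@' file plus 'L' and/or 'U' subfolders.
# Ordinary MSI cache folders under Windows\Installer have neither, so they are not reported.
# Access denied on the 'U' folder is common for this infection, which is why one of L/U suffices.
function Find-ZeroAccessFolders {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Force | Where-Object {
            $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$'
        } | ForEach-Object {
            $dir   = $_.FullName
            $hasAt = Test-Path (Join-Path $dir '@')
            $hasL  = Test-Path (Join-Path $dir 'L')
            $hasU  = Test-Path (Join-Path $dir 'U')
            if ($hasAt -and ($hasL -or $hasU)) { $dir }
        }
    }
}

$findings = @()

# The two roots seen in the log: per-machine (Installer) and per-user (AppData\Local).
$roots = @("$env:windir\Installer", "$env:LOCALAPPDATA")
foreach ($hit in (Find-ZeroAccessFolders -Roots $roots)) {
    $findings += "ZeroAccess-style folder: $hit"
}

# Both tools flagged this path in the log above.
$gacIni = "$env:windir\assembly\GAC\Desktop.ini"
if (Test-Path $gacIni) { $findings += "Suspicious file: $gacIni" }

# services.exe: ASLR flag, MD5 and Authenticode status.
# Caveat: on PowerShell 2.0, catalog-signed Windows binaries report 'NotSigned' here,
# so the signature status only means something together with the ASLR and hash checks.
$svc  = "$env:windir\System32\services.exe"
$aslr = Test-PeAslr $svc
if ($aslr -eq $false) { $findings += "services.exe has ASLR (DYNAMIC_BASE) cleared: $svc" }
$sig = Get-AuthenticodeSignature $svc
"services.exe MD5: $(Get-FileMd5 $svc)  signature: $($sig.Status)  ASLR: $aslr"

if ($findings.Count -eq 0) { "No ZeroAccess indicators found." }
else { $findings | ForEach-Object { "[!] $_" } }
```

    The script only reads; it does not delete anything, because the log shows `services.exe` itself is patched and a clean-up has to replace that binary from a trusted source (a clean copy of the same Windows build) rather than just remove the dropped folders. Compare the printed MD5 with the same file on a known-clean machine of the same patch level; a mismatch together with a cleared ASLR flag matches what FRST marked `<==== ATTENTION!` above.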

  7. Can someone help me with this computer? A client of mine bought a new computer and installed it without protection, and it is now pretty infected.

    There was a fake antivirus which I *think* I got rid of yesterday, and now there is a search redirector; Malwarebytes Anti-Malware is reporting rootkit0.access and Comodo Internet Security warns of the infection in c:\windows\installer\ folders.

    Thanks!
