spottswoode

  1. Thank you so much for the incredible help.

  2. Thank you for the help, much appreciated!
  3. Results of screen317's Security Check version 0.99.56
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     Internet Explorer 9
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     Norton Internet Security
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Spybot - Search & Destroy
     Malwarebytes Anti-Malware version 1.70.0.1100
     JavaFX 2.1.1
     Java 6 Update 31
     Java 7 Update 9
     Adobe Flash Player 11.5.502.135
     Adobe Reader XI
     Mozilla Firefox 9.0 Firefox out of Date!
     ````````Process Check: objlist.exe by Laurent````````
     Norton ccSvcHst.exe
     Spybot Teatimer.exe is disabled!
     Malwarebytes' Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 8%
     ````````````````````End of Log``````````````````````
  4. # AdwCleaner v2.104 - Logfile created 01/06/2013 at 21:07:57
     # Updated 29/12/2012 by Xplode
     # Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
     # User : stephen mcallister - CLUMSEYGENIUS
     # Boot Mode : Normal
     # Running from : C:\Users\<me>\Desktop\adwcleaner.exe
     # Option [search]

     ***** [services] *****

     ***** [Files / Folders] *****

     ***** [Registry] *****
     Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
     Key Found : HKCU\Software\Ask.com
     Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
     Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

     ***** [internet Browsers] *****
     -\\ Internet Explorer v9.0.8112.16457
     [OK] Registry is clean.
     -\\ Mozilla Firefox v9.0 (en-GB)
     File : C:\Users\stephen mcallister\AppData\Roaming\Mozilla\Firefox\Profiles\hi9ucsq2.default\prefs.js
     Found : user_pref("gm-notifier.ui.counter.showInbox", true);
     File : C:\Users\<me>\AppData\Roaming\Mozilla\Firefox\Profiles\njjfnk22.default\prefs.js
     [OK] File is clean.

     *************************
     AdwCleaner[R1].txt - [1466 octets] - [06/01/2013 21:07:57]
     ########## EOF - C:\AdwCleaner[R1].txt - [1526 octets] ##########

     I don't see any entries that I am concerned about losing.
  5. Sorry, didn't see the note about where to find the logs. Attached. mbar-log-2013-01-06 (20-33-21).txt system-log.txt
  6. MBAR didn't find any threats. After I closed MBAR, Windows Update wasn't working, but I ran fix damage and rebooted and it's working as usual.
  7. Please note: that W drive is an old drive I used when I installed my SSD a couple of years ago.
  8. mbam log when infection was found

     Malwarebytes Anti-Malware 1.70.0.1100
     www.malwarebytes.org
     Database version: v2012.12.31.01
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     stephen mcallister :: CLUMSEYGENIUS [administrator]
     06/01/2013 6:30:55 PM
     mbam-log-2013-01-06 (18-30-55).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 241608
     Time elapsed: 1 minute(s), 26 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 1
     C:\Users\stephen mcallister\AppData\Local\Temp\13361.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
     (end)

     mbam recent log

     Malwarebytes Anti-Malware 1.70.0.1100
     www.malwarebytes.org
     Database version: v2013.01.06.08
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     stephen mcallister :: CLUMSEYGENIUS [administrator]
     06/01/2013 7:04:31 PM
     mbam-log-2013-01-06 (19-04-31).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 239857
     Time elapsed: 1 minute(s), 13 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)

     RK log

     RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/
     Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : stephen mcallister [Admin rights]
     Mode : Scan -- Date : 01/06/2013 19:38:51

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 9 ¤¤¤
     [RUN][sUSP PATH] HKCU\[...]\Run : icq (C:\Users\stephen mcallister\AppData\Roaming\ICQM\icq.exe -CU) -> FOUND
     [RUN][bLACKLISTDLL] HKLM\[...]\Run : Cm108Sound (C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cm108.dll,CMICtrlWnd) -> FOUND
     [RUN][sUSP PATH] HKUS\S-1-5-21-3231266768-4001767025-273698762-1000[...]\Run : icq (C:\Users\stephen mcallister\AppData\Roaming\ICQM\icq.exe -CU) -> FOUND
     [TASK][sUSP PATH] Alarm : "C:\Users\stephen mcallister\Desktop\equinox_sci_wax_radio_090111.mp3" -> FOUND
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [RUN][bLACKLISTDLL] [ON_W:]HKLM\Software[...]\Run : Cm108Sound (C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cm108.dll,CMICtrlWnd) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Extern Hives: ¤¤¤
     -> W:\windows\system32\config\SOFTWARE
     -> W:\windows\system32\config\SYSTEM
     -> W:\Users\Default\NTUSER.DAT
     -> W:\Users\Default User\NTUSER.DAT
     -> W:\Users\Stephen McAllister\NTUSER.DAT
     -> W:\Documents and Settings\Default\NTUSER.DAT
     -> W:\Documents and Settings\Default User\NTUSER.DAT

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD7501AALS-00J7B0 ATA Device +++++
     --- User ---
     [MBR] 5b7a63329081828f2eecb71d675598be
     [bSP] 8e5db028d4964658b6060ac891226926 : Windows 7/8 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 51 | Size: 80001 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 163842192 | Size: 635400 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive1: OCZ-VERTEX2 ATA Device +++++
     --- User ---
     [MBR] ab12359157b23e073c47280e4f1f7600
     [bSP] 97fb3721f69c034ee0a311e495e04f4a : Windows 7/8 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive2: ST3250824AS ATA Device +++++
     --- User ---
     [MBR] 44c8429ba71cb75c9475907c331001b0
     [bSP] 5b3f940617f8364e6198b0d8688a539d : Windows XP MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive3: WDC WD1002FAEX-00Z3A0 ATA Device +++++
     --- User ---
     [MBR] e11a71ec95f6ae136ad4d3fe1cddc934
     [bSP] e762d14e820de1666f1328aafa4b26ba : Windows 7/8 MBR Code
     Partition table:
     0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1]_S_01062013_02d1938.txt >>

     RKreport[1]_S_01062013_02d1938.txt
  9. Malwarebytes recently detected Backdoor.Bot. I was logging into my online banking at the time. I haven't done anything except let Malwarebytes do its thing, and when I scan again there is no sign. In the meantime, I used another machine at home to change my TD banking password and also my Google email products. Attached dds.txt and Attach.txt Attach.txt DDS.txt