Classie83
Posts posted by Classie83
-
-
Security Check Log
Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java 6 Update 29
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
-
Here is the AdwCleaner logfile. I will run the other program now.
# AdwCleaner v2.105 - Logfile created 01/14/2013 at 11:16:28
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Teacher - 1282-SPROUTS1
# Boot Mode : Normal
# Running from : C:\Users\Teacher\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6EA0A49\AdwCleaner (1).exe
# Option [Delete]
***** [services] *****
Stopped & Deleted : WajamUpdater
***** [Files / Folders] *****
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Program Files\Wajam
Folder Deleted : C:\Users\Teacher\AppData\Local\Wajam
Folder Deleted : C:\Users\Teacher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
***** [Registry] *****
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Wajam
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
Key Deleted : HKLM\Software\Wajam
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [2877 octets] - [14/01/2013 06:59:20]
AdwCleaner[R2].txt - [2941 octets] - [14/01/2013 11:15:50]
AdwCleaner[S1].txt - [2946 octets] - [14/01/2013 11:16:28]
########## EOF - C:\AdwCleaner[S1].txt - [3006 octets] ##########
-
Good morning. Here is the log file as requested.
# AdwCleaner v2.105 - Logfile created 01/14/2013 at 06:59:20
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Teacher - 1282-SPROUTS1
# Boot Mode : Normal
# Running from : C:\Users\Teacher\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6EA0A49\AdwCleaner.exe
# Option [search]
***** [services] *****
Found : WajamUpdater
***** [Files / Folders] *****
Folder Found : C:\Program Files\OApps
Folder Found : C:\Program Files\Wajam
Folder Found : C:\Users\Teacher\AppData\Local\Wajam
Folder Found : C:\Users\Teacher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
***** [Registry] *****
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\InstalledBrowserExtensions
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\Wajam
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO.1
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Found : HKLM\SOFTWARE\Classes\wajam.WajamBHO
Key Found : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
Key Found : HKLM\Software\Wajam
Key Found : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [2748 octets] - [14/01/2013 06:59:20]
########## EOF - C:\AdwCleaner[R1].txt - [2808 octets] ##########
-
Oops, I just left work. I will run the program and update on Monday.
-
I'm so happy to let you know that I'm posting this from NORMAL MODE! I could kiss you (but I know you'd prefer a donation)!
Thank you so much. -
-
...I noticed that msconfig won't launch from the Run menu.
-
When I run it, it says the program has encountered a problem and can't continue. Please try again later. I rebooted and still says the same thing. This is so discouraging, I could cry!
-
Will do. Give me a sec.
-
Ok. Thanks. The frozen taskbar thing had been happening while the malware was still on the computer. Two weeks ago, I noticed it beginning to happen. Then last week everything seemed to work normally, until the day before. Do you think I should do a factory reset via the system repair menu upon boot up?
-
Oh and the MBAM scan is not finding any threats. Do you think this may not be related to the malware? Is the malware gone?
-
So the status is, when I boot in normal mode, it is entering the desktop, but not loading the icons and the taskbar is frozen. I just see the blue circle. Once in a while it will load the icons, but the taskbar will still be frozen. I can only boot into safe mode.
-
-
Never mind... it's scanning.
Farbar Service Scanner Version: 05-01-2013
Ran by Teacher (administrator) on 11-01-2013 at 12:56:22
Running from "C:\Users\Teacher\Desktop"
Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Network
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Attempt to access Google.com returned error: Google.com is offline
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Attempt to access Yahoo.com returned error: Yahoo.com is offline
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
Other Services:
==============
File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys
[2012-11-15 10:57] - [2012-10-03 11:58] - 1293680 ____A (Microsoft Corporation) E23A56F843E2AEBBB209D0ACCA73C640
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
-
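Added example (mine, not from the thread and not Farbar's code): a small parser for the Farbar Service Scanner report format posted above. It pulls out the three things worth acting on in such a report: which checked services are down and whether each one's start type, ImagePath and ServiceDll lines all came back OK; the boot mode, because a report taken in Safe Mode ("Boot Mode: Network" is Safe Mode with Networking) will show Windows Update, BITS and similar services stopped as a matter of course, so "not running" on its own is not evidence of tampering; and File Check entries where FSS printed the file's timestamps, size and MD5 instead of "MD5 is legit", which in my reading of the format means the hash was not in its known-good list and should be compared against a trusted copy rather than treated as a verdict. The sample text is a constructed excerpt; the tcpip.sys lines are copied from the posted report.

```python
"""Summarize a Farbar Service Scanner (FSS) report.

Added example, not FSS's own code. It follows the line shapes of the posted
report: "<svc> Service is not running. Checking service configuration:"
followed by "The <item> of <svc> service is OK." lines, and a File Check
section where each file is either "<path> => MD5 is legit" or a bare path
followed by a details line ending in the file's MD5.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt; the tcpip.sys lines are taken from the posted report.
SAMPLE_FSS = r"""
Farbar Service Scanner Version: 05-01-2013
Running from "C:\Users\Teacher\Desktop"
Boot Mode: Network
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
File Check:
========
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys
[2012-11-15 10:57] - [2012-10-03 11:58] - 1293680 ____A (Microsoft Corporation) E23A56F843E2AEBBB209D0ACCA73C640
C:\windows\system32\svchost.exe => MD5 is legit
**** End of log ****
"""

BOOT_MODE_RE = re.compile(r"^Boot Mode: (?P<mode>\w+)$")
SERVICE_DOWN_RE = re.compile(r"^(?P<svc>\S+) Service is not running\. Checking service configuration:$")
CONFIG_OK_RE = re.compile(r"^The (?P<item>start type|ImagePath|ServiceDll) of (?P<svc>\S+) service is OK\.$")
FILE_OK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
FILE_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")
FILE_DETAIL_RE = re.compile(r"^\[.+?\] - \[.+?\] - \d+ \S+ \((?P<vendor>.+?)\) (?P<md5>[0-9A-Fa-f]{32})$")


@dataclass
class FssSummary:
    boot_mode: str = "Unknown"
    services_down: list = field(default_factory=list)
    config_ok: dict = field(default_factory=dict)        # svc -> count of "is OK." lines
    config_anomalies: list = field(default_factory=list)  # (svc, line) for non-OK config lines
    files_verified: list = field(default_factory=list)
    files_unverified: dict = field(default_factory=dict)  # path -> MD5 printed by FSS

    @property
    def safe_mode(self):
        # Windows reports the SAFEBOOT option as "Minimal" or "Network"; a normal boot is "Normal".
        return self.boot_mode in ("Minimal", "Network")


def parse_fss(text):
    s = FssSummary()
    current_svc = None   # service whose configuration lines we are inside
    pending_path = None  # File Check path waiting for its details line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BOOT_MODE_RE.match(line):
            s.boot_mode = m["mode"]
        elif m := SERVICE_DOWN_RE.match(line):
            current_svc = m["svc"]
            s.services_down.append(current_svc)
            s.config_ok[current_svc] = 0
        elif line.endswith(":"):          # a section header ends the service block
            current_svc = None
        elif m := CONFIG_OK_RE.match(line):
            s.config_ok[m["svc"]] = s.config_ok.get(m["svc"], 0) + 1
        elif current_svc and line.startswith("The "):
            s.config_anomalies.append((current_svc, line))  # FSS prints the offending value here
        elif m := FILE_OK_RE.match(line):
            s.files_verified.append(m["path"])
            pending_path = None
        elif pending_path and (m := FILE_DETAIL_RE.match(line)):
            s.files_unverified[pending_path] = m["md5"].upper()
            pending_path = None
        elif m := FILE_PATH_RE.match(line):
            pending_path = m["path"]
    return s


def findings(s):
    """Plain-language conclusions in the order a responder would read them."""
    out = []
    if s.safe_mode:
        out.append(f"booted in Safe Mode ({s.boot_mode}): services such as Windows Update "
                   "and BITS do not start there, so 'not running' is expected")
    for svc in s.services_down:
        bad = [a for a in s.config_anomalies if a[0] == svc]
        out.append(f"{svc}: not running, {'CHECK CONFIG' if bad else 'config OK'}")
    for path, md5 in s.files_unverified.items():
        out.append(f"{path}: MD5 {md5} not in FSS's known-good list; verify the hash, do not assume tampering")
    return out


if __name__ == "__main__":
    for line in findings(parse_fss(SAMPLE_FSS)):
        print(line)
```

Run it on a saved FSS.txt by replacing SAMPLE_FSS with the file's contents; the only judgement the script makes is to separate "stopped" from "misconfigured", which is the distinction that matters when the scan was taken in Safe Mode.
-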
I pressed scan, but it's not scanning anything.
-
I tried to do the gpedit.msc and the "not configured" was already selected. Just for good measure, I selected enable, rebooted (system protection tab still not there), then I rebooted and selected "not configured" again. Rebooted again and system protection tab not there. Then I accessed system restore from the system repair boot menu. When I pressed the system protection link, it just gave me a dialog box saying something about "since your computer is in a limited diagnostic state, any restore cannot be undone." I then pressed ok, and it did nothing after that. As a matter of fact, the "next" button was not even available. The only option was to press cancel.
-
OK, here is the most recent RKiller log
RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User : Teacher [Admin rights]
Mode : Scan -- Date : 01/11/2013 11:54:04
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] cbsidlm-tr1_10a-RogueKiller-SEO-75764640.exe -- C:\Users\Teacher\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KWHMROKA\cbsidlm-tr1_10a-RogueKiller-SEO-75764640.exe -> KILLED [TermProc]
[SUSP PATH] Updater21804.exe -- C:\Users\Teacher\AppData\Local\Updater21804\Updater21804.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 999c59079689fbfcab8e037a122045ec
[BSP] 42b3664ffc88267bf9e22417f1ffdce5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 500 Mo
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1026048 | Size: 30000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 62466048 | Size: 274743 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2]_S_01112013_02d1154.txt >>
RKreport[1]_S_01102013_02d1512.txt ; RKreport[2]_S_01112013_02d1154.txt
-
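Added example (mine, not RogueKiller's code and not part of the thread): a parser for the "[TAG] ... -> STATUS" lines in the RogueKiller report above, with a severity mapping for the registry findings. The two values that matter in that report are EnableLUA (0) and ConsentPromptBehaviorAdmin (0): the first is the same state the Security Check log at the top of this page reports as "UAC is disabled!", and the second would let administrators elevate with no prompt once UAC is turned back on. DisableRegistryTools is flagged for being present, but a value of 0 means regedit is not blocked. The process-path heuristic (anything running from AppData or the IE cache) is my own; note that the first flagged process is, by its filename, the download-manager stub that carried RogueKiller itself, which is why path alone is a weak signal. The sample lines are taken from the posted report.

```python
"""Parse the findings in a RogueKiller report and rate them.

Added example, not RogueKiller's own code. The regexes follow the
"[TAG] ... -> STATUS" line shape of the posted RKreport; the severity
mapping and the user-writable-path heuristic are mine.
"""
import re
from dataclasses import dataclass

# Sample in the posted report's format (lines copied from the report).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] cbsidlm-tr1_10a-RogueKiller-SEO-75764640.exe -- C:\Users\Teacher\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KWHMROKA\cbsidlm-tr1_10a-RogueKiller-SEO-75764640.exe -> KILLED [TermProc]
[SUSP PATH] Updater21804.exe -- C:\Users\Teacher\AppData\Local\Updater21804\Updater21804.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
"""

PROC_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<name>\S+) -- (?P<path>.+?) -> (?P<action>.+)$")
REG_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<hive>HK[A-Z]+)\\(?P<key>.+?) : "
                    r"(?P<value>\S+) \((?P<data>[^)]*)\) -> (?P<status>\w+)$")

# Directories any logged-on user can write to; droppers and download stubs run
# from here, installed software rarely does. Heuristic, not a verdict.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "temporary internet files", "\\temp\\")


@dataclass
class Proc:
    tag: str
    name: str
    path: str
    action: str


@dataclass
class RegEntry:
    tag: str
    hive: str
    key: str
    value: str
    data: str
    status: str


def parse_report(text):
    """Return (processes, registry_entries) found in RogueKiller report text."""
    procs, regs = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            procs.append(Proc(**m.groupdict()))
        elif m := REG_RE.match(line):
            regs.append(RegEntry(**m.groupdict()))
    return procs, regs


def rate_registry(e):
    """(severity, meaning) of one flagged value; my mapping, not RogueKiller's."""
    name = e.value.lower()
    if name == "enablelua":
        if e.data == "0":
            return "HIGH", "UAC is off: everything an administrator runs gets full admin rights, no prompt"
        return "INFO", "UAC enabled"
    if name == "consentpromptbehavioradmin":
        if e.data == "0":
            return "HIGH", "administrators elevate without any prompt (matters once UAC is on again)"
        return "INFO", "elevation prompt configured"
    if name == "disableregistrytools":
        if e.data == "1":
            return "HIGH", "regedit blocked by policy"
        # RogueKiller flags the policy value's presence; 0 means regedit is not blocked.
        return "LOW", "policy value present but 0; remove it unless an administrator set it"
    if e.tag in ("HJ SMENU", "HJ DESK"):
        return "LOW", "Start menu / desktop display setting differs from default; not a security control"
    return "INFO", "unclassified"


def rate_process(p):
    """MEDIUM if the image ran from a user-writable directory, else INFO."""
    low = p.path.lower()
    hits = [marker for marker in USER_WRITABLE if marker in low]
    return ("MEDIUM" if hits else "INFO"), hits


def summarize(text):
    procs, regs = parse_report(text)
    rated = [(e, *rate_registry(e)) for e in regs]
    return {
        "processes": len(procs),
        "registry": len(regs),
        "high": sorted(e.value for e, sev, _ in rated if sev == "HIGH"),
        "uac_disabled": any(e.value.lower() == "enablelua" and e.data == "0" for e in regs),
        "user_writable_procs": [p.name for p in procs if rate_process(p)[0] == "MEDIUM"],
    }


if __name__ == "__main__":
    procs, regs = parse_report(SAMPLE_REPORT)
    for p in procs:
        sev, hits = rate_process(p)
        print(f"{sev:6} {p.name} ({', '.join(hits) or 'install location'}) -> {p.action}")
    for e in regs:
        sev, why = rate_registry(e)
        print(f"{sev:6} {e.hive}\\{e.key} : {e.value}={e.data}  {why}")
    print(summarize(SAMPLE_REPORT))
```

The mapping deliberately treats EnableLUA=0 as the headline finding: with UAC off, the "[Admin rights]" the report shows for the user means every process the user launches, including a browser download, already has full administrative control of the machine.
-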
I ran ComboFix and, after it was done, it rebooted the computer back into normal mode. However, I still couldn't access the taskbar. Therefore, I couldn't get to the txt file log. I rebooted into safe mode w/networking and I can't find the log. I tried booting into normal mode and there is a black screen with this error message: "C:Users/Teacher/Desktop/mbar/Data/cleanup.dll Specified module can't be found."
I did the start up repair and it couldn't find any problems. Then I tried system restore, but I am not seeing the System Protection tab.
Please advise. Thanks!
-
OK. I'm running ComboFix now.
-
The computer doesn't want to start up properly in normal mode. It gets past the login screen and Windows Explorer just stays frozen with the little blue circle that keeps going around and around. I booted into safe mode w/networking and ran an MBAM scan. Here is the log. It didn't find any bugs.
Malwarebytes Anti-Malware (PRO) 1.70.0.1100
Database version: v2013.01.10.10
Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Teacher :: 1282-SPROUTS1 [administrator]
Protection: Disabled
1/11/2013 7:09:56 AM
mbam-log-2013-01-11 (07-09-56).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243534
Time elapsed: 4 minute(s), 24 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Thank you again! I went to start the computer again, but it wouldn't start. Then it automatically began a start-up repair. I was at work while this happened, so I will see what is going on and hopefully run ComboFix when I return to work tomorrow.
-
Hi. I ran MBAM and here is the resulting log. Upon the second scan, there were no threats found.
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
© Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
System is currently in a safe mode
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_29
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 3347234816, free: 2750840832
------------ Kernel report ------------
01/10/2013 15:38:47
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\amdsata.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\DRIVERS\ApsHM86.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\DRIVERS\Apsx86.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt86win7.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbfilter.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\ibmpmdrv.sys
\SystemRoot\system32\DRIVERS\rtl8192Ce.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_amdsata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\difxapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\Wldap32.dll
\Windows\System32\shell32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\sechost.dll
\Windows\System32\comdlg32.dll
\Windows\System32\psapi.dll
\Windows\System32\gdi32.dll
\Windows\System32\nsi.dll
\Windows\System32\msctf.dll
\Windows\System32\oleaut32.dll
\Windows\System32\setupapi.dll
\Windows\System32\msvcrt.dll
\Windows\System32\normaliz.dll
\Windows\System32\advapi32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\kernel32.dll
\Windows\System32\usp10.dll
\Windows\System32\imm32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\wininet.dll
\Windows\System32\ole32.dll
\Windows\System32\iertutil.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\user32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\lpk.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\wintrust.dll
\Windows\System32\comctl32.dll
\Windows\System32\devobj.dll
\Windows\System32\KernelBase.dll
\Windows\System32\crypt32.dll
\Windows\System32\msasn1.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8635d030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000066\
Lower Device Object: 0xffffffff8623d420
Lower Device Driver Name: \Driver\amdsata\
Driver name found: amdsata
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2013.01.10.12
Downloaded database version: v2013.01.04.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8635d030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8635cd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8635d5d0, DeviceName: Unknown, DriverName: \Driver\Shockprf\
DevicePointer: 0xffffffff8635d030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86351020, DeviceName: Unknown, DriverName: \Driver\amdxata\
DevicePointer: 0xffffffff8623d2f8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8623d420, DeviceName: \Device\00000066\, DriverName: \Driver\amdsata\
------------ End ----------
Upper DeviceData: 0xffffffffa4267130, 0xffffffff8635d030, 0xffffffff85f08728
Lower DeviceData: 0xffffffffa00a8708, 0xffffffff8623d420, 0xffffffff85ea91a0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: BA21B413
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 1024000
Partition file system is NTFS
Partition is bootable
Partition 1 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 1026048 Numsec = 61440000
Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 62466048 Numsec = 562673664
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 320072933376 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Performing system, memory and registry scan...
Infected: C:\$Recycle.Bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\@ --> [Trojan.Siredef.C]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load --> [PUM.UserWLoad]
Infected: C:\$Recycle.Bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\U --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\L --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77 --> [Trojan.Siredef.C]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
© Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_29
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 3347234816, free: 2769465344
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
© Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
System is currently in a safe mode
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_29
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 3347234816, free: 2910150656
------------ Kernel report ------------
01/10/2013 16:01:13
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\amdsata.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\DRIVERS\ApsHM86.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\DRIVERS\Apsx86.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt86win7.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbfilter.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\ibmpmdrv.sys
\SystemRoot\system32\DRIVERS\rtl8192Ce.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_amdsata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\advapi32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\imagehlp.dll
\Windows\System32\gdi32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\normaliz.dll
\Windows\System32\nsi.dll
\Windows\System32\psapi.dll
\Windows\System32\shell32.dll
\Windows\System32\difxapi.dll
\Windows\System32\shlwapi.dll
\Windows\System32\sechost.dll
\Windows\System32\usp10.dll
\Windows\System32\msvcrt.dll
\Windows\System32\imm32.dll
\Windows\System32\msctf.dll
\Windows\System32\oleaut32.dll
\Windows\System32\lpk.dll
\Windows\System32\urlmon.dll
\Windows\System32\setupapi.dll
\Windows\System32\ole32.dll
\Windows\System32\kernel32.dll
\Windows\System32\user32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\iertutil.dll
\Windows\System32\clbcatq.dll
\Windows\System32\wininet.dll
\Windows\System32\KernelBase.dll
\Windows\System32\comctl32.dll
\Windows\System32\crypt32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8635da90
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000066\
Lower Device Object: 0xffffffff8623d478
Lower Device Driver Name: \Driver\amdsata\
Driver name found: amdsata
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8635da90, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8635d430, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8635c020, DeviceName: Unknown, DriverName: \Driver\Shockprf\
DevicePointer: 0xffffffff8635da90, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff863478d0, DeviceName: Unknown, DriverName: \Driver\amdxata\
DevicePointer: 0xffffffff86347e00, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8623d478, DeviceName: \Device\00000066\, DriverName: \Driver\amdsata\
------------ End ----------
Upper DeviceData: 0xffffffff824237f0, 0xffffffff8635da90, 0xffffffff87a20848
Lower DeviceData: 0xffffffff82574308, 0xffffffff8623d478, 0xffffffff879dc918
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: BA21B413
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 1024000
Partition file system is NTFS
Partition is bootable
Partition 1 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 1026048 Numsec = 61440000
Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 62466048 Numsec = 562673664
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 320072933376 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
-
Thank you! Here is the log from RogueKiller.
RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User : Teacher [Admin rights]
Mode : Scan -- Date : 01/10/2013 15:12:30
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 7 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Teacher\LOCALS~1\Temp\msauafifp.pif) -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-3698045114-3507409308-3228407656-1004[...]\Windows : Load (C:\Users\Teacher\LOCALS~1\Temp\msauafifp.pif) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\L --> FOUND
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 999c59079689fbfcab8e037a122045ec
[BSP] 42b3664ffc88267bf9e22417f1ffdce5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 500 Mo
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1026048 | Size: 30000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 62466048 | Size: 274743 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_01102013_02d1512.txt >>
RKreport[1]_S_01102013_02d1512.txt
-
Hi. I ran a scan because my computer has been acting up (task bar freezing up, etc.). I'm accessing it in safe mode w/networking, and Malwarebytes picked up the following: PUM.UserWload and Trojan.0Access. I've run the requested DDS scan and here are the logs. Any help will be greatly appreciated!
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Registry Patch to arrange icons in Device and Printers folder of Windows 7
Update for Microsoft Office 2007 (KB2508958)
Access Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
AMD USB Filter Driver
ATI Catalyst Install Manager
ATI Uninstaller
Bing Bar
Bing Rewards Client Installer
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Conexant CX20582 SmartAudio HD
Coupon Printer for Windows
HP Photo Creations
HP Photosmart 6510 series Basic Device Software
HP Photosmart 6510 series Help
HP Photosmart 6510 series Product Improvement Study
HP Update
HUAWEI DataCard Driver 3.05
Integrated Camera
Java Auto Updater
Java 6 Update 29
Lenovo System Interface Driver
Lenovo Warranty Information
Lenovo Welcome
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MimioStudio
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
On Screen Display
Realtek Ethernet Controller Driver
Realtek USB 2.0 Card Reader
Registry Patch to Enable Maximum Power Saving on WiFi Adapters for Windows 7
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Symantec Endpoint Protection
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad FullScreen Magnifier
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkPad Wireless LAN Adapter Software
ThinkVantage Access Connections
ThinkVantage Active Protection System
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Verizon Wireless Mobile Broadband Self Activation
Windows Driver Package - Broadcom (BTHUSB) Bluetooth (04/08/2010 6.3.5.430)
Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405)
Windows Driver Package - Broadcom Bluetooth (09/11/2009 6.2.0.9407)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
Windows Driver Package - Lenovo 1.60.0.4 (11/18/2009 1.60.0.4)
WinZip
.
==== End Of File ===========================
DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16457
Run by Teacher at 14:23:55 on 2013-01-10
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\NOTEPAD.EXE
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\conhost.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uDefault_Page_URL = hxxp://lenovo.msn.com
uWindows: Load = c:\users\teacher\locals~1\temp\msauafifp.pif
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [!DPLauncher] "c:\program files\microsoft\defaultpack\DPLauncher.EXE" partner=p001 comb=9
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\MapKdrive.cmd
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mimios~1.lnk - c:\program files\mimio\mimiostudio\mimiosys.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{0D127773-EB4A-4DE2-81E8-90085945647E} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{354E1893-2EA3-4DF4-9194-66FF7C2ACD44} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{424518D1-6031-4FB4-B7C1-06C0000235C4} : DHCPNameServer = 10.222.254.87 10.222.254.88
TCP: Interfaces\{4C8F4FC0-1DB8-4167-8112-D124C63BE098} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{553CF1C0-7748-423B-9BAA-6A76EACDCE70} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{583602CE-97BC-4531-91E8-C7BE00BE4C31} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{583602CE-97BC-4531-91E8-C7BE00BE4C31}\14454503139313 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{87FBA891-857F-446C-BCBF-5F0C741B0BE1} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{A617F7A6-59D8-4445-B59D-791D636F2CA3} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{AA04B850-BDA7-444F-A55D-F042687B9E6F} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{B0E6EED1-C591-468E-8D83-C1D654B248CF} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{B8795064-F4C4-4F75-95F0-35358E65FA61} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{E8E0C924-BEC6-4252-AEDE-D974081D2C2A} : DHCPNameServer = 10.1.1.10 10.1.1.1
TCP: Interfaces\{FC658BEE-FA0A-4129-A382-7818BA35444D} : DHCPNameServer = 10.1.1.10 10.1.1.1
SSODL: WebCheck - <orphaned>
LSA: Notification Packages = scecli ACGina
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-01-09 18:28:59 626688 ----a-w- c:\windows\system32\usp10.dll
2013-01-09 18:28:57 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 18:28:55 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 18:28:02 1389568 ----a-w- c:\windows\system32\msxml6.dll
2013-01-09 18:24:46 46592 ----a-w- c:\windows\system32\fpb.rs
2013-01-08 15:27:41 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{de5e0150-e825-4655-85f5-47d8ce7fc6ed}\mpengine.dll
2012-12-30 02:27:23 -------- d-----w- c:\users\teacher\appdata\roaming\Malwarebytes
2012-12-21 19:46:39 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 19:46:39 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 13:31:09 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 13:30:47 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2012-12-07 12:26:17 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-11-30 04:53:34 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 04:47:45 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:48:41 49152 ----a-w- c:\windows\system32\taskhost.exe
2012-11-20 04:51:09 220160 ----a-w- c:\windows\system32\ncrypt.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
.
============= FINISH: 14:24:14.80 ===============
Malwarebytes Anti-Malware (PRO) 1.70.0.1100
Database version: v2013.01.10.10
Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Teacher :: 1282-SPROUTS1 [administrator]
Protection: Disabled
1/10/2013 2:28:27 PM
mbam-log-2013-01-10 (14-28-27).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244903
Time elapsed: 2 minute(s), 31 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Teacher\LOCALS~1\Temp\msauafifp.pif -> Delete on reboot.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-3698045114-3507409308-3228407656-1004\$4341bd91f259578dbf8874db5a5cba77\n (Trojan.0Access) -> Quarantined and deleted successfully.
(end)
PUM.UserWload & Trojan.0Access
Thank you! I appreciate everything!!!