Threeff
Honorary Members
Posts: 38

Everything posted by Threeff

  1. Thanks MrC. I did all of the above steps. Now for the big question. Was this ZeroAccess infection the result of not killing it totally a couple of months ago, or is it a coincidence that I was infected again from an external source? If this virus is impossible to completely get rid of, maybe I need a total reformat. Thanks again, I really appreciate your doing this and your professionalism.
  2. Security Check log:

     Results of screen317's Security Check version 0.99.74
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     avast! Free Antivirus
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     CCleaner
     Adobe Flash Player 11.8.800.168
     Adobe Reader 7 Adobe Reader out of Date!
     ````````Process Check: objlist.exe by Laurent````````
     AVAST Software Avast AvastSvc.exe
     AVAST Software Avast avastUI.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````
  3. M-Byte - 1 Object Found. Computer is a little faster, but not 100%. While typing on a webpage, letters showed up slowly. Will run Security Check.....

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.10.07.08

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     CPQ OWNER :: YOUR-4105E587B6 [administrator]

     10/7/2013 12:48:14 PM
     MBAM-log-2013-10-07 (13-01-13).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 241470
     Time elapsed: 12 minute(s), 6 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 1
     HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> No action taken.

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  4. AdwCleaner log........ (Mware-b to follow)

     # AdwCleaner v3.006 - Report created 07/10/2013 at 12:30:18
     # Updated 01/10/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : CPQ OWNER - YOUR-4105E587B6
     # Running from : C:\Documents and Settings\CPQ OWNER\Desktop\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     Folder Deleted : C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab

     ***** [ Browsers ] *****

     -\\ Internet Explorer v8.0.6001.18702

     *************************

     AdwCleaner[R0].txt - [1675 octets] - [07/10/2013 11:55:04]
     AdwCleaner[S0].txt - [1618 octets] - [07/10/2013 12:30:18]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1678 octets] ##########
  5. Pretty sure I don't need any of this, but what do you think? I'd hate to get this far and mess it up!!!

     # AdwCleaner v3.006 - Report created 07/10/2013 at 11:55:04
     # Updated 01/10/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : CPQ OWNER - YOUR-4105E587B6
     # Running from : C:\Documents and Settings\CPQ OWNER\Desktop\AdwCleaner.exe
     # Option : Scan

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     Folder Found C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

     ***** [ Browsers ] *****

     -\\ Internet Explorer v8.0.6001.18702

     *************************

     AdwCleaner[R0].txt - [1535 octets] - [07/10/2013 11:55:04]

     ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1595 octets] ##########
  6. ComboFix log:

     ComboFix 13-10-04.02 - CPQ OWNER 10/07/2013 9:33.3.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.698 [GMT -4:00]
     Running from: c:\documents and settings\CPQ OWNER\Desktop\ComboFix.exe
     AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab
     c:\documents and settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
     .
     .
     ((((((((((((((((((((((((( Files Created from 2013-09-07 to 2013-10-07 )))))))))))))))))))))))))))))))
     .
     .
     2013-10-07 12:32 . 2013-10-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
     2013-10-07 12:27 . 2013-10-07 12:27 105176 ----a-w- c:\windows\system32\drivers\48230029.sys
     2013-10-07 02:17 . 2013-10-07 02:17 -------- d-----w- C:\FRST
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
     2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2013-09-26 12:47 . 2012-04-12 14:09 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2013-09-26 12:47 . 2011-05-21 17:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2013-08-30 07:48 . 2013-08-21 13:58 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
     2013-08-30 07:48 . 2013-08-21 13:58 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
     2013-08-30 07:48 . 2013-08-21 13:58 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
     2013-08-30 07:48 . 2013-08-21 13:58 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
     2013-08-30 07:48 . 2013-08-21 13:58 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
     2013-08-30 07:48 . 2013-08-21 13:58 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
     2013-08-30 07:48 . 2013-08-21 13:58 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
     2013-08-30 07:48 . 2013-08-21 13:58 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
     2013-08-30 07:47 . 2013-08-21 13:54 41664 ----a-w- c:\windows\avastSS.scr
     2013-08-30 07:47 . 2013-08-21 13:58 229648 ----a-w- c:\windows\system32\aswBoot.exe
     2013-08-21 13:50 . 2013-08-21 13:48 117478104 ----a-w- c:\program files\avast_free_antivirus_setup.exe
     2013-08-09 01:56 . 2004-08-04 08:00 386560 ----a-w- c:\windows\system32\themeui.dll
     2013-08-08 06:05 . 2004-08-04 08:00 920064 ----a-w- c:\windows\system32\wininet.dll
     2013-08-08 06:05 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2013-08-08 06:05 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
     2013-08-08 06:05 . 2004-08-04 08:00 18944 ----a-w- c:\windows\system32\corpol.dll
     2013-08-08 01:27 . 2004-08-04 08:00 1877760 ----a-w- c:\windows\system32\win32k.sys
     2013-08-08 00:02 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
     2013-08-05 13:30 . 2004-08-04 08:00 1289728 ----a-w- c:\windows\system32\ole32.dll
     2013-08-03 18:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
     2013-08-03 15:40 . 2013-08-03 15:40 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
     2013-07-10 10:37 . 2004-08-04 08:00 406016 ----a-w- c:\windows\system32\usp10.dll
     2010-10-25 18:36 . 2010-10-25 18:36 3524936 ----a-w- c:\program files\noteburner.exe
     2010-10-12 02:46 . 2010-10-12 02:46 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
     2010-05-16 21:09 . 2010-05-16 21:09 12383736 ----a-w- c:\program files\picasa36-setup.exe
     2008-12-11 20:02 . 2008-12-11 20:02 355136 -c--a-w- c:\program files\SansaUpdaterInstall.exe
     2008-10-08 00:52 . 2008-10-08 00:52 2934168 ----a-w- c:\program files\ccsetup212.exe
     2008-07-17 14:01 . 2008-07-17 14:01 6104632 -c--a-w- c:\program files\picasaweb-current-setup.exe
     2007-07-26 16:57 . 2007-07-26 16:57 470744 ----a-w- c:\program files\msgr8us.exe
     2006-12-31 18:23 . 2006-12-31 18:23 12754672 ----a-w- c:\program files\MP10Setup.exe
     2006-11-16 16:52 . 2006-11-16 16:52 8037624 -c--a-w- c:\program files\tunebite.exe
     2006-10-14 13:58 . 2006-10-14 13:58 12841240 -c--a-w- c:\program files\SkypeSetup.exe
     2006-09-10 01:44 . 2006-09-10 01:44 4983528 ----a-w- c:\program files\GoogleVideoPlayerSetup.exe
     2006-08-29 22:11 . 2006-08-29 22:11 905216 ----a-w- c:\program files\iview398.exe
     2006-05-14 19:50 . 2006-05-14 19:50 12089417 -c--a-w- c:\program files\ysitebuilder.exe
     2006-05-14 19:37 . 2006-05-14 19:36 11817800 ----a-w- c:\program files\GoogleEarth.exe
     2005-11-04 17:04 . 2005-11-04 17:04 231993 -c--a-w- c:\program files\WSUS.EXE
     2005-10-24 22:53 . 2005-10-24 22:53 7680064 ----a-w- c:\program files\DivX521xp2k.exe
     2005-09-29 20:37 . 2005-09-29 20:37 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
     2005-09-22 01:42 . 2005-09-22 01:42 1226512 -c--a-w- c:\program files\proxyconn.exe
     2005-09-16 03:27 . 2005-09-16 03:08 381480 ----a-w- c:\program files\msgr7us.exe
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
     @="{472083B0-C522-11CF-8763-00608CC02F24}"
     [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
     2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
     "Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-21 19875432]
     "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "c:\windows\system32\V0250Ext.ax"="c:\windows\system32\V0250Ext.ax" [X]
     "Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
     "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
     "(A0)"="c:\documents and settings\CPQ OWNER\Desktop\Mbar\mbar\mbar.exe" [2013-08-13 1178424]
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
     backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
     2005-07-14 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
     2005-02-17 21:01 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
     2004-12-03 20:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
     2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
     2005-04-01 22:11 794624 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
     2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
     2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
     2005-07-10 07:03 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
     2005-03-04 10:36 36975 ----a-w- c:\program files\Java\jre1.5.0_02\bin\jusched.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
     2009-02-06 16:16 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
     2005-02-02 12:11 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
     2005-02-02 12:12 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
     2007-07-16 19:17 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     .
     R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [8/21/2013 9:58 AM 49376]
     R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [8/21/2013 9:58 AM 177864]
     R0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\48230029.sys [10/7/2013 8:27 AM 105176]
     R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/21/2013 9:58 AM 770344]
     R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/21/2013 9:58 AM 369584]
     R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/21/2013 9:58 AM 29816]
     R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [8/21/2013 9:58 AM 66336]
     R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 11:18 AM 200192]
     R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [8/3/2013 11:40 AM 35144]
     S2 gupdate1c9adae1d0975a6;Google Update Service (gupdate1c9adae1d0975a6);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 8:59 PM 133104]
     S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [9/16/2013 12:29 PM 3273088]
     S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/21/2013 9:53 AM 162408]
     S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [12/31/2006 11:18 AM 163840]
     S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - MBAMSWISSARMY
     *Deregistered* - TrueSight
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
     2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-10-07 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 12:48]
     .
     2013-10-07 c:\windows\Tasks\avast! Emergency Update.job
     - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-08-21 07:47]
     .
     2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:59]
     .
     2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:59]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us
     mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
     uInternet Connection Wizard,ShellNext = iexplore
     uInternet Settings,ProxyOverride = *.local
     uSearchAssistant =
     IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     .
     - - - - ORPHANS REMOVED - - - -
     .
     Notify-NavLogon - (no file)
     MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
     .
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2013-10-07 09:45
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker5"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(764)
     c:\windows\system32\Ati2evxx.dll
     .
     Completion time: 2013-10-07 09:49:05
     ComboFix-quarantined-files.txt 2013-10-07 13:49
     .
     Pre-Run: 1,651,900,416 bytes free
     Post-Run: 1,726,996,480 bytes free
     .
     - - End Of File - - BE0FD1D960EBDDDB9134EBB75D9E1241 E5FA06ACA0D60BA9C870D0EF3D9898C9
  7. RogueKiller log:

     RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : CPQ OWNER [Admin rights]
     Mode : Scan -- Date : 10/07/2013 09:12:26
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 1 ¤¤¤
     [SUSP PATH] StartupMonitor.exe -- C:\WINDOWS\StartupMonitor.exe [-] -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 4 ¤¤¤
     [RUN][SUSP PATH] HKLM\[...]\RunOnce : (A0) (cmd /c "C:\Documents and Settings\CPQ OWNER\Desktop\Mbar\mbar\mbar.exe" /rdv /s [7]) -> FOUND
     [SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND
     [SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND
     [SERVICE][ROGUE ST] HKLM\[...]\CS003\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤
     [Address] SSDT[122] : NtOpenProcess @ 0x805C1512 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFC54)
     [Address] SSDT[128] : NtOpenThread @ 0x805C179E -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFD44)
     [Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
     [Inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
     [Inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
     [Inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
     [Inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
     [Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
     [Inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
     [Inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
     [Inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
     [Inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
     [Inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
     [Inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
     [Inline] EAT @iexplore.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D118A0)
     [Inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)
     [Inline] EAT @iexplore.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11A70)
     [Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
     [Inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
     [Inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
     [Inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
     [Inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
     [Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
     [Inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
     [Inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
     [Inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
     [Inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
     [Inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
     [Inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
     [Inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - TOSHIBA MK6025GAS +++++
     --- User ---
     [MBR] 405dba045b3d8f3e86599d0759ec383d
     [BSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[0]_S_10072013_091225.txt >>
     RKreport[0]_S_10062013_220147.txt
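Added example (editor's note, not part of Threeff's post and not RogueKiller code): every hook RogueKiller lists above is owned by either avast's snxhk.dll or Malwarebytes' mbamchameleon.sys, so the "HOOKED" lines are the security products watching process and service creation, not a rootkit. The script below does what a helper does by eye: it parses the hook lines, drops the exact repeats (the log prints the same iexplore.exe hooks twice), groups them by the module that owns the hook and reports only modules that are not on an allowlist. The allowlist and the last sample line (a made-up driver name) are assumptions for the example; the other sample lines are copied from the log.

```python
"""Triage RogueKiller hook lines by the module that owns each hook.

Added example, not code from the thread or from RogueKiller. The allowlist,
the parsing and the last sample line are this example's own assumptions.
"""
import re
from collections import defaultdict

# Sample input: four lines copied from the RogueKiller log above (one of them
# repeated, as it is in the log) plus one constructed line naming a made-up
# driver, so that the "unknown hooker" path has something to report.
SAMPLE_LINES = [
    r"[Address] SSDT[122] : NtOpenProcess @ 0x805C1512 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFC54)",
    r"[Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)",
    r"[Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)",
    r"[Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)",
    # constructed, not from the log: a driver with a random-looking name hooking a directory-listing call
    r"[Address] SSDT[145] : NtQueryDirectoryFile @ 0x80574DAD -> HOOKED (C:\WINDOWS\system32\drivers\7f3a9c01.sys @ 0xB8A01230)",
]

# Modules that are expected to hook on this machine: avast's sandbox DLL and
# Malwarebytes' Chameleon driver (both appear in the log). Assumption for the
# example; build the list from the products actually installed.
KNOWN_HOOKERS = frozenset(p.lower() for p in (
    r"C:\Program Files\AVAST Software\Avast\snxhk.dll",
    r"C:\WINDOWS\system32\drivers\mbamchameleon.sys",
))

HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+(?P<target>.+?)\s+->\s+HOOKED\s+"
    r"\((?P<module>.+?)\s+@\s+0x(?P<addr>[0-9A-Fa-f]+)\)\s*$"
)


def parse_hook(line):
    """Split one '... -> HOOKED (module @ 0xADDR)' line into (kind, target, module, addr)."""
    m = HOOK_RE.match(line.strip())
    if m is None:
        return None
    return m.group("kind"), m.group("target"), m.group("module"), int(m.group("addr"), 16)


def unique_hooks(lines):
    """Parse every hook line and drop exact repeats (same target, module and address)."""
    seen, out = set(), []
    for line in lines:
        parsed = parse_hook(line)
        if parsed is None:
            continue
        key = parsed[1:]
        if key not in seen:
            seen.add(key)
            out.append(parsed)
    return out


def hooks_by_module(lines):
    """Map owning module -> list of hooked targets, repeats removed."""
    grouped = defaultdict(list)
    for _kind, target, module, _addr in unique_hooks(lines):
        grouped[module].append(target)
    return dict(grouped)


def unexpected_hooks(lines, known=KNOWN_HOOKERS):
    """Only the hooks owned by modules that are not on the allowlist."""
    return {mod: targets for mod, targets in hooks_by_module(lines).items()
            if mod.lower() not in known}


if __name__ == "__main__":
    for module, targets in hooks_by_module(SAMPLE_LINES).items():
        tag = "known" if module.lower() in KNOWN_HOOKERS else "UNKNOWN"
        print("%-8s %s" % (tag, module))
        for t in targets:
            print("         " + t)
```

Run against the full log the script reports nothing unexpected; the constructed fifth line is there only to show what a finding looks like. The allowlist should be matched on the full path, as above, not on the file name alone, because a driver in a different directory with a familiar name is exactly the case worth noticing.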
  8. Mbar ran clean. Will run RogueKiller again.....

     Malwarebytes Anti-Rootkit BETA 1.07.0.1005
     www.malwarebytes.org

     Database version: v2013.10.07.07

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     CPQ OWNER :: YOUR-4105E587B6 [administrator]

     10/7/2013 8:32:50 AM
     mbar-log-2013-10-07 (08-32-50).txt

     Scan type: Quick scan
     Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
     Scan options disabled:
     Objects scanned: 244153
     Time elapsed: 25 minute(s), 21 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     Physical Sectors Detected: 0
     (No malicious items detected)

     (end)
  9. mbar-log-2013-10-07 (00-02-55).txtsystem-log.txt2nd Mbar resulys. Found 0Access. WIll run again... Mbar-log: Malwarebytes Anti-Rootkit BETA 1.07.0.1005 www.malwarebytes.org Database version: v2013.10.07.02 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 CPQ OWNER :: YOUR-4105E587B6 [administrator] 10/7/2013 12:02:55 AM mbar-log-2013-10-07 (00-02-55).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: Objects scanned: 244021 Time elapsed: 23 minute(s), 41 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG (Rootkit.0Access) -> Delete on reboot. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end) System-log: --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1005 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.600000 GHz Memory total: 1206370304, free: 559333376 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. 
System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1005 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.600000 GHz Memory total: 1206370304, free: 855552000 ======================================= Initializing... Done! Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 94E494E4 Partition information: Partition 0 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 63 Numsec = 117194112 Partition file system is NTFS Partition is bootable Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 60011642880 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)... Done! Scan finished ======================================= Removal queue found; removal started Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam... Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam... Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam... 
Removal finished --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1005 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.600000 GHz Memory total: 1206370304, free: 544288768 Downloaded database version: v2013.10.07.02 Downloaded database version: v2013.09.30.01 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1005 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.600000 GHz Memory total: 1206370304, free: 843599872 ======================================= Initializing... Done! Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 94E494E4 Partition information: Partition 0 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 63 Numsec = 117194112 Partition file system is NTFS Partition is bootable Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 60011642880 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)... Done! Infected: HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG --> [Rootkit.0Access] Scan finished Creating System Restore point... 
Cleaning up...
Executing an action fixdamage.exe... Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 884793344
=======================================
  10. Mbar System log........ --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1005 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.600000 GHz Memory total: 1206370304, free: 559333376 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1005 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.600000 GHz Memory total: 1206370304, free: 855552000 ======================================= Initializing... Done! Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 94E494E4 Partition information: Partition 0 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 63 Numsec = 117194112 Partition file system is NTFS Partition is bootable Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 60011642880 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)... Done! Scan finished ======================================= Removal queue found; removal started Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam... 
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
Mbar Log.........
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org
Database version: v2013.07.26.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]
10/6/2013 10:51:31 PM
mbar-log-2013-10-06 (22-51-31).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 258870
Time elapsed: 23 minute(s), 49 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
Running Mbar Again...............
  11. Fixlog......
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by CPQ OWNER at 2013-10-06 22:37:45 Run:1
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
*****************
*etadpug => Service deleted successfully.
==== End of Fixlog ====
Will run anti-rootkit now.......
  12. Ran Farbar without closing Rogue.... seemed to work
FRST log:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by CPQ OWNER (administrator) on YOUR-4105E587B6 on 06-10-2013 22:18:24
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
==================== Processes (Whitelisted) ===================
(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastUI.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
() C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Run StartupMonitor] - C:\Windows\StartupMonitor.exe [86016 2000-05-20] ()
HKLM\...\Run: [C:\WINDOWS\system32\V0250Ext.ax] - C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0250Ext.ax
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [ATIPTA] - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-07-13] (ATI Technologies, Inc.) HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-08-30] (AVAST Software) Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.) HKLM\...\Policies\Explorer: [NoCDBurning] 0 HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-02-06] (Google Inc.) HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [19875432 2013-06-21] (Skype Technologies S.A.) HKCU\...\Run: [updateMgr] - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [313472 2006-03-30] (Adobe Systems Incorporated) HKU\Administrator\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation) HKU\Default User\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html SearchScopes: HKLM - DefaultScope value is missing. 
SearchScopes: HKCU - DefaultScope {11C0E1A0-5535-4364-A4A4-1603AC408598} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8 SearchScopes: HKCU - {11C0E1A0-5535-4364-A4A4-1603AC408598} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8 SearchScopes: HKCU - {4A16CC46-CF4B-4C4C-A5EC-0F91C4243308} URL = http://delicious.com/search?p={searchTerms} SearchScopes: HKCU - {4BE5F0CE-AB46-4FC8-A5BB-96511AECDC22} URL = http://www.flickr.com/search/?q={searchTerms} SearchScopes: HKCU - {F13A0B7D-4119-4CBA-8E31-7A8EABF0756D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms} BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll No File BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.) BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.) Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) 
Toolbar: HKCU - No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File Toolbar: HKCU - No Name - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File Toolbar: HKCU - No Name - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129639333390 DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1263.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-win32.cab DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.) Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 ========================== Services (Whitelisted) ================= R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software) S2 gupdate1c9adae1d0975a6; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-03-25] (Google Inc.) S3 hpqwmi; C:\Program Files\HPQ\SHARED\HPQWMI.exe [98304 2005-03-04] (Hewlett-Packard Development Company, L.P.) 
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [38912 2005-02-22] () S3 SandraDataSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe [173040 2005-03-01] (SiSoftware) R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.) U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess) ==================== Drivers (Whitelisted) ==================== R1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [39424 2004-08-11] (Advanced Micro Devices) R2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2005-07-10] (Windows ® 2000 DDK provider) R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-08-30] (AVAST Software) R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [66336 2013-08-30] (AVAST Software) R1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-08-30] (AVAST Software) R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-08-30] () R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-08-30] (AVAST Software) R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-08-30] (AVAST Software) R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-08-30] (AVAST Software) R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177864 2013-08-30] () R3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1391104 2008-10-23] (Broadcom Corporation) S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [55320 2005-01-18] (Broadcom Corporation.) R1 eabfiltr; C:\WINDOWS\system32\drivers\EABFiltr.sys [7432 2004-04-14] (Hewlett-Packard Company) S3 eabusb; C:\WINDOWS\system32\drivers\eabusb.sys [5220 2003-06-06] (Hewlett-Packard Company) S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [8320 2007-03-08] (GARMIN Corp.) 
R3 HSFHWATI; C:\Windows\System32\DRIVERS\HSFHWATI.sys [200192 2004-12-15] (Conexant Systems, Inc.) S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-08-03] () R2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2008-05-20] (RealNetworks, Inc.) S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation) S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation) R3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtlnicxp.sys [74496 2005-03-03] (Realtek Semiconductor Corporation ) S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC) S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation) R1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2006-07-24] () S3 tbhsd; C:\Windows\System32\drivers\tbhsd.sys [15488 2006-06-21] (RapidSolution Software AG) U3 TrueSight; C:\WINDOWS\system32\TrueSight.sys [26624 2013-10-06] () S3 USB_RNDIS_XP; C:\Windows\System32\DRIVERS\usb8023.sys [12928 2013-02-11] (Microsoft Corporation) S3 V0250Dev; C:\Windows\System32\DRIVERS\V0250Dev.sys [163840 2006-04-05] (Creative Technology Ltd.) 
U5 P3; C:\Windows\System32\Drivers\P3.sys [42752 2008-04-13] (Microsoft Corporation) U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation) U3 TlntSvr; S3 wanatw; system32\DRIVERS\wanatw4.sys [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-10-06 22:17 - 2013-10-06 22:17 - 00000000 ____D C:\FRST 2013-10-06 22:14 - 2013-10-06 22:15 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Farbar 2013-10-06 22:01 - 2013-10-06 22:01 - 00006221 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RKreport[0]_S_10062013_220147.txt 2013-10-06 21:56 - 2013-10-06 21:56 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys 2013-10-06 18:08 - 2013-10-06 22:01 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\RK_Quarantine 2013-10-06 18:07 - 2013-10-06 18:07 - 00950272 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe 2013-10-01 09:43 - 2013-10-06 11:37 - 00000783 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Vanity Light.txt 2013-09-17 14:59 - 2013-09-17 14:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$ 2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$ 2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$ ==================== One Month Modified Files and Folders ======= 2013-10-06 22:17 - 2013-10-06 22:17 - 00000000 ____D C:\FRST 2013-10-06 22:16 - 2006-10-14 09:59 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Application Data\Skype 2013-10-06 22:15 - 2013-10-06 22:14 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Farbar 2013-10-06 22:01 - 2013-10-06 22:01 - 00006221 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RKreport[0]_S_10062013_220147.txt 2013-10-06 22:01 - 2013-10-06 18:08 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\RK_Quarantine 2013-10-06 21:56 - 2013-10-06 21:56 - 00026624 _____ 
C:\WINDOWS\system32\TrueSight.sys 2013-10-06 18:10 - 2013-08-27 08:02 - 00400824 _____ C:\WINDOWS\WindowsUpdate.log 2013-10-06 18:07 - 2013-10-06 18:07 - 00950272 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe 2013-10-06 17:45 - 2012-04-12 10:10 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job 2013-10-06 17:22 - 2009-07-10 15:14 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job 2013-10-06 12:45 - 2013-08-21 09:58 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job 2013-10-06 12:45 - 2004-08-07 09:16 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl 2013-10-06 12:44 - 2009-07-10 15:14 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job 2013-10-06 12:44 - 2004-08-07 09:16 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2013-10-06 12:44 - 2004-08-07 01:51 - 00000157 _____ C:\WINDOWS\wiadebug.log 2013-10-06 12:44 - 2004-08-07 01:51 - 00000049 _____ C:\WINDOWS\wiaservc.log 2013-10-06 12:43 - 2011-05-01 14:05 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2506212$ 2013-10-06 12:41 - 2005-07-04 07:53 - 00000278 ___SH C:\Documents and Settings\CPQ OWNER\ntuser.ini 2013-10-06 12:41 - 2004-08-07 09:16 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt 2013-10-06 11:47 - 2005-07-04 07:53 - 00000000 ____D C:\Documents and Settings\CPQ OWNER 2013-10-06 11:37 - 2013-10-01 09:43 - 00000783 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Vanity Light.txt 2013-10-02 13:01 - 2005-10-10 06:10 - 00000116 _____ C:\WINDOWS\NeroDigital.ini 2013-09-28 19:33 - 2005-07-16 06:13 - 00044544 _____ C:\Documents and Settings\CPQ OWNER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2013-09-26 21:31 - 2007-07-15 11:45 - 00000000 ___RD C:\Program Files\Skype 2013-09-26 21:31 - 2007-07-15 11:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype 2013-09-26 20:50 - 2006-09-11 10:59 - 00457728 ___SH C:\Documents and Settings\CPQ OWNER\Desktop\Thumbs.db 2013-09-26 20:44 - 2005-09-15 07:10 - 00001613 _____ 
C:\WINDOWS\PStudio.ini 2013-09-26 08:58 - 2004-08-07 08:58 - 00002577 ____C C:\WINDOWS\system32\CONFIG.NT 2013-09-26 08:47 - 2012-04-12 10:09 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe 2013-09-26 08:47 - 2011-05-21 13:50 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl 2013-09-17 20:46 - 2004-08-07 09:02 - 00312376 _____ C:\WINDOWS\system32\FNTCACHE.DAT 2013-09-17 15:02 - 2009-05-31 18:00 - 00000000 ____D C:\WINDOWS\ie8updates 2013-09-17 14:59 - 2013-09-17 14:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$ 2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$ 2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$ 2013-09-17 14:53 - 2004-08-07 08:58 - 00000603 _____ C:\WINDOWS\win.ini 2013-09-17 14:51 - 2013-07-16 22:05 - 00000000 ____D C:\WINDOWS\system32\MRT 2013-09-17 14:43 - 2005-09-30 20:52 - 76725432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe 2013-09-17 10:18 - 2013-04-11 14:33 - 00001132 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Aztlan.txt 2013-09-08 11:48 - 2008-12-29 10:21 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Pictures - New 2013-09-08 11:19 - 2008-01-22 13:50 - 00000000 ____D C:\WINDOWS\system32\FxsTmp Some content of TEMP: ==================== C:\Documents and Settings\CPQ OWNER\Local Settings\temp\ntdll_dump.dll ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== End Of Log ============================ Addition log: Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-10-2013 Ran 
by CPQ OWNER at 2013-10-06 22:19:37 Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar Boot Mode: Normal ========================================================== ==================== Security Center ======================== AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D} ==================== Installed Programs ====================== ABBYY FineReader 5.0 Sprint Plus (Version: 5.0.0.3501) Adobe Flash Player 11 ActiveX (Version: 11.8.800.175) Adobe Flash Player 11 Plugin (Version: 11.8.800.168) Adobe Photoshop 7.0 (Version: 7.0) Adobe Photoshop Album 2.0 Starter Edition (Version: 2.00.100) Adobe Reader 7.1.0 (Version: 7.1.0) Apple Application Support (Version: 1.3.2) Apple Mobile Device Support (Version: 3.2.0.47) Apple Software Update (Version: 2.1.2.120) ArcSoft VideoImpression 1.6FP Athlon 64 Processor Driver (Version: 1.1.0.18) ATI - Software Uninstall Utility (Version: 6.14.10.1012) ATI Control Panel (Version: 6.14.10.5160) ATI Display Driver (Version: 8.16-050713a1-025450C) Audacity 1.2.4 AutoUpdate (Version: 1.0) avast! Free Antivirus (Version: 8.0.1497.0) Bonjour (Version: 2.0.3.0) Canon ScanGear Toolbox CS 2.2 CCleaner (Version: 2.29) Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000) Conexant AC-Link Audio Creative Live! Cam Notebook Pro Driver (1.01.03.0405) Creative Live! Cam Notebook Pro User's Guide (English) Creative System Information Creative WebCam Center Data Fax SoftModem with SmartCP DivX (Version: 5.2.1) DivX Player (Version: 2.5.5) DVD Shrink 3.2 FinePixViewer Ver.2.0 FUJIFILM USB Driver Garmin Trip and Waypoint Manager v5 (Version: 5.0.0.0) Genesys USB Mass Storage Device Get Yahoo! 
Messenger Google Earth (Version: 7.1.1.1888) Google Toolbar for Internet Explorer (Version: 1.0.0) Google Toolbar for Internet Explorer (Version: 7.5.4413.1752) Google Update Helper (Version: 1.3.21.153) Google Video Player HP Help and Support (Version: 3.200.16.1) HP Product Detection (Version: 11.15.0009) HP Software Update (Version: 3.0.5.001) HP User Guides 0001 (Version: 1.00.0003) HP Wireless Assistant 1.01 A2 (Version: 1.01 A2) HpSdpAppCoreApp (Version: 3.00.0000) InterActual Player InterVideo WinDVD (Version: 5.0-B11.637) IrfanView (remove only) iTunes (Version: 10.0.1.22) J2SE Runtime Environment 5.0 Update 2 (Version: 1.5.0.20) Learn2 Player (Uninstall Only) LS_HSI (Version: 1.0.21.1) Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300) Media Player Codec Pack 4.1.1 MediaMonkey 3.2 (Version: 3.2) Microsoft .NET Framework 1.1 (Version: 1.1.4322) Microsoft .NET Framework 1.1 Security Update (KB2698023) Microsoft .NET Framework 1.1 Security Update (KB2833941) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319) Microsoft .NET Framework 4 Extended (Version: 4.0.30319) Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1) Microsoft Money 2005 (Version: 14) Microsoft Office File Validation Add-In (Version: 14.0.5130.5003) Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0) Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161) Microsoft Works (Version: 08.04.0623) MSN MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0) MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0) MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0) MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0) MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0) muvee autoProducer 4.0 - SE (Version: 4.00.050) Nero 6 Demo NoteBurner 2.31 Picasa 3 (Version: 3.9) Quick Launch Buttons 5.10 B2 (Version: 5.10 B2) QuickTime (Version: 
7.68.75.0) RealPlayer Basic Rhapsody Player Engine (Version: 1.0.604) SAMSUNG Mobile USB Modem 1.0 Software SAMSUNG Mobile USB Modem Software Samsung USB Driver (MCCI 4.34) WHQL v3.4 (Version: 4.34.4) Sansa Updater ScanToWeb SiSoftware Sandra Lite 2005.SR1 (Win64/32/CE) (Version: 10.50.2005.3) Skype Click to Call (Version: 6.12.13601) Skype™ 6.6 (Version: 6.6.106) Sonic Audio Module (Version: 2.0.0) Sonic Copy Module (Version: 2.0.0) Sonic Data Module (Version: 2.0.0) Sonic Express Labeler (Version: 2.0.0) Sonic MyDVD Plus (Version: 6.1.0) Sonic Update Manager (Version: 3.0.0) StartupMonitor (Version: 1.0.2.0) Synaptics Pointing Device Driver (Version: 7.13.0.1) Texas Instruments PCIxx21/x515/xx12 drivers. (Version: 1.20.0000) The Rosetta Stone TIPCI (Version: 1.20.0000) Tunatic Tweak UI Update for Windows Internet Explorer 8 (KB971180) (Version: 1) Update for Windows Internet Explorer 8 (KB976662) (Version: 1) Update for Windows Internet Explorer 8 (KB976749) (Version: 1) Update for Windows Internet Explorer 8 (KB980182) (Version: 1) Update for Windows XP (KB2141007) (Version: 1) Update for Windows XP (KB2345886) (Version: 1) Update for Windows XP (KB2467659) (Version: 1) Update for Windows XP (KB2541763) (Version: 1) Update for Windows XP (KB2607712) (Version: 1) Update for Windows XP (KB2616676-v2) (Version: 2) Update for Windows XP (KB2641690) (Version: 1) Update for Windows XP (KB2661254-v2) (Version: 2) Update for Windows XP (KB2718704) (Version: 1) Update for Windows XP (KB2736233) (Version: 1) Update for Windows XP (KB2749655) (Version: 1) Update for Windows XP (KB2863058) (Version: 1) Update for Windows XP (KB951072-v2) (Version: 2) Update for Windows XP (KB951978) (Version: 1) Update for Windows XP (KB955759) (Version: 1) Update for Windows XP (KB955839) (Version: 1) Update for Windows XP (KB967715) (Version: 1) Update for Windows XP (KB968389) (Version: 1) Update for Windows XP (KB971029) (Version: 1) Update for Windows XP (KB971737) (Version: 1) Update 
for Windows XP (KB973687) (Version: 1) Update for Windows XP (KB973815) (Version: 1) WD Diagnostics (Version: 1.07.0000) WD Firewire HID Driver (Version: 1.04.0001) WebFldrs XP (Version: 9.50.7523) Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0) Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5) Windows Internet Explorer 8 (Version: 20090308.140743) Windows Media Format 11 runtime Windows XP Service Pack 3 (Version: 20080414.031525) XnView 1.99.5 (Version: 1.99.5) Yahoo! Browser Services Yahoo! Install Manager Yahoo! Internet Mail Yahoo! Software Update Yahoo! Toolbar ==================== Restore Points ========================= 21-08-2013 02:49:05 Software Distribution Service 3.0 21-08-2013 13:52:46 avast! Free Antivirus Setup 21-08-2013 14:04:35 Removed Symantec AntiVirus 26-08-2013 13:32:11 System Checkpoint 29-08-2013 01:11:50 Software Distribution Service 3.0 04-09-2013 23:17:57 System Checkpoint 09-09-2013 05:35:55 System Checkpoint 17-09-2013 18:42:42 Software Distribution Service 3.0 27-09-2013 01:43:44 System Checkpoint 28-09-2013 16:09:33 System Checkpoint 04-10-2013 13:22:15 System Checkpoint 05-10-2013 20:43:05 System Checkpoint ==================== Hosts content: ========================== 2004-08-04 04:00 - 2013-08-02 21:16 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts 127.0.0.1 localhost ==================== Scheduled Tasks (whitelisted) ============= Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\WINDOWS\Tasks\avast! 
Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2013-10-06 12:57 - 2013-10-06 10:01 - 02104832 _____ () C:\Program Files\AVAST Software\Avast\defs\13100601\algo.dll 2004-08-04 04:00 - 2008-04-13 20:11 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll 2004-08-04 04:00 - 2008-04-13 20:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll 2004-08-04 04:00 - 2008-04-13 20:12 - 00192512 _____ () C:\WINDOWS\system32\qcap.dll 2004-08-04 04:00 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll ==================== Alternate Data Streams (whitelisted) ========= ==================== Safe Mode (whitelisted) =================== ==================== Faulty Device Manager Devices ============= Name: Description: Class Guid: {4D36E97B-E325-11CE-BFC1-08002BE10318} Manufacturer: Service: Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. ==================== Event log errors: ========================= Application errors: ================== Error: (10/06/2013 06:08:19 PM) (Source: Application Hang) (User: ) Description: Hanging application AvastUI.exe, version 8.0.1497.376, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error: (10/06/2013 10:18:48 AM) (Source: Application Hang) (User: ) Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 
Error: (10/06/2013 10:18:41 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/02/2013 01:34:38 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15609


System errors:
=============
Error: (10/06/2013 09:51:30 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 09:51:01 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 00:44:39 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: AliIde IntelIde ViaIde

Error: (10/06/2013 11:32:36 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 11:32:04 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 08:55:10 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 08:54:38 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/05/2013 00:33:22 PM) (Source: Dhcp) (User: )
Description: The IP address lease 172.16.3.42 for the Network Card with network address 00904BF14AC6 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

Error: (10/05/2013 00:33:02 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.

Error: (10/04/2013 04:18:27 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.


Microsoft Office Sessions:
=========================
Error: (10/06/2013 06:08:19 PM) (Source: Application Hang)(User: )
Description: AvastUI.exe8.0.1497.376hungapp0.0.0.000000000

Error: (10/06/2013 10:18:48 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/02/2013 01:34:38 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15609


==================== Memory info ===========================

Percentage of memory in use: 85%
Total physical RAM: 1150.48 MB
Available physical RAM: 167.68 MB
Total Pagefile: 2178.03 MB
Available Pagefile: 1174.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:55.88 GB) (Free:1.87 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 56 GB) (Disk ID: 94E494E4)
Partition 1: (Active) - (Size=56 GB) - (Type=07 NTFS)

==================== End Of Log ============================
  13. The file {ff24043d-55f8-5ce9-a20a-8337d9b4b888} seems the same as the last infection 2 months ago.
  14. The first scan using RogueKiller didn't seem to work right. This is the result.....

      [Params]
      EulaAccepted=true

      I ran again with a better result......

      RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
      mail : tigzyRK<at>gmail<dot>com
      Feedback : http://www.adlice.com/forum/
      Website : http://www.adlice.com/softwares/roguekiller/
      Blog : http://tigzyrk.blogspot.com/

      Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
      Started in : Normal mode
      User : CPQ OWNER [Admin rights]
      Mode : Scan -- Date : 10/06/2013 22:01:47
      | ARK || FAK || MBR |

      ¤¤¤ Bad processes : 1 ¤¤¤
      [ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x] -> STOPPED

      ¤¤¤ Registry Entries : 6 ¤¤¤
      [SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
      [SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
      [SERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
      [HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
      [HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
      [HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

      ¤¤¤ Scheduled tasks : 0 ¤¤¤

      ¤¤¤ Startup Entries : 0 ¤¤¤

      ¤¤¤ Web browsers : 0 ¤¤¤

      ¤¤¤ Particular Files / Folders: ¤¤¤

      ¤¤¤ Driver : [LOADED] ¤¤¤
      [Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
      [Inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
      [Inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
      [Inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
      [Inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
      [Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
      [Inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
      [Inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
      [Inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
      [Inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
      [Inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
      [Inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
      [Inline] EAT @iexplore.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D118A0)
      [Inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)
      [Inline] EAT @iexplore.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11A70)
      [Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
      [Inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
      [Inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
      [Inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
      [Inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
      [Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
      [Inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
      [Inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
      [Inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
      [Inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
      [Inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
      [Inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
      [Inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)

      ¤¤¤ External Hives: ¤¤¤

      ¤¤¤ Infection : ZeroAccess ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> %SystemRoot%\System32\drivers\etc\hosts

      127.0.0.1 localhost

      ¤¤¤ MBR Check: ¤¤¤

      +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - TOSHIBA MK6025GAS +++++
      --- User ---
      [MBR] 405dba045b3d8f3e86599d0759ec383d
      [BSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
      Partition table:
      0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      Finished : << RKreport[0]_S_10062013_220147.txt >>
  15. I've switched from Symantec to Avast, which did not detect anything so far.
  16. MrCharlie did a great job helping me with this issue a few months ago. We went through the process and the computer seemed clean. She started running a little slow so I ran MalwareByte Chameleon and the log is as follows..... (Windows XP SP3)....

      Malwarebytes Anti-Malware 1.75.0.1300
      www.malwarebytes.org

      Database version: v2013.10.06.03

      Windows XP Service Pack 3 x86 NTFS
      Internet Explorer 8.0.6001.18702
      :: YOUR-4105E587B6 [administrator]

      10/6/2013 12:07:02 PM
      MBAM-log-2013-10-06 (12-23-03).txt

      Scan type: Quick scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 240163
      Time elapsed: 15 minute(s), 9 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 4
      HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> No action taken.
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> No action taken.
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> No action taken.
      HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> No action taken.

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 1
      C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab (PUP.Optional.DefaultTab.A) -> No action taken.

      Files Detected: 1
      C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll (PUP.Optional.DefaultTab) -> No action taken.

      (end)

      Do I have the same infection, a new infection or a false positive? The original thread for this virus is titled "ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte", 2 Aug 2013.
  17. Sorry to bug you again MrC. After running M-byte one last time (I'm clean), I went to view a news video on YouTube, and every time a window is displayed over the video which says.....

      Adobe Flash Player Settings
      Local Storage
      s.ytimg.com is requesting permission to store information on your computer.
      Requested: up to 10 KB
      Currently Used: 0 KB
      ALLOW   DENY

      Any advice on what this is? I've never seen it before.
  18. MrC, I ran RogueKiller with my external HD attached and it found these........

      RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
      mail : tigzyRK<at>gmail<dot>com
      Feedback : http://www.adlice.com/forum/
      Website : http://www.adlice.com/softwares/roguekiller/
      Blog : http://tigzyrk.blogspot.com/

      Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
      Started in : Normal mode
      User : CPQ OWNER [Admin rights]
      Mode : Scan -- Date : 08/03/2013 11:22:51
      | ARK || FAK || MBR |

      ¤¤¤ Bad processes : 1 ¤¤¤
      [SUSP PATH] StartupMonitor.exe -- C:\WINDOWS\StartupMonitor.exe [-] -> KILLED [TermProc]

      ¤¤¤ Registry Entries : 5 ¤¤¤
      [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
      [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
      [HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
      [HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
      [HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

      ¤¤¤ Scheduled tasks : 0 ¤¤¤

      ¤¤¤ Startup Entries : 0 ¤¤¤

      ¤¤¤ Web browsers : 0 ¤¤¤

      ¤¤¤ Particular Files / Folders: ¤¤¤

      ¤¤¤ Driver : [LOADED] ¤¤¤
      [Address] SSDT[31] : NtConnectPort @ 0x80599B2A -> HOOKED (Unknown @ 0x8898ADB8)

      ¤¤¤ External Hives: ¤¤¤

      ¤¤¤ Infection : ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> %SystemRoot%\System32\drivers\etc\hosts

      127.0.0.1 localhost

      ¤¤¤ MBR Check: ¤¤¤

      +++++ PhysicalDrive0: TOSHIBA MK6025GAS +++++
      --- User ---
      [MBR] 405dba045b3d8f3e86599d0759ec383d
      [BSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
      Partition table:
      0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      +++++ PhysicalDrive1: TOSHIBA MK6025GAS +++++
      --- User ---
      [MBR] 7c9ed30bd74da1063d4a90f11130162a
      [BSP] b20e22e1615d2a9055254f006a3f6761 : Windows XP MBR Code
      Partition table:
      0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 381551 Mo
      User = LL1 ... OK!
      Error reading LL2 MBR!

      +++++ PhysicalDrive2: TOSHIBA MK6025GAS +++++
      --- User ---
      [MBR] 3aa9ddfca72963c0ef19b1a361227bb7
      [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
      Partition table:
      0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 253 | Size: 1927 Mo
      Error reading LL1 MBR!
      Error reading LL2 MBR!

      Finished : << RKreport[0]_S_08032013_112251.txt >>

      1 Process, 5 Registry and 1 Driver issue. Do I need to delete all/some of these?
  19. Will do sir...... have a great day and thanks again!!!!
  20. Which program should I run to check for ZeroAccess? Will my Symantec suffice or should I use a specialized tool?