
trojan.small trojan.sirefef rootkit.0access removal



Thank you, I believe this is what you requested.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.23.05

Windows 7 Service Pack 1 x86 NTFS (Safe Mode)

Internet Explorer 9.0.8112.16421

Dale :: CHAPMANPC [administrator]

Protection: Disabled

6/23/2012 12:52:30 PM

mbam-log-2012-06-23 (12-52-30).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 212044

Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|fopcynweq (Trojan.Lameshield) -> Data: C:\Users\Dale\AppData\Local\fopcynweq.exe -> Quarantined and deleted successfully.

HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 9

C:\Users\Dale\AppData\Local\fopcynweq.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Users\Dale\Local Settings\fopcynweq.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Users\Dale\Local Settings\Application Data\fopcynweq.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Users\Dale\Local Settings\Temporary Internet Files\Content.IE5\I3HUV9AN\soft5[1].exe (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Users\Dale\Local Settings\Temporary Internet Files\Content.IE5\VWEPY4W9\soft4[1].exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)


Actually this is a more current log.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.23.05

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Dale :: CHAPMANPC [administrator]

Protection: Enabled

6/24/2012 5:40:51 PM

mbam-log-2012-06-24 (17-40-51).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 320949

Time elapsed: 29 minute(s), 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)


  • Staff

Thank you.

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

(You need the 32-bit version.)

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The Notepad window opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01

Ran by SYSTEM at 25-06-2012 18:42:55

Running from F:\

Windows 7 Ultimate Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-09-23] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-09-23] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-09-23] (Intel Corporation)

HKLM\...\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe [36864 2002-09-23] ()

HKLM\...\Run: [PP8 Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini" [469 2011-11-05] ()

HKLM\...\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [1687552 2005-11-21] (Sonic Solutions)

HKLM\...\Run: [] [x]

HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [163840 2005-11-22] ()

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)

HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446248 2011-12-15] (Garmin)

HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1059472 2011-12-05] (Carbonite, Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)

HKLM\...\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [782336 2012-06-24] (BitDefender S.R.L.)

HKU\Dale\...\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon" [39816 2011-11-22] (Citrix Online, a division of Citrix Systems, Inc.)

HKU\Dale\...\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [1261472 2012-04-03] (Adobe Systems Incorporated)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 208.180.83.133 208.180.42.68

Startup: C:\Users\Dale\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [4426384 2011-12-05] (Carbonite, Inc. (www.carbonite.com))

3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [556544 2010-11-20] (Microsoft Corporation)

3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

2 IntuitUpdateService; "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13672 2010-08-23] (Intuit Inc.)

2 IntuitUpdateServiceV4; "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [13672 2011-08-25] (Intuit Inc.)

2 LIVESRV; "C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service [419096 2012-06-24] (BitDefender SRL)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)

3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [4640000 2010-01-09] (Microsoft Corporation)

2 RoxLiveShare; "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe" [233472 2005-11-22] (Sonic Solutions)

3 RoxMediaDB; "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe" [864256 2005-11-22] (Sonic Solutions)

3 RoxUPnPRenderer; "C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe" [45056 2005-11-21] (Sonic Solutions)

2 RoxUpnpServer; "C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe" [409600 2005-11-21] (Sonic Solutions)

2 RoxWatch; "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe" [155648 2005-11-22] (Sonic Solutions)

3 scan; C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll [323584 2012-06-24] (S.C. BitDefender S.R.L)

2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-01-31] (Skype Technologies)

2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)

2 VSSERV; "C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe" /service [1626112 2009-04-06] (BitDefender S. R. L.)

3 wbengine; "C:\Windows\system32\wbengine.exe" [1203200 2010-11-20] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 bdfm; C:\Windows\System32\drivers\bdfm.sys [146312 2012-06-24] (BitDefender S.R.L. Bucharest, ROMANIA)

3 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [266376 2009-04-06] (BitDefender S.R.L. Bucharest, ROMANIA)

3 BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys [8832 2009-01-12] (BitDefender S.R.L.)

1 cdudf_xp; C:\Windows\System32\Drivers\cdudf_xp.sys [311680 2005-10-22] (Sonic Solutions)

3 dvd_2K; C:\Windows\System32\Drivers\dvd_2K.sys [27264 2005-10-22] (Sonic Solutions)

3 LVRS; C:\Windows\System32\DRIVERS\lvrs.sys [315808 2011-08-19] (Logitech Inc.)

3 LVUVC; C:\Windows\System32\DRIVERS\lvuvc.sys [4332960 2012-01-18] (Logitech Inc.)

3 mbamchameleon; \??\C:\Windows\system32\drivers\mbamchameleon.sys [28488 2012-06-23] ()

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)

3 mmc_2K; C:\Windows\System32\Drivers\mmc_2K.sys [27136 2005-10-22] (Sonic Solutions)

3 Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys [13056 2008-09-02] ()

1 pwd_2k; C:\Windows\System32\Drivers\pwd_2k.sys [119168 2005-10-22] (Sonic Solutions)

1 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [50176 2005-11-21] (Sonic Solutions)

3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [77184 2010-11-20] (Microsoft Corporation)

3 terminpt; C:\Windows\system32\drivers\terminpt.sys [25600 2010-11-20] (Microsoft Corporation)

3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [112640 2010-11-20] (Microsoft Corporation)

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-06-25 18:42 - 2012-06-25 18:43 - 00000000 ____D C:\FRST

2012-06-24 18:16 - 2012-06-24 18:16 - 00081984 ____A C:\Windows\System32\bdod.bin

2012-06-24 18:16 - 2012-06-24 18:16 - 00065773 ____A C:\Windows\System32\BDUpdateV1.xml

2012-06-24 18:05 - 2012-06-24 18:05 - 00000850 ____A C:\Windows\System32\ProductTweaks.xml

2012-06-24 18:05 - 2012-06-24 18:05 - 00000385 ____A C:\Windows\System32\user_gensett.xml

2012-06-24 18:04 - 2012-06-24 18:04 - 00000000 __SHD C:\found.000

2012-06-24 17:58 - 2012-06-24 17:59 - 16208824 ____A (Microsoft Corporation) C:\Users\Dale\Downloads\Windows-KB890830-V4.9.exe

2012-06-24 17:56 - 2012-06-24 18:01 - 00000000 ____D C:\Users\All Users\BitDefender

2012-06-24 17:56 - 2012-06-24 17:56 - 00002096 ____A C:\Users\Public\Desktop\BitDefender Free Edition 2009.lnk

2012-06-24 17:56 - 2012-06-24 17:56 - 00000000 ____D C:\Users\Dale\AppData\Roaming\BitDefender

2012-06-24 17:56 - 2012-06-24 17:56 - 00000000 ____D C:\Program Files\BitDefender

2012-06-24 17:55 - 2012-06-24 17:56 - 00000000 ____D C:\Program Files\Common Files\BitDefender

2012-06-24 05:59 - 2012-06-24 05:59 - 00000174 ____A C:\Users\Dale\Desktop\New shortcut.lnk

2012-06-24 05:56 - 2012-06-24 05:56 - 00001270 ____A C:\Users\Dale\Desktop\shutdown.lnk

2012-06-24 04:42 - 2012-06-24 04:43 - 10288512 ____A (Microsoft Corporation) C:\Users\Dale\Downloads\mseinstall (1).exe

2012-06-24 01:14 - 2012-06-24 04:43 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0

2012-06-23 09:37 - 2012-06-23 09:52 - 00028488 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

2012-06-23 09:37 - 2012-06-23 09:37 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-06-23 09:37 - 2012-06-23 09:37 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Malwarebytes

2012-06-23 09:37 - 2012-06-23 09:37 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-06-23 09:37 - 2012-06-23 09:37 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-06-23 09:37 - 2012-04-04 12:56 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-23 09:36 - 2012-06-23 09:37 - 00000000 ___AD C:\Users\Dale\Desktop\Chameleon

2012-06-23 09:05 - 2012-06-23 09:05 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-06-19 04:48 - 2011-02-18 22:30 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll

2012-06-19 04:48 - 2011-02-18 22:30 - 00739840 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2012-06-19 04:46 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-19 04:46 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-19 04:46 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-19 04:46 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-19 04:45 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-19 04:45 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-19 04:45 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-19 04:45 - 2012-06-02 12:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-19 04:45 - 2012-06-02 12:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-14 00:01 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-14 00:01 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-14 00:01 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-14 00:01 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-14 00:01 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-14 00:01 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-14 00:01 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-14 00:01 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-14 00:01 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-14 00:01 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-14 00:01 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-14 00:01 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-14 00:01 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-14 00:01 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-13 14:41 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-13 14:41 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-06-13 14:41 - 2012-04-27 20:41 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll

2012-06-13 14:41 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-06-13 14:41 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-06-13 14:41 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-06-13 14:41 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-06-13 14:41 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-06-13 14:41 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-06-13 14:41 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-06-13 14:41 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-06-12 06:29 - 2012-06-25 15:20 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-06-12 06:29 - 2012-06-25 10:12 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-06-12 06:29 - 2012-06-12 06:30 - 00000000 ____D C:\Program Files\Google

2012-06-12 06:29 - 2012-06-12 06:29 - 00000000 ____D C:\Users\Dale\AppData\Local\Google

2012-05-27 13:16 - 2012-05-27 13:16 - 02306888 ____A (CatenaLogic ) C:\Users\Dale\Downloads\mymediabookmarks_exe_1.5.exe

2012-05-27 13:16 - 2012-05-27 13:16 - 00000000 ____D C:\Users\Dale\AppData\Roaming\CatenaLogic

2012-05-27 13:16 - 2012-05-27 13:16 - 00000000 ____D C:\Program Files\CatenaLogic

2012-05-26 08:22 - 2012-05-26 08:22 - 00001754 ____A C:\Users\Dale\Desktop\recipes - Shortcut.lnk

2012-05-26 08:20 - 2012-05-26 08:20 - 00001732 ____A C:\Users\Dale\Documents\recipes - Shortcut (2).lnk

2012-05-26 08:19 - 2012-05-26 08:19 - 00001732 ____A C:\Users\Dale\Documents\recipes - Shortcut.lnk

============ 3 Months Modified Files and Folders ===============

2012-06-25 15:26 - 2011-11-05 11:43 - 01458755 ____A C:\Windows\WindowsUpdate.log

2012-06-25 15:20 - 2012-06-12 06:29 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-06-25 15:20 - 2009-07-13 20:39 - 00125680 ____A C:\Windows\setupact.log

2012-06-25 15:19 - 2012-04-12 02:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-06-25 10:12 - 2012-06-12 06:29 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-06-25 09:58 - 2011-11-07 16:35 - 00000000 ___AD C:\Users\Dale\Documents\Outlook Files

2012-06-25 04:30 - 2009-07-13 20:34 - 00026048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-06-25 04:30 - 2009-07-13 20:34 - 00026048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-06-25 04:28 - 2010-11-20 13:01 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-25 04:22 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-06-24 18:16 - 2012-06-24 18:16 - 00081984 ____A C:\Windows\System32\bdod.bin

2012-06-24 18:16 - 2012-06-24 18:16 - 00065773 ____A C:\Windows\System32\BDUpdateV1.xml

2012-06-24 18:15 - 2009-04-15 12:13 - 00146312 ____A (BitDefender S.R.L. Bucharest, ROMANIA) C:\Windows\System32\Drivers\bdfm.sys

2012-06-24 18:05 - 2012-06-24 18:05 - 00000850 ____A C:\Windows\System32\ProductTweaks.xml

2012-06-24 18:05 - 2012-06-24 18:05 - 00000385 ____A C:\Windows\System32\user_gensett.xml

2012-06-24 18:04 - 2012-06-24 18:04 - 00000000 __SHD C:\found.000

2012-06-24 18:01 - 2012-06-24 17:56 - 00000000 ____D C:\Users\All Users\BitDefender

2012-06-24 17:59 - 2012-06-24 17:58 - 16208824 ____A (Microsoft Corporation) C:\Users\Dale\Downloads\Windows-KB890830-V4.9.exe

2012-06-24 17:56 - 2012-06-24 17:56 - 00002096 ____A C:\Users\Public\Desktop\BitDefender Free Edition 2009.lnk

2012-06-24 17:56 - 2012-06-24 17:56 - 00000000 ____D C:\Users\Dale\AppData\Roaming\BitDefender

2012-06-24 17:56 - 2012-06-24 17:56 - 00000000 ____D C:\Program Files\BitDefender

2012-06-24 17:56 - 2012-06-24 17:55 - 00000000 ____D C:\Program Files\Common Files\BitDefender

2012-06-24 16:43 - 2010-11-20 13:48 - 00035076 ____A C:\Windows\PFRO.log

2012-06-24 16:43 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\schemas

2012-06-24 13:54 - 2011-11-05 09:48 - 00000000 ____D C:\users\Dale

2012-06-24 13:53 - 2010-11-20 16:46 - 00000000 ___RD C:\Users\Public\Recorded TV

2012-06-24 13:53 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore

2012-06-24 13:53 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration

2012-06-24 13:27 - 2011-11-05 10:11 - 00001945 ____A C:\Windows\epplauncher.mif

2012-06-24 05:59 - 2012-06-24 05:59 - 00000174 ____A C:\Users\Dale\Desktop\New shortcut.lnk

2012-06-24 05:56 - 2012-06-24 05:56 - 00001270 ____A C:\Users\Dale\Desktop\shutdown.lnk

2012-06-24 04:43 - 2012-06-24 04:42 - 10288512 ____A (Microsoft Corporation) C:\Users\Dale\Downloads\mseinstall (1).exe

2012-06-24 04:43 - 2012-06-24 01:14 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0

2012-06-24 04:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Speech

2012-06-24 04:02 - 2012-01-11 05:27 - 00000000 __SHD C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}

2012-06-23 10:19 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\Offline Web Pages

2012-06-23 10:10 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\TAPI

2012-06-23 09:52 - 2012-06-23 09:37 - 00028488 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

2012-06-23 09:37 - 2012-06-23 09:37 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-06-23 09:37 - 2012-06-23 09:37 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Malwarebytes

2012-06-23 09:37 - 2012-06-23 09:37 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-06-23 09:37 - 2012-06-23 09:37 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-06-23 09:37 - 2012-06-23 09:36 - 00000000 ___AD C:\Users\Dale\Desktop\Chameleon

2012-06-23 09:05 - 2012-06-23 09:05 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-06-20 04:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache

2012-06-20 00:18 - 2011-11-07 18:00 - 00000000 ___AD C:\Users\Dale\Documents\recipes

2012-06-14 16:07 - 2011-11-05 09:48 - 00000000 ____D C:\Users\Dale\AppData\Local\VirtualStore

2012-06-14 10:10 - 2011-12-09 20:52 - 00212992 __ASH C:\Users\Dale\Documents\Thumbs.db

2012-06-14 02:58 - 2012-04-12 02:55 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-06-14 02:58 - 2011-11-08 11:22 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-06-14 00:35 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET

2012-06-14 00:27 - 2009-07-13 20:33 - 00457128 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-14 00:10 - 2011-11-05 13:32 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-06-12 18:19 - 2011-11-05 14:00 - 00002002 ___AH C:\Users\Dale\Documents\Default.rdp

2012-06-12 18:09 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp

2012-06-12 15:04 - 2011-12-03 16:11 - 00002014 ____A C:\Users\Public\Desktop\Adobe Acrobat X Standard.lnk

2012-06-12 15:02 - 2011-11-05 13:50 - 00000000 ____D C:\Program Files\Common Files\Adobe

2012-06-12 06:30 - 2012-06-12 06:29 - 00000000 ____D C:\Program Files\Google

2012-06-12 06:29 - 2012-06-12 06:29 - 00000000 ____D C:\Users\Dale\AppData\Local\Google

2012-06-03 20:35 - 2011-11-05 10:36 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-02 14:19 - 2012-06-19 04:46 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-19 04:46 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-19 04:46 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-19 04:45 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-19 04:45 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:12 - 2012-06-19 04:46 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:12 - 2012-06-19 04:45 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 12:19 - 2012-06-19 04:45 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 12:12 - 2012-06-19 04:45 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-27 13:16 - 2012-05-27 13:16 - 02306888 ____A (CatenaLogic ) C:\Users\Dale\Downloads\mymediabookmarks_exe_1.5.exe

2012-05-27 13:16 - 2012-05-27 13:16 - 00000000 ____D C:\Users\Dale\AppData\Roaming\CatenaLogic

2012-05-27 13:16 - 2012-05-27 13:16 - 00000000 ____D C:\Program Files\CatenaLogic

2012-05-26 08:22 - 2012-05-26 08:22 - 00001754 ____A C:\Users\Dale\Desktop\recipes - Shortcut.lnk

2012-05-26 08:20 - 2012-05-26 08:20 - 00001732 ____A C:\Users\Dale\Documents\recipes - Shortcut (2).lnk

2012-05-26 08:19 - 2012-05-26 08:19 - 00001732 ____A C:\Users\Dale\Documents\recipes - Shortcut.lnk

2012-05-23 19:26 - 2011-11-07 01:30 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Roxio

2012-05-23 19:25 - 2012-05-23 14:41 - 1234847870 ____A C:\Users\Dale\Downloads\volume12.wmv

2012-05-19 11:13 - 2011-11-05 13:32 - 00000000 ____D C:\Users\Dale\AppData\Local\Microsoft Help

2012-05-17 15:11 - 2012-06-14 00:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 14:48 - 2012-06-14 00:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 14:45 - 2012-06-14 00:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 14:36 - 2012-06-14 00:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 14:35 - 2012-06-14 00:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 14:35 - 2012-06-14 00:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 14:33 - 2012-06-14 00:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 14:31 - 2012-06-14 00:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 14:29 - 2012-06-14 00:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 14:29 - 2012-06-14 00:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 14:27 - 2012-06-14 00:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 14:25 - 2012-06-14 00:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 14:24 - 2012-06-14 00:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 14:20 - 2012-06-14 00:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-15 15:11 - 2012-05-15 15:11 - 25656265 ____A C:\Users\Dale\Downloads\what_if..._.mp3

2012-05-14 17:05 - 2012-06-13 14:41 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-13 12:31 - 2011-11-07 17:41 - 00000000 ___AD C:\Users\Dale\Documents\KC 401k

2012-05-12 00:27 - 2010-11-20 16:46 - 00000000 ____D C:\Program Files\Windows Journal

2012-05-05 07:12 - 2012-05-05 07:12 - 85164032 ____A C:\Users\Dale\Accounts.QDF-backup

2012-04-30 20:44 - 2012-06-13 14:41 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-27 20:41 - 2012-06-13 14:41 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll

2012-04-27 19:17 - 2012-06-13 14:41 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 20:45 - 2012-06-13 14:41 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 20:45 - 2012-06-13 14:41 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 20:41 - 2012-06-13 14:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-23 20:36 - 2012-06-13 14:41 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 20:36 - 2012-06-13 14:41 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 20:36 - 2012-06-13 14:41 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-04-19 19:19 - 2012-04-19 19:19 - 00004328 ____A C:\Users\Dale\Downloads\149920312.vcs

2012-04-13 18:25 - 2011-12-31 08:27 - 00000000 ___AD C:\Users\Dale\Documents\TurboTax

2012-04-13 17:27 - 2011-11-07 18:01 - 00000000 ___AD C:\Users\Dale\Documents\tax returns

2012-04-12 02:54 - 2011-11-22 18:26 - 00001339 ____A C:\Users\Dale\Desktop\GoToMeeting.lnk

2012-04-12 00:08 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini

2012-04-11 10:26 - 2011-11-07 17:40 - 00000000 ___AD C:\Users\Dale\Documents\DC 401k

2012-04-10 08:39 - 2011-11-07 17:40 - 00000000 ___AD C:\Users\Dale\Documents\Karen Chapman

2012-04-10 04:36 - 2012-04-10 04:36 - 00092660 ____A C:\Users\Dale\Downloads\20120101.ofx

2012-04-07 03:26 - 2012-06-13 14:41 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-04-04 12:56 - 2012-06-23 09:37 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-03-30 20:39 - 2012-05-11 04:25 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-03-30 20:39 - 2012-05-11 04:25 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-03-30 02:23 - 2012-05-11 04:25 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

ZeroAccess:

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\@

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\L

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\00000001.@

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\80000000.@

C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\800000cb.@

ZeroAccess:

C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}

C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}\@

C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}\L

C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 26%

Total physical RAM: 2004.61 MB

Available physical RAM: 1472.32 MB

Total Pagefile: 2004.61 MB

Available Pagefile: 1473.96 MB

Total Virtual: 2047.88 MB

Available Virtual: 1968.68 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:931.41 GB) (Free:822.43 GB) NTFS

2 Drive e: (KRD10) (CDROM) (Total:0.26 GB) (Free:0 GB) CDFS

3 Drive f: () (Removable) (Total:0.96 GB) (Free:0.37 GB) FAT

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 982 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 931 GB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 981 MB 31 KB

======================================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT Removable 981 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-18 05:00

======================= End Of Log ==========================
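As an added example, not part of this thread and not code from FRST, ComboFix or Malwarebytes: a small Python checker that reads the two signals the FRST log above relies on (the MD5 comparison of core system binaries against a known-good list, and the GUID-named folder holding `@`, `L` and `U` entries) and flags them for a responder. The log text embedded in it is a constructed sample in the format of the log posted above; the regular expressions, class and function names are this example's own assumptions, not FRST's.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the FRST log posted in this thread
# (the integrity-check section plus the "ZeroAccess:" folder listing).
SAMPLE_LOG = r"""
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ZeroAccess:
C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}
C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\@
C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\80000000.@
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
"""

# "<path> => MD5 is legit": the file's hash matched the tool's known-good list.
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit\s*$")
# "<path> <md5> <family> <==== ATTENTION": hash did not match; the tool names a family.
FLAG_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) (?P<md5>[0-9A-Fa-f]{32}) (?P<label>\S+).*ATTENTION"
)
# The payload folder seen in the log: a GUID-named directory holding '@', 'L',
# 'U' and 'U\xxxxxxxx.@' entries. Assumption: only this exact layout is matched,
# so ordinary GUID-named folders (MSI caches, CLSID keys) are left alone.
ZA_RE = re.compile(r"\\\{[0-9a-f-]{36}\}(\\(@|L|U(\\[0-9a-f]{8}\.@)?))?$", re.I)


@dataclass
class IntegrityResult:
    path: str
    legit: bool
    md5: Optional[str] = None    # hash reported for a mismatching file
    label: Optional[str] = None  # family the log attached to the mismatch


def parse_integrity_checks(text: str) -> List[IntegrityResult]:
    """Parse every per-file integrity line, legit or flagged, in log order."""
    results: List[IntegrityResult] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LEGIT_RE.match(line)
        if m:
            results.append(IntegrityResult(m["path"], True))
            continue
        m = FLAG_RE.match(line)
        if m:
            results.append(IntegrityResult(m["path"], False, m["md5"].upper(), m["label"]))
    return results


def flagged_binaries(text: str) -> List[IntegrityResult]:
    """Only the system binaries whose hash did not match the known-good list."""
    return [r for r in parse_integrity_checks(text) if not r.legit]


def zeroaccess_artifacts(text: str) -> List[str]:
    """Paths whose shape matches the GUID/@/L/U payload folder from the log."""
    return [ln.strip() for ln in text.splitlines() if ZA_RE.search(ln.strip())]


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, lower-case hex: the hash form the log lines carry."""
    return hashlib.md5(data).hexdigest()


def reference_matches(candidate: bytes, reference: bytes) -> bool:
    """True when a suspect binary is identical to a trusted copy (for example the
    WinSxS copy ComboFix restored services.exe from later in this thread).
    SHA-256 is used for the comparison because MD5 collisions are practical."""
    return hashlib.sha256(candidate).digest() == hashlib.sha256(reference).digest()


if __name__ == "__main__":
    for r in flagged_binaries(SAMPLE_LOG):
        print(f"MISMATCH {r.path}  md5={r.md5}  family={r.label}")
    for p in zeroaccess_artifacts(SAMPLE_LOG):
        print(f"ARTIFACT {p}")
```

Run it as a script to print a summary, or call `flagged_binaries()` on the text of a real FRST log. The hash helpers show the check behind the `MD5 is legit` lines: comparing a suspect binary against a trusted copy is how a responder confirms that a core system file such as services.exe has not been patched in place, which is what both tools in this thread reported.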


  • Staff

Hi,

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
SubSystems: [Windows] ==> ZeroAccess
HKLM\...\Run: [] [x]
2012-06-24 04:02 - 2012-01-11 05:27 - 00000000 __SHD C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}
C:\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}
C:\Users\Dale\AppData\Local\{a33cce43-982e-15b3-0307-78280978ec8c}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from one of these locations:
    Link 1
    Link 2
    * IMPORTANT!!! Place ComboFix.exe on your Desktop.
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here.
  3. Double-click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run, please just reboot; that will resolve the error.


Here is the log; there were no problems rebooting the system. Shall I proceed with the ComboFix portion of the instructions?

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 01

Ran by SYSTEM at 2012-06-25 19:35:26 Run:1

Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .

==== End of Fixlog ====


ComboFix log:

ComboFix 12-06-25.04 - Dale 06/25/2012 20:00:53.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2005.1125 [GMT -5:00]

Running from: c:\users\Dale\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Dale\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CEB564B2-B049-4586-98CF-9C4E69359D2A}.xps

c:\users\Dale\AppData\Local\Temp\{D140E787-DCE6-49D7-8D76-B99F23B6DE93}\fpb.tmp

c:\users\Dale\Documents\EPT3A3.tmp

c:\users\Dale\g2mdlhlpx.exe

c:\windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\@

c:\windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\80000000.@

c:\windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\800000cb.@

c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll

.

Infected copy of c:\windows\system32\Services.exe was found and disinfected

Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-05-26 to 2012-06-26 )))))))))))))))))))))))))))))))

.

.

2012-06-26 02:42 . 2012-06-26 02:43 -------- d-----w- C:\FRST

2012-06-25 02:16 . 2012-06-26 00:44 81984 ----a-w- c:\windows\system32\bdod.bin

2012-06-25 02:04 . 2012-06-25 02:04 -------- d-----w- C:\found.000

2012-06-25 01:56 . 2012-06-25 01:56 -------- d-----w- c:\users\Dale\AppData\Roaming\BitDefender

2012-06-25 01:56 . 2012-06-26 00:50 -------- d-----w- c:\program files\BitDefender

2012-06-25 01:56 . 2012-06-25 23:46 -------- d-----w- c:\programdata\BitDefender

2012-06-25 01:55 . 2012-06-26 00:50 -------- d-----w- c:\program files\Common Files\BitDefender

2012-06-24 09:14 . 2012-06-24 12:43 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2012-06-23 17:37 . 2012-06-23 17:37 -------- d-----w- c:\users\Dale\AppData\Roaming\Malwarebytes

2012-06-23 17:37 . 2012-06-23 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-23 17:37 . 2012-06-23 17:37 -------- d-----w- c:\programdata\Malwarebytes

2012-06-23 17:37 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-23 17:37 . 2012-06-23 17:52 28488 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-06-23 17:05 . 2012-06-23 17:05 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-06-19 12:48 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll

2012-06-19 12:48 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll

2012-06-19 12:46 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-19 12:46 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-19 12:46 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-19 12:46 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-19 12:45 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-19 12:45 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-19 12:45 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-19 12:45 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-19 12:45 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-13 22:41 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll

2012-06-13 22:41 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 22:41 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll

2012-06-13 22:41 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 22:41 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 22:41 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 22:41 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 22:41 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-06-13 22:41 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 22:41 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 22:41 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-12 14:29 . 2012-06-12 14:30 -------- d-----w- c:\program files\Google

2012-06-12 14:29 . 2012-06-12 14:29 -------- d-----w- c:\users\Dale\AppData\Local\Google

2012-05-27 21:16 . 2012-05-27 21:16 -------- d-----w- c:\users\Dale\AppData\Roaming\CatenaLogic

2012-05-27 21:16 . 2012-05-27 21:16 -------- d-----w- c:\program files\CatenaLogic

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-14 10:58 . 2012-04-12 10:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-14 10:58 . 2011-11-08 19:22 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-31 04:39 . 2012-05-11 12:25 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-03-31 04:39 . 2012-05-11 12:25 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-30 10:23 . 2012-05-11 12:25 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2011-12-06 02:41 1005712 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2011-12-06 02:41 1005712 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2011-12-06 02:41 1005712 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoToMeeting"="c:\program files\Citrix\GoToMeeting\880\g2mstart.exe" [2011-11-23 39816]

"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2012-04-04 1261472]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]

"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]

"PP8 Reminder"="c:\program files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" [2002-09-26 57344]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-11-22 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-11-22 163840]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-12-06 1059472]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\users\Dale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-06-12 116648]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-01-31 158856]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 257224]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-06-12 116648]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-06-23 28488]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-06 1343400]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]

S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-26 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 10:58]

.

2012-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-12 14:29]

.

2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-12 14:29]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

Trusted Zone: anb.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: lowes.com\www

Trusted Zone: southwest.com\www

TCP: DhcpNameServer = 208.180.83.133 208.180.42.68

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(4036)

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\taskhost.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\windows\system32\msiexec.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

c:\windows\system32\WUDFHost.exe

c:\windows\System32\rundll32.exe

c:\windows\system32\conhost.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\windows\system32\sppsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\taskhost.exe

.

**************************************************************************

.

Completion time: 2012-06-25 20:10:41 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-26 01:10

.

Pre-Run: 903,465,676,800 bytes free

Post-Run: 903,240,810,496 bytes free

.

- - End Of File - - E99F2A447DA52E5917820A37CB271BD7


  • Staff

That's looking better :)

Please run the following:

  • Please open your Malwarebytes Anti-Malware program.
  • Click the Update tab and search for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

NEXT

Please advise how the computer is running now and if there are any outstanding issues.


Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.25.10

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Dale :: CHAPMANPC [administrator]

Protection: Enabled

6/25/2012 8:23:12 PM

mbam-log-2012-06-25 (20-23-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 209276

Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

C:\Qoobox\Quarantine\C\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan

C:\Qoobox\Quarantine\C\Windows\Installer\{a33cce43-982e-15b3-0307-78280978ec8c}\U\800000cb.@.vir probably a variant of Win32/Agent.TEO trojan


  • Staff

Hi,

Those detections by ESET are in quarantine already, which we will be clearing up shortly.

Please run one more diagnostic scan so I can make sure you are clean, and please advise how the computer is running now and if there are any outstanding issues.

Please download DDS from either of these links

LINK 1

LINK 2

and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt.


2 DDS logs:

Computer seems to be running just fine.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Dale at 19:03:33 on 2012-06-26

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2005.1134 [GMT -5:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\Explorer.EXE

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\880\g2mstart.exe" "/Trigger RunAtLogon"

uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

mRun: [PP8 Reminder] "c:\program files\scansoft\paperport\webereg\navbrowser.exe" -r "c:\program files\scansoft\paperport\webereg\navLoad.ini"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\users\dale\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

Trusted Zone: anb.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: lowes.com\www

Trusted Zone: southwest.com\www

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 208.180.83.133 208.180.42.68

TCP: Interfaces\{809513B4-9808-48FD-A63E-65081E6E4C6B} : DhcpNameServer = 172.16.4.11 172.16.4.12

TCP: Interfaces\{9C383740-C6F1-4434-97E5-175D62866C99} : DhcpNameServer = 208.180.83.133 208.180.42.68

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-23 654408]

R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-23 22344]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-25 40776]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-6-12 116648]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-1-31 158856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 257224]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-6-12 116648]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-6-23 28488]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]

S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]

S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-11-6 1343400]

.

=============== Created Last 30 ================

.

2012-06-26 12:47:47 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{92355e35-251d-49e6-8815-6d04640e5425}\offreg.dll

2012-06-26 12:45:27 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll

2012-06-26 12:45:24 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{92355e35-251d-49e6-8815-6d04640e5425}\mpengine.dll

2012-06-26 02:42:27 -------- d-----w- C:\FRST

2012-06-26 01:35:32 -------- d-----w- c:\program files\ESET

2012-06-26 01:21:49 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-06-26 01:07:30 -------- d-----w- C:\$RECYCLE.BIN

2012-06-26 00:58:53 98816 ----a-w- c:\windows\sed.exe

2012-06-26 00:58:53 518144 ----a-w- c:\windows\SWREG.exe

2012-06-26 00:58:53 256000 ----a-w- c:\windows\PEV.exe

2012-06-26 00:58:53 208896 ----a-w- c:\windows\MBR.exe

2012-06-26 00:49:41 -------- d-----w- c:\windows\system32\appmgmt

2012-06-25 02:16:41 81984 ----a-w- c:\windows\system32\bdod.bin

2012-06-25 02:04:07 -------- d-----w- C:\found.000

2012-06-25 01:56:25 -------- d-----w- c:\users\dale\appdata\roaming\BitDefender

2012-06-25 01:56:01 -------- d-----w- c:\programdata\BitDefender

2012-06-25 01:56:01 -------- d-----w- c:\program files\BitDefender

2012-06-25 01:55:01 -------- d-----w- c:\program files\common files\BitDefender

2012-06-24 09:14:02 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2012-06-23 17:37:16 -------- d-----w- c:\users\dale\appdata\roaming\Malwarebytes

2012-06-23 17:37:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-23 17:37:13 -------- d-----w- c:\programdata\Malwarebytes

2012-06-23 17:37:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-23 17:37:03 28488 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-06-23 17:05:17 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-06-19 12:48:35 805376 ----a-w- c:\windows\system32\FntCache.dll

2012-06-19 12:48:35 739840 ----a-w- c:\windows\system32\d2d1.dll

2012-06-19 12:46:02 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-19 12:45:40 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-19 12:45:27 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 12:45:27 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-13 22:41:37 919040 ----a-w- c:\windows\system32\rdpcorets.dll

2012-06-13 22:41:37 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 22:41:36 2342400 ----a-w- c:\windows\system32\msi.dll

2012-06-13 22:41:35 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 22:41:30 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 22:41:30 1158656 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 22:41:30 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 22:41:23 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-06-13 22:41:22 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 22:41:22 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 22:41:22 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-12 14:29:17 -------- d-----w- c:\users\dale\appdata\local\Google

.

==================== Find3M ====================

.

2012-06-14 10:58:12 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-14 10:58:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-03-31 04:39:37 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-03-31 04:39:37 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-30 10:23:11 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

============= FINISH: 19:04:01.10 ===============

ATTACH.TXT

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 11/5/2011 12:48:36 PM

System Uptime: 6/26/2012 12:41:05 PM (7 hours ago)

.

Motherboard: Dell Inc. | | 0PU052

Processor: Intel® Core2 Duo CPU E4500 @ 2.20GHz | CPU | 2200/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 931 GiB total, 840.683 GiB free.

D: is CDROM (CDFS)

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_8086&DEV_29B4&SUBSYS_02111028&REV_02\3&172E68DD&0&18

Manufacturer:

Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_8086&DEV_29B4&SUBSYS_02111028&REV_02\3&172E68DD&0&18

Service:

.

Class GUID:

Description: PCI Serial Port

Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B

Manufacturer:

Name: PCI Serial Port

PNP Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B

Service:

.

==== System Restore Points ===================

.

RP101: 6/19/2012 7:45:13 AM - Windows Update

RP102: 6/20/2012 3:00:23 AM - Windows Update

RP103: 6/24/2012 7:46:13 AM - Windows Update

RP104: 6/24/2012 4:45:15 PM - Restore Operation

RP105: 6/24/2012 8:55:19 PM - Installed BitDefender Free Edition 2009

RP106: 6/25/2012 7:43:48 PM - Removed BitDefender Free Edition 2009

RP107: 6/25/2012 7:49:49 PM - Removed BitDefender Free Edition 2009

.

==== Installed Programs ======================

.

.

Adobe Acrobat X Standard

Adobe Flash Player 11 ActiveX

AnswerWorks 5.0 English Runtime

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AutoUpdate

Bonjour

Carbonite

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

DivX

ESET Online Scanner v3

Garmin Lifetime Updater

Google Earth Plug-in

Google Update Helper

GoToMeeting 5.1.0.880

Intel® Graphics Media Accelerator Driver

iSEEK AnswerWorks English Runtime

iTunes

Java Auto Updater

Java 6 Update 29

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Excel MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Standard 2010

Microsoft Office Word MUI (English) 2010

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MyMediaBookmarks

NetWaiting

NRP Instructor DVD-ROM

PaperPort 8.0 SE

Quicken 2012

QuickTime

Roxio Easy Media Creator 8 Suite

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Skype™ 5.8

TurboTax 2010

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wrapper

TurboTax 2011

TurboTax 2011 WinPerFedFormset

TurboTax 2011 WinPerReleaseEngine

TurboTax 2011 WinPerTaxSupport

TurboTax 2011 wrapper

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

.

==== Event Viewer Messages From Past Week ========

.

6/25/2012 8:06:20 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

6/25/2012 7:57:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy1.

6/25/2012 7:57:12 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy10.

6/25/2012 7:57:04 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy3.

6/25/2012 7:57:01 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy5.

6/25/2012 7:56:59 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy7.

6/25/2012 7:52:29 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

6/25/2012 7:52:29 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

6/25/2012 7:52:04 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

6/25/2012 7:52:03 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

6/25/2012 7:52:03 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

6/24/2012 9:19:52 PM, Error: Service Control Manager [7000] - The Profos service failed to start due to the following error: The request is not supported.

6/24/2012 9:17:03 PM, Error: Service Control Manager [7000] - The bdfm service failed to start due to the following error: Access is denied.

6/24/2012 9:06:11 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

6/24/2012 9:06:11 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473536.

6/24/2012 8:53:42 AM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 8:25:43 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

6/24/2012 8:25:43 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolume2.

6/24/2012 7:58:29 AM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

6/24/2012 7:57:20 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.

6/24/2012 7:57:20 PM, Error: Service Control Manager [7000] - The Volume Shadow Copy service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

6/24/2012 7:54:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

6/24/2012 4:25:00 PM, Error: Microsoft Antimalware [1119] -

6/24/2012 4:24:19 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 4:24:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

6/24/2012 4:24:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

6/24/2012 4:24:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

6/24/2012 4:24:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

6/24/2012 4:24:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/24/2012 4:24:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}

6/24/2012 4:24:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

6/24/2012 4:24:08 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdudf_xp CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss RxFilter spldr tdx Wanarpv6 WfpLwf

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

6/24/2012 4:24:08 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

6/24/2012 10:06:43 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

6/23/2012 12:51:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

6/23/2012 12:51:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

6/20/2012 3:01:28 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the CarboniteService service, but this action failed with the following error: An instance of the service is already running.

6/20/2012 3:00:28 AM, Error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/20/2012 12:31:27 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UMVPFSrv service.

6/19/2012 12:57:45 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

.

==== End Of File ===========================


  • Staff

Hi

I'm just a little concerned about some of the reported errors

6/25/2012 7:57:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy1.

let's run chkdsk just to make sure all is OK

  • Go to Start and type in cmd
  • Right-click on the cmd icon above, and click Run As Administrator
  • Type in chkdsk /R to the command window that appears, and press enter
  • Agree to the prompt, then reboot your system

Note: Upon Reboot(Restart), CHKDSK will start and carry out the repairs required.

NEXT

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp

let me know if chkdsk reports any issues


  • Staff

OK, good.

We just have some housecleaning to do now, please do the following:

You can delete the DDS and FRST logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:

    PC Safety and Security--What Do I Need?

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

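The Internet Explorer steps in the reply above, written out as the registry values behind the Security tab dialog, as an added example; this is not code from the thread or from Malwarebytes staff. The value names 1001, 1004 and 1201 and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are the ones IE stores for the Internet zone (zone 3) under the per-user Internet Settings key. The "permissive" export is constructed for the demo and was not taken from the machine in this thread.

```python
"""Internet Explorer zone ActiveX settings as registry values (added
example; not from the thread). The three ActiveX options named in the reply
are DWORD values under the Internet zone (zone 3) key with 0 = Enable,
1 = Prompt and 3 = Disable. This builds a .reg file that applies the
recommended values and audits an exported snapshot against them."""
import re

ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher = more restrictive

# Value name (hex, as IE stores it) -> label shown in the Security tab dialog.
ACTIVEX = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
}

# The levels the reply asks for: Prompt, Prompt, Disable.
RECOMMENDED = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}


def reg_export(values: dict, key: str = ZONE3) -> str:
    """Render .reg text that sets the given DWORD values under `key`."""
    body = "\n".join(f'"{name}"=dword:{val:08x}' for name, val in sorted(values.items()))
    return f"Windows Registry Editor Version 5.00\n\n[{key}]\n{body}\n"


VALUE_RE = re.compile(r'^"(?P<name>[0-9A-Fa-f]{4})"=dword:(?P<val>[0-9A-Fa-f]{8})$')


def parse_reg(text: str, key: str = ZONE3) -> dict:
    """Read the DWORD values under `key` out of a regedit export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and (m := VALUE_RE.match(line)):
            values[m["name"]] = int(m["val"], 16)
    return values


def audit(snapshot: dict, policy: dict = RECOMMENDED) -> list:
    """Return (name, label, current, required) for each option looser than policy.

    Stricter than policy passes. A value missing from the snapshot is treated
    as Enable: the most permissive reading, so the operator has to set it."""
    gaps = []
    for name, required in policy.items():
        current = snapshot.get(name, ENABLE)
        if STRICTNESS.get(current, 0) < STRICTNESS[required]:
            gaps.append((name, ACTIVEX[name], current, required))
    return gaps


# Constructed export of a zone with all three options at Enable; made up for
# the demo, not read from any real machine.
PERMISSIVE_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONE3}]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"""

if __name__ == "__main__":
    for name, label, cur, req in audit(parse_reg(PERMISSIVE_EXPORT)):
        print(f"{name} {label}: is {cur}, should be at least {req}")
    print(reg_export(RECOMMENDED))
```

Save the output of `reg_export(RECOMMENDED)` as a .reg file and import it with `reg.exe import`, or export the zone key from regedit (regedit writes UTF-16, so read it with `encoding="utf-16"`) and hand the text to `parse_reg` for the audit. Because the audit accepts anything stricter than the policy, a machine still at the IE default for "Download unsigned ActiveX controls", which is Disable, passes that check rather than being told to loosen it.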

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.