
Trojan.Dropper.BCMiner help



I have run Malwarebytes & removed this several times (and reset my computer as instructed) and it keeps reappearing. It is presenting with redirecting during google and bing searches and opening new windows.

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.4.1

Run by Lindsey at 11:44:33 on 2012-07-12

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3032.1614 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe -k NetworkService

C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe

C:\Windows\System32\StikyNot.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

C:\Windows\splwow64.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll

TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [Conime] %windir%\system32\conime.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [<NO NAME>]

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript

dRunOnce: [KodakHomeCenter] "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslconnect.johnshopkins.edu/dana-cached/sc/JuniperSetupClient.cab

TCP: DhcpNameServer = 172.24.165.6

TCP: Interfaces\{23B73F66-4A9A-4D5C-8C96-7A7FCC52533B} : DhcpNameServer = 172.24.165.6

TCP: Interfaces\{23B73F66-4A9A-4D5C-8C96-7A7FCC52533B}\2416272797 : DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{23B73F66-4A9A-4D5C-8C96-7A7FCC52533B}\A4847457563747E65647 : DhcpNameServer = 162.129.20.10 128.220.127.215

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: SmartSelect - No File

BHO-X64: TBSB05974 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll

BHO-X64: TBSB05974 - No File

TB-X64: Search Toolbar: {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll

TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [Conime] %windir%\system32\conime.exe

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [(Default)]

mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Lindsey\AppData\Roaming\Mozilla\Firefox\Profiles\81s1jkvk.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol500.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll

FF - plugin: C:\Users\Lindsey\AppData\Roaming\Mozilla\Firefox\Profiles\81s1jkvk.default\extensions\LogMeInClient@logmein.com\plugins\npLMI64.dll

FF - plugin: C:\Users\Lindsey\AppData\Roaming\Mozilla\Firefox\Profiles\81s1jkvk.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-18 169312]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2011-12-19 394672]

R2 MotoConnect Service;MotoConnect Service;C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [2010-6-4 92928]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-7 257224]

S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\motoandroid.sys --> C:\Windows\system32\Drivers\motoandroid.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-07-12 12:31:04 3147264 ----a-w- C:\Windows\System32\win32k.sys

2012-07-11 10:58:59 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll

2012-07-11 10:58:59 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll

2012-07-08 03:21:13 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-07-08 03:12:43 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-06-24 11:55:08 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-24 11:54:40 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-24 11:53:34 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-24 11:53:34 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-14 12:51:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

==================== Find3M ====================

.

2012-07-08 03:12:43 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-04 12:39:13 60304 ----a-w- C:\Users\Lindsey\g2mdlhlpx.exe

2012-06-02 05:38:26 95088 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:38:24 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:37:45 459216 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:27:02 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:27:00 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:48:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:48:35 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:47:31 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:42:51 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-05-15 03:56:59 1197568 ----a-w- C:\Windows\System32\wininet.dll

2012-05-15 03:08:48 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-04 10:52:22 5505392 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-04 10:08:16 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:08:15 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-02 05:32:43 208896 ----a-w- C:\Windows\System32\profsvc.dll

2012-04-28 03:50:40 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-04-26 05:34:38 76288 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-04-26 05:34:37 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-04-26 05:28:32 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-04-24 05:59:45 182272 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-04-24 05:59:45 1460224 ----a-w- C:\Windows\System32\crypt32.dll

2012-04-24 05:59:45 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-04-24 04:47:04 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-04-24 04:47:04 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-04-24 04:47:03 1156608 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-04-20 06:22:18 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2012-04-20 05:05:47 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2012-04-20 05:00:31 482816 ----a-w- C:\Windows\System32\html.iec

2012-04-20 04:15:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2012-04-20 03:58:07 386048 ----a-w- C:\Windows\SysWow64\html.iec

.

============= FINISH: 11:45:38.67 ===============

The Attach.txt file says to not post the log but rather attach it, but I could kindly post the log if desired.

Thank you very much for your assistance.


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)

Post back the report.

MrC

------->Logs will be closed if you haven't replied within 3 days!<--------


Sorry -- I had a DVD & a camera card attached - they are out now.

Here's the report from the rogue killer:

RogueKiller V7.6.3 [07/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User: Lindsey [Admin rights]

Mode: Scan -- Date: 07/12/2012 14:59:34

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[BLACKLIST DLL] HKLM\[...]\Wow6432Node\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\lindsey\appdata\local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\lindsey\appdata\local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\lindsey\appdata\local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250320AS ATA Device +++++

--- User ---

[MBR] a084862d138709887f25ae4faae7a586

[BSP] 5a97af284bb174316536415652ee65bc : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>


Thank you!

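One way to triage a RogueKiller report of the shape posted above mechanically, as an added example that is neither RogueKiller's code nor part of this thread: it parses the `[tag]` ... `-> FOUND` entries, counts hits per detection family, reads the `Infection :` verdict, and groups the ZeroAccess file and folder hits by the GUID directory they live under so you can see whether the complete `@` / `U` / `L` layout the report lists was found in each location. The sample report, its GUID, user name and vendor path are constructed placeholders, and the line format is assumed from the report in this thread.

```python
"""Triage helper for RogueKiller-style scan reports (added example, not part of the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the RogueKiller v7 report layout used in this thread.
# The GUID, user name and vendor path are placeholders, not values from the thread.
SAMPLE_REPORT = r"""RogueKiller V7.6.3 [07/08/2012] by Tigzy
Mode: Scan -- Date: 07/12/2012 14:59:34

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[BLACKLIST DLL] HKLM\[...]\Wow6432Node\RunOnce : Vendor Cleanup (rundll32.exe "C:\ProgramData\Vendor\cleanup.dll",Run) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\EXAMPLE\AppData\Local\{11111111-2222-3333-4444-555555555555}\n.) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{11111111-2222-3333-4444-555555555555}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{11111111-2222-3333-4444-555555555555}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{11111111-2222-3333-4444-555555555555}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\example\appdata\local\{11111111-2222-3333-4444-555555555555}\@ --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤
"""

# Section headers are wrapped in the tool's '¤¤¤' markers; the verdict is one of them.
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<title>.*?)\s*¤¤¤$")
INFECTION_RE = re.compile(r"^Infection\s*:\s*(?P<name>.+)$")

# One finding per line: [family][optional kind] detail -> STATUS (one or two dashes).
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]"            # detection family: [ZeroAccess], [HJ], ...
    r"(?:\[(?P<kind>[A-Z]+)\])?"       # optional object kind: [FILE] / [FOLDER]
    r"\s*(?P<detail>.*?)\s*"           # registry key or path that was flagged
    r"-{1,2}>\s*(?P<status>[A-Z ]+)$"  # '-> FOUND' or '--> FOUND'
)

# A ZeroAccess nest: <drive>:\...\{GUID}\ followed by one of the '@', 'U', 'L' markers.
NEST_RE = re.compile(
    r"(?P<dir>[a-z]:\\.*?\\\{[0-9a-f-]{36}\})\\(?P<marker>[@UL])$", re.I
)


def parse_report(text):
    """Parse a report into (infection name or None, list of entry dicts)."""
    section, infection, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("title")
            verdict = INFECTION_RE.match(section)
            if verdict:
                infection = verdict.group("name")
            continue
        hit = ENTRY_RE.match(line)
        if hit:
            entry = hit.groupdict()
            entry["section"] = section  # remember which block the entry came from
            entries.append(entry)
    return infection, entries


def count_found_by_tag(entries):
    """Number of '-> FOUND' hits per detection family."""
    return Counter(e["tag"] for e in entries if e["status"] == "FOUND")


def zeroaccess_nests(entries):
    """Group ZeroAccess file/folder hits by their GUID directory (lower-cased)
    and record which of the '@', 'U', 'L' markers were seen in each."""
    nests = defaultdict(set)
    for e in entries:
        if e["tag"] != "ZeroAccess" or not e["kind"]:
            continue  # registry hits and other families are not nest components
        m = NEST_RE.search(e["detail"])
        if m:
            nests[m.group("dir").lower()].add(m.group("marker").upper())
    return dict(nests)


def complete_nests(nests):
    """Directories where the full '@' + 'U' + 'L' layout was reported."""
    return sorted(d for d, markers in nests.items() if markers >= {"@", "U", "L"})


def triage(text):
    """Produce a compact summary a helper could act on."""
    infection, entries = parse_report(text)
    nests = zeroaccess_nests(entries)
    return {
        "infection": infection,
        "found_by_tag": dict(count_found_by_tag(entries)),
        "nests": nests,
        "complete_nests": complete_nests(nests),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Infection reported:", result["infection"])
    for tag, n in sorted(result["found_by_tag"].items()):
        print(f"  {tag:<15} {n} FOUND")
    for d, markers in result["nests"].items():
        print(f"  nest {d} -> markers {sorted(markers)}")
```

The grouping step is the useful part: a single `@` hit under a profile directory and a full `@`/`U`/`L` set under `\Windows\Installer` are both listed flatly by the tool, and seeing them per directory makes it obvious which locations need follow-up after cleanup.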

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

----------------------------------------

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC


FRST.txt:

Scan result of Farbar Recovery Scan Tool Version: 11-07-2012

Ran by SYSTEM at 12-07-2012 19:15:28

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-23] (Alps Electric Co., Ltd.)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)

HKLM\...\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe [2922496 2011-06-16] (Eastman Kodak Company)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [Conime] %windir%\system32\conime.exe [x]

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-10-25] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2010-10-25] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [821144 2010-10-25] (Adobe Systems Inc.)

HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)

HKU\Lindsey\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1082440 2012-04-04] (Malwarebytes Corporation)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Startup: C:\Users\All Users\Start Menu\Programs\Startup\vpngui.exe.lnk

ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()

==================== Services (Whitelisted) ======

2 AdobeActiveFileMonitor8.0; C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [169312 2009-09-18] (Adobe Systems Incorporated)

2 CVPND; "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe" [1528616 2010-03-23] (Cisco Systems, Inc.)

2 MotoConnect Service; C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [92928 2009-12-14] ()

========================== Drivers (Whitelisted) =============

3 androidusb; C:\Windows\System32\Drivers\motoandroid.sys [31744 2009-07-10] (Motorola)

3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA64.sys [14992 2010-02-08] (Cisco Systems, Inc.)

3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()

3 DNE; C:\Windows\System32\DRIVERS\dne64x.sys [157968 2008-11-16] (Deterministic Networks, Inc.)

3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)

3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-12 14:56 - 2012-07-12 19:15 - 00000000 ____D C:\FRST

2012-07-12 14:47 - 2012-07-12 14:47 - 01434551 ____A (Farbar) C:\Users\Lindsey\Desktop\FRST64.exe

2012-07-12 10:59 - 2012-07-12 10:59 - 00002389 ____A C:\Users\Lindsey\Desktop\RKreport[1].txt

2012-07-12 10:58 - 2012-07-12 10:59 - 00000000 ____D C:\Users\Lindsey\Desktop\RK_Quarantine

2012-07-12 10:58 - 2012-07-12 10:58 - 01558016 ____A C:\Users\Lindsey\Desktop\RogueKiller.exe

2012-07-12 07:49 - 2012-07-12 07:49 - 00002472 ____A C:\Users\Lindsey\Desktop\Attach.zip

2012-07-12 07:48 - 2012-07-12 07:48 - 00008047 ____A C:\Users\Lindsey\Desktop\Attach.txt

2012-07-12 07:46 - 2012-07-12 07:46 - 00018206 ____A C:\Users\Lindsey\Desktop\DDS.txt

2012-07-12 07:43 - 2012-07-12 07:43 - 00607260 ____R (Swearware) C:\Users\Lindsey\Desktop\dds.com

2012-07-12 04:31 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-11 02:59 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-11 02:59 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-11 02:59 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-11 02:59 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-11 02:59 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-11 02:59 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-11 02:59 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-11 02:59 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-11 02:59 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-11 02:59 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-11 02:59 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-11 02:59 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-11 02:59 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-11 02:59 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-11 02:59 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-07 19:21 - 2012-07-07 19:21 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-07 19:12 - 2012-07-12 14:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-07 19:12 - 2012-07-07 19:12 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-07 19:12 - 2012-07-07 19:12 - 00000000 ____D C:\Windows\System32\Macromed

2012-07-05 05:21 - 2012-07-05 05:22 - 00000000 ____D C:\Users\Lindsey\Desktop\New folder

2012-07-03 10:13 - 2012-07-11 16:51 - 00000000 ____D C:\Users\Lindsey\Desktop\WEBSITE

2012-06-30 10:21 - 2012-07-12 14:36 - 00000000 ____D C:\Users\Lindsey\Desktop\Financial

2012-06-27 04:17 - 2012-06-28 03:58 - 00000000 ____D C:\Users\Lindsey\Downloads\Traveling with kids

2012-06-26 14:50 - 2012-06-26 15:05 - 00000000 ____D C:\Users\Lindsey\Downloads\BOBS

2012-06-24 17:20 - 2012-06-30 10:33 - 00069252 ____A C:\Users\Lindsey\Desktop\Christmas Budget 2012.xlsx

2012-06-24 03:55 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-24 03:55 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-24 03:55 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-24 03:55 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-24 03:54 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-24 03:54 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-24 03:54 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-24 03:53 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-24 03:53 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-23 12:30 - 2012-07-12 08:31 - 00000000 ____D C:\Users\Lindsey\Desktop\Home Decor Ideas

2012-06-15 16:56 - 2012-07-09 17:16 - 00000000 ____D C:\Users\Lindsey\Downloads\exercise

2012-06-14 08:16 - 2012-07-11 17:20 - 00000000 ____D C:\Users\Lindsey\Downloads\Duck Party

2012-06-14 08:16 - 2012-07-01 04:46 - 00000000 ____D C:\Users\Lindsey\Downloads\New folder

2012-06-14 04:52 - 2012-05-14 19:56 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-14 04:52 - 2012-05-14 19:52 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-14 04:52 - 2012-05-14 19:08 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-14 04:52 - 2012-05-14 19:06 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-14 04:52 - 2012-04-19 22:25 - 01501184 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-14 04:52 - 2012-04-19 22:25 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-14 04:52 - 2012-04-19 22:23 - 01026560 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll

2012-06-14 04:52 - 2012-04-19 22:22 - 09373696 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-14 04:52 - 2012-04-19 22:22 - 00736256 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-06-14 04:52 - 2012-04-19 22:22 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-14 04:52 - 2012-04-19 22:22 - 00082944 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2012-06-14 04:52 - 2012-04-19 22:22 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2012-06-14 04:52 - 2012-04-19 22:21 - 12405760 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-14 04:52 - 2012-04-19 22:21 - 02458624 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-14 04:52 - 2012-04-19 22:21 - 00445952 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2012-06-14 04:52 - 2012-04-19 22:21 - 00256000 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2012-06-14 04:52 - 2012-04-19 22:21 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-14 04:52 - 2012-04-19 22:18 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2012-06-14 04:52 - 2012-04-19 21:07 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-14 04:52 - 2012-04-19 21:07 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-14 04:52 - 2012-04-19 21:06 - 06028288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-14 04:52 - 2012-04-19 21:06 - 00627200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-06-14 04:52 - 2012-04-19 21:06 - 00606208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll

2012-06-14 04:52 - 2012-04-19 21:06 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-14 04:52 - 2012-04-19 21:06 - 00064512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll

2012-06-14 04:52 - 2012-04-19 21:05 - 11019776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-14 04:52 - 2012-04-19 21:05 - 02072576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-14 04:52 - 2012-04-19 21:05 - 00381440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2012-06-14 04:52 - 2012-04-19 21:05 - 00185856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll

2012-06-14 04:52 - 2012-04-19 21:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-14 04:52 - 2012-04-19 21:05 - 00044544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll

2012-06-14 04:52 - 2012-04-19 21:03 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe

2012-06-14 04:52 - 2012-04-19 21:00 - 00482816 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2012-06-14 04:52 - 2012-04-19 19:58 - 00386048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec

2012-06-14 04:52 - 2012-04-16 21:38 - 00851968 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-14 04:52 - 2012-04-16 20:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-14 04:51 - 2012-05-04 02:52 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-06-14 04:51 - 2012-05-04 02:08 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-06-14 04:51 - 2012-05-04 02:08 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-06-14 04:51 - 2012-05-01 21:32 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-06-14 04:51 - 2012-04-27 19:50 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-06-14 04:51 - 2012-04-25 21:34 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-06-14 04:51 - 2012-04-25 21:34 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-06-14 04:51 - 2012-04-25 21:28 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-06-14 04:51 - 2012-04-23 21:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-06-14 04:51 - 2012-04-23 21:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-06-14 04:51 - 2012-04-23 21:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-06-14 04:51 - 2012-04-23 20:47 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-06-14 04:51 - 2012-04-23 20:47 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-06-14 04:51 - 2012-04-23 20:47 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-06-14 04:51 - 2012-04-19 20:15 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-14 04:51 - 2012-04-19 19:24 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-14 04:51 - 2012-04-07 04:18 - 03213824 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-06-14 04:51 - 2012-04-07 03:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

============ 3 Months Modified Files ========================

2012-07-12 15:11 - 2009-10-28 12:29 - 01234320 ____A C:\Windows\WindowsUpdate.log

2012-07-12 14:56 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-12 14:47 - 2012-07-12 14:47 - 01434551 ____A (Farbar) C:\Users\Lindsey\Desktop\FRST64.exe

2012-07-12 14:32 - 2012-07-07 19:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-12 10:59 - 2012-07-12 10:59 - 00002389 ____A C:\Users\Lindsey\Desktop\RKreport[1].txt

2012-07-12 10:58 - 2012-07-12 10:58 - 01558016 ____A C:\Users\Lindsey\Desktop\RogueKiller.exe

2012-07-12 07:49 - 2012-07-12 07:49 - 00002472 ____A C:\Users\Lindsey\Desktop\Attach.zip

2012-07-12 07:48 - 2012-07-12 07:48 - 00008047 ____A C:\Users\Lindsey\Desktop\Attach.txt

2012-07-12 07:46 - 2012-07-12 07:46 - 00018206 ____A C:\Users\Lindsey\Desktop\DDS.txt

2012-07-12 07:44 - 2009-10-31 07:12 - 00003506 ____A C:\Users\Lindsey\Documents\pwd.txt

2012-07-12 07:43 - 2012-07-12 07:43 - 00607260 ____R (Swearware) C:\Users\Lindsey\Desktop\dds.com

2012-07-12 04:56 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-12 04:56 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-12 04:49 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-12 04:49 - 2009-07-13 20:51 - 00059757 ____A C:\Windows\setupact.log

2012-07-12 04:49 - 2009-07-13 20:45 - 00422176 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-12 04:30 - 2009-07-13 18:34 - 00000493 ____A C:\Windows\win.ini

2012-07-12 04:25 - 2009-11-17 09:16 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-10 11:09 - 2010-01-20 18:25 - 00000879 ____A C:\Users\Lindsey\Documents\bdays.txt

2012-07-10 09:37 - 2009-11-17 09:11 - 00052194 ____A C:\Windows\PFRO.log

2012-07-10 07:25 - 2012-06-04 08:53 - 00010568 ____A C:\Users\Lindsey\Desktop\Luscinias caloric needs.xlsx

2012-07-09 15:48 - 2009-10-31 16:22 - 01456640 __ASH C:\Users\Lindsey\Documents\Thumbs.db

2012-07-07 19:12 - 2012-07-07 19:12 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-07 19:12 - 2011-12-07 06:13 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-06-30 10:33 - 2012-06-24 17:20 - 00069252 ____A C:\Users\Lindsey\Desktop\Christmas Budget 2012.xlsx

2012-06-11 19:02 - 2012-07-12 04:31 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-10 12:52 - 2012-06-10 12:52 - 00010996 ____A C:\Users\Lindsey\Desktop\meal planning carb cal fat.xlsx

2012-06-08 21:30 - 2012-07-11 02:59 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:46 - 2012-07-11 02:59 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 21:50 - 2012-07-11 02:59 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:50 - 2012-07-11 02:59 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:09 - 2012-07-11 02:59 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:09 - 2012-07-11 02:59 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-04 04:39 - 2012-06-04 04:39 - 00060304 ____A C:\Users\Lindsey\g2mdlhlpx.exe

2012-06-04 04:36 - 2012-06-04 04:37 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-06-04 04:36 - 2012-06-04 04:37 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-06-02 14:19 - 2012-06-24 03:55 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-24 03:55 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-24 03:55 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-24 03:54 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-24 03:54 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-24 03:55 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-24 03:54 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-24 03:53 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-24 03:53 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 10:13 - 2012-06-02 10:13 - 00855016 ____A C:\Windows\Minidump\060212-29312-01.dmp

2012-06-02 10:13 - 2010-01-27 16:40 - 384869082 ____A C:\Windows\MEMORY.DMP

2012-06-01 21:38 - 2012-07-11 02:59 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:38 - 2012-07-11 02:59 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:37 - 2012-07-11 02:59 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:27 - 2012-07-11 02:59 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:27 - 2012-07-11 02:59 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:48 - 2012-07-11 02:59 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:48 - 2012-07-11 02:59 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:47 - 2012-07-11 02:59 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:42 - 2012-07-11 02:59 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-06-01 12:22 - 2012-06-01 12:22 - 00000165 ___AH C:\Users\Lindsey\Desktop\~$PPAM - Pelvic Pain and Vaginitis.pptx

2012-05-21 08:57 - 2012-05-21 08:57 - 00277488 ____A C:\Windows\Minidump\052112-31434-01.dmp

2012-05-20 16:14 - 2012-05-20 16:14 - 00000165 ___AH C:\Users\Lindsey\Desktop\~$DOLP.xlsx

2012-05-14 19:56 - 2012-06-14 04:52 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 19:52 - 2012-06-14 04:52 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 19:08 - 2012-06-14 04:52 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-14 19:06 - 2012-06-14 04:52 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-04 02:52 - 2012-06-14 04:51 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:08 - 2012-06-14 04:51 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:08 - 2012-06-14 04:51 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-05-01 21:32 - 2012-06-14 04:51 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-27 19:50 - 2012-06-14 04:51 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 21:34 - 2012-06-14 04:51 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 21:34 - 2012-06-14 04:51 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 21:28 - 2012-06-14 04:51 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-24 05:53 - 2009-10-29 12:52 - 00110312 ____A C:\Users\Lindsey\AppData\Local\GDIPFONTCACHEV1.DAT

2012-04-23 21:59 - 2012-06-14 04:51 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 21:59 - 2012-06-14 04:51 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 21:59 - 2012-06-14 04:51 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-04-23 20:47 - 2012-06-14 04:51 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-04-23 20:47 - 2012-06-14 04:51 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-04-23 20:47 - 2012-06-14 04:51 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-04-19 22:25 - 2012-06-14 04:52 - 01501184 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-04-19 22:25 - 2012-06-14 04:52 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-04-19 22:23 - 2012-06-14 04:52 - 01026560 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll

2012-04-19 22:22 - 2012-06-14 04:52 - 09373696 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-04-19 22:22 - 2012-06-14 04:52 - 00736256 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-04-19 22:22 - 2012-06-14 04:52 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-04-19 22:22 - 2012-06-14 04:52 - 00082944 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2012-04-19 22:22 - 2012-06-14 04:52 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2012-04-19 22:21 - 2012-06-14 04:52 - 12405760 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-04-19 22:21 - 2012-06-14 04:52 - 02458624 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-04-19 22:21 - 2012-06-14 04:52 - 00445952 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2012-04-19 22:21 - 2012-06-14 04:52 - 00256000 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2012-04-19 22:21 - 2012-06-14 04:52 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-04-19 22:18 - 2012-06-14 04:52 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2012-04-19 21:07 - 2012-06-14 04:52 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-04-19 21:07 - 2012-06-14 04:52 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-04-19 21:06 - 2012-06-14 04:52 - 06028288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-04-19 21:06 - 2012-06-14 04:52 - 00627200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-04-19 21:06 - 2012-06-14 04:52 - 00606208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll

2012-04-19 21:06 - 2012-06-14 04:52 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-04-19 21:06 - 2012-06-14 04:52 - 00064512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll

2012-04-19 21:05 - 2012-06-14 04:52 - 11019776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-04-19 21:05 - 2012-06-14 04:52 - 02072576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-04-19 21:05 - 2012-06-14 04:52 - 00381440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2012-04-19 21:05 - 2012-06-14 04:52 - 00185856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll

2012-04-19 21:05 - 2012-06-14 04:52 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-04-19 21:05 - 2012-06-14 04:52 - 00044544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll

2012-04-19 21:03 - 2012-06-14 04:52 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe

2012-04-19 21:00 - 2012-06-14 04:52 - 00482816 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2012-04-19 20:15 - 2012-06-14 04:51 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-04-19 19:58 - 2012-06-14 04:52 - 00386048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec

2012-04-19 19:24 - 2012-06-14 04:51 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-04-16 21:38 - 2012-06-14 04:52 - 00851968 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-04-16 20:45 - 2012-06-14 04:52 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

ZeroAccess:

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\00000004.@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\1afb2d56

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\201d3dde

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000004.@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000008.@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\000000cb.@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000000.@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000032.@

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000064.@

ZeroAccess:

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%

Total physical RAM: 3032.36 MB

Available physical RAM: 2505.68 MB

Total Pagefile: 3030.51 MB

Available Pagefile: 2495.3 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:218.2 GB) (Free:133.32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.11 GB) NTFS

5 Drive g: (PINKY TOE) (Removable) (Total:0.24 GB) (Free:0.23 GB) FAT

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 Online 244 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 218 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 218 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 244 MB 49 KB

==================================================================================

Disk: 2

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G PINKY TOE FAT Removable 244 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 17:26

======================= End Of Log ==========================


services.exe is infected and has to be replaced:

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

MrC


Farbar Recovery Scan Tool Version: 11-07-2012

Ran by SYSTEM at 2012-07-12 19:58:41

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
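The comparison MrC draws from the search output above (a System32 binary whose MD5 differs from the WinSxS component-store copy of the same file) as a script, added here as an example that is not part of this thread or of FRST. The sample log is a constructed copy of the posted Search.txt, using the paths, sizes and MD5 values that appear in the post; pairing a live file with a store copy by identical size and matching architecture prefix (amd64_ for System32, x86_/wow64_ for SysWOW64) is an assumption of this example standing in for "same version".

```python
"""Flag a live Windows binary whose MD5 differs from its WinSxS copy,
working from the text of an FRST Search.txt log."""
import re
from collections import defaultdict

# Constructed sample shaped like the Search.txt posted in this thread;
# the paths, sizes and MD5 values are the ones that appear in the post.
SAMPLE_SEARCH_LOG = r"""
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# FRST prints each hit as a path line followed by one detail line:
#   [created] - [modified] - size attributes (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\.*[^\\]$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search_log(text):
    """Return one dict per file FRST listed, in log order."""
    entries, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending_path = line  # remember the path, wait for its details
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entries.append({"path": pending_path,
                            "size": int(m.group("size")),
                            "md5": m.group("md5").upper()})
            pending_path = None
    return entries


def _in_component_store(path):
    return "\\winsxs\\" in path.lower()


def _arch_matches(live_path, ref_path):
    """System32 pairs with amd64_ (x86_ on 32-bit Windows) components,
    SysWOW64 with x86_/wow64_ ones; never compare across the two."""
    component = ref_path.lower().split("\\winsxs\\", 1)[1].split("\\", 1)[0]
    if "\\syswow64\\" in live_path.lower():
        return component.startswith(("x86_", "wow64_"))
    return component.startswith(("amd64_", "x86_"))


def find_mismatches(entries):
    """Compare each live copy with a same-size, same-architecture store copy.
    Assumption of this example: equal size plus matching architecture stands
    in for "same version"; WinSxS can hold several versions after servicing."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for group in by_name.values():
        refs = [e for e in group if _in_component_store(e["path"])]
        for live in (e for e in group if not _in_component_store(e["path"])):
            match = next((r for r in refs if r["size"] == live["size"]
                          and _arch_matches(live["path"], r["path"])), None)
            if match is None:
                status = "no_reference"
            elif match["md5"] == live["md5"]:
                status = "ok"
            else:
                status = "mismatch"  # what FRST flagged for services.exe
            findings.append({"live": live["path"], "live_md5": live["md5"],
                             "reference": match["path"] if match else None,
                             "reference_md5": match["md5"] if match else None,
                             "status": status})
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f"{f['status']:12} {f['live']}")
        if f["status"] == "mismatch":
            print(f"{'':12} live {f['live_md5']}  store {f['reference_md5']}")
```

A "mismatch" on a file the system could not have serviced since the store copy was written is the signal to replace it from the store, exactly the step taken later in this thread; a "no_reference" result means the search did not return a comparable copy and says nothing about integrity.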


OK, here you go......

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flashdrive as fixlist.txt.


C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\00000004.@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\1afb2d56
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\201d3dde
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000004.@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000008.@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\000000cb.@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000000.@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000032.@
C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000064.@
C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}
C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@
C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L
C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Good morning MrC! Thank you for helping me! Here is the Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 11-07-2012

Ran by SYSTEM at 2012-07-13 08:22:26 Run:1

Running from G:\

==============================================

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6} moved successfully.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\00000004.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\1afb2d56 not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\201d3dde not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000004.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000008.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\000000cb.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000000.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000032.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000064.@ not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6} moved successfully.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@ not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U not found.

C:\Windows\assembly\GAC_32\Desktop.iniC:\Windows\assembly\GAC_64\Desktop.ini not found.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Something happened with the fixlist.txt because it didn't read this one correctly:

C:\Windows\assembly\GAC_32\Desktop.iniC:\Windows\assembly\GAC_64\Desktop.ini not found.

Attached is fixlist.txt; download and use it to run the fix again.

Post the log when done.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 11-07-2012

Ran by SYSTEM at 2012-07-13 08:42:12 Run:2

Running from G:\

==============================================

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6} not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\00000004.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\1afb2d56 not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L\201d3dde not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000004.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\00000008.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\000000cb.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000000.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000032.@ not found.

C:\Windows\Installer\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U\80000064.@ not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6} not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\@ not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\L not found.

C:\Users\Lindsey\AppData\Local\{434328ed-d607-c34f-0e5f-6586c3fad3e6}\U not found.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

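An added check for the two fixlogs above; it is not part of the original thread and not something FRST or the helper provides. Both runs end with services.exe being moved out of System32 and the copy from the WinSxS component store put in its place, which is how the patched services.exe that ZeroAccess/Sirefef leaves behind gets repaired. Before moving on, a practitioner would confirm that the live file is now byte-identical to the store copy and passes Windows' own component verification. The two paths are copied from the fixlog and are specific to this machine's Windows 7 x64 build; the hashing helper and the use of sfc /verifyfile are my additions. Run it from an elevated 64-bit PowerShell so that System32 is not silently redirected to SysWOW64 and sfc can read the store.

```powershell
# Added example for this thread; not FRST output and not the helper's instruction.
# Paths are the ones reported in the FRST fixlog above (Windows 7 x64, 6.1.7600.16385).
$sys32  = 'C:\Windows\System32\services.exe'
$winsxs = 'C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe'

function Get-Sha256Hex {
    # Hash through .NET so this also runs on the PowerShell 2.0 that shipped with
    # Windows 7; Get-FileHash only arrived with PowerShell 4.0.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$live  = Get-Sha256Hex -Path $sys32
$store = Get-Sha256Hex -Path $winsxs
"System32 : $live"
"WinSxS   : $store"

if ($live -eq $store) {
    'OK: services.exe in System32 matches the component-store copy.'
} else {
    # The infection patches services.exe in place, so a mismatch here means the
    # repair did not take or the file has been modified again since the fix ran.
    Write-Warning 'services.exe in System32 does NOT match the WinSxS copy.'
}

# Independent check against Windows' own integrity data; needs an elevated prompt.
# A clean file prints "Windows Resource Protection did not find any integrity violations."
& "$env:windir\System32\sfc.exe" /verifyfile=$sys32
```

The hash comparison is the decisive test: a trustworthy store copy and an identical System32 copy mean the rootkit's patched binary is gone. sfc /verifyfile is the second opinion, useful because it does not depend on you having picked the right WinSxS folder.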

Good...it worked correctly this time.

Next.....

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


1 - I had the McAfee program (purchased) when I first bought my computer. I stopped the subscription and deleted it months ago (by uninstalling through the "add/remove programs" feature and then deleted all McAfee folders)

2 - ComboFix is posting a warning before running that it detects active McAfee programs and apparently they all have to be disabled.

3 - In the instructions linked above (Here.) it says to disable the program by clicking on the M icon in the bottom right hand corner of the screen. I don't have a M icon there.

Since I did uninstall McAfee a while back (and a search of the C drive doesn't pick up "McAfee"), should I just go ahead and run ComboFix?

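An added check for the question above; it is not part of the original thread, not ComboFix or DDS code, and not an instruction from the helper. The "AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-...}" lines that DDS and ComboFix print are read from the Windows Security Center WMI provider, and the GUID is the instanceGuid of that registration. If McAfee's uninstaller left its registration behind, those tools keep reporting it as active even when no McAfee files remain on disk, which is exactly the situation described. The script lists every product registered in root\SecurityCenter2 and whether the executable it points to still exists; the class and property names are the WMI provider's own, and the optional removal at the end is my suggestion rather than a step the helper gave.

```powershell
# Added example for this thread; not ComboFix/DDS code and not the helper's instruction.
# root\SecurityCenter2 is the namespace on Vista and later; Windows XP used root\SecurityCenter.
$ns = 'root\SecurityCenter2'

function Get-RegisteredSecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue |
            Select-Object `
                @{ n = 'Class'; e = { $class } },
                displayName,
                instanceGuid,
                pathToSignedProductExe,
                @{ n = 'ExeOnDisk'; e = {
                    # A registration whose executable is gone is an uninstall leftover.
                    if ($_.pathToSignedProductExe) { Test-Path -LiteralPath $_.pathToSignedProductExe } else { $false }
                } },
                @{ n = 'productState'; e = { '0x{0:X6}' -f [int]$_.productState } }
    }
}

$products = Get-RegisteredSecurityProducts
$products | Format-Table -AutoSize

# instanceGuid is the {GUID} shown in the DDS and ComboFix headers; a stale entry here
# is why ComboFix warns that McAfee is active although the product was removed.
$stale = $products | Where-Object { -not $_.ExeOnDisk }
if ($stale) {
    Write-Warning ('Stale Security Center registrations: ' + (($stale | ForEach-Object { $_.displayName }) -join ', '))
}

# Optional cleanup, run elevated. Removing the WMI instance only drops the registration;
# it does not touch any files. Uncomment to apply.
# foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
#     Get-WmiObject -Namespace $ns -Class $class |
#         Where-Object { $_.displayName -like 'McAfee*' } |
#         Remove-WmiObject
# }
```

If the McAfee rows show ExeOnDisk as False, the warning ComboFix gave is about a ghost registration rather than a running product. Vendors usually publish a dedicated removal tool for this; dropping the WMI instance directly is the fallback once that has been tried.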

Sorry for the delay -- meetings. <_<

I ran ComboFix and the computer reset. There was an error message that popped up but I didn't get a chance to read it.

The program now has a blue screen that says:

Preparing Log Report.

Do not run any programs until ComboFix has finished.

And it has a blinking cursor but is not doing anything.


Woops - wasn't patient enough. Here it is:

ComboFix 12-07-13.01 - Lindsey 07/13/2012 16:14:13.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3032.1627 [GMT -4:00]

Running from: H:\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\Search Toolbar

c:\program files (x86)\Search Toolbar\basis.xml

c:\program files (x86)\Search Toolbar\bg.bmp

c:\program files (x86)\Search Toolbar\bing_logo.png

c:\program files (x86)\Search Toolbar\celebrity.png

c:\program files (x86)\Search Toolbar\drop_images.png

c:\program files (x86)\Search Toolbar\drop_maps.png

c:\program files (x86)\Search Toolbar\drop_news.png

c:\program files (x86)\Search Toolbar\drop_videos.png

c:\program files (x86)\Search Toolbar\drop_web.png

c:\program files (x86)\Search Toolbar\facebook.png

c:\program files (x86)\Search Toolbar\favicon.png

c:\program files (x86)\Search Toolbar\games.png

c:\program files (x86)\Search Toolbar\hotmail.png

c:\program files (x86)\Search Toolbar\images.png

c:\program files (x86)\Search Toolbar\include.xml

c:\program files (x86)\Search Toolbar\info.txt

c:\program files (x86)\Search Toolbar\lifestyle.png

c:\program files (x86)\Search Toolbar\maps.png

c:\program files (x86)\Search Toolbar\messenger.png

c:\program files (x86)\Search Toolbar\msn.png

c:\program files (x86)\Search Toolbar\news.png

c:\program files (x86)\Search Toolbar\twitter.png

c:\program files (x86)\Search Toolbar\version.txt

c:\program files (x86)\Search Toolbar\video.png

c:\program files (x86)\Search Toolbar\videos.png

c:\program files (x86)\Search Toolbar\weather.png

c:\program files (x86)\Search Toolbar\web.png

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk

c:\users\Lindsey\AppData\Local\{92B55118-63DF-4BE4-B7D6-A11ECFCA5591}

c:\users\Lindsey\AppData\Local\{92B55118-63DF-4BE4-B7D6-A11ECFCA5591}\chrome\content\overlay.xul

c:\users\Lindsey\AppData\Local\{92B55118-63DF-4BE4-B7D6-A11ECFCA5591}\install.rdf

c:\users\Lindsey\AppData\Roaming\Bitrix Security

c:\users\Lindsey\AppData\Roaming\Bitrix Security\dizgoouro64_shrd

c:\users\Lindsey\AppData\Roaming\Bitrix Security\dupm

c:\users\Lindsey\AppData\Roaming\Bitrix Security\fg.txt

c:\users\Lindsey\AppData\Roaming\Bitrix Security\gakpr_shrd

c:\users\Lindsey\AppData\Roaming\Bitrix Security\jje.txt

c:\users\Lindsey\AppData\Roaming\Bitrix Security\kfwhsb_shrd

c:\users\Lindsey\AppData\Roaming\Bitrix Security\ljgh.txt

c:\users\Lindsey\AppData\Roaming\Bitrix Security\lopx.ico

c:\users\Lindsey\AppData\Roaming\Bitrix Security\lsvagr

c:\users\Lindsey\AppData\Roaming\Bitrix Security\mxd1.txt

c:\users\Lindsey\AppData\Roaming\Bitrix Security\qbkf62_shrd

c:\users\Lindsey\AppData\Roaming\Bitrix Security\qnf.txt

c:\users\Lindsey\AppData\Roaming\Bitrix Security\rtxx.txt

c:\users\Lindsey\AppData\Roaming\Bitrix Security\sjrpx

c:\users\Lindsey\AppData\Roaming\Bitrix Security\xkmdihzjd_shrd

c:\users\Lindsey\AppData\Roaming\Low

c:\users\Lindsey\AppData\Roaming\Low\dazyen.bii

c:\users\Lindsey\g2mdlhlpx.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-13 to 2012-07-13 )))))))))))))))))))))))))))))))

.

.

2012-07-12 22:56 . 2012-07-13 03:15 -------- d-----w- C:\FRST

2012-07-12 12:31 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 10:58 . 2012-06-06 05:50 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-11 10:58 . 2012-06-06 05:09 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll

2012-07-08 03:21 . 2012-07-08 03:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-08 03:12 . 2012-07-08 03:12 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-08 03:12 . 2012-07-08 03:12 -------- d-----w- c:\windows\system32\Macromed

2012-06-24 11:55 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-24 11:55 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-24 11:55 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-24 11:55 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-24 11:54 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-24 11:54 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-24 11:54 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-24 11:53 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-24 11:53 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-14 12:51 . 2012-04-20 04:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-08 03:12 . 2011-12-07 14:13 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-10-25 932288]

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"KodakHomeCenter"="c:\program files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-12-12 2234288]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 257224]

R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 31744]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1255736]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-06-16 55024]

S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2011-12-19 394672]

S2 MotoConnect Service;MotoConnect Service;c:\program files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [2009-12-14 92928]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-13 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 03:12]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-01-23 305664]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]

"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe" [2011-06-16 2922496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

FF - ProfilePath - c:\users\Lindsey\AppData\Roaming\Mozilla\Firefox\Profiles\81s1jkvk.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files (x86)\Search Toolbar\tbcore3.dll

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

Wow6432Node-HKLM-Run-Conime - c:\windows\system32\conime.exe

WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe

c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe

c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files (x86)\Motorola\MotoConnectService\MotoConnect.exe

.

**************************************************************************

.

Completion time: 2012-07-13 16:37:53 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-13 20:37

.

Pre-Run: 143,412,600,832 bytes free

Post-Run: 144,598,294,528 bytes free

.

- - End Of File - - D8FD94D402E2811066B2611772595541


.

Completion time: 2012-07-13 16:37:53 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-13 20:37

.

Pre-Run: 143,412,600,832 bytes free

Post-Run: 144,598,294,528 bytes free

.

- - End Of File - - D8FD94D402E2811066B2611772595541
