
"The specified service does not exist as an installed service"



After you do that, please do this......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


OK. Done. Report attached...names have been changed to protect the innocent...

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: jason [Admin rights]

Mode: Scan -- Date: 07/19/2012 14:25:44

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Huekrufeoq (C:\Users\jason\AppData\Roaming\Guofyg\ixetu.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-754058192-274942890-1641522791-1003[...]\Run : Huekrufeoq (C:\Users\jason\AppData\Roaming\Guofyg\ixetu.exe) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\windows\installer\{713e7756-8801-a7fa-ceef-c49b3321f017}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{713e7756-8801-a7fa-ceef-c49b3321f017}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\jason\appdata\local\{713e7756-8801-a7fa-ceef-c49b3321f017}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\jason\appdata\local\{713e7756-8801-a7fa-ceef-c49b3321f017}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\jason\appdata\local\{713e7756-8801-a7fa-ceef-c49b3321f017}\L --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

_INLINE_ : NtMapViewOfSection -> HOOKED (\Device\mfehidk01.sys @ 0xA43A05B6)

_INLINE_ : NtTerminateProcess -> HOOKED (\Device\mfehidk01.sys @ 0xA43A05E8)

_INLINE_ : NtUnmapViewOfSection -> HOOKED (\Device\mfehidk01.sys @ 0xA43A05CF)

_INLINE_ : NtYieldExecution -> HOOKED (\Device\mfehidk01.sys @ 0xA43A059D)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST325082 0AS SCSI Disk Device +++++

--- User ---

[MBR] 03b531728b05dd75d9e786b1dd1ac1d3

[bSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 228122 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>


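The report above is a fixed text format, so the sorting MrC does by eye (ZeroAccess artefacts and the AppData autoruns matter, the Start_Show* tweaks are cosmetic, the hooks belong to McAfee's own mfehidk driver) can be scripted. The following is an added helper written for this thread, not RogueKiller's code or anything JMB or MrC posted; the severity labels, the list of user-writable directories and the sample excerpt (taken verbatim from the report above, including the forum's "[sUSP PATH]" casing of RogueKiller's "[SUSP PATH]" tag) are the example's own assumptions.

```python
"""Triage a RogueKiller scan report in the text format posted above.
Hypothetical helper written for this thread, not part of RogueKiller: it reads
the "¤¤¤ Section ¤¤¤" headers and the "[TAG] body -> STATUS" finding lines and
rates each finding so ZeroAccess artefacts and AppData autoruns stand out."""
import re
from collections import Counter
from dataclasses import dataclass

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*¤¤¤$")
# "[TAG1][TAG2] body -> STATUS rest"; the files section uses "-->" instead of "->"
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\])*)\s*(?P<body>.*?)\s*-{1,2}>\s*(?P<status>[A-Z]+)\s*(?P<rest>.*)$")
INFECTION_RE = re.compile(r"^Infection\s*:\s*(?P<name>.+)$")
WIN_PATH_RE = re.compile(r"\(([A-Za-z]:\\[^)]*)\)")                    # "(C:\...\x.exe)"
HOOKER_RE = re.compile(r"\((?P<module>[^\s@)]+)\s*@\s*0x[0-9A-Fa-f]+\)")  # "(\Device\x.sys @ 0x..)"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")  # autoruns here are rarely legit


@dataclass
class Finding:
    section: str
    tags: tuple
    body: str
    status: str
    severity: str
    note: str


def classify(tags, body, status, rest):
    """(severity, note) for one finding. Tags are compared case-insensitively because
    the forum mangled them: "[sUSP PATH]" is RogueKiller's "[SUSP PATH]"."""
    utags = {t.upper() for t in tags}
    if "ZEROACCESS" in utags:
        return "critical", "ZeroAccess rootkit artefact"
    if "SUSP PATH" in utags:
        m = WIN_PATH_RE.search(body)
        path = m.group(1) if m else ""
        if any(marker in path.lower() for marker in USER_WRITABLE):
            return "high", "autorun launches from a user-writable directory: " + path
        return "medium", "autorun flagged as suspicious"
    if "HJ" in utags:
        return "low", "shell policy value changed (cosmetic; used to hide Start-menu items)"
    if status == "HOOKED":
        m = HOOKER_RE.search(rest)
        owner = m.group("module") if m else "unknown module"
        return "review", "inline hook owned by " + owner + "; confirm it is a known security driver"
    return "info", ""


def parse_report(text):
    """Return (findings, infections) for one report; lines without "->" are skipped."""
    section, findings, infections = "", [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").rstrip(":")
            im = INFECTION_RE.match(section)
            if im:
                infections.append(im.group("name").strip())
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        tags = tuple(re.findall(r"\[([^\]]*)\]", m.group("tags")))
        severity, note = classify(tags, m.group("body"), m.group("status"), m.group("rest"))
        findings.append(Finding(section, tags, m.group("body"), m.group("status"), severity, note))
    return findings, infections


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


# Constructed sample: an excerpt of the report posted above, verbatim (forum casing included).
SAMPLE_REPORT = r"""
RogueKiller V7.6.4 [07/17/2012] by Tigzy
Mode: Scan -- Date: 07/19/2012 14:25:44
¤¤¤ Registry Entries: 15 ¤¤¤
[sUSP PATH] HKCU\[...]\Run : Huekrufeoq (C:\Users\jason\AppData\Roaming\Guofyg\ixetu.exe) -> FOUND
[sUSP PATH] HKUS\S-1-5-21-754058192-274942890-1641522791-1003[...]\Run : Huekrufeoq (C:\Users\jason\AppData\Roaming\Guofyg\ixetu.exe) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{713e7756-8801-a7fa-ceef-c49b3321f017}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{713e7756-8801-a7fa-ceef-c49b3321f017}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\jason\appdata\local\{713e7756-8801-a7fa-ceef-c49b3321f017}\@ --> FOUND
¤¤¤ Driver: [LOADED] ¤¤¤
_INLINE_ : NtMapViewOfSection -> HOOKED (\Device\mfehidk01.sys @ 0xA43A05B6)
_INLINE_ : NtTerminateProcess -> HOOKED (\Device\mfehidk01.sys @ 0xA43A05E8)
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

if __name__ == "__main__":
    found, infections = parse_report(SAMPLE_REPORT)
    print(infections, severity_counts(found))
    for f in found:
        print(f"[{f.severity}] {f.body} -> {f.status}  {f.note}")
```

The "review" rating on hooks is deliberate: an inline hook on NtMapViewOfSection is also how a rootkit hides, so the script names the owning module and leaves the call to the analyst. Here the owner is \Device\mfehidk01.sys, which the FRST log later in the thread lists as McAfee's mfehidk driver, which is why MrC never treated those four hooks as part of the infection.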

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do.

MrC


MrC

Firstly, sorry it takes so long for me to get back to you - not in the same time zone.

So despite McAfee quarantining this infection, it's embedded... So antivirus sw is of no real value in this instance?! Kinda feel duped at this point...why bother in the first place?

Thanks for assistance so far and hope you can direct a fix. JMB


OK, run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest:

¤¤¤ Registry Entries: 15 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Huekrufeoq (C:\Users\jason\AppData\Roaming\Guofyg\ixetu.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-754058192-274942890-1641522791-1003[...]\Run : Huekrufeoq (C:\Users\jason\AppData\Roaming\Guofyg\ixetu.exe) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND

Now click Delete on the right hand column.

--------------------------------------

This next part you may or may not be able to do, let me know:

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC

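Two things in MrC's instructions are worth making explicit. FRST is run from System Recovery Options rather than from the running Vista because a loaded rootkit can hide its own files and hook the APIs a scanner uses, and the Search for services.exe is there to list every copy of that binary on the disk with its hash, so a tampered copy in System32 can be told from the copies Windows keeps in its servicing store. The script below is an added example written for this thread, not FRST's own code and not anything posted by MrC or JMB: it walks an offline (mounted or recovery-environment) volume, hashes every copy of a named binary and reports the odd one out, and separately flags the {GUID}\U, {GUID}\L and {GUID}\@ layout that RogueKiller reported as ZeroAccess above. SHA-256 is used instead of FRST's MD5, the sample tree it builds is constructed for the demo, and its file contents are placeholders, not real binaries.

```python
"""Offline check behind the FRST "Search: services.exe" step above.
Added helper written for this thread (not FRST's code): it walks a mounted Windows
volume, hashes every copy of a named system binary and reports the copies whose
hash disagrees with the rest, and flags the {GUID}\\U, {GUID}\\L and {GUID}\\@ layout
RogueKiller reported as ZeroAccess. Run it from a recovery environment or against
an offline volume: a live rootkit can hide exactly these objects."""
import hashlib
import os
import re
import tempfile
from collections import Counter

GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZEROACCESS_MEMBERS = {"u", "l", "@"}


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, filename):
    """{path: sha256} for every file named `filename` (case-insensitive) under root."""
    wanted, copies = filename.lower(), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == wanted:
                path = os.path.join(dirpath, name)
                try:
                    copies[path] = sha256_file(path)
                except OSError:
                    pass  # unreadable copy: report nothing rather than guess
    return copies


def outliers(copies):
    """Paths whose hash differs from the majority hash. One copy gives nothing to
    compare; an even split returns every copy so each is checked against a known-good hash."""
    if len(copies) < 2:
        return []
    counts = Counter(copies.values())
    top = max(counts.values())
    if list(counts.values()).count(top) > 1:
        return sorted(copies)
    majority = counts.most_common(1)[0][0]
    return sorted(p for p, h in copies.items() if h != majority)


def zeroaccess_layout(root):
    """[(dir, members)] for {GUID} directories holding a U or L subdirectory or an '@'
    file. Plain {GUID} directories are normal under Windows\\Installer (MSI cache);
    only those members are the signature."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        if GUID_DIR_RE.match(os.path.basename(dirpath)):
            members = {n.lower() for n in dirs + files} & ZEROACCESS_MEMBERS
            if members:
                hits.append((dirpath, sorted(members)))
    return sorted(hits)


def make_sample_tree():
    """Constructed stand-in for a mounted volume (hypothetical contents, same layout
    as the logs above): a patched System32 copy, two pristine servicing-store copies,
    one benign MSI cache directory and the two ZeroAccess directories."""
    root = tempfile.mkdtemp(prefix="za_demo_")

    def put(rel, data=b""):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    pristine = b"MZ pristine services.exe"
    put("Windows/System32/services.exe", b"MZ patched services.exe")
    put("Windows/winsxs/x86_services_a/services.exe", pristine)
    put("Windows/winsxs/x86_services_b/services.exe", pristine)
    put("Windows/Installer/{11111111-2222-3333-4444-555555555555}/icon.exe")
    put("Windows/Installer/{713e7756-8801-a7fa-ceef-c49b3321f017}/U/00000001.@")
    put("Windows/Installer/{713e7756-8801-a7fa-ceef-c49b3321f017}/L/placeholder")
    put("Users/jason/AppData/Local/{713e7756-8801-a7fa-ceef-c49b3321f017}/@")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print("suspect copies:", outliers(find_copies(root, "services.exe")))
    print("ZeroAccess layout:", zeroaccess_layout(root))
```

Majority voting is only a triage shortcut: when a volume holds exactly two differing copies the script returns both, and the decisive check is still the hash of a copy from known-good installation media. That is also why the FRST log JMB posted afterwards reports services.exe as "MD5 is legit" only after comparing it against a known value rather than against other copies on the same disk.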

MrC,

Job done - after a small fight - needed to activate Vista's Administrator control which (apparently) has a default 'inactivated' factory setting! Might need to consider this for future instructions to other mug punters such as myself..

Many thanks..again

JMB

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by SYSTEM at 20-07-2012 15:33:45

Running from E:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)

HKLM\...\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2006-10-02] (Macrovision Corporation)

HKLM\...\Run: [] [x]

HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [221184 2006-11-04] (Sonic Solutions)

HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-08-24] (Google)

HKLM\...\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe [17920 2006-11-17] ( )

HKLM\...\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [291720 2006-11-03] ()

HKLM\...\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [304008 2006-11-03] ()

HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s [312200 2006-11-03] ()

HKLM\...\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16 [106496 2006-10-16] ()

HKLM\...\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [16384 2007-11-14] ( )

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)

HKLM\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-20] (SupportSoft, Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [413696 2008-05-26] (Apple Inc.)

HKLM\...\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [476736 2012-05-03] (McAfee, Inc.)

HKLM\...\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [x]

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13687328 2009-04-13] (NVIDIA Corporation)

HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-04-13] (NVIDIA Corporation)

HKLM\...\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [169312 2008-07-20] (Maxtor Corporation)

HKLM\...\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup [x]

HKLM\...\Run: [sigmatelSysTrayApp] sttray.exe [x]

HKLM\...\Run: [VX3000] C:\Windows\vVX3000.exe [762736 2010-05-19] (Microsoft Corporation)

HKLM\...\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [119152 2010-05-19] (Microsoft Corporation)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [449608 2011-08-30] (Malwarebytes Corporation)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-08] (Sun Microsystems, Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-01-15] (Apple Inc.)

HKU\Administrator\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)

HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)

HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)

HKU\jason\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)

HKU\jason\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\jason\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-20] (SupportSoft, Inc.)

HKU\jason\...\Run: [] [x]

HKU\jason\...\Run: [NokiaSuite.exe] C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe -tray [1083264 2012-01-09] (Nokia)

HKU\McAfeeMVSUser\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)

HKU\TEMP\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)

Tcpip\Parameters: [DhcpNameServer] 192.168.235.10

AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )

Startup: C:\Users\jason\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

ShortcutTarget: Picture Motion Browser Media Check Tool.lnk -> C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)

================================ Services (Whitelisted) ==================

2 dlcx_device; C:\Windows\system32\dlcxcoms.exe -service [537480 2006-11-03] ( )

3 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2006-11-06] ()

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)

3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-08-24] (Google)

3 Installer Service; C:\ProgramData\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\{92D1CEBC-7C72-4ECF-BFC6-C131EF3FE6A7}\Installer\InstallerService.exe [125952 2012-02-06] ()

2 Maxtor Sync Service; "C:\Program Files\Maxtor\Sync\SyncServices.exe" [193888 2008-07-20] (Seagate Technology LLC)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [366152 2011-08-30] (Malwarebytes Corporation)

2 McAfee SiteAdvisor Enterprise Service; "C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe" [324928 2011-05-11] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2012-02-12] (McAfee, Inc.)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [151880 2012-02-21] (McAfee, Inc.)

2 myAgtSvc; "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart [291328 2012-05-03] (McAfee, Inc.)

2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-04] (Skype Technologies)

2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [201968 2008-08-13] (SupportSoft, Inc.)

3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]

4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]

2 RumorServer; "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /RunDLL=RumorServer.dll;ServiceHost [x]

2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

2 dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-16] (Gteko Ltd.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22216 2011-08-30] (Malwarebytes Corporation)

3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-21] (McAfee, Inc.)

3 MfeAVFK; C:\Windows\System32\drivers\mfeavfk.sys [180848 2012-02-21] (McAfee, Inc.)

3 MfeBOPK; C:\Windows\System32\drivers\mfebopk.sys [59456 2012-02-21] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-21] (McAfee, Inc.)

1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64912 2012-02-21] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2012-02-21] (McAfee, Inc.)

3 MfeRKDK; C:\Windows\System32\drivers\MfeRKDK.sys [34248 2009-12-14] (McAfee, Inc.)

1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [55304 2009-12-14] (McAfee, Inc.)

1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [169608 2012-02-21] (McAfee, Inc.)

3 MXOPSWD; C:\Windows\System32\DRIVERS\mxopswd.sys [22152 2007-05-02] (Maxtor Corp.)

3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2007-01-11] (SigmaTel, Inc.)

3 TrueSight; \??\c:\windows\system32\drivers\TrueSight.sys [14080 2012-07-19] ()

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 mfeavfk01; [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-20 15:33 - 2012-07-20 15:33 - 00000000 ____D C:\FRST

2012-07-19 21:13 - 2012-07-19 21:13 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\PC Suite

2012-07-19 21:08 - 2012-07-19 21:08 - 00000000 ____D C:\Users\Administrator\Documents\My Google Gadgets

2012-07-19 21:08 - 2012-07-19 21:08 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Roxio

2012-07-19 21:07 - 2012-07-19 21:08 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\DellFaxCtr

2012-07-19 21:07 - 2012-07-19 21:07 - 00116664 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT

2012-07-19 21:07 - 2012-07-19 21:07 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-19 21:07 - 2012-07-19 21:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\McAfee

2012-07-19 21:07 - 2012-07-19 21:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes

2012-07-19 21:07 - 2012-07-19 21:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\GTek

2012-07-19 21:07 - 2012-07-19 21:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer

2012-07-19 21:07 - 2012-07-19 21:07 - 00000000 ____D C:\Users\Administrator\AppData\Local\SupportSoft

2012-07-19 21:07 - 2012-07-19 21:07 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google

2012-07-19 21:06 - 2012-07-19 21:07 - 00000000 ____D C:\users\Administrator

2012-07-19 21:06 - 2012-07-19 21:06 - 00000020 __ASH C:\Users\Administrator\ntuser.ini

2012-07-19 21:06 - 2007-05-20 09:03 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help

2012-07-19 19:45 - 2012-07-19 19:45 - 00002849 ____A C:\Users\jason\Desktop\RKreport[3].txt

2012-07-19 19:34 - 2012-07-19 19:34 - 00002872 ____A C:\Users\jason\Desktop\RKreport[2].txt

2012-07-19 19:31 - 2012-07-19 19:31 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys

2012-07-19 19:30 - 2012-07-19 19:30 - 01552384 ____A C:\Users\jason\Downloads\RogueKiller (2).exe

2012-07-19 19:16 - 2012-07-19 19:16 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf

2012-07-19 18:52 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-19 18:42 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-07-19 18:42 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-07-19 18:42 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-07-19 18:42 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-07-19 18:42 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-07-19 18:42 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-07-19 18:42 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-07-19 18:42 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-07-19 18:42 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-07-19 18:42 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-07-19 18:42 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-07-19 18:41 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-07-19 18:41 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-07-19 18:41 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-07-18 20:25 - 2012-07-18 20:25 - 00003166 ____A C:\Users\jason\Desktop\RKreport[1].txt

2012-07-18 20:10 - 2012-07-19 19:44 - 00000000 ____D C:\Users\jason\Desktop\RK_Quarantine

2012-07-18 20:10 - 2012-07-18 20:10 - 01552384 ____A C:\Users\jason\Downloads\RogueKiller (1).exe

2012-07-18 20:08 - 2012-07-18 20:08 - 01552384 ____A C:\Users\jason\Downloads\RogueKiller.exe

2012-07-18 20:05 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-18 20:04 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-18 20:04 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-18 20:04 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-18 20:04 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-18 20:04 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-26 18:04 - 2012-06-26 18:04 - 00438618 ____A C:\Users\All Users\SPL445B.tmp

2012-06-24 16:07 - 2012-06-24 16:07 - 00000000 ____D C:\Users\jason\AppData\Local\Macromedia

============ 3 Months Modified Files ========================

2012-07-19 21:25 - 2006-11-02 05:01 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-19 21:25 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-19 21:24 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-19 21:24 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-19 21:23 - 2007-02-26 12:29 - 01512976 ____A C:\Windows\WindowsUpdate.log

2012-07-19 21:07 - 2012-07-19 21:07 - 00116664 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT

2012-07-19 21:07 - 2012-07-19 21:07 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-19 21:06 - 2012-07-19 21:06 - 00000020 __ASH C:\Users\Administrator\ntuser.ini

2012-07-19 20:51 - 2012-03-29 14:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-19 19:45 - 2012-07-19 19:45 - 00002849 ____A C:\Users\jason\Desktop\RKreport[3].txt

2012-07-19 19:34 - 2012-07-19 19:34 - 00002872 ____A C:\Users\jason\Desktop\RKreport[2].txt

2012-07-19 19:31 - 2012-07-19 19:31 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys

2012-07-19 19:30 - 2012-07-19 19:30 - 01552384 ____A C:\Users\jason\Downloads\RogueKiller (2).exe

2012-07-19 19:16 - 2012-07-19 19:16 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf

2012-07-19 19:16 - 2006-11-02 04:52 - 00810077 ____A C:\Windows\setupact.log

2012-07-19 19:10 - 2006-11-02 04:47 - 00413744 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-19 18:51 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini

2012-07-19 18:42 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-07-18 21:51 - 2012-03-29 14:46 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-18 21:51 - 2011-10-11 14:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-07-18 20:56 - 2007-02-26 12:58 - 00289942 ____A C:\Windows\PFRO.log

2012-07-18 20:25 - 2012-07-18 20:25 - 00003166 ____A C:\Users\jason\Desktop\RKreport[1].txt

2012-07-18 20:10 - 2012-07-18 20:10 - 01552384 ____A C:\Users\jason\Downloads\RogueKiller (1).exe

2012-07-18 20:08 - 2012-07-18 20:08 - 01552384 ____A C:\Users\jason\Downloads\RogueKiller.exe

2012-07-18 16:14 - 2006-11-02 02:33 - 00786594 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-17 22:40 - 2006-11-02 02:22 - 61079552 ____A C:\Windows\System32\config\software_previous

2012-07-17 22:40 - 2006-11-02 02:22 - 44302336 ____A C:\Windows\System32\config\components_previous

2012-07-17 22:40 - 2006-11-02 02:22 - 27525120 ____A C:\Windows\System32\config\system_previous

2012-07-17 22:40 - 2006-11-02 02:22 - 01048576 ____A C:\Windows\System32\config\default_previous

2012-07-17 22:40 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous

2012-07-17 22:40 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous

2012-06-26 18:04 - 2012-06-26 18:04 - 00438618 ____A C:\Users\All Users\SPL445B.tmp

2012-06-13 05:40 - 2012-07-19 18:52 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 09:47 - 2012-07-18 20:05 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-05 08:47 - 2012-07-18 20:04 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 08:47 - 2012-07-18 20:04 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-04 07:26 - 2012-07-18 20:04 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-02 14:19 - 2012-06-19 04:36 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-19 04:36 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-19 04:36 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-19 04:36 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-19 04:36 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:12 - 2012-06-19 04:36 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:12 - 2012-06-19 04:36 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 01:07 - 2012-07-19 18:41 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 00:43 - 2012-07-19 18:41 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 00:33 - 2012-07-19 18:42 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 00:26 - 2012-07-19 18:42 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 00:25 - 2012-07-19 18:42 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 00:25 - 2012-07-19 18:41 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 00:23 - 2012-07-19 18:42 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 00:21 - 2012-07-19 18:42 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 00:20 - 2012-07-19 18:42 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 00:19 - 2012-07-19 18:42 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 00:19 - 2012-07-19 18:42 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 00:17 - 2012-07-19 18:42 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 00:16 - 2012-07-19 18:42 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 00:14 - 2012-07-19 18:42 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-01 21:19 - 2012-06-19 04:36 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-01 21:12 - 2012-06-19 04:36 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-01 16:04 - 2012-07-18 20:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 16:03 - 2012-07-18 20:04 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-05-30 18:25 - 2010-08-08 15:37 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-05-24 19:08 - 2011-05-26 15:17 - 00921624 ____A C:\img2-001.raw

2012-05-24 19:06 - 2012-05-24 19:06 - 01035078 ____A C:\Users\All Users\SPLB6E4.tmp

2012-05-10 20:20 - 2012-05-10 20:20 - 02657656 ____A C:\Users\All Users\SPLDCB7.tmp

2012-05-09 22:52 - 2012-05-09 22:52 - 02657656 ____A C:\Users\All Users\SPLE795.tmp

2012-05-07 20:50 - 2012-05-07 20:50 - 00684053 ____A C:\Users\All Users\SPLCB70.tmp

2012-05-01 06:03 - 2012-06-13 09:23 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-23 08:00 - 2012-06-13 09:23 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 08:00 - 2012-06-13 09:23 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 08:00 - 2012-06-13 09:23 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%

Total physical RAM: 3069.88 MB

Available physical RAM: 2741.88 MB

Total Pagefile: 2968.47 MB

Available Pagefile: 2824 MB

Total Virtual: 2047.88 MB

Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:222.78 GB) (Free:131.6 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (STORE'N'GO) (Removable) (Total:0.96 GB) (Free:0.9 GB) FAT

4 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:0.99 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 686 KB

Disk 1 Online 983 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 55 MB 32 KB

Partition 2 Primary 10 GB 55 MB

Partition 3 Primary 223 GB 10 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 55 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 X RECOVERY NTFS Partition 10 GB Healthy Boot

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C OS NTFS Partition 223 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 983 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 0E

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E STORE'N'GO FAT Removable 983 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-19 20:33

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 16-07-2012 01

Ran by SYSTEM at 2012-07-20 15:35:49

Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

[2009-09-10 21:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe

[2008-09-10 22:58] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe

[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe

[2009-09-10 21:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===


Hi,

Weekend delay...Scan run again. Not run any other tools since starting this process with you.

Cheers

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: jason [Admin rights]

Mode: Scan -- Date: 07/23/2012 10:34:19

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 12 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST325082 0AS SCSI Disk Device +++++

--- User ---

[MBR] 03b531728b05dd75d9e786b1dd1ac1d3

[bSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 228122 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt


That's clean, let's see what ComboFix says......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


File report attached. It only took 10 mins or so to run...

ComboFix 12-07-21.01 - jason 23/07/2012 12:58:48.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.2015 [GMT 10:00]

Running from: c:\users\jason\Downloads\ComboFix.exe

AV: McAfee® Security-as-a-Service *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

SP: McAfee® Security-as-a-Service *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Microsoft

c:\microsoft\Small Business Accounting\AnalysisToolsReportRegistrations.xml

c:\programdata\SPL221.tmp

c:\programdata\SPL29E6.tmp

c:\programdata\SPL2D6E.tmp

c:\programdata\SPL3230.tmp

c:\programdata\SPL445B.tmp

c:\programdata\SPL498B.tmp

c:\programdata\SPL51D9.tmp

c:\programdata\SPL771B.tmp

c:\programdata\SPL8017.tmp

c:\programdata\SPL9EE3.tmp

c:\programdata\SPLB6E4.tmp

c:\programdata\SPLBBA2.tmp

c:\programdata\SPLBEB5.tmp

c:\programdata\SPLCB70.tmp

c:\programdata\SPLD26.tmp

c:\programdata\SPLD3B.tmp

c:\programdata\SPLD89.tmp

c:\programdata\SPLDCB7.tmp

c:\programdata\SPLE554.tmp

c:\programdata\SPLE795.tmp

c:\programdata\SPLE855.tmp

c:\programdata\SPLEA53.tmp

c:\programdata\SPLFC4E.tmp

c:\users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix

c:\users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk

c:\users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk

c:\users\jason\g2mdlhlpx.exe

c:\users\jason\ia_remove.sh8326.tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))

.

.

2012-07-23 03:08 . 2012-07-23 03:08 -------- d-----w- c:\users\TEMP\AppData\Local\temp

2012-07-23 03:08 . 2012-07-23 03:08 -------- d-----w- c:\users\McAfeeMVSUser\AppData\Local\temp

2012-07-23 03:08 . 2012-07-23 03:08 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-20 23:33 . 2012-07-20 23:33 -------- d-----w- C:\FRST

2012-07-20 05:06 . 2012-07-20 05:07 -------- d-----w- c:\users\Administrator

2012-07-20 02:52 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-20 02:41 . 2012-06-02 08:25 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-07-19 04:08 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EC8EAEBC-F6D5-4E2F-8545-9634C6AD808F}\mpengine.dll

2012-07-19 04:04 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-19 04:04 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-19 04:04 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-19 04:04 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-19 04:04 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-19 04:04 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

2012-06-25 00:07 . 2012-06-25 00:07 -------- d-----w- c:\users\jason\AppData\Local\Macromedia

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-19 05:51 . 2012-03-29 22:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-19 05:51 . 2011-10-11 22:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 03:46 . 2011-11-18 03:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-02 22:19 . 2012-06-19 12:36 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-19 12:36 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-19 12:36 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-19 12:36 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-19 12:36 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-19 12:36 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-19 12:36 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 05:19 . 2012-06-19 12:36 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 05:12 . 2012-06-19 12:36 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-31 02:25 . 2010-08-08 23:37 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-05-01 14:03 . 2012-06-13 17:23 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-23 02:33 . 2011-05-09 07:32 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-11 446976]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-20 206064]

"NokiaSuite.exe"="c:\program files\Nokia\Nokia Suite\NokiaSuite.exe" [2012-01-10 1083264]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-25 30192]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]

"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-11-04 291720]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-04 304008]

"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-04 312200]

"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-14 16384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-20 206064]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2012-05-03 476736]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-13 13687328]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-13 92704]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]

"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

c:\users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-10-8 385024]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-26 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-2-27 45056]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-08-17 01:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 05:51]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.hpmexecutive.com.au/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

TCP: DhcpNameServer = 192.168.235.10

FF - ProfilePath - c:\users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\gjc3x4e6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.hpmexecutive.com.au/|http://www.abc.net.au/news/|http://finance.google.com/finance

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-McAfee Managed Services Tray - c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe

SafeBoot-WudfPf

SafeBoot-WudfRd

AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-23 13:09

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

.

c:\users\jason\AppData\Local\Temp\catchme.dll 53248 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-07-23 13:12:55

ComboFix-quarantined-files.txt 2012-07-23 03:12

.

Pre-Run: 141,820,518,400 bytes free

Post-Run: 142,938,914,816 bytes free

.

- - End Of File - - F89AD09D628D474929EDEC38A2F098D2


Hi,

Ran the report as directed. Report attached.

Computer is/has been running fine, though I haven't been using it so much as I typically might. If this report shows the PC is clean, what is your opinion on using the machine to access secure sites (banking etc)?

Thanks so much for your help

JMB

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.23.11

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

24/07/2012 11:25:05 AM

mbam-log-2012-07-24 (11-25-05).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 263553

Time elapsed: 8 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Computer is/has been running fine, though I haven't been using it so much as typically might. If this report shows the PC is clean, what is your opinion on using the machine to access secure sites (banking etc)?

There's no way I or anyone else can tell you the computer is 100% clean; you read the warning about backdoor trojans.

Have you updated and run your anti-virus program yet?

MrC


Yes,

Updated and ran McAfee. No threats were detected. PC seems to be running fine, with the exception of the USB port connected to a printer...seems to be disabled. About to investigate/remedy.

I take onboard your comments and will be treating the machine as suspect until otherwise notified. It's an old beast anyway - been putting off replacing it till I made enough money to afford it!

Would you consider this case 'closed'...for want of a better word?

Many thanks, again, for your help. Would not have known where to start without your guidance. Will be clicking on the 'Donate' button for sure.

Cheers

JMB


PC seems to be running fine, with the exception of the USB port connected to a printer...seems to be disabled. About to investigate/remedy.

No problems, just discovered that in all the unplugging done as part of the repair, I hadn't plugged the printer back in (D'oh!). Told you I was a mug punter!!


Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
