
Rootkit.0Access and Trojan.Dropper.BCMiner found, need help removing




Hi everyone. Was trying to troubleshoot some unrelated problems and noticed that my NSLookup was causing a WINSOCK32.dll error. Went to do a virus scan, and noticed that MSE was no longer running. Ran Malwarebytes and came up with the following two infections:

Rootkit.0Access

Trojan.Dropper.BCMiner

Here are the DDS Logs:

Attach.txt

DDS.txt

Here's the log from the Malwarebytes run:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.19.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Jeff :: KAZEN7 [administrator]

7/19/2012 1:37:10 AM

mbam-log-2012-07-19 (02-02-03).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 208424

Time elapsed: 52 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\n (Rootkit.0Access) -> No action taken.

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

(end)

Here is the HiJackThis log, not sure if it helps:

hijackthis.log


Welcome to the forum.

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt. Close that message, then type the following into the search box:

services.exe

  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB drive.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC

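The procedure above ends with an FRST search for every copy of services.exe on the disk. The point of that search is comparison: on Windows 7 the System32 binary is normally a hard link to one of the component-store (WinSxS) copies, so a System32 copy whose hash matches none of the WinSxS copies is the one to look at first. The script below is an added example written for this thread, not code from the poster or from FRST; it assumes you already have the paths of every services.exe (which is what the search step collects) and can read their bytes. The on-disk layout and file bodies in SAMPLE_DISK are constructed stand-ins, and the WinSxS directory names are placeholders, not real component names.

```python
"""Flag a services.exe copy that matches none of the WinSxS component copies.

Added example for the "search for services.exe" step; not code from the poster
or from FRST. The file bodies and directory names below are constructed.
"""
import hashlib

WINSXS_MARK = "\\winsxs\\"   # substring that identifies a component-store path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_files(contents: dict) -> dict:
    """contents: {path: bytes}. Stand-in for reading each copy from disk."""
    return {path: sha256_of(body) for path, body in contents.items()}


def unmatched_copies(hashes: dict) -> list:
    """hashes: {path: sha256}. Return the copies outside WinSxS whose hash
    matches none of the WinSxS copies. An empty list means every live copy
    is accounted for by the component store."""
    baseline = {h for p, h in hashes.items() if WINSXS_MARK in p.lower()}
    if not baseline:
        raise ValueError("no WinSxS copies of the file to compare against")
    return sorted(p for p, h in hashes.items()
                  if WINSXS_MARK not in p.lower() and h not in baseline)


# Constructed sample: fake bodies standing in for the real binaries. Two
# component-store copies (two build numbers) plus the live System32 copy,
# which differs from the matching component copy by a single byte.
CLEAN = b"MZ" + b"\x90" * 64 + b"services 6.1.7601 (constructed)"
OLDER = b"MZ" + b"\x90" * 64 + b"services 6.1.7600 (constructed)"
SAMPLE_DISK = {
    r"C:\Windows\System32\services.exe": CLEAN[:-1] + b"!",
    r"C:\Windows\winsxs\amd64_placeholder-component_6.1.7601_a\services.exe": CLEAN,
    r"C:\Windows\winsxs\amd64_placeholder-component_6.1.7600_b\services.exe": OLDER,
}

if __name__ == "__main__":
    for path in unmatched_copies(hash_files(SAMPLE_DISK)):
        print("no matching WinSxS copy:", path)
```

To use it on a real search result, build the dict from the paths the search returned (hashing each file yourself from the recovery environment, where the live copy is not in use) and call unmatched_copies on it. A hit is a reason to inspect that copy, not proof by itself; a hash that matches a WinSxS copy is the expected state.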

Thanks for the offer of help. I understand the risks of proceeding, but would rather attempt to get rid of the infection than try a format at this point.

Here is FRST.txt:

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02

Ran by SYSTEM at 19-07-2012 18:00:27

Running from K:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]

HKLM\...\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE [4195848 2009-08-13] (Logitech Inc.)

HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2093064 2009-08-13] (Logitech Inc.)

HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415752 2009-08-13] (Logitech Inc.)

HKLM\...\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-06-24] (Realtek Semiconductor Corp.)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7883296 2009-06-24] (Realtek Semiconductor)

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-05-04] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()

HKLM-x32\...\Run: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe" [64112 2011-03-25] (VMware, Inc.)

HKLM-x32\...\Run: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave [828944 2011-08-03] (GlavSoft LLC.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [10752 2012-01-31] ()

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-05] (Advanced Micro Devices, Inc.)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [462920 2012-07-03] (Malwarebytes Corporation)

HKLM-x32\...\RunOnce: [innoSetupRegFile.0000000001] "C:\Windows\is-3HN67.exe" /REG /REGSVRMODE [711240 2012-07-18] ()

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Tcpip\..\Interfaces\{9D6F228C-CFB6-4067-91D0-DD7C123D5800}: [NameServer]10.40.1.16,10.40.1.17

Tcpip\..\Interfaces\{F379B6A6-81A1-4AFD-B0B0-B1FF197491D5}: [NameServer]192.168.1.1,167.206.251.129

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\vpngui.exe.lnk

ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()

Startup: C:\Users\Jeff\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 CVPND; "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe" [1528616 2010-03-23] (Cisco Systems, Inc.)

2 LPDSVC; C:\Windows\System32\lpdsvc.dll [45568 2009-07-13] (Microsoft Corporation)

2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [61913952 2010-04-03] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2011-12-10] ()

4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [428384 2010-04-03] (Microsoft Corporation)

2 TVersityMediaServer; "C:\Users\Jeff\AppData\Local\TVersity\Media Server\MediaServer.exe" [884736 2010-07-24] ()

2 tvnserver; "C:\Program Files (x86)\TightVNC\tvnserver.exe" -service [828944 2011-08-03] (GlavSoft LLC.)

3 ufad-ws60; "C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe" -d "C:\Program Files (x86)\VMware\VMware Player\\" -s ufad-p2v.xml [x]

========================== Drivers (Whitelisted) =============

3 arusb_lhx; C:\Windows\System32\Drivers\arusb_lhx.sys [553472 2008-09-29] ()

3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh664.sys [838136 2009-11-05] (Broadcom Corporation)

3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA64.sys [14992 2010-02-08] (Cisco Systems, Inc.)

3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()

3 DNE; C:\Windows\System32\DRIVERS\dne64x.sys [157968 2008-11-16] (Deterministic Networks, Inc.)

3 gdrv; \??\C:\Windows\gdrv.sys [25640 2009-11-06] (Windows ® Server 2003 DDK provider)

4 RsFx0150; C:\Windows\System32\Drivers\RsFx0150.sys [313696 2010-04-03] (Microsoft Corporation)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2009-12-19] (Duplex Secure Ltd.)

2 vstor2-ws60; \??\C:\Program Files (x86)\VMware\VMware Player\vstor2-ws60.sys [32816 2010-08-19] (VMware, Inc.)

3 NPF; C:\Windows\System32\DRIVERS\npf.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-19 18:00 - 2012-07-19 18:00 - 00000000 ____D C:\FRST

2012-07-19 04:50 - 2012-07-19 04:50 - 00000000 ____D C:\Users\Jeff\AppData\Local\{C299AF61-5102-4A22-8C48-58A7417B274A}

2012-07-19 04:49 - 2012-07-19 04:50 - 00000000 ____D C:\Users\Jeff\AppData\Local\{78032ABD-CAF7-49F8-8B52-46D0038BB995}

2012-07-18 21:54 - 2012-07-18 21:53 - 00607260 ____R (Swearware) C:\Users\Jeff\Desktop\dds.exe

2012-07-18 21:42 - 2012-07-18 21:42 - 00003745 ____A C:\Users\Jeff\Desktop\RKreport[1].txt

2012-07-18 21:41 - 2012-07-18 21:42 - 00000000 ____D C:\Users\Jeff\Desktop\RK_Quarantine

2012-07-18 21:36 - 2012-07-18 21:36 - 00711240 ____A C:\Windows\is-3HN67.exe

2012-07-18 21:36 - 2012-07-18 21:36 - 00010550 ____A C:\Windows\is-3HN67.msg

2012-07-18 21:36 - 2012-07-18 21:36 - 00000459 ____A C:\Windows\is-3HN67.lst

2012-07-18 21:28 - 2012-07-18 21:28 - 00000000 ____D C:\Windows\LastGood

2012-07-18 16:49 - 2012-07-18 16:49 - 00000000 ____D C:\Users\Jeff\AppData\Local\{75CFA0BB-0586-4FE4-8B67-703AFE54B43E}

2012-07-18 16:49 - 2012-07-18 16:49 - 00000000 ____D C:\Users\Jeff\AppData\Local\{221AA3F9-95AF-4790-868F-5B4D49E146D5}

2012-07-18 04:49 - 2012-07-18 04:49 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B0F58CE1-1E51-4BD9-8BCD-5C37D26EF26E}

2012-07-18 04:49 - 2012-07-18 04:49 - 00000000 ____D C:\Users\Jeff\AppData\Local\{5F004060-9081-43B0-BFB4-11373F5BDE83}

2012-07-17 16:48 - 2012-07-17 16:49 - 00000000 ____D C:\Users\Jeff\AppData\Local\{4C58EA44-6B6C-47FC-8EEF-A4ED0112969D}

2012-07-17 16:48 - 2012-07-17 16:48 - 00000000 ____D C:\Users\Jeff\AppData\Local\{84AE8F8E-4826-4A75-A820-AFE2C2FB2CAB}

2012-07-17 04:48 - 2012-07-17 04:48 - 00000000 ____D C:\Users\Jeff\AppData\Local\{BE90E01C-619D-4243-B187-5A0F036BC2A4}

2012-07-17 04:48 - 2012-07-17 04:48 - 00000000 ____D C:\Users\Jeff\AppData\Local\{91557078-8640-42D5-9C38-9F0E93811EB7}

2012-07-16 16:48 - 2012-07-16 16:48 - 00000000 ____D C:\Users\Jeff\AppData\Local\{47EB6C9B-D76B-48B7-8D13-CAD951F33CE2}

2012-07-16 16:48 - 2012-07-16 16:48 - 00000000 ____D C:\Users\Jeff\AppData\Local\{02404071-8560-4D90-9F6F-46EA3F3DA8B5}

2012-07-16 04:47 - 2012-07-16 04:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\{DF5F7FB9-5AE3-4F83-9EDE-A681D1447D63}

2012-07-16 04:47 - 2012-07-16 04:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\{CE99FD06-1AB0-4AFF-A771-D842EE6B03E0}

2012-07-15 16:47 - 2012-07-15 16:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\{3B58AA2C-599C-405B-97EF-3F656F40E9A0}

2012-07-15 16:47 - 2012-07-15 16:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\{316A1993-367D-4B4B-BA68-BA2BD6E3F4FE}

2012-07-15 04:47 - 2012-07-15 04:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\{AFF4DD15-ECCF-4BAC-94F0-994BE0D66936}

2012-07-15 04:46 - 2012-07-15 04:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B887B9A3-FA4E-4F82-B986-BDD3415E6992}

2012-07-14 16:46 - 2012-07-14 16:46 - 00000000 ____D C:\Users\Jeff\AppData\Local\{C043F1D6-2474-4914-8EEE-AF301858E09B}

2012-07-14 16:46 - 2012-07-14 16:46 - 00000000 ____D C:\Users\Jeff\AppData\Local\{3C9884D0-6BC5-4C09-BC6C-7DF81D4C4390}

2012-07-14 04:46 - 2012-07-14 04:46 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E7963D75-B02F-4A51-ABAF-06751E3FF413}

2012-07-14 04:46 - 2012-07-14 04:46 - 00000000 ____D C:\Users\Jeff\AppData\Local\{999B496E-5D8E-4B0E-A1D9-417ABBEDFFB0}

2012-07-13 16:45 - 2012-07-13 16:46 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6F68C657-705A-4C5D-9D4F-BD6BEB1B634A}

2012-07-13 16:45 - 2012-07-13 16:45 - 00000000 ____D C:\Users\Jeff\AppData\Local\{EF603ECA-33AB-4204-A250-6B83B4832362}

2012-07-13 04:45 - 2012-07-13 04:45 - 00000000 ____D C:\Users\Jeff\AppData\Local\{59D4AB9F-144D-4A04-A074-CE40385EDC8B}

2012-07-13 04:45 - 2012-07-13 04:45 - 00000000 ____D C:\Users\Jeff\AppData\Local\{42822ED1-2B5D-4699-BE71-D2DDAD80A089}

2012-07-12 16:45 - 2012-07-12 16:45 - 00000000 ____D C:\Users\Jeff\AppData\Local\{D21624A2-FE50-44EE-AFF3-8DBE31D53CC3}

2012-07-12 16:45 - 2012-07-12 16:45 - 00000000 ____D C:\Users\Jeff\AppData\Local\{9D1E3C5E-87F0-4EEF-9118-652528DEEF9C}

2012-07-12 04:44 - 2012-07-12 04:45 - 00000000 ____D C:\Users\Jeff\AppData\Local\{FFC58D08-42B9-4337-9420-2F7CB3E75C1E}

2012-07-12 04:44 - 2012-07-12 04:44 - 00000000 ____D C:\Users\Jeff\AppData\Local\{10FE95C2-9AE3-43E1-96A5-EBB0A981DCA5}

2012-07-11 16:44 - 2012-07-11 16:44 - 00000000 ____D C:\Users\Jeff\AppData\Local\{8096B9FF-56EC-430B-A531-FCEF120D9AC4}

2012-07-11 16:44 - 2012-07-11 16:44 - 00000000 ____D C:\Users\Jeff\AppData\Local\{54F6D764-87CB-447E-B16E-35AE947AAEFF}

2012-07-11 16:18 - 2012-07-11 16:17 - 00131180 ____A C:\Users\Jeff\Documents\EVEMon_Settings_3809.xml.bak

2012-07-11 04:44 - 2012-07-11 04:44 - 00000000 ____D C:\Users\Jeff\AppData\Local\{C2369F62-FBBA-4EFB-AAED-E80006DC7CD0}

2012-07-11 04:43 - 2012-07-11 04:44 - 00000000 ____D C:\Users\Jeff\AppData\Local\{A1E1269B-59C8-42D6-875C-621483B6D417}

2012-07-10 16:43 - 2012-07-10 16:43 - 00000000 ____D C:\Users\Jeff\AppData\Local\{61F5615F-05AA-4F8A-AE0D-3E02F5355418}

2012-07-10 16:43 - 2012-07-10 16:43 - 00000000 ____D C:\Users\Jeff\AppData\Local\{4453D50F-9ED5-4FDD-BEBE-F45B35DDC2C2}

2012-07-10 04:43 - 2012-07-10 04:43 - 00000000 ____D C:\Users\Jeff\AppData\Local\{CEAFC54C-3761-42DB-ADDB-4A635C48DF76}

2012-07-10 04:43 - 2012-07-10 04:43 - 00000000 ____D C:\Users\Jeff\AppData\Local\{0D8FC0C3-72A7-48A1-B941-0D43296AEB32}

2012-07-09 16:42 - 2012-07-09 16:43 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6450784C-75BD-47AB-A38A-F20D8476C053}

2012-07-09 16:42 - 2012-07-09 16:42 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E33D4718-639E-470C-B3FC-F4E96A8F0793}

2012-07-09 04:42 - 2012-07-09 04:42 - 00000000 ____D C:\Users\Jeff\AppData\Local\{F4D4B8DB-88FF-4181-A6FE-1C64104412C4}

2012-07-09 04:42 - 2012-07-09 04:42 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E9511B25-F727-4D52-A33D-D078531FC0D0}

2012-07-08 16:42 - 2012-07-08 16:42 - 00000000 ____D C:\Users\Jeff\AppData\Local\{71667031-0A0B-4528-BF5F-9CAA14787CC7}

2012-07-08 16:42 - 2012-07-08 16:42 - 00000000 ____D C:\Users\Jeff\AppData\Local\{094480C4-391B-4CC9-9B4A-8C4C596C77F1}

2012-07-08 12:17 - 2012-07-08 12:17 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-08 04:41 - 2012-07-08 04:41 - 00000000 ____D C:\Users\Jeff\AppData\Local\{93E30CBE-A2C5-4B24-BAE6-4E6440D595CC}

2012-07-08 04:41 - 2012-07-08 04:41 - 00000000 ____D C:\Users\Jeff\AppData\Local\{2CF47558-3410-4D47-AB5A-2EA6ECB24776}

2012-07-07 16:41 - 2012-07-07 16:41 - 00000000 ____D C:\Users\Jeff\AppData\Local\{ACB86BC5-9B02-4E26-B0FA-CB94453F4F1A}

2012-07-07 16:41 - 2012-07-07 16:41 - 00000000 ____D C:\Users\Jeff\AppData\Local\{2308B52D-300F-419E-A718-F285D49C8EB5}

2012-07-07 08:34 - 2012-07-07 08:34 - 00000697 ____A C:\Users\Public\Desktop\The Secret World.lnk

2012-07-07 04:40 - 2012-07-07 04:41 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6D79793E-C1C6-4DE0-A95B-6AEBE81F70FA}

2012-07-07 04:40 - 2012-07-07 04:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\{DB6959BC-1954-46C2-ABE5-D56399EF967A}

2012-07-06 16:40 - 2012-07-06 16:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\{582009A1-EE6E-47A7-AF99-ADA26113238A}

2012-07-06 16:40 - 2012-07-06 16:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\{386FE790-C9D9-49AF-B17F-8826D644D4AB}

2012-07-06 04:40 - 2012-07-06 04:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\{7334ECE2-C4F2-464C-A4D5-04748151C934}

2012-07-06 04:39 - 2012-07-06 04:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B8A04445-B98E-4D7C-8759-FF8C7B75BDE1}

2012-07-05 16:39 - 2012-07-05 16:39 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E5C7A8C6-241C-4003-90E5-BB68FAA9B63E}

2012-07-05 16:39 - 2012-07-05 16:39 - 00000000 ____D C:\Users\Jeff\AppData\Local\{731F45DB-ED5E-43AE-B4FB-3E5025E124EA}

2012-07-05 04:39 - 2012-07-05 04:39 - 00000000 ____D C:\Users\Jeff\AppData\Local\{D938B28B-0CFD-45D4-941B-CE049D7575B3}

2012-07-05 04:39 - 2012-07-05 04:39 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B6AC410A-29F5-447E-8116-485B88FA4058}

2012-07-04 16:39 - 2012-07-04 16:39 - 00000000 ____D C:\Users\Jeff\AppData\Local\{41315D56-5D85-47D8-896E-56E4FF527602}

2012-07-04 16:38 - 2012-07-04 16:39 - 00000000 ____D C:\Users\Jeff\AppData\Local\{7F022EDE-95A7-4FA1-9A26-92FFD514DBC7}

2012-07-04 04:38 - 2012-07-04 04:38 - 00000000 ____D C:\Users\Jeff\AppData\Local\{616E335B-AE33-4242-B6F5-72069557C2E2}

2012-07-04 04:38 - 2012-07-04 04:38 - 00000000 ____D C:\Users\Jeff\AppData\Local\{02533EB0-B5E4-4E56-B4F5-4D84C5B2BCBC}

2012-07-03 16:38 - 2012-07-03 16:38 - 00000000 ____D C:\Users\Jeff\AppData\Local\{9139C0CB-D08C-4980-9521-B47E9099358C}

2012-07-03 16:38 - 2012-07-03 16:38 - 00000000 ____D C:\Users\Jeff\AppData\Local\{76112C02-9FCC-4853-8E86-B6D5CC20068D}

2012-07-03 04:37 - 2012-07-03 04:38 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E5343906-145C-4E70-98DA-B41866157FC4}

2012-07-03 04:37 - 2012-07-03 04:37 - 00000000 ____D C:\Users\Jeff\AppData\Local\{FE3DC035-DE29-4AA9-92FD-C96F834A0833}

2012-07-02 16:37 - 2012-07-02 16:37 - 00000000 ____D C:\Users\Jeff\AppData\Local\{D2834CDF-729B-4AB9-BE99-D16732CEB549}

2012-07-02 16:37 - 2012-07-02 16:37 - 00000000 ____D C:\Users\Jeff\AppData\Local\{AAD462A3-02A2-4332-8E20-82C0E00C05D0}

2012-07-02 04:37 - 2012-07-02 04:37 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E7D33CFE-5C4B-4FA1-9291-C8C98FFBBC9B}

2012-07-02 04:36 - 2012-07-02 04:37 - 00000000 ____D C:\Users\Jeff\AppData\Local\{483D89AA-8B17-4296-8638-81797427B8BB}

2012-07-01 16:36 - 2012-07-01 16:36 - 00000000 ____D C:\Users\Jeff\AppData\Local\{1397955F-3BED-4945-9D54-60CA6316FD60}

2012-07-01 16:36 - 2012-07-01 16:36 - 00000000 ____D C:\Users\Jeff\AppData\Local\{0F437B37-2B07-410F-A5E9-F7AB23989367}

2012-07-01 04:36 - 2012-07-01 04:36 - 00000000 ____D C:\Users\Jeff\AppData\Local\{A14B9DFB-C575-4578-A51B-AC5ABF703E21}

2012-07-01 04:36 - 2012-07-01 04:36 - 00000000 ____D C:\Users\Jeff\AppData\Local\{698BADEA-0E8B-46C1-AB6C-82D535B5163F}

2012-06-30 16:36 - 2012-06-30 16:36 - 00000000 ____D C:\Users\Jeff\AppData\Local\{147EE187-FF19-4965-A743-6858F39F2D27}

2012-06-30 16:35 - 2012-06-30 16:36 - 00000000 ____D C:\Users\Jeff\AppData\Local\{80012A5D-7974-453C-8C3E-B6C3BEED6E8E}

2012-06-30 04:35 - 2012-06-30 04:35 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B545BD0D-7AC5-458F-9EBA-C5703A78A50C}

2012-06-30 04:35 - 2012-06-30 04:35 - 00000000 ____D C:\Users\Jeff\AppData\Local\{67B6761E-2247-4D11-B4DA-2632614A708B}

2012-06-29 16:35 - 2012-06-29 16:35 - 00000000 ____D C:\Users\Jeff\AppData\Local\{63570931-A6F3-4746-A335-C856C7DD5773}

2012-06-29 16:35 - 2012-06-29 16:35 - 00000000 ____D C:\Users\Jeff\AppData\Local\{01EC9EFB-5D5E-44FF-BD2F-8AD86E151820}

2012-06-29 04:34 - 2012-06-29 04:35 - 00000000 ____D C:\Users\Jeff\AppData\Local\{D259B687-600A-4143-A49B-16E188AC7008}

2012-06-29 04:34 - 2012-06-29 04:34 - 00000000 ____D C:\Users\Jeff\AppData\Local\{30761752-14AD-41AF-BC28-E7FDC54378BC}

2012-06-28 16:34 - 2012-06-28 16:34 - 00000000 ____D C:\Users\Jeff\AppData\Local\{A40C5B30-82CF-4A54-895A-F94A361D4324}

2012-06-28 16:34 - 2012-06-28 16:34 - 00000000 ____D C:\Users\Jeff\AppData\Local\{1D56AAAE-712F-4762-964E-9878F07C71DA}

2012-06-28 04:34 - 2012-06-28 04:34 - 00000000 ____D C:\Users\Jeff\AppData\Local\{8AC2C4F1-E8EA-4DC5-B743-87B800CFA585}

2012-06-28 04:34 - 2012-06-28 04:34 - 00000000 ____D C:\Users\Jeff\AppData\Local\{24AC7E1F-4B3A-456F-BEC3-038E6C24E471}

2012-06-27 16:33 - 2012-06-27 16:33 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E3371E21-B5EF-4A10-BD72-914E29F1089A}

2012-06-27 16:33 - 2012-06-27 16:33 - 00000000 ____D C:\Users\Jeff\AppData\Local\{A3A9FA23-ACC2-483F-89DC-C3C28B844B7B}

2012-06-27 04:33 - 2012-06-27 04:33 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6679D95F-9829-4891-8178-050AD86D84A3}

2012-06-27 04:33 - 2012-06-27 04:33 - 00000000 ____D C:\Users\Jeff\AppData\Local\{2ED8BFE9-2ADC-4142-A11D-FC1ED969DA71}

2012-06-26 16:33 - 2012-06-26 16:33 - 00000000 ____D C:\Users\Jeff\AppData\Local\{D97F0A34-F359-4C27-993A-A4FCE11D7564}

2012-06-26 16:32 - 2012-06-26 16:33 - 00000000 ____D C:\Users\Jeff\AppData\Local\{D382ACD3-3E6B-4415-A745-F8FA8D8F6204}

2012-06-26 04:32 - 2012-06-26 04:32 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6D96121E-D695-46EC-ADFE-890C8C3C2DD7}

2012-06-26 04:32 - 2012-06-26 04:32 - 00000000 ____D C:\Users\Jeff\AppData\Local\{0D5AED79-C3A3-49F2-A1B2-0767792D0964}

2012-06-25 16:32 - 2012-06-25 16:32 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6380D295-A91A-49FC-9D0B-65556D9CFB45}

2012-06-25 16:32 - 2012-06-25 16:32 - 00000000 ____D C:\Users\Jeff\AppData\Local\{577CDD98-332A-4022-A3BF-7080830ABA0A}

2012-06-25 04:31 - 2012-06-25 04:32 - 00000000 ____D C:\Users\Jeff\AppData\Local\{FB157469-E4EA-4D51-B9F1-5C74EEE52348}

2012-06-25 04:31 - 2012-06-25 04:31 - 00000000 ____D C:\Users\Jeff\AppData\Local\{F789BE47-9B12-4BCE-A56F-6351A53D5A01}

2012-06-24 16:31 - 2012-06-24 16:31 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B15A1B0D-3160-4FE7-B453-F080F716BA13}

2012-06-24 16:31 - 2012-06-24 16:31 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6D14C043-739D-4A15-B8D2-07F749EA327A}

2012-06-24 13:16 - 2012-06-24 13:16 - 00000000 ____D C:\Users\Jeff\AppData\Local\Macromedia

2012-06-24 12:47 - 2012-06-24 12:47 - 00000000 ____D C:\Users\Public\New Folder

2012-06-24 04:31 - 2012-06-24 04:31 - 00000000 ____D C:\Users\Jeff\AppData\Local\{C57F4938-41DA-4700-9969-B97FCF498490}

2012-06-24 04:31 - 2012-06-24 04:31 - 00000000 ____D C:\Users\Jeff\AppData\Local\{C3F08F29-1EFA-4E5B-BB49-403612DC9170}

2012-06-23 16:30 - 2012-06-23 16:31 - 00000000 ____D C:\Users\Jeff\AppData\Local\{7374BA9B-0377-41F8-AE93-EC585FE9D06A}

2012-06-23 16:30 - 2012-06-23 16:30 - 00000000 ____D C:\Users\Jeff\AppData\Local\{57578417-044D-486F-85D0-C36A4321788F}

2012-06-23 04:30 - 2012-06-23 04:30 - 00000000 ____D C:\Users\Jeff\AppData\Local\{DBABE6F3-5034-48E3-8B5D-204B077CD4C1}

2012-06-23 04:30 - 2012-06-23 04:30 - 00000000 ____D C:\Users\Jeff\AppData\Local\{5521D4A1-D848-4DEC-A5AD-92F9D546D33C}

2012-06-22 16:30 - 2012-06-22 16:30 - 00000000 ____D C:\Users\Jeff\AppData\Local\{0B1A9E05-2291-45DB-824D-CBDA63D8EB6A}

2012-06-22 16:29 - 2012-06-22 16:30 - 00000000 ____D C:\Users\Jeff\AppData\Local\{4214F911-C36C-4D4D-9F02-9EA07DF642AA}

2012-06-22 04:29 - 2012-06-22 04:29 - 00000000 ____D C:\Users\Jeff\AppData\Local\{FEA9C93D-AB07-40F9-AEBD-C12C1CAAAE1C}

2012-06-22 04:29 - 2012-06-22 04:29 - 00000000 ____D C:\Users\Jeff\AppData\Local\{65184BDD-CCFF-46CE-A880-53A73F1862D8}

2012-06-21 16:29 - 2012-06-21 16:29 - 00000000 ____D C:\Users\Jeff\AppData\Local\{A5430298-B6BA-4475-88B2-61985A234637}

2012-06-21 16:29 - 2012-06-21 16:29 - 00000000 ____D C:\Users\Jeff\AppData\Local\{6E91543B-97B0-4AEE-A9B6-C1EC3A99401D}

2012-06-21 04:28 - 2012-06-21 04:29 - 00000000 ____D C:\Users\Jeff\AppData\Local\{965C76F2-11E9-4D71-9267-22B9FF8688EF}

2012-06-21 04:28 - 2012-06-21 04:28 - 00000000 ____D C:\Users\Jeff\AppData\Local\{BC5FFADB-1D57-462A-9545-E50B82687063}

2012-06-20 16:28 - 2012-06-20 16:28 - 00000000 ____D C:\Users\Jeff\AppData\Local\{882098CD-C4FC-4108-BD9A-9B69F06FA7B6}

2012-06-20 16:28 - 2012-06-20 16:28 - 00000000 ____D C:\Users\Jeff\AppData\Local\{060BB9D6-2C41-446F-9DB8-2387059D00DE}

2012-06-20 04:28 - 2012-06-20 04:28 - 00000000 ____D C:\Users\Jeff\AppData\Local\{B8D906B5-DFB9-473C-945F-6CEDDD763589}

2012-06-20 04:28 - 2012-06-20 04:28 - 00000000 ____D C:\Users\Jeff\AppData\Local\{35977F80-7940-480C-8891-D1CF23FADEB5}

2012-06-19 16:27 - 2012-06-19 16:28 - 00000000 ____D C:\Users\Jeff\AppData\Local\{8DBA684B-BCC8-4161-B2A2-A210C9F95321}

2012-06-19 16:27 - 2012-06-19 16:27 - 00000000 ____D C:\Users\Jeff\AppData\Local\{143BAE6A-E889-407F-9EA2-DA9719E203F6}

2012-06-19 04:42 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-19 04:42 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-19 04:42 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-19 04:42 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-19 04:42 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-19 04:42 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-19 04:27 - 2012-06-19 04:27 - 00000000 ____D C:\Users\Jeff\AppData\Local\{E550AC0A-7046-4AD4-A40F-FE4A6CF0E2B7}

2012-06-19 04:27 - 2012-06-19 04:27 - 00000000 ____D C:\Users\Jeff\AppData\Local\{0379B8BC-0606-4810-AB61-FFD7C1A53317}

============ 3 Months Modified Files ========================

2012-07-19 13:57 - 2009-10-22 20:43 - 01482692 ____A C:\Windows\WindowsUpdate.log

2012-07-19 13:56 - 2009-10-23 09:56 - 00002072 ___AH C:\Users\Jeff\Documents\Default.rdp

2012-07-19 13:55 - 2009-07-13 21:13 - 00893746 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-19 13:52 - 2009-07-13 20:51 - 00063121 ____A C:\Windows\setupact.log

2012-07-18 21:53 - 2012-07-18 21:54 - 00607260 ____R (Swearware) C:\Users\Jeff\Desktop\dds.exe

2012-07-18 21:42 - 2012-07-18 21:42 - 00003745 ____A C:\Users\Jeff\Desktop\RKreport[1].txt

2012-07-18 21:36 - 2012-07-18 21:36 - 00711240 ____A C:\Windows\is-3HN67.exe

2012-07-18 21:36 - 2012-07-18 21:36 - 00010550 ____A C:\Windows\is-3HN67.msg

2012-07-18 21:36 - 2012-07-18 21:36 - 00000459 ____A C:\Windows\is-3HN67.lst

2012-07-15 18:20 - 2012-03-07 18:42 - 00000984 ____A C:\Users\Public\Desktop\Mass Effect 3.lnk

2012-07-15 18:20 - 2009-10-22 22:23 - 00571773 ____A C:\Windows\DirectX.log

2012-07-14 00:00 - 2010-07-02 14:14 - 00000376 ____A C:\Windows\Tasks\Intel_C_CVPO9304007V080BGN.job

2012-07-11 16:17 - 2012-07-11 16:18 - 00131180 ____A C:\Users\Jeff\Documents\EVEMon_Settings_3809.xml.bak

2012-07-08 12:06 - 2012-04-14 14:24 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-08 12:06 - 2011-05-31 08:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-07 13:36 - 2009-07-13 20:45 - 00016240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-07 13:36 - 2009-07-13 20:45 - 00016240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-07 08:34 - 2012-07-07 08:34 - 00000697 ____A C:\Users\Public\Desktop\The Secret World.lnk

2012-07-03 09:46 - 2011-01-10 15:44 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-15 16:29 - 2012-06-15 10:37 - 00000600 ____A C:\Users\Jeff\AppData\Local\PUTTY.RND

2012-06-15 04:36 - 2012-06-15 04:36 - 00000963 ____A C:\Users\Public\Desktop\PuTTY.lnk

2012-06-10 08:27 - 2012-06-10 08:28 - 00187876 ____A C:\Users\Jeff\Documents\EVEMon_Settings_3611.xml.bak

2012-06-02 14:19 - 2012-06-19 04:42 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-19 04:42 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-19 04:42 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:15 - 2012-06-19 04:42 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 11:19 - 2012-06-19 04:42 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-19 04:42 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-27 17:04 - 2012-05-27 17:04 - 00003102 ____A C:\Users\Jeff\Documents\Miner.xml

2012-05-20 04:46 - 2012-05-20 04:46 - 00000639 ____A C:\Users\Jeff\Desktop\EVE - Guaradar.lnk

2012-05-18 16:37 - 2012-05-18 16:37 - 00002378 ____A C:\Users\Jeff\Documents\MumbleAutomaticCertificateBackup.p12

2012-05-18 16:37 - 2012-05-18 16:37 - 00001014 ____A C:\Users\Public\Desktop\Mumble.lnk

2012-05-14 17:58 - 2012-05-14 17:47 - 00000911 ____A C:\Users\Public\Desktop\Diablo III.lnk

2012-05-13 08:10 - 2012-05-13 08:10 - 00000632 ____A C:\Users\Jeff\Desktop\EVE - Sadumon.lnk

2012-05-13 07:43 - 2009-12-23 19:30 - 00793898 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-05-12 13:54 - 2012-05-12 13:54 - 00001918 ____A C:\Users\Public\Desktop\DOSBox 0.74.lnk

2012-05-10 04:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-05-08 16:00 - 2012-05-08 16:00 - 00000963 ____A C:\Users\Public\Desktop\BitTorrent.lnk

2012-05-04 20:12 - 2011-01-31 20:01 - 00001945 ____A C:\Windows\epplauncher.mif

2012-05-03 03:48 - 2011-07-12 19:01 - 00001012 ____A C:\Users\Jeff\Desktop\Dropbox.lnk

2012-04-26 16:57 - 2012-04-26 16:57 - 00000953 ____A C:\Users\Jeff\Desktop\Guild Wars 2 Beta.lnk

ZeroAccess:

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\L

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\n

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\L\00000004.@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\L\1afb2d56

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\L\201d3dde

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\00000004.@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\00000008.@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\000000cb.@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\80000000.@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\80000032.@

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U\80000064.@

ZeroAccess:

C:\Users\Jeff\AppData\Local\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}

C:\Users\Jeff\AppData\Local\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\@

C:\Users\Jeff\AppData\Local\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\L

C:\Users\Jeff\AppData\Local\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 8%

Total physical RAM: 12283.48 MB

Available physical RAM: 11244.96 MB

Total Pagefile: 12281.63 MB

Available Pagefile: 11252.14 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.43 GB) (Free:5.14 GB) NTFS

2 Drive d: (Media) (Fixed) (Total:931.51 GB) (Free:343.71 GB) NTFS

3 Drive e: (Win Backup) (Fixed) (Total:931.51 GB) (Free:341.73 GB) NTFS

4 Drive f: (DATA) (Fixed) (Total:496.17 GB) (Free:150.07 GB) NTFS

5 Drive h: (BACKUP) (Fixed) (Total:100 GB) (Free:98.44 GB) NTFS

6 Drive i: (ASA_CD) (CDROM) (Total:0.42 GB) (Free:0 GB) UDF

8 Drive k: () (Removable) (Total:7.45 GB) (Free:0 GB) FAT32

9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

10 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 74 GB 0 B

Disk 1 Online 931 GB 0 B

Disk 2 Online 931 GB 1024 KB

Disk 3 Online 596 GB 0 B

Disk 4 No Media 0 B 0 B

Disk 5 Online 7633 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 74 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 74 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 931 GB 1024 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D Media NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 931 GB 1024 KB

==================================================================================

Disk: 2

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E Win Backup NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 3:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 496 GB 1024 KB

Partition 2 Primary 99 GB 496 GB

==================================================================================

Disk: 3

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 F DATA NTFS Partition 496 GB Healthy

==================================================================================

Disk: 3

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 H BACKUP NTFS Partition 99 GB Healthy

==================================================================================

Partitions of Disk 5:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 7633 MB 0 B

==================================================================================

Disk: 5

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-07-17 20:33

======================= End Of Log ==========================

And search.txt:

Farbar Recovery Scan Tool Version: 16-07-2012 02

Ran by SYSTEM at 2012-07-19 18:01:14

Running from K:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

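The entries FRST flagged above are the whole ZeroAccess footprint on this machine: a `{GUID}` directory with an `@` file plus `L` and `U` subdirectories under `C:\Windows\Installer` and under the user's `AppData\Local`, two `Desktop.ini` files dropped into `Windows\assembly\GAC_32` and `GAC_64`, and (in search.txt) an MD5 comparison of `System32\services.exe` against its copy in `winsxs`, because one ZeroAccess variant replaces that binary. The script below is an added example written for this page; it is not FRST, ComboFix or Malwarebytes code. It reproduces those checks against a root directory you pass in. The function names (`zeroaccess_dirs`, `gac_desktop_ini`, `services_exe_matches_store`, `triage`, `build_sample_tree`, `demo`) are mine, and `build_sample_tree` builds a constructed stand-in volume containing placeholder bytes only, so the example runs offline. As the log shows, FRST was run as SYSTEM from the recovery environment (K:\); on a live infected system the rootkit can hide or lock these paths, so point `triage()` at an offline-mounted volume rather than the running OS.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Directory name pattern from the log: {76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def _md5(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def zeroaccess_dirs(root: Path) -> List[Path]:
    """{GUID} directories holding an '@' file plus 'L' and 'U' subdirectories,
    searched under Windows\\Installer and every user's AppData\\Local (the two
    locations the log lists). A plain MSI cache entry has the GUID name only."""
    parents = [root / "Windows" / "Installer"]
    users = root / "Users"
    if users.is_dir():
        parents += [u / "AppData" / "Local" for u in users.iterdir() if u.is_dir()]
    hits = []
    for parent in parents:
        if not parent.is_dir():
            continue
        for d in parent.iterdir():
            if (d.is_dir() and GUID_DIR.match(d.name) and (d / "@").is_file()
                    and (d / "L").is_dir() and (d / "U").is_dir()):
                hits.append(d)
    return hits


def gac_desktop_ini(root: Path) -> List[Path]:
    """Desktop.ini dropped into Windows\\assembly\\GAC_32 and GAC_64 (the other two hits)."""
    base = root / "Windows" / "assembly"
    return [base / n / "Desktop.ini" for n in ("GAC_32", "GAC_64")
            if (base / n / "Desktop.ini").is_file()]


def services_exe_matches_store(root: Path) -> Optional[bool]:
    """Compare System32\\services.exe with the component-store copies in winsxs by MD5,
    which is what search.txt did. None means there was nothing to compare against."""
    live = root / "Windows" / "System32" / "services.exe"
    winsxs = root / "Windows" / "winsxs"
    if not live.is_file() or not winsxs.is_dir():
        return None
    store = [d / "services.exe" for d in winsxs.iterdir()
             if d.is_dir() and "servicecontroller" in d.name.lower()
             and (d / "services.exe").is_file()]
    if not store:
        return None
    live_md5 = _md5(live)
    return any(_md5(p) == live_md5 for p in store)


def triage(root: Path) -> Dict[str, object]:
    """Relative POSIX paths so the result reads the same on Windows and on a Linux mount."""
    rel = lambda p: p.relative_to(root).as_posix()
    return {
        "zeroaccess_dirs": sorted(rel(p) for p in zeroaccess_dirs(root)),
        "gac_desktop_ini": sorted(rel(p) for p in gac_desktop_ini(root)),
        "services_exe_ok": services_exe_matches_store(root),
    }


def build_sample_tree(root: Path, tamper_services: bool = False) -> Path:
    """Constructed sample volume reproducing the layout from the log; placeholder bytes only."""
    guid = "{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}"
    for base in (root / "Windows" / "Installer",
                 root / "Users" / "Jeff" / "AppData" / "Local"):
        (base / guid / "L").mkdir(parents=True)
        (base / guid / "U").mkdir()
        (base / guid / "@").write_bytes(b"placeholder")
        (base / guid / "U" / "00000008.@").write_bytes(b"placeholder")
    # A legitimate Windows Installer cache entry: GUID name, none of the @/L/U layout.
    (root / "Windows" / "Installer" / "{11111111-2222-3333-4444-555555555555}").mkdir()
    for n in ("GAC_32", "GAC_64"):
        (root / "Windows" / "assembly" / n).mkdir(parents=True)
        (root / "Windows" / "assembly" / n / "Desktop.ini").write_bytes(b"placeholder")
    clean = b"MZ placeholder for a clean services.exe"
    store = root / "Windows" / "winsxs" / "amd64_microsoft-windows-s..s-servicecontroller_x"
    store.mkdir(parents=True)
    (store / "services.exe").write_bytes(clean)
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Windows" / "System32" / "services.exe").write_bytes(
        b"MZ placeholder for a patched services.exe" if tamper_services else clean)
    return root


def demo(tamper_services: bool = False) -> Dict[str, object]:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp), tamper_services))
```

Calling `demo()` returns both `{GUID}` directories and both `Desktop.ini` hits with `services_exe_ok` set to True, and `demo(tamper_services=True)` flips that last value to False. The `@`/`L`/`U` test matters because `C:\Windows\Installer` is full of legitimate `{GUID}` directories (MSI cache entries); matching on the GUID name alone would produce false positives, which is why the sample tree includes one such benign entry.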

Not too bad......

OK, here you go......

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}
C:\Users\Jeff\AppData\Local\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 02

Ran by SYSTEM at 2012-07-19 18:26:28 Run:1

Running from K:\

==============================================

C:\Windows\Installer\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b} moved successfully.

C:\Users\Jeff\AppData\Local\{76fee3a9-ffb6-6b21-a035-3d9097d3cb4b} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====


Looks Good, lets run ComboFix to cleanup any other malware on the system......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Combofix.txt:

ComboFix 12-07-19.02 - Jeff 07/19/2012 18:33:21.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12283.9979 [GMT -4:00]

Running from: c:\users\Jeff\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk

c:\users\Jeff\g2mdlhlpx.exe

c:\users\Jeff\GoToAssistDownloadHelper.exe

D:\install.exe

F:\install.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))

.

.

2012-07-20 02:00 . 2012-07-20 02:00 -------- d-----w- C:\FRST

2012-07-08 20:17 . 2012-07-08 20:17 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-08 08:04 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CBD7AD3E-BA70-4BCC-8EEE-8DA39B3EAC81}\mpengine.dll

2012-07-07 16:34 . 2012-07-07 16:34 -------- d-----w- c:\programdata\media center programs

2012-07-07 12:57 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-04 12:57 . 2012-02-11 02:07 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{77E9D760-DA16-4DB8-AC45-D628BA00CF07}\gapaengine.dll

2012-06-24 21:16 . 2012-06-24 21:16 -------- d-----w- c:\users\Jeff\AppData\Local\Macromedia

2012-06-24 20:47 . 2012-06-24 20:47 -------- d-----w- c:\users\Public\New Folder

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-08 20:06 . 2012-04-14 22:24 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-08 20:06 . 2011-05-31 16:44 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-03 17:46 . 2011-01-10 23:44 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-02 22:19 . 2012-06-19 12:42 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-19 12:42 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-19 12:42 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:15 . 2012-06-19 12:42 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 19:19 . 2012-06-19 12:42 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-19 12:42 36864 ----a-w- c:\windows\system32\wuapp.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"VMware hqtray"="c:\program files (x86)\VMware\VMware Player\hqtray.exe" [2011-03-26 64112]

"tvncontrol"="c:\program files (x86)\TightVNC\tvnserver.exe" [2011-08-03 828944]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]

.

c:\users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Jeff\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-24 1207312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 arusb_lhx;Atheros 11n Wireless LAN device driver;c:\windows\system32\DRIVERS\arusb_lhx.sys [2008-09-30 553472]

R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys [2009-11-06 838136]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-10 113120]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-19 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 59744]

R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 313696]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2010-04-03 428384]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-19 834544]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]

S2 tvnserver;TightVNC Server;c:\program files (x86)\TightVNC\tvnserver.exe [2011-08-03 828944]

S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-03-26 81008]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-08-03 645048]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-04-06 11174400]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-04-06 343040]

S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-07-14 22408]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]

.

.

Contents of the 'Scheduled Tasks' folder

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Jeff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 4195848]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 2093064]

"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 415752]

"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-25 1833504]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-25 7883296]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

"combofix"="c:\combofix\CF30217.3XE" [2010-11-20 345088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files (x86)\VMware\VMware Player\vsocklib.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: leggmason.com\email

Trusted Zone: leggmasonemail.com\lm

Trusted Zone: lmaccess.com

Trusted Zone: permal.com\wmail

Trusted Zone: soe.com

Trusted Zone: sony.com

Trusted Zone: play.net\*

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F379B6A6-81A1-4AFD-B0B0-B1FF197491D5}: NameServer = 192.168.1.1,167.206.251.129

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://webvpn.skyhcm.com/CACHE/stc/2/binaries/vpnweb.cab

FF - ProfilePath - c:\users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\onjba3cj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com

.

.

------- File Associations -------

.

.txt=Notepad++_file

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-MsMpSvc

AddRemove-ESN Sonar-0.70.0 - c:\program files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe

AddRemove-Steam App 10180 - c:\program files (x86)\Steam\steam.exe

AddRemove-Steam App 10190 - c:\program files (x86)\Steam\steam.exe

AddRemove-Steam App 7670 - c:\program files (x86)\Steam\steam.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2139785191-2201416981-98182623-1001\Software\SecuROM\License information*]

"datasecu"=hex:76,63,fb,e0,fc,39,0d,9d,8b,f8,b8,a6,30,e6,73,d2,96,81,51,67,50,

cc,03,04,3a,fc,d8,22,04,a4,d4,20,45,ab,64,3f,e8,35,2d,c2,25,79,05,bb,e7,2f,\

"rkeysecu"=hex:7d,40,10,cb,c7,39,e0,67,0a,69,a8,47,07,da,5b,5c

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\users\Jeff\AppData\Local\TVersity\Media Server\MediaServer.exe

c:\windows\SysWOW64\vmnat.exe

c:\program files (x86)\VMware\VMware Player\vmware-authd.exe

c:\windows\SysWOW64\vmnetdhcp.exe

.

**************************************************************************

.

Completion time: 2012-07-19 20:21:24 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-20 00:21

.

Pre-Run: 6,445,752,320 bytes free

Post-Run: 6,924,988,416 bytes free

.

- - End Of File - - C010D0C7C1040A3D1F63F7AD39602918


All clean!

Thank you so much for your help. I actually didn't notice anything at first -- it was only when I was trying to do an nslookup on a server at work that I noticed an issue. Then I noticed my A/V software was nowhere to be found. Everything is back up and running. I did some research on ZeroAccess and I'm pretty sure I fell for the Flash Player install method of installing. As an IT person, I'm a bit embarrassed that I fell for it.

Anyway, thanks again for the help.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.19.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Jeff :: KAZEN7 [administrator]

7/19/2012 8:37:45 PM

mbam-log-2012-07-19 (20-37-45).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 201065

Time elapsed: 1 minute(s), 3 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Great!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
