Jump to content

Virus/troja/malware persistence?


Recommended Posts

I am currently having this issue with this virus/trojan/malware that is affecting my surfing experience. One example is whenever I click on an organic link generated by google search, it leads me to random websites. Another more serious problem is the random popup of webpages to different websites and sometimes even to porn related sites as well. This is more of a problem for me because I have minors using the same web browser and they were exposed to sexually explicit pictures. I have an pro version of the Malwarebytes client and I perform full scans every time. However the viruses/trojans persist even after restart of the computer. I updated the database version to v2012.07.21.09. After each full scan, Malwarebytes detects the infected objects and I proceed to delete them but they seem to reappear shortly after a reboot. Please help!

Here is the DDS:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.3.1

Run by lol at 13:16:18 on 2012-07-24

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8172.6475 [GMT -4:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Windows\system32\Dwm.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\Explorer.EXE

C:\Program Files\TENCENT\AddrUpdate\AddrUpdate.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Logitech\Vid HD\Vid.exe

C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

A:\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

A:\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Users\lol\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LULnchr.exe

C:\Users\lol\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\AIM\aim.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\taskhost.exe

"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mDefault_Page_URL = hxxp://http://www.yahoo.com/?ilc=8.yahoo.com

mStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: SteadyVideoBHO Class: {6c680bae-655c-4e3d-8fc4-e6a520c3d928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: QQ?????????: {7c260b4b-f7a0-40b5-b403-befcdc6a4c3b} - C:\Program Files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSWebMon.dat

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll

TB: {65F8A3D2-4C22-4A33-9633-73167EAEEC45} - No File

TB: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File

uRun: [Logitech Vid] "C:\Program Files (x86)\Logitech\Vid HD\Vid.exe" -bootmode

uRun: [QQ2009] "A:\Bin\QQ.exe" /background

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [RaidCall] C:\Program Files (x86)\raidcall\raidcall.exe

mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "A:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AMLDEV~1.LNK - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: qq.com\cache.tv

Trusted Zone: qq.com\qqlivecaption

Trusted Zone: qq.com\qqlivehabit

Trusted Zone: qq.com\qqlivesearch

Trusted Zone: qq.com\video_1

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{69F9D82D-6952-454E-99D0-A87E8A21FD53} : DhcpNameServer = 192.168.1.1

Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll

BHO-X64: AMD SteadyVideo BHO - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: QQ?????????: {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} - C:\Program Files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSWebMon.dat

BHO-X64: QMWSBho - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll

TB-X64: {65F8A3D2-4C22-4A33-9633-73167EAEEC45} - No File

TB-X64: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [RaidCall] C:\Program Files (x86)\raidcall\raidcall.exe

mRun-x64: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "A:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\lol\AppData\Roaming\Mozilla\Firefox\Profiles\3m4fwu3a.default\

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.110.0\npesnlaunch.dll

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll

FF - plugin: C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll

FF - plugin: C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.38\Bin\npSSOAxCtrlForPTLogin.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\program files (x86)\kingsoft\kingsoft antivirus\npkvip.dll

FF - plugin: c:\program files (x86)\kingsoft\kingsoft antivirus\npkws.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll

FF - plugin: C:\Program Files (x86)\Tencent\Qzone\npQQPhotoDrawEx.dll

FF - plugin: C:\Windows\system32\npdeployJava1.dll

FF - plugin: C:\Windows\system32\npmproxy.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-2-14 361984]

R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-1-3 55936]

R2 ARUpdate;Tencent SOSO Update Service;C:\Program Files\TENCENT\AddrUpdate\AddrUpdate.exe [2012-3-17 116088]

R2 MBAMService;MBAMService;A:\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-20 655944]

R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-8-19 450848]

R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\system32\DRIVERS\asmthub3.sys --> C:\Windows\system32\DRIVERS\asmthub3.sys [?]

R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\system32\DRIVERS\asmtxhci.sys --> C:\Windows\system32\DRIVERS\asmtxhci.sys [?]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

R3 CompFilter64;UVCCompositeFilter;C:\Windows\system32\DRIVERS\lvbflt64.sys --> C:\Windows\system32\DRIVERS\lvbflt64.sys [?]

R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]

R3 LVUVC64;Logitech HD Webcam C615(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

RUnknown QQSysMonX64;QQSysMonX64; [x]

RUnknown TCSafeBox;TCSafeBox; [x]

RUnknown TSCPM;TSCPM; [x]

S2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-1-3 55936]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-21 136176]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-14 160944]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-21 136176]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-21 113120]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

SUnknown TSKSP;TSKSP; [x]

SUnknown TSSysKit;TSSysKit; [x]

.

=============== File Associations ===============

.

chm.file="hh.exe" %1

inifile=C:\Windows\SysWow64\NOTEPAD.EXE %1

txtfile=C:\Windows\notepad.exe %1

.

=============== Created Last 30 ================

.

2012-07-24 03:34:42 -------- d-----w- C:\Users\lol\AppData\Local\{4398C195-F803-4306-8C34-E9C860A3CE1A}

2012-07-24 03:34:32 -------- d-----w- C:\Users\lol\AppData\Local\{62D5682B-BCBA-4E15-8D38-6538261FD455}

2012-07-23 12:12:34 -------- d-----w- C:\Users\lol\AppData\Local\{2BA22C3B-2D6A-4A91-BAF9-42FFD0064960}

2012-07-22 13:12:23 -------- d-----w- C:\Windows\SysWow64\Tencent

2012-07-21 21:18:34 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-07-21 13:08:38 -------- d-----w- C:\Users\lol\AppData\Local\{73D34FF2-263D-4ACD-91FA-245CD4F24112}

2012-07-21 13:08:28 -------- d-----w- C:\Users\lol\AppData\Local\{220A9D16-3BFB-4015-B125-A3F6C9609A80}

2012-07-20 13:54:47 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{15E5E733-4DE7-4736-A912-0D15AA69F093}\mpengine.dll

2012-07-20 13:50:47 -------- d-----w- C:\Users\lol\AppData\Local\{7E934F1D-B875-4320-B4F6-5C42A3D7BEB0}

2012-07-20 13:50:26 -------- d-----w- C:\Users\lol\AppData\Local\{99A65BA2-7C28-4A4A-8F6E-BF3A5B3B3BC9}

2012-07-19 13:54:10 -------- d-----w- C:\Users\lol\AppData\Local\{C212BCF9-274F-4312-991E-55B26EC0CE3C}

2012-07-19 13:54:00 -------- d-----w- C:\Users\lol\AppData\Local\{F3594E50-16CB-437E-90A1-B585EF33775A}

2012-07-18 12:38:17 -------- d-----w- C:\Users\lol\AppData\Local\{3CFE3603-B389-43F5-9AEF-E380EF71042A}

2012-07-18 12:38:07 -------- d-----w- C:\Users\lol\AppData\Local\{54A84644-B74E-46A0-A4ED-9BA79A2AE149}

2012-07-17 20:56:08 -------- d-----w- C:\Users\lol\AppData\Local\{C2AD5489-D199-48A5-9987-05265A09B6EB}

2012-07-17 20:55:58 -------- d-----w- C:\Users\lol\AppData\Local\{58F5ED5F-4726-436D-AA4C-562C3832CEBE}

2012-07-17 05:19:18 -------- d-----w- C:\Users\lol\AppData\Local\{7BBF0214-E8DD-4825-BE6A-AA4E426D0C1A}

2012-07-17 05:19:08 -------- d-----w- C:\Users\lol\AppData\Local\{3C9A1408-7536-44C8-B10E-C3A3BAF46852}

2012-07-16 03:25:43 -------- d-----w- C:\Users\lol\AppData\Local\{FB5FD210-B4FE-4348-9DD2-B3999D17D851}

2012-07-16 03:25:34 -------- d-----w- C:\Users\lol\AppData\Local\{6B0A9284-0CC5-489B-ABD6-8DDCEFA0794A}

2012-07-15 13:08:09 -------- d-----w- C:\Users\lol\AppData\Local\{03C8B09F-4102-45AB-B620-FC0EFFF2BA4F}

2012-07-15 13:08:00 -------- d-----w- C:\Users\lol\AppData\Local\{D839106B-CA98-416D-B754-F0C3C01064AE}

2012-07-14 15:41:30 -------- d-----w- C:\Users\lol\AppData\Local\{9B1F8377-05FD-440F-887B-F6C68C930237}

2012-07-14 15:41:20 -------- d-----w- C:\Users\lol\AppData\Local\{E5E5B48B-7608-45CF-B9B5-0D108B76E7AD}

2012-07-13 11:35:07 -------- d-----w- C:\Users\lol\AppData\Local\{780F55A9-7A36-4899-83B0-2108A014D14A}

2012-07-13 11:34:58 -------- d-----w- C:\Users\lol\AppData\Local\{6DAFDF69-40DF-486E-939A-06E44C109DF7}

2012-07-12 06:17:01 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-11 12:25:00 -------- d-----w- C:\Users\lol\AppData\Local\{3785A70D-D5F5-44DE-AAEC-1835BD61A10A}

2012-07-11 12:24:51 -------- d-----w- C:\Users\lol\AppData\Local\{188BABC1-2A2A-480D-996B-4BE49CAB8D08}

2012-07-10 12:09:16 -------- d-----w- C:\Users\lol\AppData\Local\{C2F2F862-124A-4683-8E06-B2491CFE7ECC}

2012-07-10 12:09:07 -------- d-----w- C:\Users\lol\AppData\Local\{36A610A3-E5E0-4338-8AD3-573D7885501E}

2012-07-09 18:47:45 -------- d-----w- C:\Users\lol\AppData\Local\{31744407-C951-4A57-80E1-4C318E20D11F}

2012-07-09 18:47:35 -------- d-----w- C:\Users\lol\AppData\Local\{7DF18B33-B8E3-4E9B-AB92-F00B036438E6}

2012-07-08 12:59:25 -------- d-----w- C:\Users\lol\AppData\Local\{EE87B86A-4E81-4CB1-9E0A-097A55A34FC0}

2012-07-08 12:59:16 -------- d-----w- C:\Users\lol\AppData\Local\{C310EFA6-D36F-4B8A-A5E3-7AC8CDB13518}

2012-07-07 13:04:09 -------- d-----w- C:\Users\lol\AppData\Local\{7E7D975B-1A2E-45CC-89DA-1A6FC2FB29A1}

2012-07-07 13:04:00 -------- d-----w- C:\Users\lol\AppData\Local\{8513DB0D-A5E2-44E8-A249-914E9A094E9B}

2012-07-07 03:47:11 -------- d-----w- C:\Program Files (x86)\Yahoo!

2012-07-06 12:46:42 -------- d-----w- C:\Users\lol\AppData\Local\{8813D9C1-341A-45BC-86A2-7EDABE43FA17}

2012-07-06 12:46:32 -------- d-----w- C:\Users\lol\AppData\Local\{3164C2CC-215F-4AE8-B074-02D7E7575373}

2012-07-06 03:52:12 -------- d-----w- C:\Users\lol\AppData\Roaming\Wandoujia2

2012-07-05 13:30:24 -------- d-----w- C:\Users\lol\AppData\Local\{E8B92B5A-7BF1-4545-A3B8-4E0AA8AE9EC2}

2012-07-05 13:30:14 -------- d-----w- C:\Users\lol\AppData\Local\{F528E688-D869-4E2F-9CEF-019E55CA340E}

2012-07-04 12:47:36 -------- d-----w- C:\Users\lol\AppData\Local\{4D380753-49DF-4A03-AE41-8B65648AA0D9}

2012-07-04 12:47:27 -------- d-----w- C:\Users\lol\AppData\Local\{68F2E894-F1EE-4879-B6C0-B7D641D8CC61}

2012-07-03 13:23:45 -------- d-----w- C:\Users\lol\AppData\Local\{3A2F006A-FED1-43A0-9214-5CFBB81F47D8}

2012-07-03 13:23:36 -------- d-----w- C:\Users\lol\AppData\Local\{F2C3AB03-45D8-4739-8398-4BE3D5447BAE}

2012-07-03 01:07:55 -------- d-----w- C:\Users\lol\AppData\Local\{91508F88-5B36-444A-9440-A6DCE83F5509}

2012-07-03 01:07:45 -------- d-----w- C:\Users\lol\AppData\Local\{4D25F4E3-BB7C-4020-81E0-90ED59B8B27A}

2012-07-02 06:13:15 -------- d-----w- C:\Users\lol\AppData\Local\{E05F5329-0F3D-4BEA-BC69-645CA04FACC3}

2012-07-02 06:13:06 -------- d-----w- C:\Users\lol\AppData\Local\{6805996A-A3A2-4873-A4B9-8940150DC52D}

2012-07-01 11:54:39 -------- d-----w- C:\Users\lol\AppData\Local\{AE38552D-E8EE-4ABE-B690-AC076F00ABEE}

2012-07-01 11:54:30 -------- d-----w- C:\Users\lol\AppData\Local\{3F67CFA1-BE1E-4468-A38A-7486C8AB8EF0}

2012-06-30 23:20:28 -------- d-----w- C:\Users\lol\AppData\Local\{991CBB33-0CE4-4251-B053-2EF968E46EA1}

2012-06-30 23:20:18 -------- d-----w- C:\Users\lol\AppData\Local\{6A1BC01F-ADE1-4AB0-8D1F-260D185EE4CF}

2012-06-30 11:04:30 -------- d-----w- C:\Users\lol\AppData\Local\{62176D9D-7302-4FCA-88CB-21941BAE8D3D}

2012-06-30 11:04:21 -------- d-----w- C:\Users\lol\AppData\Local\{1685F2EF-FA29-46AC-95B8-3198BA5A04D0}

2012-06-29 12:57:41 -------- d-----w- C:\Users\lol\AppData\Local\{C0DDF930-167E-4306-941E-DFA87F430870}

2012-06-29 12:57:32 -------- d-----w- C:\Users\lol\AppData\Local\{18E5D35B-EC2B-4264-A8A3-C7FEFEB14276}

2012-06-28 13:13:36 -------- d-----w- C:\Users\lol\AppData\Local\{0F8B43E4-6DF3-49F7-AEB3-7F85ACCB288E}

2012-06-28 13:13:26 -------- d-----w- C:\Users\lol\AppData\Local\{40FD2239-3E4F-4B54-8E24-A9F62A70E2DB}

2012-06-27 14:55:06 -------- d-----w- C:\Users\lol\AppData\Local\{9240DF54-4D14-46AA-BFD2-9A7BF3F7A809}

2012-06-27 14:54:57 -------- d-----w- C:\Users\lol\AppData\Local\{AB98F9B6-7D7F-4716-86F6-C2A8643B3F36}

2012-06-26 12:45:55 -------- d-----w- C:\Users\lol\AppData\Local\{2BD65CCB-FB47-4D8A-9F8E-F69766959A9A}

2012-06-26 12:45:46 -------- d-----w- C:\Users\lol\AppData\Local\{2F474810-30E5-4FA0-901E-11CE07B21308}

2012-06-25 13:13:29 -------- d-----w- C:\Users\lol\AppData\Local\{C329F69D-1E84-4845-A80E-63811A4DD16F}

2012-06-25 13:13:20 -------- d-----w- C:\Users\lol\AppData\Local\{6091204F-CE70-44FD-9F70-FF93BE2B8EF6}

.

==================== Find3M ====================

.

2012-07-21 21:12:06 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-21 21:12:06 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-03 17:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-06-01 00:41:31 2829 ----a-w- C:\Windows\War3Unin.pif

2012-06-01 00:41:31 126976 ----a-w- C:\Windows\War3Unin.exe

2012-05-31 16:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe

2012-05-24 03:34:11 175616 ----a-w- C:\Windows\System32\msclmd.dll

2012-05-24 03:34:11 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll

2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll

2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

.

============= FINISH: 13:16:36.76 ===============

And here is the Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 12/8/2011 3:07:59 AM

System Uptime: 7/24/2012 8:29:13 AM (5 hours ago)

.

Motherboard: ASRock | | 970 Extreme4

Processor: AMD FX-4100 Quad-Core Processor | CPUSocket | 3600/200mhz

.

==== Disk Partitions =========================

.

A: is FIXED (NTFS) - 466 GiB total, 89.6 GiB free.

C: is FIXED (NTFS) - 112 GiB total, 9.543 GiB free.

D: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP229: 7/21/2012 10:25:15 PM - Scheduled Checkpoint

RP230: 7/22/2012 1:50:33 AM - Windows Update

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

??QQ2011

µTorrent

ËÑË÷¸üзþÎÑ

СÃÉÌÑ

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.3)

AIM 7

AMD VISION Engine Control Center

Apple Application Support

Apple Software Update

Asmedia ASM104x USB 3.0 Host Controller Driver

Audacity 2.0

Battlelog Web Plugins

Call of Duty: Black Ops

Call of Duty: Modern Warfare 3 - Multiplayer

CameraHelperMsi

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Counter-Strike: Source

Crysis Wars

D3DX10

Diablo III

Download Updater (AOL LLC)

DYNA Font

erLT

ESN Sonar

Google Earth

Google Update Helper

IEËÑË÷ÖúÊÖ

Java Auto Updater

Java 7 Update 3

JavaFX 2.0.3

Left 4 Dead 2

Logitech Vid HD

Logitech Webcam Software

LWS Facebook

LWS Gallery

LWS Help_main

LWS Launcher

LWS Motion Detection

LWS Pictures And Video

LWS Twitter

LWS Video Mask Maker

LWS Webcam Software

LWS WLM Plugin

LWS YouTube Plugin

Malwarebytes Anti-Malware version 1.62.0.1300

Media Player Classic - Home Cinema 1.6.0.4014

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 14.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

Origin

PCSX2 - Playstation 2 Emulator

Portal 2

PunkBuster Services

Realtek Ethernet Controller Driver

Realtek High Definition Audio Driver

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Skype™ 5.10

StarCraft II

Steam

Team Fortress 2

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition

Warcraft III

Warhammer® 40,000®: Dawn of War® II – Retribution™

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Messenger

Windows Live Photo Common

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Movie Maker 2.6

WinRAR 4.11 (32-bit)

Yahoo! Messenger

.

==== Event Viewer Messages From Past Week ========

.

7/24/2012 8:29:30 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

7/24/2012 8:29:28 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TsFltMgr

7/24/2012 8:29:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

7/24/2012 8:29:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

7/24/2012 8:29:28 AM, Error: Service Control Manager [7000] - The AODDriver4.1 service failed to start due to the following error: The system cannot find the file specified.

7/24/2012 8:29:20 AM, Error: Application Popup [1060] - \??\C:\Program Files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSSysKi has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

7/24/2012 8:29:20 AM, Error: Application Popup [1060] - \??\C:\Program Files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSKsp.s has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

7/24/2012 1:14:04 PM, Error: Service Control Manager [7034] - The QQPCMgr RTP Service service terminated unexpectedly. It has done this 1 time(s).

7/24/2012 1:11:49 PM, Error: Service Control Manager [7034] - The Kingsoft Core Service service terminated unexpectedly. It has done this 1 time(s).

7/22/2012 4:25:49 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

7/22/2012 1:50:40 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2667402).

7/21/2012 9:56:14 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

7/20/2012 1:00:39 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user lol-PC\lol SID (S-1-5-21-3459819790-3698481863-3427404965-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

.

==== End Of File ===========================

Link to post
Share on other sites

Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

----------------------------------------

Then........

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Link to post
Share on other sites

I closed my uTorrent application and ran RogueKiller as you said and here is the report:

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: lol [Admin rights]

Mode: Scan -- Date: 07/24/2012 14:16:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\lol\appdata\local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\lol\appdata\local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\lol\appdata\local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721050CLA362 ATA Device +++++

--- User ---

[MBR] ceaf6fdf0b5b5c25820a4ccffcb7070b

[bSP] 23ad5a5cc00b9688cd84c9c6cebc9194 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476837 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: OCZ-AGILITY3 ATA Device +++++

--- User ---

[MBR] 24638dee11e0dc6b9eff63ad80302d26

[bSP] 5f9ddeac9baa8becba41d25d2a4b1e33 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

Link to post
Share on other sites

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

services.exe

[*]Now press the Search button

[*]When the search is complete, search.txt will also be written to your USB

[*]Type exit and reboot the computer normally

[*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

Link to post
Share on other sites

Nevermind, this time F8 did work. However, when I tried to load FRST from my external harddrive via the cmd prompt, it said that it's not recognized as an internal or external command, operable program, or batch file. I'm sure I saved the frst to my external. Right-click "save link as" right?

Link to post
Share on other sites

Got it! Here's the frst.txt:

Scan result of Farbar Recovery Scan Tool Version: 24-07-2012 01

Ran by SYSTEM at 24-07-2012 17:11:37

Running from G:\

Windows 7 Ultimate (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11855976 2011-05-18] (Realtek Semiconductor)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [RaidCall] C:\Program Files (x86)\raidcall\raidcall.exe [x]

HKLM-x32\...\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-08-12] (Logitech Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [636032 2012-02-14] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "A:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [x]

HKU\lol\...\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Vid HD\Vid.exe" -bootmode [6129496 2011-01-12] (Logitech Inc.)

HKU\lol\...\Run: [QQ2009] "A:\Bin\QQ.exe" /background [x]

HKU\lol\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)

HKU\lol\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\AML Device Install.lnk

ShortcutTarget: AML Device Install.lnk -> C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe ()

==================== Services (Whitelisted) ======

2 ARUpdate; C:\Program Files\TENCENT\AddrUpdate\AddrUpdate.exe /Service [116088 2012-03-16] (Tencent)

2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-01-03] ()

2 MBAMService; "A:\Malwarebytes' Anti-Malware\mbamservice.exe" [x]

========================== Drivers (Whitelisted) =============

2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2012-01-03] (Advanced Micro Devices)

2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2012-01-03] (Advanced Micro Devices)

3 CompFilter64; C:\Windows\System32\DRIVERS\lvbflt64.sys [25632 2011-08-19] (Logitech Inc.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)

3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]

3 TcHardWare; \??\C:\Program Files (x86)\Tencent\QQPCMgr\6.8.2386.401\QQPCHW-x64.sys [x]

3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-24 11:48 - 2012-07-24 12:02 - 00001908 ____A C:\Windows\diagerr.xml

2012-07-24 11:39 - 2012-07-24 11:39 - 00000000 ____D C:\Users\lol\AppData\Local\{A559FB8F-74CA-4EA8-9EFB-4E2855815EC3}

2012-07-24 11:39 - 2012-07-24 11:39 - 00000000 ____D C:\Users\lol\AppData\Local\{1BC1E592-8E64-475B-94EB-3CF4FF32DADF}

2012-07-24 11:25 - 2012-07-24 17:09 - 00000000 ____D C:\FRST

2012-07-24 11:23 - 2012-07-24 11:23 - 01438203 ____A (Farbar) C:\Users\lol\Downloads\FRST64.exe

2012-07-24 10:16 - 2012-07-24 10:16 - 00002437 ____A C:\Users\lol\Desktop\RKreport[2].txt

2012-07-24 10:14 - 2012-07-24 10:14 - 01552384 ____A C:\Users\lol\Downloads\RogueKiller.exe

2012-07-24 10:14 - 2012-07-24 10:14 - 00002693 ____A C:\Users\lol\Desktop\RKreport[1].txt

2012-07-24 10:14 - 2012-07-24 10:14 - 00000000 ____D C:\Users\lol\Desktop\RK_Quarantine

2012-07-24 09:17 - 2012-07-24 09:17 - 00024855 ____A C:\Users\lol\Desktop\DDS.txt

2012-07-24 09:17 - 2012-07-24 09:17 - 00009657 ____A C:\Users\lol\Desktop\Attach.txt

2012-07-24 09:05 - 2012-07-24 09:05 - 00607260 ____R (Swearware) C:\Users\lol\Downloads\dds.scr

2012-07-23 19:34 - 2012-07-23 19:34 - 00000000 ____D C:\Users\lol\AppData\Local\{62D5682B-BCBA-4E15-8D38-6538261FD455}

2012-07-23 19:34 - 2012-07-23 19:34 - 00000000 ____D C:\Users\lol\AppData\Local\{4398C195-F803-4306-8C34-E9C860A3CE1A}

2012-07-23 04:12 - 2012-07-23 04:12 - 00000000 ____D C:\Users\lol\AppData\Local\{2BA22C3B-2D6A-4A91-BAF9-42FFD0064960}

2012-07-22 05:12 - 2012-07-22 05:12 - 00000000 ____D C:\Windows\SysWOW64\Tencent

2012-07-21 21:34 - 2012-07-21 21:34 - 00001447 ____A C:\Users\lol\Desktop\Internet Explorer.lnk

2012-07-21 19:12 - 2012-07-21 19:12 - 00001134 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-07-21 19:12 - 2012-07-21 19:12 - 00000000 ____D C:\Users\lol\AppData\Roaming\Mozilla

2012-07-21 19:12 - 2012-07-21 19:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-07-21 13:18 - 2012-07-21 13:18 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-21 05:08 - 2012-07-21 05:08 - 00000000 ____D C:\Users\lol\AppData\Local\{73D34FF2-263D-4ACD-91FA-245CD4F24112}

2012-07-21 05:08 - 2012-07-21 05:08 - 00000000 ____D C:\Users\lol\AppData\Local\{220A9D16-3BFB-4015-B125-A3F6C9609A80}

2012-07-20 05:50 - 2012-07-20 05:50 - 00000000 ____D C:\Users\lol\AppData\Local\{99A65BA2-7C28-4A4A-8F6E-BF3A5B3B3BC9}

2012-07-20 05:50 - 2012-07-20 05:50 - 00000000 ____D C:\Users\lol\AppData\Local\{7E934F1D-B875-4320-B4F6-5C42A3D7BEB0}

2012-07-19 05:54 - 2012-07-19 05:54 - 00000000 ____D C:\Users\lol\AppData\Local\{F3594E50-16CB-437E-90A1-B585EF33775A}

2012-07-19 05:54 - 2012-07-19 05:54 - 00000000 ____D C:\Users\lol\AppData\Local\{C212BCF9-274F-4312-991E-55B26EC0CE3C}

2012-07-18 04:38 - 2012-07-18 04:38 - 00000000 ____D C:\Users\lol\AppData\Local\{54A84644-B74E-46A0-A4ED-9BA79A2AE149}

2012-07-18 04:38 - 2012-07-18 04:38 - 00000000 ____D C:\Users\lol\AppData\Local\{3CFE3603-B389-43F5-9AEF-E380EF71042A}

2012-07-17 12:56 - 2012-07-17 12:56 - 00000000 ____D C:\Users\lol\AppData\Local\{C2AD5489-D199-48A5-9987-05265A09B6EB}

2012-07-17 12:55 - 2012-07-17 12:56 - 00000000 ____D C:\Users\lol\AppData\Local\{58F5ED5F-4726-436D-AA4C-562C3832CEBE}

2012-07-16 21:19 - 2012-07-16 21:19 - 00000000 ____D C:\Users\lol\AppData\Local\{7BBF0214-E8DD-4825-BE6A-AA4E426D0C1A}

2012-07-16 21:19 - 2012-07-16 21:19 - 00000000 ____D C:\Users\lol\AppData\Local\{3C9A1408-7536-44C8-B10E-C3A3BAF46852}

2012-07-15 19:25 - 2012-07-15 19:25 - 00000000 ____D C:\Users\lol\AppData\Local\{FB5FD210-B4FE-4348-9DD2-B3999D17D851}

2012-07-15 19:25 - 2012-07-15 19:25 - 00000000 ____D C:\Users\lol\AppData\Local\{6B0A9284-0CC5-489B-ABD6-8DDCEFA0794A}

2012-07-15 05:08 - 2012-07-15 05:08 - 00000000 ____D C:\Users\lol\AppData\Local\{D839106B-CA98-416D-B754-F0C3C01064AE}

2012-07-15 05:08 - 2012-07-15 05:08 - 00000000 ____D C:\Users\lol\AppData\Local\{03C8B09F-4102-45AB-B620-FC0EFFF2BA4F}

2012-07-14 07:41 - 2012-07-14 07:41 - 00000000 ____D C:\Users\lol\AppData\Local\{E5E5B48B-7608-45CF-B9B5-0D108B76E7AD}

2012-07-14 07:41 - 2012-07-14 07:41 - 00000000 ____D C:\Users\lol\AppData\Local\{9B1F8377-05FD-440F-887B-F6C68C930237}

2012-07-13 03:35 - 2012-07-13 03:35 - 00000000 ____D C:\Users\lol\AppData\Local\{780F55A9-7A36-4899-83B0-2108A014D14A}

2012-07-13 03:34 - 2012-07-13 03:35 - 00000000 ____D C:\Users\lol\AppData\Local\{6DAFDF69-40DF-486E-939A-06E44C109DF7}

2012-07-11 22:17 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-11 04:30 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-11 04:30 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-11 04:30 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-11 04:30 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-11 04:30 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-07-11 04:30 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-11 04:30 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-11 04:30 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-07-11 04:30 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-11 04:30 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-11 04:30 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-11 04:30 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-11 04:30 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-11 04:30 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-11 04:30 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-11 04:30 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-11 04:30 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-11 04:30 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-07-11 04:30 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-07-11 04:30 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-07-11 04:30 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-07-11 04:30 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-07-11 04:30 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-07-11 04:30 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

2012-07-11 04:30 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll

2012-07-11 04:25 - 2012-07-11 04:25 - 00000000 ____D C:\Users\lol\AppData\Local\{3785A70D-D5F5-44DE-AAEC-1835BD61A10A}

2012-07-11 04:24 - 2012-07-11 04:25 - 00000000 ____D C:\Users\lol\AppData\Local\{188BABC1-2A2A-480D-996B-4BE49CAB8D08}

2012-07-10 04:09 - 2012-07-10 04:09 - 00000000 ____D C:\Users\lol\AppData\Local\{C2F2F862-124A-4683-8E06-B2491CFE7ECC}

2012-07-10 04:09 - 2012-07-10 04:09 - 00000000 ____D C:\Users\lol\AppData\Local\{36A610A3-E5E0-4338-8AD3-573D7885501E}

2012-07-09 10:47 - 2012-07-09 10:47 - 00000000 ____D C:\Users\lol\AppData\Local\{7DF18B33-B8E3-4E9B-AB92-F00B036438E6}

2012-07-09 10:47 - 2012-07-09 10:47 - 00000000 ____D C:\Users\lol\AppData\Local\{31744407-C951-4A57-80E1-4C318E20D11F}

2012-07-08 04:59 - 2012-07-08 04:59 - 00000000 ____D C:\Users\lol\AppData\Local\{EE87B86A-4E81-4CB1-9E0A-097A55A34FC0}

2012-07-08 04:59 - 2012-07-08 04:59 - 00000000 ____D C:\Users\lol\AppData\Local\{C310EFA6-D36F-4B8A-A5E3-7AC8CDB13518}

2012-07-07 05:04 - 2012-07-07 05:04 - 00000000 ____D C:\Users\lol\AppData\Local\{8513DB0D-A5E2-44E8-A249-914E9A094E9B}

2012-07-07 05:04 - 2012-07-07 05:04 - 00000000 ____D C:\Users\lol\AppData\Local\{7E7D975B-1A2E-45CC-89DA-1A6FC2FB29A1}

2012-07-06 19:48 - 2012-07-24 09:15 - 00000000 ____D C:\Users\All Users\Yahoo!

2012-07-06 19:48 - 2012-07-06 19:48 - 00001141 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk

2012-07-06 19:47 - 2012-07-24 11:35 - 00000000 ____D C:\Program Files (x86)\Yahoo!

2012-07-06 19:46 - 2012-07-06 19:46 - 00439704 ____A (Yahoo! Inc.) C:\Users\lol\Downloads\msgr11us.exe

2012-07-06 04:46 - 2012-07-06 04:46 - 00000000 ____D C:\Users\lol\AppData\Local\{8813D9C1-341A-45BC-86A2-7EDABE43FA17}

2012-07-06 04:46 - 2012-07-06 04:46 - 00000000 ____D C:\Users\lol\AppData\Local\{3164C2CC-215F-4AE8-B074-02D7E7575373}

2012-07-05 19:52 - 2012-07-05 19:52 - 00000000 ____D C:\Users\lol\AppData\Roaming\Wandoujia2

2012-07-05 05:30 - 2012-07-05 05:30 - 00000000 ____D C:\Users\lol\AppData\Local\{F528E688-D869-4E2F-9CEF-019E55CA340E}

2012-07-05 05:30 - 2012-07-05 05:30 - 00000000 ____D C:\Users\lol\AppData\Local\{E8B92B5A-7BF1-4545-A3B8-4E0AA8AE9EC2}

2012-07-04 04:47 - 2012-07-04 04:47 - 00000000 ____D C:\Users\lol\AppData\Local\{68F2E894-F1EE-4879-B6C0-B7D641D8CC61}

2012-07-04 04:47 - 2012-07-04 04:47 - 00000000 ____D C:\Users\lol\AppData\Local\{4D380753-49DF-4A03-AE41-8B65648AA0D9}

2012-07-03 05:23 - 2012-07-03 05:23 - 00000000 ____D C:\Users\lol\AppData\Local\{F2C3AB03-45D8-4739-8398-4BE3D5447BAE}

2012-07-03 05:23 - 2012-07-03 05:23 - 00000000 ____D C:\Users\lol\AppData\Local\{3A2F006A-FED1-43A0-9214-5CFBB81F47D8}

2012-07-02 17:07 - 2012-07-02 17:08 - 00000000 ____D C:\Users\lol\AppData\Local\{91508F88-5B36-444A-9440-A6DCE83F5509}

2012-07-02 17:07 - 2012-07-02 17:07 - 00000000 ____D C:\Users\lol\AppData\Local\{4D25F4E3-BB7C-4020-81E0-90ED59B8B27A}

2012-07-01 22:13 - 2012-07-01 22:13 - 00000000 ____D C:\Users\lol\AppData\Local\{E05F5329-0F3D-4BEA-BC69-645CA04FACC3}

2012-07-01 22:13 - 2012-07-01 22:13 - 00000000 ____D C:\Users\lol\AppData\Local\{6805996A-A3A2-4873-A4B9-8940150DC52D}

2012-07-01 03:54 - 2012-07-01 03:54 - 00000000 ____D C:\Users\lol\AppData\Local\{AE38552D-E8EE-4ABE-B690-AC076F00ABEE}

2012-07-01 03:54 - 2012-07-01 03:54 - 00000000 ____D C:\Users\lol\AppData\Local\{3F67CFA1-BE1E-4468-A38A-7486C8AB8EF0}

2012-06-30 15:20 - 2012-06-30 15:20 - 00000000 ____D C:\Users\lol\AppData\Local\{991CBB33-0CE4-4251-B053-2EF968E46EA1}

2012-06-30 15:20 - 2012-06-30 15:20 - 00000000 ____D C:\Users\lol\AppData\Local\{6A1BC01F-ADE1-4AB0-8D1F-260D185EE4CF}

2012-06-30 03:04 - 2012-06-30 03:04 - 00000000 ____D C:\Users\lol\AppData\Local\{62176D9D-7302-4FCA-88CB-21941BAE8D3D}

2012-06-30 03:04 - 2012-06-30 03:04 - 00000000 ____D C:\Users\lol\AppData\Local\{1685F2EF-FA29-46AC-95B8-3198BA5A04D0}

2012-06-29 04:57 - 2012-06-29 04:57 - 00000000 ____D C:\Users\lol\AppData\Local\{C0DDF930-167E-4306-941E-DFA87F430870}

2012-06-29 04:57 - 2012-06-29 04:57 - 00000000 ____D C:\Users\lol\AppData\Local\{18E5D35B-EC2B-4264-A8A3-C7FEFEB14276}

2012-06-28 05:13 - 2012-06-28 05:13 - 00000000 ____D C:\Users\lol\AppData\Local\{40FD2239-3E4F-4B54-8E24-A9F62A70E2DB}

2012-06-28 05:13 - 2012-06-28 05:13 - 00000000 ____D C:\Users\lol\AppData\Local\{0F8B43E4-6DF3-49F7-AEB3-7F85ACCB288E}

2012-06-27 07:55 - 2010-05-06 08:58 - 00000000 ____D C:\Users\lol\Desktop\All2MP3.app

2012-06-27 06:55 - 2012-06-27 06:55 - 00000000 ____D C:\Users\lol\AppData\Local\{9240DF54-4D14-46AA-BFD2-9A7BF3F7A809}

2012-06-27 06:54 - 2012-06-27 06:55 - 00000000 ____D C:\Users\lol\AppData\Local\{AB98F9B6-7D7F-4716-86F6-C2A8643B3F36}

2012-06-26 04:45 - 2012-06-26 04:45 - 00000000 ____D C:\Users\lol\AppData\Local\{2F474810-30E5-4FA0-901E-11CE07B21308}

2012-06-26 04:45 - 2012-06-26 04:45 - 00000000 ____D C:\Users\lol\AppData\Local\{2BD65CCB-FB47-4D8A-9F8E-F69766959A9A}

2012-06-25 05:13 - 2012-06-25 05:13 - 00000000 ____D C:\Users\lol\AppData\Local\{C329F69D-1E84-4845-A80E-63811A4DD16F}

2012-06-25 05:13 - 2012-06-25 05:13 - 00000000 ____D C:\Users\lol\AppData\Local\{6091204F-CE70-44FD-9F70-FF93BE2B8EF6}

2012-06-24 04:42 - 2012-06-24 04:42 - 00000000 ____D C:\Users\lol\AppData\Local\{D4723297-3FD5-49CE-BFED-6540334E4816}

2012-06-24 04:42 - 2012-06-24 04:42 - 00000000 ____D C:\Users\lol\AppData\Local\{32DB3A0D-7FBF-4729-B9A4-830CF964082D}

============ 3 Months Modified Files ========================

2012-07-24 13:05 - 2009-07-13 21:13 - 00778660 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-24 12:54 - 2012-03-21 12:39 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-24 12:50 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-24 12:50 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-24 12:44 - 2009-07-13 20:51 - 00000646 ____A C:\Windows\setupact.log

2012-07-24 12:43 - 2012-03-21 12:39 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-24 12:43 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-24 12:02 - 2012-07-24 11:48 - 00001908 ____A C:\Windows\diagwrn.xml

2012-07-24 12:02 - 2012-07-24 11:48 - 00001908 ____A C:\Windows\diagerr.xml

2012-07-24 12:01 - 2009-07-13 20:51 - 00000000 ____A C:\Windows\setuperr.log

2012-07-24 11:35 - 2011-12-09 12:30 - 00252660 ____A C:\Windows\PFRO.log

2012-07-24 11:23 - 2012-07-24 11:23 - 01438203 ____A (Farbar) C:\Users\lol\Downloads\FRST64.exe

2012-07-24 10:16 - 2012-07-24 10:16 - 00002437 ____A C:\Users\lol\Desktop\RKreport[2].txt

2012-07-24 10:14 - 2012-07-24 10:14 - 01552384 ____A C:\Users\lol\Downloads\RogueKiller.exe

2012-07-24 10:14 - 2012-07-24 10:14 - 00002693 ____A C:\Users\lol\Desktop\RKreport[1].txt

2012-07-24 09:17 - 2012-07-24 09:17 - 00024855 ____A C:\Users\lol\Desktop\DDS.txt

2012-07-24 09:17 - 2012-07-24 09:17 - 00009657 ____A C:\Users\lol\Desktop\Attach.txt

2012-07-24 09:05 - 2012-07-24 09:05 - 00607260 ____R (Swearware) C:\Users\lol\Downloads\dds.scr

2012-07-23 19:34 - 2009-07-13 21:08 - 00032530 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-22 10:44 - 2012-01-01 16:12 - 00000101 ____A C:\Users\All Users\SWAPPINFO.ini

2012-07-22 08:35 - 2011-12-08 00:07 - 01410246 ____A C:\Windows\WindowsUpdate.log

2012-07-21 21:34 - 2012-07-21 21:34 - 00001447 ____A C:\Users\lol\Desktop\Internet Explorer.lnk

2012-07-21 19:12 - 2012-07-21 19:12 - 00001134 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-07-21 13:12 - 2012-03-29 07:35 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-21 13:12 - 2012-02-06 07:55 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-20 08:30 - 2012-06-21 07:01 - 00000628 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-18 12:54 - 2012-06-11 09:31 - 00012076 ____A C:\Users\lol\Desktop\FFF.Andy.Madness.xlsx

2012-07-12 03:37 - 2009-07-13 20:45 - 00432752 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 22:16 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini

2012-07-11 22:15 - 2011-12-08 00:15 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-06 19:48 - 2012-07-06 19:48 - 00001141 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk

2012-07-06 19:46 - 2012-07-06 19:46 - 00439704 ____A (Yahoo! Inc.) C:\Users\lol\Downloads\msgr11us.exe

2012-07-03 09:46 - 2011-12-11 00:30 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-24 21:15 - 2012-06-06 20:06 - 00012800 ____A C:\Users\lol\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-06-21 13:47 - 2012-05-27 20:40 - 00016411 ____A C:\Users\lol\Desktop\Save1.sav

2012-06-21 11:33 - 2012-05-27 20:42 - 00000045 ____A C:\Users\lol\Desktop\config.txt

2012-06-21 11:13 - 2012-06-21 11:12 - 00666176 ____A C:\Users\lol\Desktop\pSX_1_13.rar

2012-06-21 09:23 - 2012-06-21 09:23 - 00001193 ____A C:\Users\Public\Desktop\Diablo III.lnk

2012-06-21 09:05 - 2012-06-21 09:04 - 40048208 ____A (Blizzard Entertainment) C:\Users\lol\Downloads\Diablo-III-Setup-enUS.exe

2012-06-21 07:01 - 2012-06-21 07:01 - 10062736 ____A (Malwarebytes Corporation ) C:\Users\lol\Downloads\mbam-consumer(1).exe

2012-06-19 17:06 - 2012-06-19 17:06 - 00000554 ____A C:\Users\lol\Desktop\Audacity.lnk

2012-06-11 19:08 - 2012-07-11 22:17 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:43 - 2012-07-11 04:30 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:41 - 2012-07-11 04:30 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-07 16:50 - 2012-06-07 16:50 - 01287528 ____A (Microsoft Corporation) C:\Users\lol\Downloads\wlsetup-web.exe

2012-06-05 22:06 - 2012-07-11 04:30 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 22:06 - 2012-07-11 04:30 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 22:02 - 2012-07-11 04:30 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-05 21:05 - 2012-07-11 04:30 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:05 - 2012-07-11 04:30 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 21:03 - 2012-07-11 04:30 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-02 14:19 - 2012-06-21 06:06 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-21 06:06 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-21 06:06 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-21 06:06 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-21 06:06 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-21 06:06 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-21 06:06 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-21 06:06 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-21 06:06 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-01 21:50 - 2012-07-11 04:30 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:48 - 2012-07-11 04:30 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:48 - 2012-07-11 04:30 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:45 - 2012-07-11 04:30 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:44 - 2012-07-11 04:30 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:40 - 2012-07-11 04:30 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:40 - 2012-07-11 04:30 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:39 - 2012-07-11 04:30 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:34 - 2012-07-11 04:30 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-05-31 16:44 - 2012-05-31 16:44 - 00000652 ____A C:\Users\lol\Desktop\Warcraft III.lnk

2012-05-31 16:44 - 2012-05-31 16:41 - 00014889 ____A C:\Windows\War3Unin.dat

2012-05-31 16:41 - 2012-05-31 16:41 - 00126976 ____A (Blizzard Entertainment) C:\Windows\War3Unin.exe

2012-05-31 16:41 - 2012-05-31 16:41 - 00002829 ____A C:\Windows\War3Unin.pif

2012-05-31 08:25 - 2011-12-08 00:16 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-05-29 13:31 - 2012-05-29 13:31 - 00001801 ____A C:\Users\lol\Desktop\iTunes.lnk

2012-05-28 12:34 - 2012-05-28 12:32 - 76761968 ____A (Apple Inc.) C:\Users\lol\Downloads\iTunes64Setup.exe

2012-05-28 12:15 - 2012-05-28 12:15 - 34629416 ____A C:\Users\lol\Downloads\vlcmediaplayer-setup.exe

2012-05-25 12:31 - 2012-05-25 12:30 - 07357440 ____A C:\Users\lol\Downloads\MM26_ENU.msi

2012-05-23 19:34 - 2009-07-13 18:36 - 00175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll

2012-05-23 19:34 - 2009-07-13 18:36 - 00152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll

2012-05-14 20:01 - 2012-06-13 12:37 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 19:59 - 2012-06-13 12:37 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 19:03 - 2012-06-13 12:37 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-14 19:00 - 2012-06-13 12:37 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-04 03:06 - 2012-06-13 12:37 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:03 - 2012-06-13 12:37 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:03 - 2012-06-13 12:37 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-05-01 08:52 - 2011-12-16 23:07 - 00110918 ____A C:\Windows\DirectX.log

2012-05-01 08:48 - 2012-05-01 08:47 - 00007872 ____A C:\Users\lol\Documents\Uninstall STAR WARS The Old Republic.log

2012-05-01 08:45 - 2012-05-01 08:44 - 03870984 ____A C:\Users\lol\Downloads\battlelog-web-plugins-1.118.0-retail-prod.exe

2012-04-27 21:32 - 2012-06-13 12:37 - 01112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll

2012-04-27 19:55 - 2012-06-13 12:37 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

ZeroAccess:

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\L

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\L\00000004.@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\L\201d3dde

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U\00000004.@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U\00000008.@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U\000000cb.@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U\80000000.@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U\80000032.@

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U\80000064.@

ZeroAccess:

C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}

C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\@

C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\L

C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%

Total physical RAM: 8171.65 MB

Available physical RAM: 7235.32 MB

Total Pagefile: 8169.8 MB

Available Pagefile: 7321.45 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:111.79 GB) (Free:10.81 GB) NTFS

2 Drive e: (New Volume) (Fixed) (Total:465.66 GB) (Free:89.6 GB) NTFS

3 Drive f: (Windows_7_Ultimate_64) (CDROM) (Total:3.35 GB) (Free:0 GB) UDF

4 Drive g: (STORE N GO) (Removable) (Total:0.93 GB) (Free:0.87 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 1024 KB

Disk 1 Online 111 GB 0 B

Disk 2 Online 955 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E New Volume NTFS Partition 465 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 111 GB 1024 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 951 MB 4032 KB

==================================================================================

Disk: 2

Partition 1

Type : 0E

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G STORE N GO FAT Removable 951 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 11:13

======================= End Of Log ==========================

Link to post
Share on other sites

Here's the search.txt:

Farbar Recovery Scan Tool Version: 24-07-2012 01

Ran by SYSTEM at 2012-07-24 17:10:55

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

Link to post
Share on other sites

OK, here you go......Please carefully carry out this procedure!!!!!!

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}
C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

Link to post
Share on other sites

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 24-07-2012 01

Ran by SYSTEM at 2012-07-24 17:34:00 Run:1

Running from G:\

==============================================

C:\Windows\Installer\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d} moved successfully.

C:\Users\lol\AppData\Local\{6e8bb14d-22e7-cb91-dcf7-5ef330acbc7d} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Link to post
Share on other sites

Sorry I missed your reply, lets run ComboFix to clean up any leftovers.....

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Thank you for dedicating your time to helping me Mr. C. After I used FRST to fix with the fixfile you gave me last night, the issues were gone and my browsing experience was back to normal. I just took the additional step with ComboFix and it took about 10 minutes to finish the entire process. Here is the log:

ComboFix 12-07-26.03 - lol 07/25/2012 12:02:32.1.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8172.6439 [GMT -4:00]

Running from: c:\users\lol\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\security\Database\tmp.edb

.

.

((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))

.

.

2012-07-25 16:06 . 2012-07-25 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-24 19:25 . 2012-07-25 01:09 -------- d-----w- C:\FRST

2012-07-22 13:12 . 2012-07-22 13:12 -------- d-----w- c:\windows\SysWow64\Tencent

2012-07-21 21:18 . 2012-07-21 21:18 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-20 13:54 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{15E5E733-4DE7-4736-A912-0D15AA69F093}\mpengine.dll

2012-07-12 06:17 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-07-07 03:48 . 2012-07-24 17:15 -------- d-----w- c:\programdata\Yahoo!

2012-07-07 03:47 . 2012-07-24 19:35 -------- d-----w- c:\program files (x86)\Yahoo!

2012-07-06 03:52 . 2012-07-06 03:52 -------- d-----w- c:\users\lol\AppData\Roaming\Wandoujia2

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-21 21:12 . 2012-03-29 15:35 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-21 21:12 . 2012-02-06 15:55 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-12 06:15 . 2011-12-08 08:15 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-03 17:46 . 2011-12-11 08:30 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-08 00:52 . 2012-06-08 00:52 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-06-02 22:19 . 2012-06-21 14:06 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-21 14:06 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-21 14:06 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-21 14:06 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-21 14:06 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-21 14:06 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-21 14:06 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-21 14:06 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-21 14:06 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-01 00:41 . 2012-06-01 00:41 2829 ----a-w- c:\windows\War3Unin.pif

2012-06-01 00:41 . 2012-06-01 00:41 126976 ----a-w- c:\windows\War3Unin.exe

2012-05-31 16:25 . 2011-12-08 08:16 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-05-24 03:34 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2012-05-24 03:34 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2012-05-15 04:01 . 2012-06-13 20:37 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:59 . 2012-06-13 20:37 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:03 . 2012-06-13 20:37 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-05-04 11:06 . 2012-06-13 20:37 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 10:03 . 2012-06-13 20:37 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03 . 2012-06-13 20:37 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-04-28 05:32 . 2012-06-13 20:37 1112064 ----a-w- c:\windows\system32\rdpcorets.dll

2012-04-28 03:55 . 2012-06-13 20:37 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Vid"="c:\program files (x86)\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]

"QQ2009"="a:\bin\QQ.exe" [2012-02-07 136568]

"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-15 636032]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"Malwarebytes' Anti-Malware"="a:\malwarebytes' anti-malware\mbamgui.exe" [2012-07-03 462920]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

AML Device Install.lnk - c:\program files (x86)\AMD AVT\bin\kdbsync.exe [2012-1-31 10752]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]

R2 MBAMService;MBAMService;a:\malwarebytes' anti-malware\mbamservice.exe [2012-07-03 655944]

R3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [2011-08-19 25632]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]

R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2011-08-19 351136]

R3 LVUVC64;Logitech HD Webcam C615(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2011-08-19 4869024]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TcHardWare;TcHardWare;c:\program files (x86)\Tencent\QQPCMgr\6.8.2386.401\QQPCHW-x64.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-08 1255736]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-02-15 235520]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-02-15 361984]

S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]

S2 ARUpdate;Tencent SOSO Update Service;c:\program files\TENCENT\AddrUpdate\AddrUpdate.exe [2012-03-16 116088]

S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-14 160944]

S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-02-15 10856960]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-02-15 327680]

S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-03-04 126952]

S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-03-04 390632]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [2009-11-17 32344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-04-21 471144]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 20:39]

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 20:39]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-18 11855976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

Trusted Zone: qq.com\cache.tv

Trusted Zone: qq.com\qqlivecaption

Trusted Zone: qq.com\qqlivehabit

Trusted Zone: qq.com\qqlivesearch

Trusted Zone: qq.com\video_1

TCP: DhcpNameServer = 192.168.1.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll

FF - ProfilePath - c:\users\lol\AppData\Roaming\Mozilla\Firefox\Profiles\3m4fwu3a.default\

.

.

------- File Associations -------

.

inifile=c:\windows\SysWow64\NOTEPAD.EXE %1

txtfile=c:\windows\notepad.exe %1

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)

BHO-{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} - c:\program files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSWebMon.dat

Wow6432Node-HKLM-Run-RaidCall - c:\program files (x86)\raidcall\raidcall.exe

BHO-{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} - c:\program files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSWebMon64.dat

WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)

AddRemove-PunkBusterSvc - c:\program files (x86)\Origin Games\Battlefield 3\pbsvc.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\SysWOW64\PnkBstrA.exe

.

**************************************************************************

.

Completion time: 2012-07-25 12:09:51 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-25 16:09

.

Pre-Run: 10,242,375,680 bytes free

Post-Run: 13,981,200,384 bytes free

.

- - End Of File - - C6485FF2A0A0D8D3B497E03DFE66586C

Link to post
Share on other sites

Do you have any idea what this folder is:

2012-07-06 03:52 . 2012-07-06 03:52 -------- d-----w- c:\users\lol\AppData\Roaming\Wandoujia2

You may have to enable hidden files to see it:

http://www.howtogeek...-windows-vista/

------------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Inside the Wandoujia2 folder is a file called 'zh-CN.wdj'. I don't know what this is or how I even got this folder.

I did the quick scan and here is the report:

ComboFix 12-07-26.03 - lol 07/25/2012 12:02:32.1.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8172.6439 [GMT -4:00]

Running from: c:\users\lol\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\security\Database\tmp.edb

.

.

((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))

.

.

2012-07-25 16:06 . 2012-07-25 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-24 19:25 . 2012-07-25 01:09 -------- d-----w- C:\FRST

2012-07-22 13:12 . 2012-07-22 13:12 -------- d-----w- c:\windows\SysWow64\Tencent

2012-07-21 21:18 . 2012-07-21 21:18 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-20 13:54 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{15E5E733-4DE7-4736-A912-0D15AA69F093}\mpengine.dll

2012-07-12 06:17 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-07-07 03:48 . 2012-07-24 17:15 -------- d-----w- c:\programdata\Yahoo!

2012-07-07 03:47 . 2012-07-24 19:35 -------- d-----w- c:\program files (x86)\Yahoo!

2012-07-06 03:52 . 2012-07-06 03:52 -------- d-----w- c:\users\lol\AppData\Roaming\Wandoujia2

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-21 21:12 . 2012-03-29 15:35 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-21 21:12 . 2012-02-06 15:55 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-12 06:15 . 2011-12-08 08:15 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-03 17:46 . 2011-12-11 08:30 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-08 00:52 . 2012-06-08 00:52 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-06-02 22:19 . 2012-06-21 14:06 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-21 14:06 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-21 14:06 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-21 14:06 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-21 14:06 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-21 14:06 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-21 14:06 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-21 14:06 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-21 14:06 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-01 00:41 . 2012-06-01 00:41 2829 ----a-w- c:\windows\War3Unin.pif

2012-06-01 00:41 . 2012-06-01 00:41 126976 ----a-w- c:\windows\War3Unin.exe

2012-05-31 16:25 . 2011-12-08 08:16 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-05-24 03:34 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2012-05-24 03:34 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2012-05-15 04:01 . 2012-06-13 20:37 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:59 . 2012-06-13 20:37 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:03 . 2012-06-13 20:37 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-05-04 11:06 . 2012-06-13 20:37 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 10:03 . 2012-06-13 20:37 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03 . 2012-06-13 20:37 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-04-28 05:32 . 2012-06-13 20:37 1112064 ----a-w- c:\windows\system32\rdpcorets.dll

2012-04-28 03:55 . 2012-06-13 20:37 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Vid"="c:\program files (x86)\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]

"QQ2009"="a:\bin\QQ.exe" [2012-02-07 136568]

"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-15 636032]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"Malwarebytes' Anti-Malware"="a:\malwarebytes' anti-malware\mbamgui.exe" [2012-07-03 462920]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

AML Device Install.lnk - c:\program files (x86)\AMD AVT\bin\kdbsync.exe [2012-1-31 10752]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]

R2 MBAMService;MBAMService;a:\malwarebytes' anti-malware\mbamservice.exe [2012-07-03 655944]

R3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [2011-08-19 25632]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]

R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2011-08-19 351136]

R3 LVUVC64;Logitech HD Webcam C615(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2011-08-19 4869024]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TcHardWare;TcHardWare;c:\program files (x86)\Tencent\QQPCMgr\6.8.2386.401\QQPCHW-x64.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-08 1255736]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-02-15 235520]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-02-15 361984]

S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]

S2 ARUpdate;Tencent SOSO Update Service;c:\program files\TENCENT\AddrUpdate\AddrUpdate.exe [2012-03-16 116088]

S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-14 160944]

S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-02-15 10856960]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-02-15 327680]

S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-03-04 126952]

S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-03-04 390632]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [2009-11-17 32344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-04-21 471144]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 20:39]

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 20:39]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-18 11855976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

Trusted Zone: qq.com\cache.tv

Trusted Zone: qq.com\qqlivecaption

Trusted Zone: qq.com\qqlivehabit

Trusted Zone: qq.com\qqlivesearch

Trusted Zone: qq.com\video_1

TCP: DhcpNameServer = 192.168.1.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll

FF - ProfilePath - c:\users\lol\AppData\Roaming\Mozilla\Firefox\Profiles\3m4fwu3a.default\

.

.

------- File Associations -------

.

inifile=c:\windows\SysWow64\NOTEPAD.EXE %1

txtfile=c:\windows\notepad.exe %1

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)

BHO-{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} - c:\program files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSWebMon.dat

Wow6432Node-HKLM-Run-RaidCall - c:\program files (x86)\raidcall\raidcall.exe

BHO-{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} - c:\program files (x86)\Tencent\QQPCMgr\6.8.2386.401\TSWebMon64.dat

WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)

AddRemove-PunkBusterSvc - c:\program files (x86)\Origin Games\Battlefield 3\pbsvc.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\SysWOW64\PnkBstrA.exe

.

**************************************************************************

.

Completion time: 2012-07-25 12:09:51 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-25 16:09

.

Pre-Run: 10,242,375,680 bytes free

Post-Run: 13,981,200,384 bytes free

.

- - End Of File - - C6485FF2A0A0D8D3B497E03DFE66586C

Link to post
Share on other sites

Inside the Wandoujia2 folder is a file called 'zh-CN.wdj'. I don't know what this is or how I even got this folder.

Please Delete it

-----------------------------------------------------------------

I need the log from Malwarebytes, not ComboFix.

MrC

Link to post
Share on other sites

Oops, my mistake. Here is the Malwarebytes:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

lol :: LOL-PC [administrator]

Protection: Enabled

7/25/2012 2:02:53 PM

mbam-log-2012-07-25 (14-02-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 195481

Time elapsed: 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

Everything is running fine! Thank you for your help!

How come Malwarebytes does not remove the rootkit infection?

No one program can do it all, especially replacing files.

It does detect some of the files.

----------------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.