Still more Trojan.Dropper.BCMiner


Symptoms started 7/23 around 9:50 pm:

- Chrome didn't want to go to normal websites (like Facebook) because it didn't trust the certificate

- Redirects from links coming from Google searches (though not Bing)

- Random pop-ups

- Microsoft Security Essentials collapsed

Following this are the logs from my first run of MBAM, what's generally come up in subsequent runs of MBAM, and DDS.txt. I'm attaching attach.txt.

I've seen the disclaimer about the backdoor virus, and that you can't guarantee my computer will be 100% safe ever again. I think I want to get it reasonably clean as fast as possible (it's the only way I can access internet from home right now), and I'll look at reformatting when I'm less stressed.

Thank you!

MBAM take 1:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.24.01

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Sarah M :: JOLLYGREENGIANT [administrator]

7/23/2012 9:41:53 PM

mbam-log-2012-07-23 (21-41-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 198851

Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Users\Sarah M\AppData\Local\Temp\154335_10.49.26.TC00327000A.temp\Setup\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Quarantined and deleted successfully.

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\n (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

MBAM take 2:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.24.01

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Sarah M :: JOLLYGREENGIANT [administrator]

7/23/2012 9:53:52 PM

mbam-log-2012-07-23 (21-53-52).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 681543

Time elapsed: 1 hour(s), 44 minute(s),

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Sarah M at 9:29:42 on 2012-07-25

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3891.2102 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE

C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe

C:\Program Files (x86)\PC Tools Security\pctsSvc.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\windows\Explorer.EXE

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\PC Tools Security\pctsGui.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\ThpSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\TECO\Teco.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\BOINC\boincmgr.exe

C:\Users\Sarah M\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe

C:\Windows\System32\spool\drivers\x64\3\E_IATIGBA.EXE

C:\Users\Sarah M\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler64.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files (x86)\Corel\Dad7\QUICK.EXE

C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

C:\Program Files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe

C:\Program Files (x86)\BOINC\boinctray.exe

C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe

C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE

C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe

C:\Program Files (x86)\real\realplayer\Update\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe

C:\windows\system32\igfxext.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\splwow64.exe

C:\Program Files (x86)\BOINC\boinc.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\windows\system32\sppsvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86

C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86

C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86

C:\windows\system32\conhost.exe

C:\windows\system32\conhost.exe

C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86

C:\windows\system32\conhost.exe

C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_prod_x86.exe.6.25

C:\windows\system32\conhost.exe

C:\windows\system32\conhost.exe

C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_prod_x86.exe.6.20

C:\windows\system32\conhost.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "C:\Users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [boincmgr] "C:\Program Files (x86)\BOINC\boincmgr.exe" /a /s

uRun: [EPSON WorkForce 630 Series] C:\windows\system32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\windows\TEMP\E_S8A84.tmp" /EF "HKCU"

mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun: [QuickFinder Scheduler] c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE

mRun: [boinctray] "C:\Program Files (x86)\BOINC\boinctray.exe"

mRun: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"

mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"

mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon

mRun: [iJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI

StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CORELD~1.LNK - C:\Program Files (x86)\Corel\Dad7\QUICK.EXE

StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DING!.lnk - C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe

StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PERFEC~1.LNK - C:\Program Files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL

LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

LSP: mswsock.dll

TCP: Interfaces\{16D759EC-67E8-405D-B433-3A3862029BF5} : DhcpNameServer = 194.90.1.5 212.143.212.143

TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887} : DhcpNameServer = 130.132.1.9 130.132.1.10 130.132.1.11

TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\2535D696C656D2031323 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\37369656E647563686 : DhcpNameServer = 192.168.4.1

TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\9516C6567457563747 : DhcpNameServer = 205.171.3.65 205.171.2.65

TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\9716C6560277962756C6563737 : DhcpNameServer = 130.132.1.9 130.132.1.10 130.132.1.11

TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\D41676964637F6E684F6D656 : DhcpNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

BHO-X64: Winamp Toolbar Loader - No File

BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO-X64: Increase performance and video formats for your HTML5 <video> - No File

BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll

BHO-X64: Canon Easy-WebPrint EX BHO - No File

BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File

mRun-x64: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun-x64: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun-x64: [QuickFinder Scheduler] c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE

mRun-x64: [boinctray] "C:\Program Files (x86)\BOINC\boinctray.exe"

mRun-x64: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"

mRun-x64: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"

mRun-x64: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon

mRun-x64: [iJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.spacesynth.net/forum/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

FF - prefs.js: network.proxy.http - 189.71.26.9

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.type - 0

FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: C:\Program Files (x86)\Opera\program\plugins\nppl3260.dll

FF - plugin: C:\Program Files (x86)\Opera\program\plugins\nprjplug.dll

FF - plugin: C:\Program Files (x86)\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll

FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: C:\Users\Sarah M\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;C:\windows\system32\DRIVERS\Lbd.sys --> C:\windows\system32\DRIVERS\Lbd.sys [?]

R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]

R0 PCTCore;PCTools KDS;C:\windows\system32\drivers\PCTCore64.sys --> C:\windows\system32\drivers\PCTCore64.sys [?]

R0 pctDS;PC Tools Data Store;C:\windows\system32\drivers\pctDS64.sys --> C:\windows\system32\drivers\pctDS64.sys [?]

R0 pctEFA;PC Tools Extended File Attributes;C:\windows\system32\drivers\pctEFA64.sys --> C:\windows\system32\drivers\pctEFA64.sys [?]

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R1 PCTSD;PC Tools Spyware Doctor Driver;C:\windows\system32\Drivers\PCTSD64.sys --> C:\windows\system32\Drivers\PCTSD64.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2011-12-26 166400]

R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2011-12-26 128512]

R2 FreeAgentGoNext Service;Seagate Service;C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-9-25 189736]

R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2012-7-24 402336]

R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2012-7-24 1117624]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-5-15 2320920]

R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]

R3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETw5s64.sys --> C:\windows\system32\DRIVERS\NETw5s64.sys [?]

R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-5-15 54136]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]

R3 wdkmd;Intel WiDi KMD;C:\windows\system32\DRIVERS\WDKMD.sys --> C:\windows\system32\DRIVERS\WDKMD.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-29 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" --> C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [?]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]

S3 acpials;ALS Sensor Filter;C:\windows\system32\DRIVERS\acpials.sys --> C:\windows\system32\DRIVERS\acpials.sys [?]

S3 BrlAPI;BrlAPI;C:\cygwin\bin\cygrunsrv.exe --> C:\cygwin\bin\cygrunsrv.exe [?]

S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-29 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-9-22 17152]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-12 113120]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-1-19 315664]

S3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-7-10 47128]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-7-10 369688]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== File Associations ===============

.

JSEFile=C:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

VBEFile=C:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

VBSFile=C:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.

=============== Created Last 30 ================

.

2012-07-25 03:54:42 453896 ----a-w- C:\windows\System32\drivers\pctDS64.sys

2012-07-25 03:54:42 1096688 ----a-w- C:\windows\System32\drivers\pctEFA64.sys

2012-07-25 03:54:41 339608 ----a-w- C:\windows\System32\drivers\pctgntdi64.sys

2012-07-25 03:54:41 145432 ----a-w- C:\windows\System32\drivers\pctwfpfilter64.sys

2012-07-25 03:54:34 367912 ----a-w- C:\windows\System32\drivers\PCTCore64.sys

2012-07-25 03:54:32 230952 ----a-w- C:\windows\System32\drivers\PCTSD64.sys

2012-07-25 03:54:32 14776 ----a-w- C:\windows\System32\drivers\pctBTFix64.sys

2012-07-25 03:54:30 92896 ----a-w- C:\windows\System32\drivers\pctplsg64.sys

2012-07-25 03:54:21 -------- d-----w- C:\ProgramData\PC Tools

2012-07-25 03:54:21 -------- d-----w- C:\Program Files (x86)\PC Tools Security

2012-07-25 03:54:21 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools

2012-07-25 02:57:23 -------- d-----w- C:\Users\Sarah M\AppData\Roaming\GetRightToGo

2012-07-25 00:36:18 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-23 01:11:37 -------- d-----w- C:\Users\Sarah M\AppData\Local\{AD799693-F8E3-413A-903D-EC1B5DB5D9A0}

2012-07-23 01:11:15 -------- d-----w- C:\Users\Sarah M\AppData\Local\{27FD6BF6-DFDF-4538-B895-67B49B3A44FB}

2012-07-23 01:10:30 -------- d-----w- C:\Users\Sarah M\AppData\Local\{B1D34AF4-1EC8-4344-8987-6BB700B3D003}

2012-07-23 01:10:00 -------- d-----w- C:\Users\Sarah M\AppData\Local\{A34DD1F8-FFD5-4D4F-AC8D-57EAFC9FC94A}

2012-07-22 20:55:19 -------- d-sh--w- C:\windows\SysWow64\%APPDATA%

2012-07-22 17:18:49 -------- d-----w- C:\Users\Sarah M\AppData\Roaming\Ad-Aware Antivirus

2012-07-22 02:52:24 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0F930B5F-602B-40DC-B531-16393F82D83C}\mpengine.dll

2012-07-20 00:13:18 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-18 20:17:17 -------- d-----w- C:\Program Files\iPod

2012-07-18 20:17:15 -------- d-----w- C:\Program Files\iTunes

2012-07-18 20:17:15 -------- d-----w- C:\Program Files (x86)\iTunes

2012-07-12 13:17:26 3147264 ----a-w- C:\windows\System32\win32k.sys

2012-07-11 03:02:07 -------- d--h--w- C:\ProgramData\CanonIJSDU

2012-07-04 17:33:35 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B9D123A4-7336-4AE3-8072-AFBCA5F08F75}\gapaengine.dll

2012-07-01 02:30:28 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll

2012-07-01 02:30:28 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll

.

==================== Find3M ====================

.

2012-07-03 17:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys

2012-06-06 05:50:50 2003968 ----a-w- C:\windows\System32\msxml6.dll

2012-06-06 05:50:50 1880064 ----a-w- C:\windows\System32\msxml3.dll

2012-06-06 05:09:46 1389568 ----a-w- C:\windows\SysWow64\msxml6.dll

2012-06-06 05:09:46 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll

2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll

2012-06-02 19:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll

2012-06-02 19:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe

2012-06-02 05:38:26 95088 ----a-w- C:\windows\System32\drivers\ksecdd.sys

2012-06-02 05:38:24 152432 ----a-w- C:\windows\System32\drivers\ksecpkg.sys

2012-06-02 05:37:45 459216 ----a-w- C:\windows\System32\drivers\cng.sys

2012-06-02 05:27:02 340992 ----a-w- C:\windows\System32\schannel.dll

2012-06-02 05:27:00 307200 ----a-w- C:\windows\System32\ncrypt.dll

2012-06-02 04:48:39 22016 ----a-w- C:\windows\SysWow64\secur32.dll

2012-06-02 04:48:35 225280 ----a-w- C:\windows\SysWow64\schannel.dll

2012-06-02 04:47:31 219136 ----a-w- C:\windows\SysWow64\ncrypt.dll

2012-06-02 04:42:51 96768 ----a-w- C:\windows\SysWow64\sspicli.dll

2012-05-15 03:56:59 1197568 ----a-w- C:\windows\System32\wininet.dll

2012-05-15 03:08:48 981504 ----a-w- C:\windows\SysWow64\wininet.dll

2012-05-06 01:20:16 8744608 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe

2012-05-04 10:52:22 5505392 ----a-w- C:\windows\System32\ntoskrnl.exe

2012-05-04 10:08:16 3958128 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:08:15 3902320 ----a-w- C:\windows\SysWow64\ntoskrnl.exe

2012-05-02 05:32:43 208896 ----a-w- C:\windows\System32\profsvc.dll

2012-04-28 03:50:40 204800 ----a-w- C:\windows\System32\drivers\rdpwd.sys

.

============= FINISH: 9:31:41.75 ===============

Attach.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


I accidentally scanned while my USB was plugged in, so I unplugged the USB and scanned again, with these results:

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User: Sarah M [Admin rights]

Mode: Scan -- Date: 07/25/2012 10:06:24

¤¤¤ Bad processes: 12 ¤¤¤

[SUSP PATH] wcgrid_dsfl_vina_6.25_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86 -> KILLED [TermProc]

[SUSP PATH] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

[SUSP PATH] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

[SUSP PATH] wcgrid_sn2s_vina_6.20_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcgrid_dsfl_vina_6.25_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcgrid_sn2s_vina_6.20_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcgrid_dsfl_vina_6.25_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

[RESIDUE] wcgrid_sn2s_vina_6.20_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86 -> KILLED [TermProc]

¤¤¤ Registry Entries: 10 ¤¤¤

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Sarah M\AppData\Local\{c236b97c-3fcc-86bc-309d-418570865fa5}\n.) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowVideos (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++

--- User ---

[MBR] 35cdcf2d6902b3140cbbf1e1c437dd83

[BSP] ad3169145d5a5582624fdef33b7b7fca : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464726 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954832896 | Size: 10713 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt


Please don't put the logs in code, they're too hard to read.

Did you recently do an Adobe Flash Player Update?

-------------------------------------------------------------

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC
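The diagnosis above rests on the file-system artefacts the RogueKiller report lists: a {GUID} container (under C:\Windows\Installer and under the user's AppData\Local) holding "@", "n", "U" and "L" entries, a desktop.ini planted in the GAC_32 and GAC_64 assembly folders, and a folder literally named %APPDATA% under SysWOW64. The PowerShell below is an added example written for this thread, not RogueKiller's, FRST's or Malwarebytes' own code; it re-checks those locations and only reports, it removes nothing. It assumes an elevated PowerShell prompt on the affected machine and inspects only the profile it runs under (LOCALAPPDATA of the current user), so other user profiles would need their own pass.

```powershell
# Added example (not from the thread or from any of the tools used in it):
# read-only inventory of the ZeroAccess file artefacts reported above.
# Assumption: run elevated on the affected machine; only the current user's
# LOCALAPPDATA is examined. Nothing is deleted or modified.

function Find-ZeroAccessArtefacts {
    $windir = $env:SystemRoot
    $guidPattern = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    $candidates = @()

    # 1. {GUID} containers under Windows\Installer and %LOCALAPPDATA%
    #    that hold the "@", "n", "U" or "L" entries seen in the RogueKiller log.
    foreach ($root in @("$windir\Installer", $env:LOCALAPPDATA)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system directories; PSIsContainer keeps PS 2.0 compatibility.
        $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern }
        foreach ($dir in $dirs) {
            foreach ($marker in '@', 'n', 'U', 'L') {
                $candidates += New-Object PSObject -Property @{
                    Check = 'ZeroAccess container'
                    Path  = (Join-Path $dir.FullName $marker)
                }
            }
        }
    }

    # 2. desktop.ini dropped into the GAC directories.
    foreach ($gac in 'GAC_32', 'GAC_64') {
        $candidates += New-Object PSObject -Property @{
            Check = 'GAC desktop.ini'
            Path  = "$windir\assembly\$gac\desktop.ini"
        }
    }

    # 3. A folder whose name is the literal string %APPDATA% under SysWOW64.
    #    Neither Join-Path nor Test-Path expands it, so the literal name is tested.
    $candidates += New-Object PSObject -Property @{
        Check = 'SysWOW64 %APPDATA%'
        Path  = "$windir\SysWOW64\%APPDATA%"
    }

    # Keep only the candidates that actually exist. -LiteralPath prevents
    # wildcard interpretation; hidden/system attributes do not hide from Test-Path.
    $candidates | Where-Object { Test-Path -LiteralPath $_.Path } | Select-Object Check, Path
}

$hits = @(Find-ZeroAccessArtefacts)
if ($hits.Count -eq 0) {
    Write-Output 'No ZeroAccess file artefacts found at the checked locations.'
} else {
    $hits | Format-Table -AutoSize
}
```

A clean result here says only that these particular artefacts are gone; the registry InprocServer32 hijack and the GAC/Installer folder permissions that tools such as RogueKiller also inspect are outside what this script looks at, so it complements the tool logs rather than replacing them.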


There was an Adobe update the night my computer got infected. I'm not convinced it was real. I've since uninstalled Java and all Adobe products.

I don't entirely understand what you mean by "make sure system restore is running". I created a new restore point--should I now press the "System Restore" button, and reboot by going through that process?


There was an Adobe update the night my computer got infected. I'm not convinced it was real. I've since uninstalled Java and all Adobe products.

It wasn't, you need Java though.

I don't entirely understand what you mean by "make sure system restore is running". I created a new restore point--should I now press the "System Restore" button, and reboot by going through that process?

As long as you created a new restore point, you can proceed.

MrC


FRST.txt and Search.txt:

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01

Ran by SYSTEM at 25-07-2012 11:20:37

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]

HKLM\...\Run: [igfxTray] C:\windows\system32\igfxtray.exe [166424 2010-04-07] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [391192 2010-04-07] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [413720 2010-04-07] (Intel Corporation)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-22] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [896032 2010-03-22] (Realtek Semiconductor)

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)

HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-05] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-25] (TOSHIBA Corporation)

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1489760 2010-04-06] (TOSHIBA Corporation)

HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)

HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)

HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1926928 2010-01-19] (Intel® Corporation)

HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)

HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-03-03] (TOSHIBA Corporation)

HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2782096 2010-07-25] (CANON INC.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2009-12-25] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2010-03-04] (TOSHIBA Electronics, Inc.)

HKLM-x32\...\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [352256 2010-02-22] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)

HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)

HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]

HKLM-x32\...\Run: [QuickFinder Scheduler] c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE [46080 1996-10-15] (Novell, Inc.)

HKLM-x32\...\Run: [boinctray] "C:\Program Files (x86)\BOINC\boinctray.exe" [58112 2008-11-17] (Space Sciences Laboratory)

HKLM-x32\...\Run: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [185640 2009-09-25] (Seagate LLC)

HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [847872 2009-12-02] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1213848 2010-09-14] (CANON INC.)

HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE [452016 2010-09-09] (CANON INC.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-06-04] (RealNetworks, Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKLM-x32\...\Run: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI [2659768 2012-02-24] (PC Tools)

HKU\Sarah M\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-08] (Google Inc.)

HKU\Sarah M\...\Run: [Google Update] "C:\Users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-06-29] (Google Inc.)

HKU\Sarah M\...\Run: [boincmgr] "C:\Program Files (x86)\BOINC\boincmgr.exe" /a /s [3916544 2008-11-17] (World Community Grid)

HKU\Sarah M\...\Run: [EPSON WorkForce 630 Series] C:\windows\system32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\windows\TEMP\E_S8A84.tmp" /EF "HKCU" [224768 2010-01-12] (SEIKO EPSON CORPORATION)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK

ShortcutTarget: Corel Desktop Application Director.LNK -> C:\Program Files (x86)\Corel\Dad7\QUICK.EXE (Corel Corporation Limited)

Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\DING!.lnk

ShortcutTarget: DING!.lnk -> C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)

Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\OpenOffice.org 3.4.lnk

ShortcutTarget: OpenOffice.org 3.4.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\PerfectPrint.LNK

ShortcutTarget: PerfectPrint.LNK -> C:\Program Files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE (Corel Corporation)

==================== Services (Whitelisted) ======

2 FreeAgentGoNext Service; "C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-09-25] (Seagate Technology LLC)

2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [137680 2010-07-27] ()

2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [40999448 2008-07-10] (Microsoft Corporation)

4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4737024 2008-07-29] (Microsoft Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [315664 2010-01-19] ()

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 sdAuxService; C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [402336 2012-02-24] (PC Tools)

2 sdCoreService; C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [1117624 2012-02-24] (PC Tools)

4 SQLAgent$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [369688 2008-07-10] (Microsoft Corporation)

2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-03] (Intel Corporation)

3 BrlAPI; C:\cygwin\bin\cygrunsrv.exe [x]

2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [x]

========================== Drivers (Whitelisted) =============

3 acpials; C:\Windows\System32\Drivers\acpials.sys [9728 2009-07-13] (Microsoft Corporation)

1 GearAspiSys; C:\Windows\SysWow64\Drivers\GearAspiSys.sys [53412 2002-06-24] (GEAR Software)

3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-09-22] ()

0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-08-18] (Lavasoft AB)

0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [367912 2011-11-14] (PC Tools)

0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2011-12-01] (PC Tools)

0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096688 2011-12-01] (PC Tools)

1 PCTSD; C:\Windows\System32\Drivers\PCTSD64.sys [230952 2012-02-24] (PC Tools)

2 Thpsrv; [x]

2 TODDSrv; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-25 11:20 - 2012-07-25 11:20 - 00000000 ____D C:\FRST

2012-07-25 06:06 - 2012-07-25 06:06 - 00004430 ____A C:\Users\Sarah M\Desktop\RKreport[2].txt

2012-07-25 06:05 - 2012-07-25 06:05 - 00004038 ____A C:\Users\Sarah M\Desktop\RKreport[1].txt

2012-07-25 06:04 - 2012-07-25 06:05 - 00000000 ____D C:\Users\Sarah M\Desktop\RK_Quarantine

2012-07-24 19:54 - 2012-07-25 05:45 - 00000000 ____D C:\Program Files (x86)\PC Tools Security

2012-07-24 19:54 - 2012-07-24 19:55 - 01946715 ____A C:\Windows\System32\Drivers\Cat.DB

2012-07-24 19:54 - 2012-07-24 19:54 - 00002097 ____A C:\Users\Public\Desktop\PC Tools Spyware Doctor with AntiVirus.lnk

2012-07-24 19:54 - 2012-07-24 19:54 - 00000000 ____D C:\Users\All Users\PC Tools

2012-07-24 19:54 - 2012-02-24 06:37 - 00092896 ____A (PC Tools) C:\Windows\System32\Drivers\pctplsg64.sys

2012-07-24 19:54 - 2012-02-24 06:36 - 00230952 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys

2012-07-24 19:54 - 2012-02-24 06:35 - 00014776 ____A (PC Tools) C:\Windows\System32\Drivers\pctBTFix64.sys

2012-07-24 19:54 - 2012-02-24 06:31 - 00339608 ____A (PC Tools) C:\Windows\System32\Drivers\pctgntdi64.sys

2012-07-24 19:54 - 2012-02-24 06:31 - 00145432 ____A (PC Tools) C:\Windows\System32\Drivers\pctwfpfilter64.sys

2012-07-24 19:54 - 2011-12-01 12:07 - 01096688 ____A (PC Tools) C:\Windows\System32\Drivers\pctEFA64.sys

2012-07-24 19:54 - 2011-12-01 12:07 - 00453896 ____A (PC Tools) C:\Windows\System32\Drivers\pctDS64.sys

2012-07-24 19:54 - 2011-11-14 11:12 - 00367912 ____A (PC Tools) C:\Windows\System32\Drivers\PCTCore64.sys

2012-07-24 18:57 - 2012-07-24 19:54 - 00000000 ____D C:\Users\Sarah M\AppData\Roaming\GetRightToGo

2012-07-24 16:36 - 2012-07-24 16:36 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-07-24 16:26 - 2012-07-25 06:04 - 00000000 ____D C:\Users\Sarah M\Desktop\Fixme

2012-07-22 17:11 - 2012-07-22 17:11 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{AD799693-F8E3-413A-903D-EC1B5DB5D9A0}

2012-07-22 17:11 - 2012-07-22 17:11 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{27FD6BF6-DFDF-4538-B895-67B49B3A44FB}

2012-07-22 17:10 - 2012-07-22 17:10 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{B1D34AF4-1EC8-4344-8987-6BB700B3D003}

2012-07-22 17:10 - 2012-07-22 17:10 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{A34DD1F8-FFD5-4D4F-AC8D-57EAFC9FC94A}

2012-07-22 12:55 - 2012-07-22 12:55 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-22 09:18 - 2012-07-22 09:18 - 00000000 ____D C:\Users\Sarah M\AppData\Roaming\Ad-Aware Antivirus

2012-07-21 18:46 - 2012-07-21 18:46 - 04587128 ____A (Lavasoft Limited) C:\Users\Sarah M\Downloads\Adaware_Installer.exe

2012-07-18 12:18 - 2012-07-18 12:18 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-07-18 12:17 - 2012-07-18 12:18 - 00000000 ____D C:\Program Files\iTunes

2012-07-18 12:17 - 2012-07-18 12:18 - 00000000 ____D C:\Program Files (x86)\iTunes

2012-07-18 12:17 - 2012-07-18 12:17 - 00000000 ____D C:\Program Files\iPod

2012-07-12 05:17 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-11 05:20 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-11 05:20 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-11 05:20 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-11 05:20 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-11 05:20 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-11 05:20 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-11 05:20 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-11 05:20 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-11 05:20 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-11 05:20 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-11 05:20 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-11 05:20 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-11 05:20 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-11 05:20 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-11 05:20 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-10 19:02 - 2012-07-10 19:02 - 00000000 ___HD C:\Users\All Users\CanonIJSDU

2012-07-06 05:25 - 2012-07-06 05:25 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

2012-06-30 20:07 - 2012-06-30 20:07 - 00000000 ____D C:\Users\Public\Documents\sun

2012-06-30 20:06 - 2012-06-30 20:06 - 00001168 ____A C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk

2012-06-30 19:18 - 2012-06-30 19:18 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2012-06-30 19:18 - 2012-06-30 19:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

============ 3 Months Modified Files ========================

2012-07-25 06:46 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-25 06:46 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-25 06:30 - 2010-05-15 18:31 - 01555010 ____A C:\Windows\WindowsUpdate.log

2012-07-25 06:16 - 2010-06-29 16:13 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001UA.job

2012-07-25 06:06 - 2012-07-25 06:06 - 00004430 ____A C:\Users\Sarah M\Desktop\RKreport[2].txt

2012-07-25 06:05 - 2012-07-25 06:05 - 00004038 ____A C:\Users\Sarah M\Desktop\RKreport[1].txt

2012-07-25 06:04 - 2010-06-29 16:07 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-25 05:24 - 2010-06-29 16:07 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-25 05:24 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-25 05:24 - 2009-07-13 20:51 - 00042538 ____A C:\Windows\setupact.log

2012-07-24 19:55 - 2012-07-24 19:54 - 01946715 ____A C:\Windows\System32\Drivers\Cat.DB

2012-07-24 19:54 - 2012-07-24 19:54 - 00002097 ____A C:\Users\Public\Desktop\PC Tools Spyware Doctor with AntiVirus.lnk

2012-07-24 18:48 - 2010-04-08 18:34 - 00211012 ____A C:\Windows\PFRO.log

2012-07-24 18:08 - 2009-07-13 21:13 - 00875576 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-23 17:41 - 2012-05-02 17:39 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-23 17:20 - 2010-08-18 19:58 - 00005642 ____A C:\Users\Sarah M\Desktop\To Do.txt

2012-07-22 08:34 - 2011-05-07 20:30 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat

2012-07-22 08:34 - 2011-05-07 20:30 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat

2012-07-22 08:32 - 2010-06-29 16:13 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001Core.job

2012-07-21 18:46 - 2012-07-21 18:46 - 04587128 ____A (Lavasoft Limited) C:\Users\Sarah M\Downloads\Adaware_Installer.exe

2012-07-18 12:18 - 2012-07-18 12:18 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-07-14 23:12 - 2011-01-05 11:38 - 00001042 ____A C:\Users\Sarah M\Desktop\Dropbox.lnk

2012-07-12 15:47 - 2009-07-13 20:45 - 00383224 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-12 15:31 - 2010-06-29 16:16 - 00002430 ____A C:\Users\Sarah M\Desktop\Google Chrome.lnk

2012-07-12 05:10 - 2010-08-21 17:12 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-10 19:01 - 2010-06-29 15:54 - 00095224 ____A C:\Users\Sarah M\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-06 05:25 - 2012-07-06 05:25 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

2012-07-03 09:46 - 2011-11-06 14:23 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-30 20:06 - 2012-06-30 20:06 - 00001168 ____A C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk

2012-06-16 17:48 - 2010-08-01 13:34 - 00001634 ____A C:\Users\Sarah M\Desktop\DivX Movies.lnk

2012-06-16 17:47 - 2012-06-16 17:47 - 00001087 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk

2012-06-11 19:02 - 2012-07-12 05:17 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:30 - 2012-07-11 05:20 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:46 - 2012-07-11 05:20 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 21:50 - 2012-07-11 05:20 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:50 - 2012-07-11 05:20 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:09 - 2012-07-11 05:20 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:09 - 2012-07-11 05:20 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-04 05:31 - 2012-06-04 05:31 - 00001046 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2012-06-04 05:30 - 2011-11-30 17:36 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2012-06-04 05:30 - 2011-11-30 17:36 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2012-06-04 05:30 - 2011-11-30 17:36 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2012-06-04 05:30 - 2011-11-30 17:36 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2012-06-02 14:19 - 2012-06-22 04:36 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-22 04:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-22 04:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-22 04:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-22 04:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-22 04:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-22 04:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-22 04:35 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-22 04:35 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-01 21:38 - 2012-07-11 05:20 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:38 - 2012-07-11 05:20 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:37 - 2012-07-11 05:20 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:27 - 2012-07-11 05:20 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:27 - 2012-07-11 05:20 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:48 - 2012-07-11 05:20 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:48 - 2012-07-11 05:20 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:47 - 2012-07-11 05:20 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:42 - 2012-07-11 05:20 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-05-30 15:28 - 2012-05-30 15:28 - 00001816 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2012-05-20 17:59 - 2012-05-20 17:59 - 00000954 ____A C:\Users\Public\Desktop\Psycle Modular Music Creation Studio.lnk

2012-05-20 17:59 - 2012-05-20 17:58 - 06750341 ____A (psycledelics ) C:\Users\Sarah M\Downloads\PsycleInstallerx86-1.10.1.exe

2012-05-20 17:53 - 2012-05-20 17:53 - 00007466 ____A C:\Users\Sarah M\Downloads\nativehost.cpp

2012-05-20 17:18 - 2012-05-20 17:18 - 06534484 ____A (psycledelics ) C:\Users\Sarah M\Downloads\PsycleInstallerx64-1.10.1.exe

2012-05-17 15:28 - 2011-01-29 11:34 - 00869966 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-05-14 19:56 - 2012-06-13 15:12 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 19:52 - 2012-06-13 15:12 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 19:08 - 2012-06-13 15:12 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-14 19:06 - 2012-06-13 15:12 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-14 18:37 - 2012-05-14 18:38 - 03264328 ____A (Microsoft Corporation) C:\Users\Sarah M\Desktop\vb_web.exe

2012-05-05 19:59 - 2012-05-05 19:59 - 06379888 ____A (BitTorrent, Inc.) C:\Users\Sarah M\Desktop\BitTorrent.exe

2012-05-05 17:20 - 2012-05-05 17:20 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2012-05-04 02:52 - 2012-06-13 15:12 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:08 - 2012-06-13 15:12 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:08 - 2012-06-13 15:12 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-05-01 21:32 - 2012-06-13 15:12 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-05-01 04:51 - 2011-01-29 11:35 - 00001945 ____A C:\Windows\epplauncher.mif

2012-04-27 19:50 - 2012-06-13 15:11 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

ZeroAccess:

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\@

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L\00000004.@

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L\201d3dde

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000004.@

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\000000cb.@

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000000.@

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000032.@

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000064.@

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%

Total physical RAM: 3890.67 MB

Available physical RAM: 3317.13 MB

Total Pagefile: 3888.82 MB

Available Pagefile: 3301.96 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI105835W0G) (Fixed) (Total:453.83 GB) (Free:308.71 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive f: () (Removable) (Total:14.99 GB) (Free:14.91 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 Online 15 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 453 GB 1501 MB

Partition 3 Primary 10 GB 455 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C TI105835W0G NTFS Partition 453 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 14 GB 1140 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 14 GB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-23 20:00

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-25 11:23:22

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======


OK, here you go... Please carefully carry out this procedure!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt


C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

MrC

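The two FRST findings in the log above (a System32\services.exe whose hash differs from the pristine copy FRST found in WinSxS, and the ZeroAccess folder under Windows\Installer plus the Desktop.ini files dropped into assembly\GAC_32 and GAC_64) and the fixlist's Replace: step can be reproduced in a small triage script. The following is an added example written for this page, not FRST's code or anything posted in the thread. It builds a constructed miniature Windows tree in a temporary directory (the component-store folder name, file contents and quarantine path are illustrative), hashes with SHA-256 rather than the MD5 FRST prints, and treats a GUID folder holding `@`, `L` and `U` as the ZeroAccess marker, which is the layout the log shows.

```python
"""Triage helper modelled on two FRST checks from the log above: compare a
System32 binary against the copies Windows keeps in the WinSxS component
store, and look for the ZeroAccess on-disk markers FRST listed. Added
example; paths and names below are illustrative, not FRST's own code."""
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Windows Installer caches use GUID-named folders; ZeroAccess hides inside one.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def sha256_of(path):
    """Stream the file through SHA-256 (FRST prints MD5; the comparison is the same)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def winsxs_copies(windir, name):
    """Every file called `name` under <windir>\\winsxs (the component store)."""
    sxs = Path(windir) / "winsxs"
    return sorted(p for p in sxs.rglob(name) if p.is_file()) if sxs.is_dir() else []


def check_system_binary(windir, name):
    """Hash System32\\<name> and say whether any WinSxS copy has the same hash.
    No match is the condition behind FRST's 'services.exe ... ZeroAccess' line."""
    live = Path(windir) / "System32" / name
    live_hash = sha256_of(live)
    refs = {p: sha256_of(p) for p in winsxs_copies(windir, name)}
    good = [p for p, h in refs.items() if h == live_hash]
    return {
        "file": str(live),
        "sha256": live_hash,
        "winsxs_copies": len(refs),
        "matches_winsxs": bool(good),
        # component-store copies that differ from the live file, usable as replacements
        "replacement_candidates": [str(p) for p in refs if p not in good],
    }


def zeroaccess_markers(windir):
    """Paths matching what FRST labelled 'ZeroAccess:' in the log: a GUID folder
    under Installer holding '@', 'L' and 'U', and Desktop.ini in GAC_32/GAC_64."""
    windir = Path(windir)
    found = []
    installer = windir / "Installer"
    if installer.is_dir():
        for d in installer.iterdir():
            if d.is_dir() and GUID_DIR.match(d.name) and (d / "@").exists() \
                    and (d / "L").is_dir() and (d / "U").is_dir():
                found.append(str(d))
    for gac in ("GAC_32", "GAC_64"):
        ini = windir / "assembly" / gac / "Desktop.ini"
        if ini.exists():
            found.append(str(ini))
    return found


def replace_from_winsxs(windir, name, source, quarantine):
    """Mirror the fixlist line 'Replace: <winsxs copy> <System32 file>':
    move the suspect binary aside, copy the component-store file in, re-verify."""
    live = Path(windir) / "System32" / name
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = quarantine / (name + ".bad")
    shutil.move(str(live), str(moved))
    shutil.copy2(str(source), str(live))
    return {"quarantined": str(moved), "restored_from": str(source),
            "verified": sha256_of(live) == sha256_of(source)}


def build_demo_tree(root):
    """Constructed sample tree (not a real Windows install) mirroring the log:
    a patched services.exe in System32, a pristine one in WinSxS, and the
    ZeroAccess folder and GAC Desktop.ini markers."""
    windir = Path(root) / "Windows"
    (windir / "System32").mkdir(parents=True)
    (windir / "System32" / "services.exe").write_bytes(b"MZ patched services.exe")
    comp = windir / "winsxs" / "amd64_microsoft-windows-s..s-servicecontroller_demo"
    comp.mkdir(parents=True)
    (comp / "services.exe").write_bytes(b"MZ clean services.exe")
    za = windir / "Installer" / "{c236b97c-3fcc-86bc-309d-418570865fa5}"
    for sub in ("L", "U"):
        (za / sub).mkdir(parents=True)
    (za / "@").write_bytes(b"")
    (za / "U" / "00000008.@").write_bytes(b"dropper payload")
    for gac in ("GAC_32", "GAC_64"):
        (windir / "assembly" / gac).mkdir(parents=True)
        (windir / "assembly" / gac / "Desktop.ini").write_bytes(b"[.ShellClassInfo]")
    return windir


def run_demo():
    """Build the sample tree, run both checks, apply the Replace step, re-check."""
    root = Path(tempfile.mkdtemp())
    windir = build_demo_tree(root)
    before = check_system_binary(windir, "services.exe")
    markers = zeroaccess_markers(windir)
    fix = replace_from_winsxs(windir, "services.exe",
                              before["replacement_candidates"][0],
                              root / "FRST" / "Quarantine")
    after = check_system_binary(windir, "services.exe")
    return {"before": before, "markers": markers, "fix": fix, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as-is to see the before/after report on the constructed tree; point `check_system_binary` and `zeroaccess_markers` at a real `C:\Windows` only from outside the infected OS, as the thread does (FRST ran as SYSTEM from the flash drive in System Recovery Options), since a scan from inside the running system may be denied access to those folders or be shown a tampered view of them. A WinSxS match is a sanity check, not proof of a clean file: it only tells you the live binary is byte-identical to a copy the servicing stack keeps, which is exactly the property the Replace: step restores.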

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-25 12:00:58 Run:1

Running from F:\

==============================================

C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Well done, let's run ComboFix to clean up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix is telling me that Lavasoft Ad-Watch Live! is running on my PC, but all I had was on-demand Ad-Aware scanning. There's nothing about Lavasoft or Ad-Aware in the process list in the Task Manager that I can find, and I even just uninstalled Ad-Aware, with no leftover programs labelled as "Ad-Aware" or Lavasoft (other than "threatwork", which is not currently running). I don't know why ComboFix thinks it's running, but I'm hesitant to move it forward while it's throwing warnings.


ComboFix.txt:

ComboFix 12-07-26.03 - Sarah M 07/25/2012 13:40:34.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3891.2058 [GMT -4:00]

Running from: c:\users\Sarah M\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\windows\winhelp.ini

.

.

((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))

.

.

2012-07-25 19:20 . 2012-07-25 19:20 -------- d-----w- C:\FRST

2012-07-25 18:17 . 2012-07-25 18:17 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-25 02:57 . 2012-07-25 03:54 -------- d-----w- c:\users\Sarah M\AppData\Roaming\GetRightToGo

2012-07-25 00:36 . 2012-07-25 00:36 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-22 20:55 . 2012-07-22 20:55 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-22 17:18 . 2012-07-22 17:18 -------- d-----w- c:\users\Sarah M\AppData\Roaming\Ad-Aware Antivirus

2012-07-22 02:52 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0F930B5F-602B-40DC-B531-16393F82D83C}\mpengine.dll

2012-07-20 00:13 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-18 20:17 . 2012-07-18 20:17 -------- d-----w- c:\program files\iPod

2012-07-18 20:17 . 2012-07-18 20:18 -------- d-----w- c:\program files\iTunes

2012-07-18 20:17 . 2012-07-18 20:18 -------- d-----w- c:\program files (x86)\iTunes

2012-07-12 13:17 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 03:02 . 2012-07-11 03:02 -------- d--h--w- c:\programdata\CanonIJSDU

2012-07-06 13:25 . 2012-07-06 13:25 -------- d-----w- c:\program files (x86)\Common Files\Skype

2012-07-04 17:33 . 2012-02-11 23:45 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B9D123A4-7336-4AE3-8072-AFBCA5F08F75}\gapaengine.dll

2012-07-01 03:18 . 2012-07-01 03:18 -------- d-----w- c:\program files\Microsoft Silverlight

2012-07-01 03:18 . 2012-07-01 03:18 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

2012-07-01 02:30 . 2012-07-01 02:30 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

2012-07-01 02:30 . 2012-07-01 02:30 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-12 13:10 . 2010-08-22 01:12 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-03 17:46 . 2011-11-06 22:23 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-02 22:19 . 2012-06-22 12:36 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-22 12:36 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-22 12:36 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-22 12:36 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-22 12:36 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-22 12:36 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-22 12:36 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-22 12:35 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-22 12:35 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 13:50 . 2012-05-15 02:50 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll

2012-05-15 03:56 . 2012-06-13 23:12 1197568 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:52 . 2012-06-13 23:12 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:08 . 2012-06-13 23:12 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-05-06 01:20 . 2012-05-06 01:20 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-05-04 10:52 . 2012-06-13 23:12 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 10:08 . 2012-06-13 23:12 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:08 . 2012-06-13 23:12 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-02 05:32 . 2012-06-13 23:12 208896 ----a-w- c:\windows\system32\profsvc.dll

2012-04-28 03:50 . 2012-06-13 23:11 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-09 39408]

"boincmgr"="c:\program files (x86)\BOINC\boincmgr.exe" [2008-11-17 3916544]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]

"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]

"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

"QuickFinder Scheduler"="c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE" [1996-10-16 46080]

"boinctray"="c:\program files (x86)\BOINC\boinctray.exe" [2008-11-17 58112]

"MaxMenuMgr"="c:\program files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-25 185640]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]

"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]

"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]

"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-06-04 296056]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]

.

c:\users\Sarah M\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Corel Desktop Application Director.LNK - c:\program files (x86)\Corel\Dad7\QUICK.EXE [2010-8-1 165888]

DING!.lnk - c:\program files (x86)\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

OpenOffice.org 3.4.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-4-19 1199104]

PerfectPrint.LNK - c:\program files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE [2010-8-1 282624]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2010-2-15 1135560]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\gearaspisys.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 135664]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]

R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-14 9728]

R3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 135664]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-01 113120]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-01-20 315664]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-02 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2010-03-06 482384]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]

S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-04-07 158976]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-04-07 271872]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2010-05-18 164464]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2009-12-18 36760]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

.

2012-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001Core.job

- c:\users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001UA.job

- c:\users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-07 166424]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-07 391192]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-07 413720]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-01-20 1926928]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.4.1

FF - ProfilePath - c:\users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.spacesynth.net/forum/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

FF - prefs.js: network.proxy.http - 189.71.26.9

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

.

------- File Associations -------

.

JSEFile=c:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

SafeBoot-MsMpSvc

Toolbar-Locked - (no file)

HKLM-Run-(Default) - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe

HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\program files (x86)\OpenOffice.org 3\program\soffice.exe

c:\program files (x86)\OpenOffice.org 3\program\soffice.bin

c:\program files (x86)\BOINC\boinc.exe

.

**************************************************************************

.

Completion time: 2012-07-25 14:24:52 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-25 18:24

.

Pre-Run: 331,761,242,112 bytes free

Post-Run: 333,182,971,904 bytes free

.

- - End Of File - - 4BD55D82996563A3CB60814D6DE02A77


I'm posting the MBAM log below. Computer seems to be running fine--no pop-ups or redirects, no longer messing with the layout of my desktop, and Chrome seems happy. MS Security Essentials is telling me "the specified service does not exist as an installed service" when I try to run it... I'm guessing that could be fixed with a reinstall. I'll also re-install the Adobe products and Java.

Thank you so much for your help, and especially for the prompt replies. Made my day (and week) a lot better. :)

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.07

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Sarah M :: JOLLYGREENGIANT [administrator]

7/25/2012 2:48:42 PM

mbam-log-2012-07-25 (14-48-42).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 197585

Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

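As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for the MBAM 1.x log format posted above. It pulls the scan metadata, the per-section "Detected:" counts and each detection line (item, threat name, action), and reports whether the scan was clean, whether anything is still pending "Delete on reboot", and whether a section's count disagrees with the number of detection lines actually listed under it (a sign of a truncated paste). The sample log embedded in it is constructed: the header mirrors the format of the logs in this thread, but the detection paths, registry key and threat names are hypothetical.

```python
"""Parse a Malwarebytes Anti-Malware 1.x scan log and summarise what it found."""
import re
from dataclasses import dataclass, field

# Constructed sample log for this example. Header fields copy the format seen in
# the thread; every detection below (paths, key, threat names) is hypothetical.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.25.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
User :: HOSTNAME [administrator]

7/25/2012 2:48:42 PM
mbam-log-2012-07-25 (14-48-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197585
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Example\Hypothetical (Trojan.Example) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Program Files (x86)\Example\example_dropper.exe (Trojan.Dropper.Example) -> Quarantined and deleted successfully.
C:\Windows\Installer\{00000000-0000-0000-0000-000000000000}\n (Rootkit.Example) -> Delete on reboot.

(end)
"""

# "Files Detected: 2", "Registry Keys Detected: 0", ...
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<n>\d+)\s*$")
# "<item> (<threat>) -> <action>."  The item is matched greedily so that
# parentheses inside paths such as "Program Files (x86)" stay with the item;
# the threat name is the last parenthesised group before " -> ".
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
META_RE = re.compile(
    r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed"
    r"|Scan options enabled|Scan options disabled): (?P<value>.+?)\s*$"
)


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str


@dataclass
class ScanReport:
    metadata: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)       # section name -> declared count
    detections: list = field(default_factory=list)   # Detection objects in log order

    @property
    def is_clean(self) -> bool:
        return sum(self.counts.values()) == 0 and not self.detections

    @property
    def needs_reboot(self) -> bool:
        # MBAM defers locked files with "Delete on reboot."; the box is not
        # clean until that reboot has happened.
        return any("reboot" in d.action.lower() for d in self.detections)

    def inconsistencies(self) -> list:
        """Sections whose declared count differs from the lines listed under them."""
        return [s for s, n in self.counts.items()
                if n != sum(1 for d in self.detections if d.section == s)]


def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
            report.counts[section] = int(m.group("n"))
            continue
        if (m := META_RE.match(line)):
            report.metadata[m.group("key")] = m.group("value")
            continue
        if section and (m := DETECTION_RE.match(line)):
            report.detections.append(
                Detection(section, m.group("item"), m.group("threat"), m.group("action")))
    return report


def summarize(report: ScanReport) -> str:
    """One-paragraph verdict suitable for pasting back into a forum reply."""
    if report.is_clean:
        return "Scan clean: no detections in any section."
    lines = [f"{len(report.detections)} detection(s), database {report.metadata.get('Database version', '?')}:"]
    for d in report.detections:
        lines.append(f"  [{d.section}] {d.threat}: {d.item} -> {d.action}")
    if report.needs_reboot:
        lines.append("  NOTE: at least one item is pending 'Delete on reboot'; reboot and rescan.")
    if report.inconsistencies():
        lines.append(f"  WARNING: counts do not match listed items in {report.inconsistencies()} (truncated log?)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_mbam_log(SAMPLE_LOG)))
```

Feed it the text of a real log (`parse_mbam_log(open("mbam-log.txt").read())`) and check `is_clean` and `needs_reboot` before declaring a machine done; the count check catches the common case where a poster's paste stopped short of the "(end)" marker.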

Great

That seems to happen a lot with MSE and a reinstall will work.

A little cleanup to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


This topic is now closed to further replies.