
rootkit.0access, help!



I know I posted a topic on this before, and I'm terribly sorry, I completely forgot about it.

I have Farbar downloaded onto my jumpdrive, plugged it into the infected machine, accessed BIOS Settings, started Repair, Windows is still loading files... I promise to stay into this, this time.. :)

Will have the logs soon!


Run this scan also:

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Here's the FRST log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 27-07-2012 14:01:00

Running from F:\

Windows 7 Professional (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WN111v2\jswtrayutil.exe" [x]

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-14] ()

HKLM\...\Run: [sweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe [114992 2012-01-19] (SweetIM Technologies Ltd.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-05] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files\AMD AVT\bin\kdbsync.exe" aml [10752 2012-02-20] ()

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1996200 2012-06-27] (LogMeIn Inc.)

HKU\Park Family\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-29] (Google Inc.)

HKU\Park Family\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-01] (DT Soft Ltd)

HKU\Park Family\...\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe [3082320 2012-01-28] ()

HKU\Park Family\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [x]

HKU\William\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-29] (Google Inc.)

HKU\William\...\Run: [Google Update] "C:\Users\William\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-29] (Google Inc.)

HKU\William\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [x]

HKU\William\...\Run: [spotify] "C:\Users\William\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [x]

HKU\William\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)

HKU\William\...\Run: [HydraVisionDesktopManager] "C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe" [380928 2008-12-01] (AMD)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\D-Link AirPlus G Configuration Utility.lnk

ShortcutTarget: D-Link AirPlus G Configuration Utility.lnk -> C:\Program Files\D-Link AirPlus G\AirPlus.exe (D-Link)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk

ShortcutTarget: NETGEAR WN111v2 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WN111v2\WN111v2.exe (NETGEAR)

================================ Services (Whitelisted) ==================

2 Brother XP spl Service; C:\Windows\system32\brsvc01a.exe [57344 2001-11-22] (brother Industries Ltd)

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

2 Hamachi2Svc; "C:\Program Files\LogMeIn Hamachi\hamachi-2.exe" -s [1385896 2012-06-27] (LogMeIn Inc.)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 npkcmsvc; C:\Windows\system32\npkcmsvc.exe [191008 2012-02-28] (INCA Internet Co., Ltd.)

2 NTAService; C:\Program Files\Nate\AddressSearch\ntasvr.exe /service [122880 2011-07-19] (SK Communications)

2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-06-25] ()

2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-14] (Skype Technologies)

========================== Drivers (Whitelisted) =============

3 Andbus; C:\Windows\System32\DRIVERS\lgandbus.sys [14336 2010-12-07] (LG Electronics Inc.)

3 AndDiag; C:\Windows\System32\DRIVERS\lganddiag.sys [20736 2010-12-07] (LG Electronics Inc.)

3 AndGps; C:\Windows\System32\DRIVERS\lgandgps.sys [20096 2010-12-07] (LG Electronics Inc.)

3 ANDModem; C:\Windows\System32\DRIVERS\lgandmodem.sys [25088 2010-12-07] (LG Electronics Inc.)

1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [232512 2011-10-30] (DT Soft Ltd)

3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)

3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-06] ()

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)

3 npkakl; \??\C:\Windows\system32\npkakl.sys [29216 2009-08-20] (INCA Internet Co.,Ltd.)

3 npkcrypt; \??\C:\Windows\system32\npkcrypt.sys [55200 2009-07-24] (INCA Internet Co., Ltd.)

3 PRISM; C:\Windows\System32\DRIVERS\PRISMNDS.sys [676352 2003-10-02] (GlobespanVirata, Inc.)

3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-04-06] (AnchorFree Inc)

3 TVICHW32; \??\C:\Windows\system32\TVICHW32.SYS [29632 2011-05-22] (EnTech Taiwan)

3 W8100PCI; C:\Windows\System32\DRIVERS\mrv8k51.sys [258560 2004-04-02] (Marvell Semiconductor, Inc)

3 WN111v2; C:\Windows\System32\DRIVERS\WN111v2w7.sys [624128 2010-04-27] (Atheros Communications, Inc.)

3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]

3 scsk5; C:\Windows\System32\drivers\scsk5.sys [x]

3 XDva391; \??\C:\Windows\system32\XDva391.sys [x]

3 XDva392; \??\C:\Windows\system32\XDva392.sys [x]

3 XDva393; \??\C:\Windows\system32\XDva393.sys [x]

3 XDva397; \??\C:\Windows\system32\XDva397.sys [x]

3 XDva398; \??\C:\Windows\system32\XDva398.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-27 14:00 - 2012-07-27 14:01 - 00000000 ____D C:\FRST

2012-07-27 10:18 - 2012-07-27 10:18 - 00187464 ____A (Webroot) C:\Users\William\Downloads\antizeroaccess.exe

2012-07-27 10:02 - 2012-07-27 10:02 - 00002479 ____A C:\Users\Public\Desktop\Safari.lnk

2012-07-27 10:02 - 2012-07-27 10:02 - 00000000 ____D C:\Program Files\Safari

2012-07-26 03:56 - 2012-07-26 03:56 - 00000000 ____D C:\Users\William\AppData\Local\Macromedia

2012-07-25 13:19 - 2012-07-27 09:44 - 00000000 ____D C:\Users\William\AppData\Roaming\.techniclauncher

2012-07-25 13:19 - 2012-07-25 13:19 - 00052736 ____A (Technic) C:\Users\William\Desktop\TechnicLauncher.exe

2012-07-23 11:07 - 2012-07-27 10:39 - 00000000 ____D C:\Users\William\AppData\Local\LogMeIn Hamachi

2012-07-23 11:06 - 2012-07-23 11:06 - 00000896 ____A C:\Users\Public\Desktop\LogMeIn Hamachi.lnk

2012-07-23 11:06 - 2012-07-23 11:06 - 00000000 ____D C:\Program Files\LogMeIn Hamachi

2012-07-19 03:20 - 2012-07-19 03:20 - 00000000 ____D C:\Users\William\Desktop\tdsskiller

2012-07-18 13:07 - 2012-07-18 13:07 - 00010200 ____A C:\Users\William\Downloads\Galldr.ttf

2012-07-18 13:06 - 2012-07-18 13:06 - 00054244 ____A C:\Users\William\Downloads\Ancient Language.ttf

2012-07-13 11:33 - 2012-07-24 10:22 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\William\Desktop\tdsskiller.exe

2012-07-13 11:27 - 2012-07-13 11:27 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-07-11 10:49 - 2012-07-11 10:49 - 00000000 ____D C:\Program Files\AMD APP

2012-07-11 10:45 - 2012-07-11 10:45 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-07-11 10:45 - 2012-07-11 10:44 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll

2012-07-11 10:45 - 2012-07-11 10:44 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe

2012-07-11 10:45 - 2012-07-11 10:44 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe

2012-07-11 10:45 - 2012-07-11 10:44 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe

2012-07-11 10:44 - 2012-07-11 10:44 - 00000000 ____D C:\Program Files\Java

2012-07-11 10:43 - 2012-07-11 10:43 - 00000000 ____D C:\Users\All Users\McAfee

2012-07-11 10:36 - 2012-07-11 10:36 - 00143200 ____A C:\Windows\Minidump\071112-33774-01.dmp

2012-07-04 02:34 - 2012-07-11 13:33 - 00000000 ____D C:\Program Files\ESTsoft

2012-07-04 02:34 - 2012-07-04 02:51 - 00000000 ____D C:\Users\William\AppData\Roaming\ESTsoft

2012-07-04 02:34 - 2012-07-04 02:34 - 00000000 ____D C:\Users\William\AppData\Local\ECRSC

2012-07-04 02:34 - 2012-07-04 02:34 - 00000000 ____D C:\Users\All Users\ESTsoft

2012-06-29 14:13 - 2012-06-29 14:18 - 00000000 ____D C:\Program Files\Common Files\PX Storage Engine

2012-06-29 14:13 - 2012-06-29 14:13 - 00000000 ____D C:\Users\William\AppData\Roaming\DivX

2012-06-29 14:10 - 2012-06-29 14:11 - 00933256 ____A (DivX, LLC) C:\Users\William\Downloads\DivXInstaller(1).exe

============ 3 Months Modified Files ========================

2012-07-27 10:39 - 2012-01-08 05:21 - 00096835 ____A C:\PGError.log

2012-07-27 10:39 - 2011-10-29 20:16 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-27 10:39 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-27 10:39 - 2009-07-13 20:39 - 00083508 ____A C:\Windows\setupact.log

2012-07-27 10:38 - 2011-10-30 00:17 - 00562706 ____A C:\Windows\PFRO.log

2012-07-27 10:37 - 2009-07-13 20:34 - 00021696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-27 10:37 - 2009-07-13 20:34 - 00021696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-27 10:36 - 2011-10-29 20:16 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-27 10:18 - 2012-07-27 10:18 - 00187464 ____A (Webroot) C:\Users\William\Downloads\antizeroaccess.exe

2012-07-27 10:06 - 2012-01-07 16:41 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311700126-1893408969-2311707057-1003UA.job

2012-07-27 10:02 - 2012-07-27 10:02 - 00002479 ____A C:\Users\Public\Desktop\Safari.lnk

2012-07-27 05:44 - 2011-10-30 18:07 - 00283304 ____A C:\Windows\System32\PnkBstrB.xtr

2012-07-27 05:44 - 2011-10-30 18:01 - 00283304 ____A C:\Windows\System32\PnkBstrB.exe

2012-07-27 05:44 - 2011-10-30 18:01 - 00280904 ____A C:\Windows\System32\PnkBstrB.ex0

2012-07-27 05:44 - 2011-10-30 18:01 - 00140800 ____A C:\Windows\System32\Drivers\PnkBstrK.sys

2012-07-27 03:30 - 2012-01-10 07:38 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs

2012-07-26 14:15 - 2012-01-07 16:41 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311700126-1893408969-2311707057-1003Core.job

2012-07-26 03:16 - 2012-04-04 03:58 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-26 03:16 - 2011-10-30 04:31 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-07-25 13:19 - 2012-07-25 13:19 - 00052736 ____A (Technic) C:\Users\William\Desktop\TechnicLauncher.exe

2012-07-24 10:22 - 2012-07-13 11:33 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\William\Desktop\tdsskiller.exe

2012-07-23 11:06 - 2012-07-23 11:06 - 00000896 ____A C:\Users\Public\Desktop\LogMeIn Hamachi.lnk

2012-07-18 13:07 - 2012-07-18 13:07 - 00010200 ____A C:\Users\William\Downloads\Galldr.ttf

2012-07-18 13:06 - 2012-07-18 13:06 - 00054244 ____A C:\Users\William\Downloads\Ancient Language.ttf

2012-07-12 14:07 - 2012-01-07 16:42 - 00002416 ____A C:\Users\William\Desktop\Google Chrome.lnk

2012-07-12 03:39 - 2012-04-06 18:34 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-11 14:06 - 2009-07-13 20:53 - 00032566 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-11 10:44 - 2012-07-11 10:45 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll

2012-07-11 10:44 - 2012-07-11 10:45 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe

2012-07-11 10:44 - 2012-07-11 10:45 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe

2012-07-11 10:44 - 2012-07-11 10:45 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe

2012-07-11 10:44 - 2011-10-30 08:40 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll

2012-07-11 10:41 - 2011-11-07 04:57 - 00001945 ____A C:\Windows\epplauncher.mif

2012-07-11 10:36 - 2012-07-11 10:36 - 00143200 ____A C:\Windows\Minidump\071112-33774-01.dmp

2012-07-11 10:36 - 2012-01-13 17:36 - 244922723 ____A C:\Windows\MEMORY.DMP

2012-07-03 10:46 - 2012-04-06 18:11 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-03 06:58 - 2011-10-29 21:20 - 01964025 ____A C:\Windows\WindowsUpdate.log

2012-06-29 14:11 - 2012-06-29 14:10 - 00933256 ____A (DivX, LLC) C:\Users\William\Downloads\DivXInstaller(1).exe

2012-06-27 16:17 - 2011-10-29 21:36 - 00729688 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-26 09:32 - 2012-06-26 09:30 - 38494576 ____A (Apple Inc.) C:\Users\William\Downloads\SafariSetup.exe

2012-06-25 10:09 - 2012-06-25 10:08 - 00278561 ____A C:\Users\William\Desktop\Minecraft.exe

2012-06-25 06:07 - 2012-06-08 10:16 - 00000643 ____A C:\Users\William\Desktop\C&C Generals Windows 7 Cure.website

2012-06-25 03:17 - 2011-10-30 18:01 - 00076888 ____A C:\Windows\System32\PnkBstrA.exe

2012-06-24 16:50 - 2011-12-06 15:44 - 00138056 ____A C:\Users\William\AppData\Roaming\PnkBstrK.sys

2012-06-24 16:49 - 2012-06-24 16:49 - 02434856 ____A C:\Windows\System32\pbsvc_bc2.exe

2012-06-24 12:15 - 2012-06-24 12:08 - 111678378 ____A C:\Users\William\Downloads\swbf2v1.3patch_full_revision_117.exe

2012-06-23 18:55 - 2012-06-23 18:55 - 00002216 ____A C:\Users\Public\Desktop\Star Wars Republic Commando.lnk

2012-06-23 18:46 - 2011-10-30 05:05 - 00014774 ____A C:\Windows\DirectX.log

2012-06-23 18:40 - 2012-06-23 18:40 - 00001924 ____A C:\Users\William\Desktop\Play Star Wars Battlefront II.lnk

2012-06-23 18:26 - 2012-06-23 18:26 - 00002134 ____A C:\Users\Public\Desktop\Star Wars Battlefront.lnk

2012-06-13 06:05 - 2009-07-13 20:33 - 00395808 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-13 05:48 - 2011-10-29 20:31 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-11 10:50 - 2012-06-11 10:50 - 00159232 ____A C:\Windows\System32\clinfo.exe

2012-06-11 10:50 - 2012-06-11 10:50 - 00065024 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo.dll

2012-06-11 10:50 - 2012-06-11 10:50 - 00056320 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OVDecode.dll

2012-06-11 10:49 - 2012-06-11 10:49 - 13008896 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl.dll

2012-06-07 04:06 - 2011-12-22 12:35 - 00000024 ____A C:\Users\William\random.dat

2012-06-07 03:45 - 2011-12-22 12:35 - 00000047 ____A C:\Users\William\jagex_cl_runescape_LIVE1.dat

2012-06-07 03:45 - 2011-12-22 12:35 - 00000032 ____A C:\Users\William\jagex_cl_runescape_LIVE.dat

2012-06-03 06:36 - 2012-06-03 06:36 - 00541816 ____A (Sterkly LLC) C:\Users\William\Downloads\BestVideoDownloader(2).exe

2012-06-03 06:35 - 2012-06-03 06:34 - 00541816 ____A (Sterkly LLC) C:\Users\William\Downloads\BestVideoDownloader(1).exe

2012-06-02 14:19 - 2012-06-22 12:21 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-22 12:21 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-22 12:21 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-22 12:21 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-22 12:21 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:12 - 2012-06-22 12:21 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:12 - 2012-06-22 12:21 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 12:19 - 2012-06-22 12:21 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 12:14 - 2012-06-02 12:14 - 00583168 ____A C:\Users\William\Desktop\w-c-Subject ?Verb Agreement (1).ppt

2012-06-02 12:14 - 2012-06-02 12:14 - 00107864 ____A C:\Users\William\Downloads\w-c-Subject ?Verb Agreement.pptx

2012-06-02 12:14 - 2012-06-02 12:14 - 00107864 ____A C:\Users\William\Downloads\w-c-Subject ?Verb Agreement (1).pptx

2012-06-02 12:12 - 2012-06-22 12:21 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-29 18:03 - 2012-05-29 17:58 - 76225536 ____A (The GIMP Team ) C:\Users\William\Downloads\gimp-2.8.0-setup.exe

2012-05-20 15:39 - 2012-05-20 15:39 - 00002028 ____A C:\Users\Public\Desktop\Zoo Tycoon Complete Collection.lnk

2012-05-17 15:11 - 2012-06-13 05:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 14:48 - 2012-06-13 05:45 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 14:45 - 2012-06-13 05:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 14:36 - 2012-06-13 05:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 14:35 - 2012-06-13 05:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 14:35 - 2012-06-13 05:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 14:33 - 2012-06-13 05:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 14:31 - 2012-06-13 05:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 14:29 - 2012-06-13 05:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 14:29 - 2012-06-13 05:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 14:28 - 2012-05-17 14:28 - 00004096 ___AH C:\Users\William\AppData\Local\keyfile3.drm

2012-05-17 14:27 - 2012-06-13 05:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 14:25 - 2012-06-13 05:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 14:24 - 2012-06-13 05:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 14:20 - 2012-06-13 05:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-14 17:05 - 2012-06-13 02:44 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-10 15:19 - 2009-07-13 18:04 - 00000499 ____A C:\Windows\win.ini

2012-05-04 01:59 - 2012-06-13 05:44 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll

2012-05-03 14:17 - 2012-04-19 13:51 - 00000511 ____A C:\Users\William\Desktop\Tamiya America - First in Quality Around the World.website

2012-05-02 14:43 - 2012-01-25 16:14 - 00023552 ____A C:\Users\William\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-05-02 14:31 - 2012-05-02 14:31 - 00001080 ____A C:\Users\Public\Desktop\Prism Video File Converter.lnk

2012-04-30 20:44 - 2012-06-13 02:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-30 14:28 - 2012-04-30 14:28 - 00541816 ____A (Sterkly LLC) C:\Users\William\Downloads\BestVideoDownloader.exe

ZeroAccess:

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}\@

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}\n

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}\U

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}\U\00000001.@

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}\U\80000000.@

ZeroAccess:

C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}

C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}\@

C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}\L

C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe

[2011-10-30 16:45] - [2010-11-19 12:17] - 0285696 ____A (Microsoft Corporation) 1562571D6B1541098E677C3BB78709A0

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll

[2011-10-30 16:45] - [2010-11-19 12:21] - 0811520 ____A (Microsoft Corporation) BE8C64439F1E2AF088063218C16EB9FE

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 6%

Total physical RAM: 8190.3 MB

Available physical RAM: 7683.79 MB

Total Pagefile: 8188.58 MB

Available Pagefile: 7688.54 MB

Total Virtual: 2047.88 MB

Available Virtual: 1956.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:596.16 GB) (Free:225.87 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

4 Drive f: (TravelDrive) (Removable) (Total:1.92 GB) (Free:1.92 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 596 GB 8 MB

Disk 1 Online 1968 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 596 GB 31 KB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 596 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1967 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 0E

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F TravelDrive FAT Removable 1967 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-23 10:08

======================= End Of Log ==========================

And the Search log:

Farbar Recovery Scan Tool Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-27 14:20:34

Running from F:\

================== Search: "services.exe" ===================

C:\Windows.old\Windows\system32\services.exe

[2008-04-14 04:00] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\Windows.old\Windows\system32\dllcache\services.exe

[2008-04-14 04:00] - [2009-02-06 03:11] - 0110592 ___AC (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\Windows.old\Windows\$NtUninstallKB956572$\services.exe

[2010-03-22 18:18] - [2008-04-14 04:00] - 0108544 ___AC (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185

C:\Windows.old\Windows\$hf_mig$\KB956572\SP3QFE\services.exe

[2010-03-22 04:51] - [2009-02-06 03:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

I'm downloading RogueKiller right now... Will have the log soon!


Here's the RogueKiller log!

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User: William [Admin rights]

Mode: Scan -- Date: 07/27/2012 14:47:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{098a6706-3321-4926-c724-844ca3898fda}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{098a6706-3321-4926-c724-844ca3898fda}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{098a6706-3321-4926-c724-844ca3898fda}\U --> FOUND

[ZeroAccess][FILE] @ : c:\users\william\appdata\local\{098a6706-3321-4926-c724-844ca3898fda}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\william\appdata\local\{098a6706-3321-4926-c724-844ca3898fda}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\william\appdata\local\{098a6706-3321-4926-c724-844ca3898fda}\L --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-00A7B0 ATA Device +++++

--- User ---

[MBR] 0616268c8f94215f089b3802237da29e

[bSP] fa82828a8829fbd62a898c3cd278c341 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 610469 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Do you need the RogueKiller Quarantine folder content?


OK, here you go......Please carefully carry out this procedure!!!!!!

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}
C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC

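The three findings the logs above turn on are a hash comparison of C:\Windows\System32\services.exe against the WinSxS copy (the FRST search log shows identical size and timestamps but a different MD5, which is why the fixlist's Replace line copies from WinSxS), RogueKiller's "ASLR WIPED-OFF" result on the same file, and the {GUID} folders holding @, n, U and L. As an added example, not FRST's, RogueKiller's or MrC's code, this Python script runs those three checks over a constructed directory tree built in a temp folder; the WinSxS folder name and the PE images are placeholders, while the GUID and the other paths are taken from the log.

```python
import hashlib
import os
import re
import struct
import tempfile

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: RogueKiller reported it cleared
# ("ASLR WIPED-OFF") on the infected services.exe in the log above.
DYNAMIC_BASE = 0x0040
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = {"n", "U", "L"}  # entries seen next to '@' in both logs above


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def pe_dll_characteristics(path):
    """Return the optional header's DllCharacteristics, or None if not a PE."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20  # skip PE signature and COFF file header
    if len(data) < opt + 72:
        return None
    return struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32/PE32+


def check_services_exe(live_path, reference_path):
    """Compare the live services.exe with the WinSxS component-store copy."""
    # In the FRST search log the infected copy kept the clean file's size and
    # timestamps, so only the hash and the PE flags give it away.
    live, ref = md5_of(live_path), md5_of(reference_path)
    chars = pe_dll_characteristics(live_path)
    return {"md5_live": live, "md5_reference": ref,
            "hash_mismatch": live != ref,
            "aslr_wiped": chars is not None and not chars & DYNAMIC_BASE}


def find_zeroaccess_dirs(roots):
    """Flag {GUID} folders that hold an '@' file plus n/U/L entries."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in os.listdir(root):
            path = os.path.join(root, name)
            if not (os.path.isdir(path) and GUID_DIR.match(name)):
                continue
            entries = set(os.listdir(path))
            if "@" in entries and entries & ZA_MARKERS:
                hits.append((path, sorted(entries & ZA_MARKERS)))
    return hits


def build_pe(aslr_enabled, payload=b""):
    """Constructed minimal PE32 header (not runnable) with DYNAMIC_BASE set or cleared."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8140 if aslr_enabled else 0x8100)
    return dos + b"PE\0\0" + coff + bytes(opt) + payload


def build_sample_tree():
    """Constructed sample tree mirroring the paths in the FRST log (not a real system)."""
    root = tempfile.mkdtemp(prefix="za_demo_")
    guid = "{098a6706-3321-4926-c724-844ca3898fda}"  # GUID from the log above
    sys32 = os.path.join(root, "Windows", "System32")
    winsxs = os.path.join(root, "Windows", "winsxs", "x86_servicecontroller_demo")  # placeholder name
    installer = os.path.join(root, "Windows", "Installer", guid)
    appdata = os.path.join(root, "Users", "William", "AppData", "Local", guid)
    for d in (sys32, winsxs, os.path.join(installer, "U"),
              os.path.join(appdata, "U"), os.path.join(appdata, "L")):
        os.makedirs(d)
    # Clean copy keeps ASLR; the "infected" copy has it cleared and differs in bytes, not size.
    with open(os.path.join(winsxs, "services.exe"), "wb") as f:
        f.write(build_pe(True, b"\0" * 64))
    with open(os.path.join(sys32, "services.exe"), "wb") as f:
        f.write(build_pe(False, b"\x90" * 64))
    for p in (os.path.join(installer, "@"), os.path.join(installer, "n"), os.path.join(appdata, "@")):
        open(p, "wb").close()
    return {"live": os.path.join(sys32, "services.exe"),
            "reference": os.path.join(winsxs, "services.exe"),
            "roots": [os.path.dirname(installer), os.path.dirname(appdata)]}


def run_demo():
    tree = build_sample_tree()
    report = check_services_exe(tree["live"], tree["reference"])
    report["zeroaccess_dirs"] = find_zeroaccess_dirs(tree["roots"])
    return report
```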

Here you go:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-27 15:33:56 Run:1

Running from F:\

==============================================

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe not found.

Could not find C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}C:\Windows\System32\services.exe.

Could not find C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda}C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda}C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe.

==== End of Fixlog ====


Here you go!

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-27 16:30:35 Run:2

Running from F:\

==============================================

C:\Windows\Installer\{098a6706-3321-4926-c724-844ca3898fda} moved successfully.

C:\Users\William\AppData\Local\{098a6706-3321-4926-c724-844ca3898fda} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Here's the Combofix log:

ComboFix 12-07-27.03 - William 07/27/2012 16:45:04.1.4 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2326 [GMT -5:00]

Running from: c:\users\William\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

C:\LOG7F1.tmp

C:\LOG8.tmp


c:\users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\hgstarter_verinfo.dat

c:\windows\system32\npkpdb.dll

c:\windows\TEMP\logishrd\LVPrcInj02.dll

.

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe

.

Infected copy of c:\windows\System32\winver.exe was found and disinfected

Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00\winver.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))

.

.

2012-07-27 22:00 . 2012-07-27 22:01 -------- d-----w- C:\FRST

2012-07-27 21:55 . 2012-07-27 21:55 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B23C0C53-AA04-4350-B47A-811F61C4B9A9}\offreg.dll

2012-07-27 21:53 . 2012-07-27 21:53 -------- d-----w- c:\users\Park Family\AppData\Local\temp

2012-07-27 21:53 . 2012-07-27 21:55 -------- d-----w- c:\users\William\AppData\Local\temp

2012-07-27 21:53 . 2012-07-27 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-27 18:02 . 2012-07-27 18:02 -------- d-----w- c:\program files\Safari

2012-07-26 11:56 . 2012-07-26 11:56 -------- d-----w- c:\users\William\AppData\Local\Macromedia

2012-07-25 21:19 . 2012-07-27 17:44 -------- d-----w- c:\users\William\AppData\Roaming\.techniclauncher

2012-07-23 19:07 . 2012-07-27 21:55 -------- d-----w- c:\users\William\AppData\Local\LogMeIn Hamachi

2012-07-23 19:06 . 2012-07-23 19:06 -------- d-----w- c:\program files\LogMeIn Hamachi

2012-07-13 19:27 . 2012-07-13 19:27 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-11 18:49 . 2012-07-11 18:49 -------- d-----w- c:\program files\AMD APP

2012-07-11 18:45 . 2012-07-11 18:45 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-07-11 18:45 . 2012-07-11 18:44 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-07-11 18:44 . 2012-07-11 18:44 -------- d-----w- c:\program files\Java

2012-07-11 18:43 . 2012-07-11 18:43 -------- d-----w- c:\programdata\McAfee

2012-07-04 10:34 . 2012-07-04 10:34 -------- d-----w- c:\users\William\AppData\Local\ECRSC

2012-07-04 10:34 . 2012-07-04 10:51 -------- d-----w- c:\users\William\AppData\Roaming\ESTsoft

2012-07-04 10:34 . 2012-07-11 21:33 -------- d-----w- c:\program files\ESTsoft

2012-07-04 10:34 . 2012-07-04 10:34 -------- d-----w- c:\programdata\ESTsoft

2012-06-29 22:13 . 2012-06-29 22:13 -------- d-----w- c:\users\William\AppData\Roaming\DivX

2012-06-29 22:13 . 2012-06-29 22:18 -------- d-----w- c:\program files\Common Files\PX Storage Engine

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-27 13:44 . 2011-10-31 02:01 140800 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2012-07-27 13:44 . 2011-10-31 02:07 283304 ----a-w- c:\windows\system32\PnkBstrB.xtr

2012-07-27 13:44 . 2011-10-31 02:01 283304 ----a-w- c:\windows\system32\PnkBstrB.exe

2012-07-27 13:44 . 2011-10-31 02:01 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0

2012-07-26 11:16 . 2012-04-04 11:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-26 11:16 . 2011-10-30 12:31 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-11 18:44 . 2011-10-30 16:40 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-03 18:46 . 2012-04-07 02:11 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-25 11:17 . 2011-10-31 02:01 76888 ----a-w- c:\windows\system32\PnkBstrA.exe

2012-06-25 00:50 . 2011-12-06 23:44 138056 ----a-w- c:\users\William\AppData\Roaming\PnkBstrK.sys

2012-06-25 00:49 . 2012-06-25 00:49 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe

2012-06-11 18:50 . 2012-06-11 18:50 159232 ----a-w- c:\windows\system32\clinfo.exe

2012-06-11 18:50 . 2012-06-11 18:50 65024 ----a-w- c:\windows\system32\OpenVideo.dll

2012-06-11 18:50 . 2012-06-11 18:50 56320 ----a-w- c:\windows\system32\OVDecode.dll

2012-06-11 18:49 . 2012-06-11 18:49 13008896 ----a-w- c:\windows\system32\amdocl.dll

2012-06-02 22:19 . 2012-06-22 20:21 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-22 20:21 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-22 20:21 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-22 20:21 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-22 20:21 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-22 20:21 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-22 20:21 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 20:19 . 2012-06-22 20:21 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 20:12 . 2012-06-22 20:21 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 22:45 . 2012-06-13 13:45 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35 . 2012-06-13 13:45 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35 . 2012-06-13 13:45 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29 . 2012-06-13 13:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24 . 2012-06-13 13:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-15 01:05 . 2012-06-13 10:44 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-05-04 09:59 . 2012-06-13 13:44 514560 ----a-w- c:\windows\system32\qdvd.dll

2012-05-01 04:44 . 2012-06-13 10:44 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-06-16 01:15 . 2011-10-30 04:23 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll

[-] 2010-11-19 . BE8C64439F1E2AF088063218C16EB9FE . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll

[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-30 39408]

"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2008-12-01 380928]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2012-01-19 114992]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2012-1-8 294912]

NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111v2.exe [2009-10-10 1728512]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 NTAService;Nate Address Search Service;c:\program files\Nate\AddressSearch\ntasvr.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [x]

R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [x]

R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [x]

R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [x]

R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\DRIVERS\PRISMNDS.sys [x]

R3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2w7.sys [x]

R3 XDva391;XDva391;c:\windows\system32\XDva391.sys [x]

R3 XDva392;XDva392;c:\windows\system32\XDva392.sys [x]

R3 XDva393;XDva393;c:\windows\system32\XDva393.sys [x]

R3 XDva397;XDva397;c:\windows\system32\XDva397.sys [x]

R3 XDva398;XDva398;c:\windows\system32\XDva398.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [x]

S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 npkakl;npkakl;c:\windows\system32\npkakl.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-30 04:16]

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-30 04:16]

.

2012-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311700126-1893408969-2311707057-1003Core.job

- c:\users\William\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 04:16]

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311700126-1893408969-2311707057-1003UA.job

- c:\users\William\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 04:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.blackl.com/black-google.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

DPF: {24F6E6A8-852C-45A8-ADD3-C4AB0D6FD231} - hxxp://plugin.inicis.com/wallet61/INIwallet61_vista.cab

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.samsungcard.co.kr/XecureObject/xw_install.cab

DPF: {811AD393-A55A-4FB8-B13C-9BCC0C3CA86A} - hxxps://vbv.samsungcard.co.kr/besoft/safeon/UsafeOnSamSungCard.cab

DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124

DPF: {9709739B-4909-489B-A1F7-148C74F16EEE} - hxxp://s.nx.com/ActiveX/ocx/nxsysinfo.cab

DPF: {B128EFF9-0B1C-4C65-A162-28165A3A0A18} - hxxp://ssl.makeshop.co.kr/ssl/MSecure.cab

DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/activex/HanSetup1040.cab

DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://comic.naver.com/common/cab/NaverAXGuide.cab

FF - ProfilePath - c:\users\William\AppData\Roaming\Mozilla\Firefox\Profiles\17br2dth.default\

FF - prefs.js: browser.search.defaulturl -

FF - prefs.js: network.proxy.type - 0

FF - user.js: extentions.y2layers.installId - b97b0ce6-7c59-45e7-8c0a-9197d3d4d5f2

FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe

HKCU-Run-Spotify - c:\users\William\AppData\Roaming\Spotify\Spotify.exe

HKLM-Run-jswtrayutil - c:\program files\NETGEAR\WN111v2\jswtrayutil.exe

SafeBoot-53987127.sys

SafeBoot-78182580.sys

AddRemove-Battlelog Web Plugins - c:\program files\Battlelog Web Plugins\uninstall.exe

AddRemove-SoftcampSCSK - c:\windows\system32\UnSCSK.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(3980)

c:\program files\ATI Technologies\HydraVision\HydraDMH.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\atieclxx.exe

c:\windows\system32\brsvc01a.exe

c:\windows\system32\brss01a.exe

c:\windows\system32\npkcmsvc.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\windows\System32\rundll32.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\windows\system32\WUDFHost.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\sppsvc.exe

c:\windows\system32\AUDIODG.EXE

c:\windows\system32\taskhost.exe

.

**************************************************************************

.

Completion time: 2012-07-27 17:02:32 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-27 22:02

.

Pre-Run: 242,427,170,816 bytes free

Post-Run: 249,222,180,864 bytes free

.

- - End Of File - - 483CA60C71EE8A14E7C90AFC754D7563
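The Sigcheck section of the log above lists two WinSxS component-store copies of user32.dll and the live System32 copy, which has the same size and file version but a different MD5 and a [-] (signature not verified) flag. As an added example that is not part of the original thread or of ComboFix, the Python below parses lines in that Sigcheck format (the three lines from the log are embedded as sample input) and flags live files whose hash matches no store copy of the same name and version; the function names and the SAMPLE_SIGCHECK constant are the example's own.

```python
import re
from collections import defaultdict

# The three Sigcheck lines from the log above, embedded as sample input.
SAMPLE_SIGCHECK = r"""
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[-] 2010-11-19 . BE8C64439F1E2AF088063218C16EB9FE . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        # A copy under \winsxs\ is a component-store reference, not a live file.
        d["winsxs"] = "\\winsxs\\" in d["path"].lower()
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        entries.append(d)
    return entries


def find_mismatches(entries):
    """Return live (non-WinSxS) files whose MD5 differs from every
    component-store copy with the same file name and file version.

    Size is deliberately not used as evidence: the log shows an in-place
    modification that kept the size at 811520 bytes while the hash changed.
    """
    store = defaultdict(set)  # (name, version) -> MD5s seen in WinSxS
    for e in entries:
        if e["winsxs"]:
            store[(e["name"], e["version"])].add(e["md5"])

    mismatches = []
    for e in entries:
        if e["winsxs"]:
            continue
        ref = store.get((e["name"], e["version"]))
        if ref is None:
            continue  # no store copy of this version to compare against
        if e["md5"] not in ref:
            mismatches.append({
                "path": e["path"],
                "version": e["version"],
                "flag": e["flag"],
                "md5": e["md5"],
                "reference_md5s": sorted(ref),
            })
    return mismatches


if __name__ == "__main__":
    for hit in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)):
        print("MISMATCH %s [%s] flag=%s live=%s store=%s" % (
            hit["path"], hit["version"], hit["flag"],
            hit["md5"], ",".join(hit["reference_md5s"])))
```

A hash mismatch against the store copy is a lead, not a verdict; the store copy is what ComboFix restored from in the winlogon.exe and winver.exe entries above.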


Great!

A little clean-up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Please remove any USB or external drives from the computer before you run this scan!

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

MrC


Farbar Service Scanner Version: 26-07-2012

Ran by William (administrator) on 27-07-2012 at 17:44:14

Running from "C:\Users\William\Desktop"

Microsoft Windows 7 Professional Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

BITS Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

Other Services:

==============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is set to Auto

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcore.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.