
Computer infected with "trojan.dropper.bcminer"



I read the forum thread where MrC solved this problem for member "mats_mats". I have the same problem. I followed his instructions for running FRST64.exe and have the logs with the results. Can anybody help solve this for me? Thank you!

Logs:

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01

Ran by SYSTEM at 28-07-2012 20:20:49

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload [1733120 2011-04-10] (Dominik Reichl)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKU\Default\...\Run: [EasyLinkAdvisor] "C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)

HKU\Default User\...\Run: [EasyLinkAdvisor] "C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)

HKU\KJK\...\Run: [EasyLinkAdvisor] "C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)

HKU\KJK\...\Run: [FreeApp] "C:\Program Files (x86)\FreeApps\FreeApps.exe" /autorun [814496 2011-04-10] (VTools)

HKU\KJK\...\Run: [Advanced SystemCare 4] C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe [402832 2011-04-21] (IObit)

HKU\KJK\...\Run: [EPSON Artisan 830 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGXA.EXE /FU "C:\Windows\TEMP\E_S82DC.tmp" /EF "HKCU" [224768 2010-01-12] (SEIKO EPSON CORPORATION)

HKU\KJK\...\Run: [EPSON9A935B (Artisan 830)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGXA.EXE /FU "C:\Windows\TEMP\E_SAF51.tmp" /EF "HKCU" [224768 2010-01-12] (SEIKO EPSON CORPORATION)

HKU\KJK\...\Run: [dogses] "C:\Windows\System32\rundll32.exe" "C:\Users\KJK\AppData\Roaming\dogses.dll",_SetItem [477184 2012-07-26] (C-Media Electronics Inc.)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1085000 2012-07-03] (Malwarebytes Corporation)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

==================== Services (Whitelisted) ======

2 AdvancedSystemCareService; C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [352656 2011-04-21] (IObit)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 SplashtopRemoteService; "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" [548264 2012-06-15] (Splashtop Inc.)

2 SSUService; C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [370504 2012-03-14] (Splashtop Inc.)

========================== Drivers (Whitelisted) =============

2 elagopro; C:\Windows\System32\DRIVERS\elagop64.sys [42496 2007-03-22] (Gteko Ltd.)

2 elaunidr; C:\Windows\System32\DRIVERS\elauni64.sys [7680 2007-03-22] (Gteko Ltd.)

3 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36168 2012-07-28] ()

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-28 20:17 - 2012-07-28 20:17 - 00000000 ____D C:\FRST

2012-07-28 14:04 - 2012-07-28 15:59 - 00000850 ____A C:\Windows\setupact.log

2012-07-28 14:04 - 2012-07-28 14:04 - 00000000 ____A C:\Windows\setuperr.log

2012-07-28 14:01 - 2012-07-28 14:02 - 00030464 ____A C:\Users\KJK\Documents\cc_20120728_180151.reg

2012-07-28 06:07 - 2012-07-28 06:07 - 00036168 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

2012-07-28 06:06 - 2012-07-28 06:06 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-26 06:05 - 2012-07-26 06:05 - 00477184 ____A (C-Media Electronics Inc.) C:\Users\KJK\AppData\Roaming\dogses.dll

2012-07-26 06:05 - 2012-07-26 06:05 - 00000000 ____D C:\Users\KJK\AppData\Local\{EF33015D-D72A-11E1-8270-B8AC6F996F26}

2012-07-26 06:04 - 2012-07-28 06:12 - 00000000 ____D C:\Users\KJK\AppData\Roaming\xsecva

2012-07-26 05:23 - 2012-07-26 05:23 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-13 12:48 - 2012-07-13 12:48 - 01212275 ____A C:\Users\KJK\Documents\HStreaming.pptx

2012-07-13 12:48 - 2012-07-13 12:48 - 00000165 ___AH C:\Users\KJK\Documents\~$HStreaming.pptx

2012-07-13 11:59 - 2012-07-13 11:59 - 00000000 ____D C:\Users\KJK\AppData\Roaming\webex

2012-07-13 11:59 - 2012-07-13 11:59 - 00000000 ____D C:\Users\All Users\WebEx

2012-07-11 10:09 - 2012-07-11 10:09 - 00000000 ____D C:\Users\KJK\Documents\1147_Mattox

2012-07-10 23:04 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-10 16:19 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-10 16:19 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-10 16:19 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-10 16:19 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-10 16:19 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-10 16:19 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-10 16:19 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-10 16:19 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-10 16:19 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-10 16:19 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-10 16:19 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-10 16:19 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-10 16:19 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-10 16:19 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-10 16:19 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-10 16:19 - 2012-04-23 21:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-07-10 16:19 - 2012-04-23 21:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-07-10 16:19 - 2012-04-23 21:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-07-10 16:19 - 2012-04-23 20:47 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-07-10 16:19 - 2012-04-23 20:47 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-07-10 16:19 - 2012-04-23 20:47 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-07-03 09:19 - 2012-03-15 17:41 - 00061088 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\Drivers\TMUSB64.sys

2012-07-03 09:17 - 2012-07-03 09:17 - 13969304 ____A C:\Users\KJK\Downloads\epson14652.exe

2012-07-03 08:58 - 2012-07-28 15:38 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-02 05:52 - 2012-07-02 05:52 - 00000000 ____D C:\Users\KJK\AppData\Local\{BD52D38F-4F0D-4325-BB9E-32223CCB54AA}

============ 3 Months Modified Files ========================

2012-07-28 15:59 - 2012-07-28 14:04 - 00000850 ____A C:\Windows\setupact.log

2012-07-28 15:55 - 2011-09-07 07:17 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-28 15:38 - 2012-07-03 08:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-28 14:11 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-28 14:11 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-28 14:08 - 2009-07-13 21:13 - 00717086 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-28 14:04 - 2012-07-28 14:04 - 00000000 ____A C:\Windows\setuperr.log

2012-07-28 14:04 - 2011-09-07 07:17 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-28 14:04 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-28 14:02 - 2012-07-28 14:01 - 00030464 ____A C:\Users\KJK\Documents\cc_20120728_180151.reg

2012-07-28 06:07 - 2012-07-28 06:07 - 00036168 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

2012-07-28 06:06 - 2012-07-28 06:06 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-27 08:38 - 2012-04-02 18:06 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-27 08:38 - 2011-06-08 14:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-26 06:05 - 2012-07-26 06:05 - 00477184 ____A (C-Media Electronics Inc.) C:\Users\KJK\AppData\Roaming\dogses.dll

2012-07-13 12:48 - 2012-07-13 12:48 - 01212275 ____A C:\Users\KJK\Documents\HStreaming.pptx

2012-07-13 12:48 - 2012-07-13 12:48 - 00000165 ___AH C:\Users\KJK\Documents\~$HStreaming.pptx

2012-07-11 12:52 - 2011-09-07 07:17 - 00002340 ____A C:\Users\Public\Desktop\Google Chrome.lnk

2012-07-10 23:22 - 2009-07-13 20:45 - 00417616 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-10 23:01 - 2011-12-17 09:15 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-03 09:46 - 2011-04-10 06:31 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-03 09:17 - 2012-07-03 09:17 - 13969304 ____A C:\Users\KJK\Downloads\epson14652.exe

2012-06-28 18:46 - 2012-01-04 13:48 - 00030144 ____A C:\Users\KJK\Documents\2012 OGS Time Tracking Workbook.xlsx

2012-06-11 19:02 - 2012-07-10 23:04 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:30 - 2012-07-10 16:19 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:46 - 2012-07-10 16:19 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 21:50 - 2012-07-10 16:19 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:50 - 2012-07-10 16:19 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:09 - 2012-07-10 16:19 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:09 - 2012-07-10 16:19 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-02 14:19 - 2012-06-25 04:09 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-25 04:09 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-25 04:09 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-25 04:09 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-25 04:09 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-25 04:09 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-25 04:09 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-25 04:09 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-25 04:09 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-01 21:38 - 2012-07-10 16:19 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:38 - 2012-07-10 16:19 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:37 - 2012-07-10 16:19 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:27 - 2012-07-10 16:19 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:27 - 2012-07-10 16:19 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:48 - 2012-07-10 16:19 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:48 - 2012-07-10 16:19 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:47 - 2012-07-10 16:19 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:42 - 2012-07-10 16:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-05-24 08:17 - 2012-05-24 08:17 - 00077326 ____A C:\Users\KJK\Downloads\FUSE_SIRIS_NVS.pptx

2012-05-14 19:56 - 2012-06-13 15:08 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 19:52 - 2012-06-13 15:08 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 19:08 - 2012-06-13 15:08 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-14 19:06 - 2012-06-13 15:08 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-07 12:58 - 2012-05-07 12:57 - 12932000 ____A (Splashtop Inc.) C:\Users\KJK\Downloads\Splashtop_Streamer_Win_v1.7.5.6.EXE

2012-05-07 12:56 - 2012-05-07 12:56 - 00002779 ____A C:\Users\Public\Desktop\Splashtop Remote Client.lnk

2012-05-07 12:54 - 2012-05-07 12:53 - 12494104 ____A (Splashtop Inc. ) C:\Users\KJK\Downloads\Splashtop_Remote_Desktop_Win_v1.1.4.0.exe

2012-05-04 02:52 - 2012-06-13 15:07 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:08 - 2012-06-13 15:07 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:08 - 2012-06-13 15:07 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

ZeroAccess:

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\@

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\L

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\L\00000004.@

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\L\201d3dde

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\00000004.@

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\000000cb.@

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000000.@

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000032.@

C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000064.@

ZeroAccess:

C:\Users\KJK\AppData\Local\{c0ae4208-160f-e164-f6bf-6043fd47aca9}

C:\Users\KJK\AppData\Local\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\@

C:\Users\KJK\AppData\Local\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\L

C:\Users\KJK\AppData\Local\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%

Total physical RAM: 4094.55 MB

Available physical RAM: 3366.14 MB

Total Pagefile: 4092.7 MB

Available Pagefile: 3447.48 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:931.4 GB) (Free:877.44 GB) NTFS

2 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive g: () (Removable) (Total:3.87 GB) (Free:0.67 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: () (Fixed) (Total:76.32 GB) (Free:29.19 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 76 GB 13 MB

Disk 1 Online 931 GB 10 MB

Disk 2 Online 3974 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 76 GB 31 KB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y NTFS Partition 76 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 0 Extended 931 GB 103 MB

Partition 2 Logical 931 GB 103 MB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3973 MB 272 KB

==================================================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G FAT32 Removable 3973 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-28 08:45

======================= End Of Log ==========================

Search Log:

Farbar Recovery Scan Tool Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-28 20:19:48

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

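The FRST log above is what a helper reads by eye: the rundll32 autorun pointing at a DLL in AppData\Roaming, the literal `%APPDATA%` folder under SysWOW64, the `Installer\{GUID}\U` store, the Desktop.ini files in the GAC, and a services.exe whose MD5 FRST flags with ATTENTION while the WinSxS copy has a different hash. The script below is an added example, not FRST's code and not part of this thread: it runs those same checks as detection rules over FRST-style log lines and, for a Search section, reports any file whose copies disagree on their MD5. The sample lines are copied from the log posted above; the matching rules are this example's own heuristics.

```python
"""Added example (not FRST's code and not from this thread): a triage pass over
FRST log lines. It flags the ZeroAccess indicators that FRST surfaced in the
log above and, for a Search section, reports files whose copies disagree on
their MD5. The rules are this example's own heuristics, not FRST's logic."""
import re

# Constructed sample: lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKU\KJK\...\Run: [dogses] "C:\Windows\System32\rundll32.exe" "C:\Users\KJK\AppData\Roaming\dogses.dll",_SetItem [477184 2012-07-26] (C-Media Electronics Inc.)
2012-07-26 05:23 - 2012-07-26 05:23 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-13 11:59 - 2012-07-13 11:59 - 00000000 ____D C:\Users\KJK\AppData\Roaming\webex
ZeroAccess:
C:\Windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000032.@
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
"""

# Constructed sample: the Search section from the same post.
SEARCH_SAMPLE = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

# Each rule: (what it means, pattern). All are heuristics written for this example.
RULES = [
    ("Run entry loads a DLL via rundll32 from a user-writable AppData folder",
     re.compile(r'\\Run: \[.*rundll32\.exe".*\\Users\\[^\\]+\\AppData\\.*\.dll', re.I)),
    ("folder literally named %APPDATA% inside the Windows directory",
     re.compile(r"\\Windows\\.*\\%APPDATA%", re.I)),
    ("ZeroAccess-style hidden store under Windows\\Installer\\{GUID}\\U or \\L",
     re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\(U|L)\\", re.I)),
    ("Desktop.ini dropped into the .NET GAC folder",
     re.compile(r"\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I)),
    ("system binary whose MD5 FRST could not match to a known-good hash",
     re.compile(r"^C:\\Windows\\.*\.(exe|dll|sys) [0-9A-F]{32} .*ATTENTION", re.I)),
]

# Detail line FRST prints under each Search hit: dates, size, attrs, company, MD5.
DETAIL = re.compile(r"^\[.*\] - \[.*\] - (\d+) \S+ \((.*)\) ([0-9A-Fa-f]{32})$")


def triage(log_text):
    """Return (line number, rule description, line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def search_hashes(search_text):
    """Pair each path line with the detail line beneath it: {path: (size, md5)}."""
    entries = {}
    lines = [l.strip() for l in search_text.splitlines() if l.strip()]
    for prev, cur in zip(lines, lines[1:]):
        m = DETAIL.match(cur)
        if m and re.match(r"^[A-Za-z]:\\", prev):
            entries[prev] = (int(m.group(1)), m.group(3).upper())
    return entries


def mismatched_copies(entries):
    """Group hits by file name; keep names whose copies differ in size or MD5."""
    by_name = {}
    for path, info in entries.items():
        by_name.setdefault(path.rsplit("\\", 1)[-1].lower(), {})[path] = info
    return {name: copies for name, copies in by_name.items()
            if len(set(copies.values())) > 1}


if __name__ == "__main__":
    for lineno, label, line in triage(SAMPLE_LOG):
        print(f"line {lineno}: {label}\n    {line}")
    for name, copies in mismatched_copies(search_hashes(SEARCH_SAMPLE)).items():
        print(f"{name}: copies disagree")
        for path, (size, md5) in copies.items():
            print(f"    {md5} {size:>8} {path}")
```

On a real log, feed the file contents to `triage()` and the Search block to `search_hashes()`; a mismatch between the System32 file and its WinSxS component-store copy, with identical sizes, is exactly the pattern the posted log shows for services.exe.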

OK, here you go... Please carefully carry out this procedure!

Open Notepad. Make sure "Word Wrap" under Format is unchecked! Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt


C:\Users\KJK\AppData\Local\{c0ae4208-160f-e164-f6bf-6043fd47aca9}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

MrC

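The "Replace:" line in the fixlist above does one thing: it copies the clean services.exe that Windows keeps in the WinSxS component store over the patched one in System32. The script below is an added example, not FRST's code and not part of this thread; it reproduces that check and repair in Python so the idea can be tested offline. It hashes the live System32 binary, hashes every copy of the same file under winsxs, and if they disagree copies a chosen store copy into place and re-verifies. It builds a constructed Windows-like tree in a temporary directory (the directory names, file contents and the `DEMO` component folder are made up); against a real machine you would point `compare_with_store` at `C:\Windows` from an elevated prompt and, as in the thread, only ever replace the file from an offline recovery environment.

```python
r"""Added example (not FRST's code, not from the thread): reproduce the check and
repair behind FRST's "Replace: <winsxs copy> <System32 file>" directive.
Runs offline on a constructed tree; real use: compare_with_store(r"C:\Windows",
"services.exe")."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path):
    """Hex MD5 of a file, upper-cased to match the format FRST logs."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def winsxs_copies(windows_root, name):
    """Every file called `name` under <root>/winsxs, the tree FRST's Search walks."""
    return sorted(Path(windows_root, "winsxs").rglob(name))


def compare_with_store(windows_root, name):
    """Hash the live System32 file and every component-store copy of it."""
    live = Path(windows_root, "System32", name)
    live_md5 = md5_of(live)
    store = {str(p): md5_of(p) for p in winsxs_copies(windows_root, name)}
    return {
        "live": str(live),
        "live_md5": live_md5,
        "store": store,
        # True when at least one store copy is byte-identical to the live file.
        "matches_store": live_md5 in store.values(),
    }


def restore_from_store(windows_root, name, source_copy):
    """Equivalent of the fixlist's Replace line: overwrite the live binary with
    the chosen store copy, then re-run the comparison."""
    live = Path(windows_root, "System32", name)
    shutil.copy2(source_copy, live)
    return compare_with_store(windows_root, name)


def build_demo_tree(tmp, infected=True):
    """Constructed layout: one clean copy in winsxs and a System32 copy that,
    when infected=True, keeps the same size but has altered bytes. That is the
    situation in the posted log: both services.exe files are 328704 bytes and
    only the MD5 gives the patched one away."""
    root = Path(tmp, "Windows")
    clean = b"MZ" + b"\x00" * 300 + b"services.exe clean body"
    store_dir = root / "winsxs" / "amd64_microsoft-windows-s..s-servicecontroller_DEMO"
    store_dir.mkdir(parents=True)
    (store_dir / "services.exe").write_bytes(clean)
    (root / "System32").mkdir()
    live = clean[:-5] + b"PATCH" if infected else clean  # same length, different bytes
    (root / "System32" / "services.exe").write_bytes(live)
    return root


def demo(infected=True):
    """Run the check on a constructed tree; returns the before/after results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp, infected)
        before = compare_with_store(root, "services.exe")
        after = before
        if not before["matches_store"]:
            # Assumption for the demo: the single store copy is the clean one.
            # On a real system, pick the copy whose hash is known-good first.
            source = next(iter(before["store"]))
            after = restore_from_store(root, "services.exe", source)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo(infected=True)
    for stage in ("before", "after"):
        r = result[stage]
        print(f"{stage}: {r['live_md5']} matches store copy: {r['matches_store']}")
```

The comparison is only as good as the store copy it trusts, which is why FRST names the exact winsxs path in the Replace line rather than picking one blindly; the size field on its own proves nothing, as the two identical 328704-byte sizes in the search log show.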

Doing that now. One last note: I have an old hard drive w/ WinXP (the D: drive, where C: is the Win7 normal boot) on the PC. FRST is asking which OS, and I'm telling it to scan/fix/search on the C: drive. FYI. The fixlog (vice fixlist?) is:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 2012-07-28 21:16:38 Run:1

Running from G:\

==============================================

C:\Users\KJK\AppData\Local\{c0ae4208-160f-e164-f6bf-6043fd47aca9} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Well done, let's run ComboFix to clear up any leftovers (if you can).

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


MrC,

This is copied from the flash drive from the desktop run of the ComboFix report:

ComboFix 12-07-27.03 - KJK 07/28/2012 21:38:03.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.3022 [GMT -4:00]

Running from: c:\users\KJK\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\KJK\AppData\Roaming\dogses.dll

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\L\00000004.@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\L\201d3dde

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\00000004.@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\00000008.@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\000000cb.@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000000.@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000032.@

c:\windows\Installer\{c0ae4208-160f-e164-f6bf-6043fd47aca9}\U\80000064.@

.

.

((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))

.

.

2012-07-29 04:17 . 2012-07-29 04:17 -------- d-----w- C:\FRST

2012-07-28 14:07 . 2012-07-28 14:07 36168 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-07-26 14:05 . 2012-07-26 14:05 -------- d-----w- c:\users\KJK\AppData\Local\{EF33015D-D72A-11E1-8270-B8AC6F996F26}

2012-07-26 14:04 . 2012-07-28 14:12 -------- d-----w- c:\users\KJK\AppData\Roaming\xsecva

2012-07-26 13:23 . 2012-07-26 13:23 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-26 12:40 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA4368A8-144A-4A79-98E6-D846D320F1E4}\mpengine.dll

2012-07-25 12:07 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-13 19:59 . 2012-07-13 19:59 -------- d-----w- c:\users\KJK\AppData\Roaming\webex

2012-07-13 19:59 . 2012-07-13 19:59 -------- d-----w- c:\programdata\WebEx

2012-07-11 07:04 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys

2012-07-04 17:35 . 2012-02-10 08:24 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{54A032C2-5EB5-4847-99F5-69478B9C5900}\gapaengine.dll

2012-07-03 17:19 . 2012-03-16 01:41 61088 ----a-w- c:\windows\system32\drivers\TMUSB64.sys

2012-07-02 13:52 . 2012-07-02 13:52 -------- d-----w- c:\users\KJK\AppData\Local\{BD52D38F-4F0D-4325-BB9E-32223CCB54AA}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-27 16:38 . 2012-04-03 02:06 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-27 16:38 . 2011-06-08 22:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-11 07:01 . 2011-12-17 17:15 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-03 17:46 . 2011-04-10 14:31 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-02 22:19 . 2012-06-25 12:09 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-25 12:09 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-25 12:09 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-25 12:09 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-25 12:09 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-25 12:09 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-25 12:09 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-25 12:09 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-25 12:09 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-05-15 03:56 . 2012-06-13 23:08 1197568 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:52 . 2012-06-13 23:08 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:08 . 2012-06-13 23:08 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-05-04 10:52 . 2012-06-13 23:07 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 10:08 . 2012-06-13 23:07 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:08 . 2012-06-13 23:07 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

"FreeApp"="c:\program files (x86)\FreeApps\FreeApps.exe" [2011-04-10 814496]

"Advanced SystemCare 4"="c:\program files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-21 402832]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-04-10 1733120]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-07 136176]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-07 136176]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-07-28 36168]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-10 1255736]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [2011-04-21 352656]

S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]

S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-06-15 548264]

S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-03-15 370504]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]

S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-29 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 16:38]

.

2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-07 15:17]

.

2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-07 15:17]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

FF - ProfilePath - c:\users\KJK\AppData\Roaming\Mozilla\Firefox\Profiles\byqkd7pr.default\

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-dogses - c:\users\KJK\AppData\Roaming\dogses.dll

SafeBoot-mbamchameleon

SafeBoot-MsMpSvc

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\IObit\Advanced SystemCare 4\PMonitor.exe

c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

.

**************************************************************************

.

Completion time: 2012-07-28 21:47:10 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-29 01:47

.

Pre-Run: 946,307,772,416 bytes free

Post-Run: 945,791,275,008 bytes free

.

- - End Of File - - 52A2CD178BB07BB18E01877E91AA0483


MrC,

Thanks again! Scan found nothing (report below) and the computer is running normally.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.28.07

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

KJK :: ZEUS [administrator]

7/29/2012 5:34:39 PM

mbam-log-2012-07-29 (17-34-39).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 442810

Time elapsed: 51 minute(s), 56 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Great!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.