
infected with smitfraud.C-generic - I think...



1- started hearing ads played and weird music all of a sudden; thought it was flash on webpage i had open.

2- happened again with no browser open

3- ran Spybot Search and Destroy - smitfraud.c came up; attempted to remove, said to reboot to complete process

4- rebooted

5- ran Spybot S&D again

6- no smitfraud.c, but 2 other trojans, attempted to remove, said to reboot to complete process

7- rebooted

8- steps 5,6,7 keep happening

9- came to malwarebytes.org and found this thread regarding smitfraud.c

10 - read this thread and here we are...

DDS.txt

Attach.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User: Barbara [Admin rights]

Mode: Scan -- Date: 08/06/2012 21:30:07

¤¤¤ Bad processes: 1 ¤¤¤

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 4 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\L --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

127.0.0.1 www.100sexlinks.com

127.0.0.1 100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7501AALS-00E8B0 ATA Device +++++

--- User ---

[MBR] 6be7603acb5f29029c6a38bea1cf79f6

[bSP] 6edc8406c0b1ffc4eec2f98f9a508f98 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] a33db691d5e436651b3c968f2dbee4d7

[bSP] 6edc8406c0b1ffc4eec2f98f9a508f98 : Windows 7 MBR Code

Partition table:

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo

+++++ PhysicalDrive1: Hitachi HDS721010CLA332 ATA Device +++++

--- User ---

[MBR] 4d06da31a3ad25adc11e6b85ded88e60

[bSP] 0e63646ce84dba51a338f6aa7192bf45 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

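The MBR Check section of the report above compares the MBR as Windows presents it ("User") with the two alternate reads RogueKiller labels LL1 and LL2. On PhysicalDrive0 the LL2 read returns a different MBR hash (a33db691... versus 6be7603a...), which is what the "User != LL2 ... KO!" line and the "Root.MBR" verdict rest on; PhysicalDrive1 agrees on every view. The following is an added example, not code from this thread or from RogueKiller: a small Python parser that extracts these fields from a report in the layout shown and flags any drive whose views disagree, independently of the tool's own OK/KO annotation. The sample report is an excerpt of the one posted above; the regular expressions assume that exact line layout.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt of the RogueKiller "MBR Check" section posted above (two drives).
SAMPLE_REPORT = """\
+++++ PhysicalDrive0: WDC WD7501AALS-00E8B0 ATA Device +++++
--- User ---
[MBR] 6be7603acb5f29029c6a38bea1cf79f6
[bSP] 6edc8406c0b1ffc4eec2f98f9a508f98 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] a33db691d5e436651b3c968f2dbee4d7
[bSP] 6edc8406c0b1ffc4eec2f98f9a508f98 : Windows 7 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 715302 Mo
+++++ PhysicalDrive1: Hitachi HDS721010CLA332 ATA Device +++++
--- User ---
[MBR] 4d06da31a3ad25adc11e6b85ded88e60
[bSP] 0e63646ce84dba51a338f6aa7192bf45 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!
"""

# Line patterns, matching the report layout above (an assumption about the format).
DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): (.+?) \+{5}$")
VIEW_RE = re.compile(r"^--- (\w+) ---$")
MBR_RE = re.compile(r"^\[MBR\] ([0-9a-fA-F]{32})$")
BSP_RE = re.compile(r"^\[[bB]SP\] ([0-9a-fA-F]{32}) : (.+)$")
VERDICT_RE = re.compile(r"^User (=|!=) (LL\d) \.\.\. (OK|KO)!$")


@dataclass
class DriveCheck:
    name: str
    model: str
    mbr_hash: dict = field(default_factory=dict)   # view name -> MBR MD5
    bsp_hash: dict = field(default_factory=dict)   # view name -> boot sector MD5
    verdicts: dict = field(default_factory=dict)   # "LL1"/"LL2" -> "OK"/"KO" as printed by the tool


def parse_mbr_check(report: str) -> list[DriveCheck]:
    """Walk the report line by line, collecting one DriveCheck per physical drive."""
    drives: list[DriveCheck] = []
    view = None
    for raw in report.splitlines():
        line = raw.strip()
        if m := DRIVE_RE.match(line):
            drives.append(DriveCheck(m.group(1), m.group(2)))
            view = None
            continue
        if not drives:
            continue                      # ignore anything before the first drive header
        cur = drives[-1]
        if m := VIEW_RE.match(line):
            view = m.group(1)             # "User", "LL2", ...: the read method for the next hashes
        elif (m := MBR_RE.match(line)) and view:
            cur.mbr_hash[view] = m.group(1).lower()
        elif (m := BSP_RE.match(line)) and view:
            cur.bsp_hash[view] = m.group(1).lower()
        elif m := VERDICT_RE.match(line):
            cur.verdicts[m.group(2)] = m.group(3)
    return drives


def assess(drive: DriveCheck) -> list[str]:
    """Flag a drive when any alternate read of the MBR disagrees with what Windows shows."""
    findings: list[str] = []
    user_mbr = drive.mbr_hash.get("User")
    if user_mbr is None:
        return ["no User view parsed; cannot compare"]
    for view, h in drive.mbr_hash.items():
        if view == "User":
            continue
        if h != user_mbr:
            findings.append(f"MBR hash differs between Windows view ({user_mbr}) and {view} ({h})")
        elif drive.verdicts.get(view) == "KO":
            findings.append(f"tool reports KO for {view} but the printed hashes match; inspect manually")
    for view, verdict in drive.verdicts.items():
        if verdict == "KO" and view not in drive.mbr_hash:
            findings.append(f"tool reports KO for {view} but printed no {view} section")
    return findings


def triage(report: str) -> dict[str, list[str]]:
    """Drive name -> list of findings (empty list means all views agree)."""
    return {d.name: assess(d) for d in parse_mbr_check(report)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_REPORT).items():
        print(name, "->", findings or "views agree")
```

A disagreement between the Windows view and a low-level read is the signature of a boot-sector rootkit that filters what the OS is allowed to see; the hash comparison is the evidence, and the tool's OK/KO line is only its summary of that same comparison, which is why the parser cross-checks the two.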

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

You have 2 nasty infections!

------------------

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

MrC


Farbar Recovery Scan Tool Version: 05-08-2012 03

Ran by SYSTEM at 2012-08-06 23:00:08

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03

Ran by SYSTEM at 06-08-2012 22:55:29

Running from H:\

Windows 7 Professional (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-21] (Realtek Semiconductor)

HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [bCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [346320 2009-08-04] (DeviceVM, Inc.)

HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-09-25] (NEC Electronics Corporation)

HKLM-x32\...\Run: [MagicRotation] C:\Program Files (x86)\MagicRotation\MagicPvt.exe [1097728 2007-08-24] (Samsung Electronics, Inc.)

HKLM-x32\...\Run: [MultiScreen] C:\Program Files (x86)\MultiScreen\MultiScreen.exe [114688 2008-06-30] ()

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-26] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [268640 2011-11-12] (LeapFrog Enterprises, Inc.)

HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2012-02-23] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [135536 2010-12-13] (Microsoft Corporation)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKU\Barbara\...\Run: [Grid] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [376832 2009-08-26] ()

HKU\Barbara\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2009-08-26] (AMD)

HKU\Barbara\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17146504 2012-01-31] (Skype Technologies S.A.)

HKU\Barbara\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)

HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\GammaTray.lnk

ShortcutTarget: GammaTray.lnk -> C:\Program Files (x86)\MagicTune Premium\GammaTray.exe ()

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NCProTray.lnk

ShortcutTarget: NCProTray.lnk -> C:\Program Files (x86)\SEC\Natural Color Pro\NCProTray.exe (Samsung)

Startup: C:\Users\Barbara\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

Startup: C:\Users\Barbara\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 BCUService; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [219360 2009-08-04] (DeviceVM, Inc.)

2 JMB36X; C:\Windows\SysWOW64\XSrvSetup.exe [65536 2009-08-05] ()

2 MagicTuneEngine; C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe [45056 2007-08-23] ()

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2011-10-11] ()

2 Smart TimeLock; C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [114688 2009-10-13] (Gigabyte Technology CO., LTD.)

========================== Drivers (Whitelisted) =============

3 gdrv; \??\C:\Windows\gdrv.sys [25640 2010-03-09] (Windows ® Server 2003 DDK provider)

3 GVTDrv64; \??\C:\Windows\GVTDrv64.sys [30528 2010-03-02] ()

3 AODDriver; \??\C:\Program Files (x86)\gigabyte\ET6\amd64\AODDriver.sys [x]

3 atidgllk; \??\C:\Program Files (x86)\gigabyte\ET6\atidgllk.sys [x]

3 MagicTune; C:\Windows\System32\drivers\MTiCtwl.sys [x]

1 NCPro; C:\Windows\system32\drivers\MTictwl.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-06 22:55 - 2012-08-06 22:55 - 00000000 ____D C:\FRST

2012-08-06 17:30 - 2012-08-06 17:30 - 00002929 ____A C:\Users\Barbara\Desktop\RKreport[1].txt

2012-08-06 17:27 - 2012-08-06 17:30 - 00000000 ____D C:\Users\Barbara\Desktop\RK_Quarantine

2012-08-06 17:26 - 2012-08-06 17:26 - 01552896 ____A C:\Users\Barbara\Downloads\RogueKiller.exe

2012-08-06 17:09 - 2012-08-06 17:09 - 00018727 ____A C:\Users\Barbara\Desktop\DDS.txt

2012-08-06 17:08 - 2012-08-06 17:08 - 00011790 ____A C:\Users\Barbara\Desktop\Attach.txt

2012-08-06 16:58 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\System32\Drivers\etc\hosts.20120806-205812.backup

2012-08-06 16:51 - 2012-08-06 16:51 - 00607260 ____R (Swearware) C:\Users\Barbara\Desktop\dds.scr

2012-08-06 16:50 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-08-04 04:31 - 2012-08-06 17:58 - 00001408 ____A C:\Windows\PFRO.log

2012-08-04 03:38 - 2012-08-04 03:38 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\Malwarebytes

2012-08-04 03:38 - 2012-08-04 03:38 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-08-04 03:38 - 2012-08-04 03:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-04 03:38 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-04 03:37 - 2012-08-04 03:37 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Barbara\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-30 16:45 - 2012-08-06 18:49 - 00001746 ____A C:\Windows\setupact.log

2012-07-30 16:45 - 2012-07-30 16:45 - 00000000 ____A C:\Windows\setuperr.log

2012-07-30 16:41 - 2012-07-30 16:41 - 00000085 ____A C:\Windows\wininit.ini

2012-07-30 16:09 - 2012-08-06 17:58 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy

2012-07-30 16:09 - 2012-08-06 17:07 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2012-07-30 16:08 - 2012-07-30 16:08 - 00000000 ____D C:\Program Files\CCleaner

2012-07-30 16:01 - 2012-07-30 16:01 - 16409960 ____A (Safer Networking Limited ) C:\Users\Barbara\Downloads\spybotsd162.exe

2012-07-30 16:00 - 2012-07-30 16:00 - 03907920 ____A (Piriform Ltd) C:\Users\Barbara\Downloads\ccsetup321.exe

2012-07-29 22:19 - 2012-07-30 00:38 - 00000000 ____D C:\Windows\Microsoft Antimalware

2012-07-29 20:55 - 2012-07-29 20:55 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-07-29 20:51 - 2012-07-29 20:51 - 00000000 ____D C:\Windows\Sun

2012-07-29 18:07 - 2012-07-29 18:09 - 253886464 ____A C:\Users\Barbara\Downloads\WDO_Media64.iso

2012-07-28 19:05 - 2012-07-28 19:05 - 00000000 ____D C:\Program Files (x86)\7-Zip

2012-07-28 16:48 - 2012-07-28 16:48 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\ImTOO

2012-07-28 16:48 - 2012-07-28 16:48 - 00000000 ____D C:\Users\Barbara\AppData\Local\ImTOO

2012-07-28 16:47 - 2012-07-28 16:47 - 00000000 ____D C:\Users\All Users\ImTOO

2012-07-28 16:47 - 2012-07-28 16:47 - 00000000 ____D C:\Program Files (x86)\ImTOO

2012-07-27 21:26 - 2012-07-27 21:26 - 31436842 ____A C:\Users\Barbara\Desktop\VIDEO0048.3gp

2012-07-20 20:39 - 2012-07-20 20:39 - 00000000 ____D C:\Users\Barbara\Documents\pjs favs

2012-07-20 15:03 - 2012-07-20 15:03 - 00002014 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2012-07-11 06:53 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-11 06:50 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-07-11 06:50 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-07-11 06:50 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-07-11 06:50 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-07-11 06:50 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-07-11 06:50 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-07-11 06:50 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-07-11 06:50 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-07-11 06:50 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-07-11 06:50 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-07-11 06:50 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-07-11 06:50 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-07-11 06:50 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-07-11 06:50 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-07-11 06:50 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-07-11 06:50 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-07-11 06:50 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-07-11 06:50 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-07-11 06:50 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-07-11 06:50 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-07-11 06:50 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-07-11 06:50 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-07-11 06:50 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-07-11 06:50 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-07-11 06:50 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-07-11 06:50 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-07-11 06:50 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-07-11 06:50 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-07-11 06:35 - 2012-07-11 06:35 - 00001895 ____A C:\Users\Barbara\AppData\Local\recently-used.xbel

2012-07-11 06:32 - 2012-07-11 06:36 - 00000000 ____D C:\Users\Barbara\.gimp-2.8

2012-07-11 06:32 - 2012-07-11 06:32 - 00000000 ____D C:\Users\Barbara\AppData\Local\gegl-0.2

2012-07-11 06:30 - 2012-07-11 06:30 - 00000000 ____D C:\Program Files\GIMP 2

2012-07-11 05:47 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-11 05:47 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-11 05:47 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-11 05:47 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-11 05:47 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-11 05:47 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-11 05:47 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-11 05:47 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-11 05:47 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-11 05:47 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-11 05:47 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-11 05:47 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-11 05:47 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-11 05:47 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-11 05:47 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-08 08:16 - 2012-08-03 17:44 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\XBMC

2012-07-08 08:16 - 2012-07-08 08:16 - 00000000 ____D C:\Program Files (x86)\XBMC

============ 3 Months Modified Files ========================

2012-08-06 18:49 - 2012-07-30 16:45 - 00001746 ____A C:\Windows\setupact.log

2012-08-06 18:49 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-06 18:45 - 2009-07-13 20:45 - 00015056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-06 18:45 - 2009-07-13 20:45 - 00015056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-06 17:58 - 2012-08-04 04:31 - 00001408 ____A C:\Windows\PFRO.log

2012-08-06 17:56 - 2009-07-13 21:13 - 00005202 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-06 17:30 - 2012-08-06 17:30 - 00002929 ____A C:\Users\Barbara\Desktop\RKreport[1].txt

2012-08-06 17:26 - 2012-08-06 17:26 - 01552896 ____A C:\Users\Barbara\Downloads\RogueKiller.exe

2012-08-06 17:09 - 2012-08-06 17:09 - 00018727 ____A C:\Users\Barbara\Desktop\DDS.txt

2012-08-06 17:08 - 2012-08-06 17:08 - 00011790 ____A C:\Users\Barbara\Desktop\Attach.txt

2012-08-06 16:59 - 2012-05-12 13:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-06 16:51 - 2012-08-06 16:51 - 00607260 ____R (Swearware) C:\Users\Barbara\Desktop\dds.scr

2012-08-04 03:37 - 2012-08-04 03:37 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Barbara\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-04 03:20 - 2011-01-26 14:30 - 00002198 ____A C:\Windows\epplauncher.mif

2012-08-03 16:59 - 2012-05-12 13:35 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-03 16:59 - 2011-06-04 10:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-30 16:45 - 2012-07-30 16:45 - 00000000 ____A C:\Windows\setuperr.log

2012-07-30 16:41 - 2012-07-30 16:41 - 00000085 ____A C:\Windows\wininit.ini

2012-07-30 16:01 - 2012-07-30 16:01 - 16409960 ____A (Safer Networking Limited ) C:\Users\Barbara\Downloads\spybotsd162.exe

2012-07-30 16:00 - 2012-07-30 16:00 - 03907920 ____A (Piriform Ltd) C:\Users\Barbara\Downloads\ccsetup321.exe

2012-07-29 18:09 - 2012-07-29 18:07 - 253886464 ____A C:\Users\Barbara\Downloads\WDO_Media64.iso

2012-07-27 21:26 - 2012-07-27 21:26 - 31436842 ____A C:\Users\Barbara\Desktop\VIDEO0048.3gp

2012-07-20 15:03 - 2012-07-20 15:03 - 00002014 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2012-07-11 08:26 - 2009-07-13 20:45 - 00289152 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 06:51 - 2010-03-09 15:55 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-11 06:35 - 2012-07-11 06:35 - 00001895 ____A C:\Users\Barbara\AppData\Local\recently-used.xbel

2012-07-03 09:46 - 2012-08-04 03:38 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-02 14:28 - 2012-07-02 14:28 - 00013696 ____A C:\Users\Barbara\Desktop\hs_err_pid2932.log

2012-06-30 16:11 - 2012-07-06 22:29 - 35874591 ____A C:\Users\Barbara\Desktop\VIDEO0046.3gp

2012-06-12 15:56 - 2012-06-12 15:56 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-06-12 15:52 - 2012-06-12 15:52 - 00001845 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2012-06-11 19:02 - 2012-07-11 06:53 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:30 - 2012-07-11 05:47 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:46 - 2012-07-11 05:47 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 21:50 - 2012-07-11 05:47 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:50 - 2012-07-11 05:47 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:09 - 2012-07-11 05:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:09 - 2012-07-11 05:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 16:49 - 2012-06-05 16:49 - 00000542 ____A C:\Users\Barbara\Desktop\SABnzbd.lnk

2012-06-05 16:48 - 2012-06-05 16:48 - 10429661 ____A C:\Users\Barbara\Downloads\SABnzbd-0.6.15-win32-setup.exe

2012-06-03 15:40 - 2010-11-11 09:24 - 00001023 ____A C:\Users\Barbara\Desktop\Dropbox.lnk

2012-06-02 14:19 - 2012-06-21 20:20 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-21 20:20 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-21 20:20 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-21 20:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-21 20:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-21 20:20 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-21 20:19 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-21 20:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-21 20:19 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 04:49 - 2012-07-11 06:50 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 04:17 - 2012-07-11 06:50 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 04:12 - 2012-07-11 06:50 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 04:05 - 2012-07-11 06:50 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 04:05 - 2012-07-11 06:50 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 04:04 - 2012-07-11 06:50 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 04:04 - 2012-07-11 06:50 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 04:03 - 2012-07-11 06:50 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 04:01 - 2012-07-11 06:50 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 04:00 - 2012-07-11 06:50 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 03:59 - 2012-07-11 06:50 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 03:57 - 2012-07-11 06:50 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 03:57 - 2012-07-11 06:50 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 03:54 - 2012-07-11 06:50 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 01:07 - 2012-07-11 06:50 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-02 00:43 - 2012-07-11 06:50 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-02 00:33 - 2012-07-11 06:50 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-02 00:26 - 2012-07-11 06:50 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-02 00:25 - 2012-07-11 06:50 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-02 00:25 - 2012-07-11 06:50 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-02 00:23 - 2012-07-11 06:50 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-02 00:21 - 2012-07-11 06:50 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-02 00:20 - 2012-07-11 06:50 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-02 00:19 - 2012-07-11 06:50 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-02 00:19 - 2012-07-11 06:50 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-02 00:17 - 2012-07-11 06:50 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-02 00:16 - 2012-07-11 06:50 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-02 00:14 - 2012-07-11 06:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-01 21:38 - 2012-07-11 05:47 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:38 - 2012-07-11 05:47 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:37 - 2012-07-11 05:47 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:27 - 2012-07-11 05:47 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:27 - 2012-07-11 05:47 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:48 - 2012-07-11 05:47 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:48 - 2012-07-11 05:47 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:47 - 2012-07-11 05:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:42 - 2012-07-11 05:47 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-05-12 13:43 - 2012-05-12 13:43 - 00002491 ____A C:\Users\Public\Desktop\Safari.lnk

ZeroAccess:

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\@

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\L

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U\00000001.@

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U\80000000.@

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b}\U\800000cb.@

Possible partition infection:

C:\Windows\svchost.exe

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%

Total physical RAM: 6142.49 MB

Available physical RAM: 5412.81 MB

Total Pagefile: 6140.64 MB

Available Pagefile: 5393.34 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:698.54 GB) (Free:595.37 GB) NTFS

3 Drive d: (New Volume) (Fixed) (Total:931.51 GB) (Free:589.25 GB) NTFS

6 Drive h: (KINGSTON) (Removable) (Total:7.44 GB) (Free:3.33 GB) FAT32

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 698 GB 0 B

Disk 1 Online 931 GB 0 B

Disk 2 Online 7635 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 698 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C NTFS Partition 698 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 931 GB 1024 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 D New Volume NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7631 MB 4032 KB

==================================================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H KINGSTON FAT32 Removable 7631 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-27 22:23

======================= End Of Log ==========================

Search.txt

FRST.txt


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Gone for tonight > be back tomorrow am, MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03

Ran by SYSTEM at 2012-08-06 23:37:21 Run:1

Running from H:\

==============================================

C:\Windows\Installer\{0aca24c7-f98c-a34f-06e9-2963ab6de18b} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Fixlog.txt

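The FRST "Bamital & volsnap Check" above compares the hash of each critical binary with a known-good value (reporting "MD5 is legit" or flagging the mismatch, as it did for services.exe), and the Fixlog then restores the clean services.exe from the WinSxS component store. The script below is an added example of that same integrity-check-then-restore pattern; it is not FRST's or Farbar's code. It builds a throwaway directory tree (constructed sample data: a "System32" with one tampered services.exe, a stand-in WinSxS reference directory, and a stray svchost.exe at the Windows root like the "Possible partition infection" entry), hashes the live files against the reference copies, lists any svchost.exe outside System32/SysWOW64, and only repairs a file when the restore function is called explicitly. All file names, directory names and the hypothetical WinSxS directory name are assumptions for the demo.

```python
"""Integrity check for critical Windows binaries, modelled on FRST's
"Bamital & volsnap Check" and the Fixlog's restore from WinSxS.
Added example, not FRST/Farbar code; paths are constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Binaries the FRST log checks; checked relative to a System32-style directory.
CRITICAL_BINARIES = ["winlogon.exe", "wininit.exe", "services.exe",
                     "svchost.exe", "userinit.exe"]

# Directories (relative to the Windows root) where svchost.exe legitimately lives.
EXPECTED_SVCHOST_DIRS = {"system32", "syswow64"}


def file_hash(path, algo="sha256"):
    """Hash a file in chunks; uppercase hex like the log (it used MD5, SHA-256 is preferable now)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_integrity(system_dir, reference_dir, names=CRITICAL_BINARIES, algo="sha256"):
    """Return {name: (status, hash)} with status 'legit', 'mismatch' or 'missing'.
    A live file is 'legit' only if a reference copy exists and hashes identically."""
    results = {}
    for name in names:
        live = Path(system_dir) / name
        ref = Path(reference_dir) / name
        if not live.exists():
            results[name] = ("missing", None)
            continue
        live_hash = file_hash(live, algo)
        if ref.exists() and file_hash(ref, algo) == live_hash:
            results[name] = ("legit", live_hash)
        else:
            results[name] = ("mismatch", live_hash)   # what the log marks "<==== ATTENTION!"
    return results


def find_misplaced_svchost(windows_root):
    """List svchost.exe copies outside System32/SysWOW64 (WinSxS copies are ignored),
    the path anomaly behind 'Possible partition infection: C:\\Windows\\svchost.exe'."""
    root = Path(windows_root)
    hits = []
    for p in root.rglob("svchost.exe"):
        rel_dir = p.parent.relative_to(root)
        if rel_dir.parts and rel_dir.parts[0].lower() == "winsxs":
            continue   # component store legitimately holds many copies
        if rel_dir.as_posix().lower() not in EXPECTED_SVCHOST_DIRS:
            hits.append(str(p))
    return sorted(hits)


def restore_from_reference(system_dir, reference_dir, name):
    """Explicit repair step mirroring the Fixlog: copy the pristine file over the
    tampered one and return its hash. Never called automatically by the checker."""
    shutil.copy2(Path(reference_dir) / name, Path(system_dir) / name)
    return file_hash(Path(system_dir) / name)


def build_demo_tree():
    """Constructed sample tree: pristine copies in a stand-in WinSxS directory,
    one tampered services.exe in System32, one stray svchost.exe at the root."""
    root = Path(tempfile.mkdtemp(prefix="winroot_"))
    sys32 = root / "System32"
    ref = root / "winsxs" / "amd64_servicecontroller_demo"   # hypothetical component dir
    sys32.mkdir()
    ref.mkdir(parents=True)
    for name in CRITICAL_BINARIES:
        payload = f"pristine {name}".encode()
        (sys32 / name).write_bytes(payload)
        (ref / name).write_bytes(payload)
    (sys32 / "services.exe").write_bytes(b"pristine services.exe\x90patched")   # tampered
    (root / "svchost.exe").write_bytes(b"dropped copy")   # misplaced, like C:\Windows\svchost.exe
    return root, sys32, ref


def demo():
    """Run check -> locate stray svchost -> restore -> re-check on the sample tree."""
    root, sys32, ref = build_demo_tree()
    try:
        before = check_integrity(sys32, ref)
        misplaced = find_misplaced_svchost(root)
        restore_from_reference(sys32, ref, "services.exe")
        after = check_integrity(sys32, ref)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, misplaced, after


if __name__ == "__main__":
    before, misplaced, after = demo()
    for name, (status, digest) in before.items():
        flag = "" if status == "legit" else " <==== ATTENTION!"
        print(f"{name}: {status}{flag}")
    print("misplaced svchost.exe:", misplaced)
    print("services.exe after restore:", after["services.exe"][0])
```

On a real system the reference directory would be the matching WinSxS component directory (the Fixlog shows the full name for services.exe) and the hashes should also be compared against a vendor-published or offline-known-good list, since a rootkit that has already patched the component store would otherwise pass this check.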

Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Ran Combofix as instructed.

System rebooted on its own.

I logged in and received the error - Illegal operation attempted on registry key that has been marked for deletion.

Combofix window still up saying not to run any programs until it is finished.

Should I wait it out or do I need to reboot until I no longer receive that message.

Thank you.


---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.08.07

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Barbara :: THEBEAST [administrator]

8/8/2012 10:12:12 AM

mbam-log-2012-08-08 (10-12-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 221094

Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 4420 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

mbam-log-2012-08-08 (10-12-12).txt


Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Please run it again and just delete this one only:

16:10:58.0331 5420 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

16:10:58.0331 5420 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

-------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


After my post last night I burned a DVD and shut down. [On a PC at work now.]

Other than my initial issues, I wasn't experiencing any PC slowdowns or search engine redirects, and I'm still not experiencing anything like that.

So as long as I'm not hearing any ads played out of the blue or weird music/sounds, I guess I'm good to go??


This topic is now closed to further replies.