
svchost.exe trojan and services.exe trojan dropper - multiple viruses



Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Eric [Admin rights]

Mode: Scan -- Date: 08/12/2012 16:03:54

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 9 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[SUSP PATH] [ON_F:Eric]HKCU[...]\Run : MalwarebytesUpdate (C:\Documents and Settings\mom's ipod\Application Data\Malwarebytes\MalwarebytesUpdate\Malwarebytesupdt32.exe) -> FOUND

[SUSP PATH] [ON_F:mom's ipod]HKCU[...]\Run : MalwarebytesUpdate (C:\Documents and Settings\mom's ipod\Application Data\Malwarebytes\MalwarebytesUpdate\Malwarebytesupdt32.exe) -> FOUND

[SUSP PATH] [ON_F:postgres.COMPANY-2C8D4A3]HKCU[...]\Run : MalwarebytesUpdate (C:\Documents and Settings\mom's ipod\Application Data\Malwarebytes\MalwarebytesUpdate\Malwarebytesupdt32.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 activate.adobe.com

127.0.0.1 practivate.adobe.com

127.0.0.1 ereg.adobe.com

127.0.0.1 activate.wip3.adobe.com

127.0.0.1 wip3.adobe.com

127.0.0.1 3dns-3.adobe.com

127.0.0.1 3dns-2.adobe.com

127.0.0.1 adobe-dns.adobe.com

127.0.0.1 adobe-dns-2.adobe.com

127.0.0.1 adobe-dns-3.adobe.com

127.0.0.1 ereg.wip3.adobe.com

127.0.0.1 activate-sea.adobe.com

127.0.0.1 wwis-dubc1-vip60.adobe.com

127.0.0.1 activate-sjc0.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST2000DL003-9VT166 ATA Device +++++

--- User ---

[MBR] 79188d7c26d00d0f8a0816835d9a007e

[BSP] d34c2525758c53bd652b0c8dc0cf22af : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: OCZ-VERTEX3 ATA Device +++++

--- User ---

[MBR] 149d657941f9b774e6aa8419d74fd4fa

[BSP] 36168ac97fa0c5326a5e1a7667594c9a : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 61f7fc0ef3a030abd5c0485a3f819f62

[BSP] 36168ac97fa0c5326a5e1a7667594c9a : Windows 7 MBR Code

Partition table:

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo

+++++ PhysicalDrive2: ST3750528AS ATA Device +++++

--- User ---

[MBR] 70f94cb9ec7b52a6bb473e25cd701264

[BSP] 2e7f2d0b4b2449ee616754e4b2ad2f91 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 715394 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: Generic USB SD Reader USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic USB CF Reader USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

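The "[ASLR WIPED-OFF] services.exe" line in the report above refers to one bit in the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, the flag with which a binary opts in to address-space layout randomization. The mid-2012 ZeroAccess/Sirefef variant patched services.exe in place, and the patched image no longer carries that bit, which is what makes a file that is otherwise a Microsoft system binary stand out even without a known-bad signature. The Python below is an added example for this thread, not code from RogueKiller, FRST or the poster: it reads DllCharacteristics straight out of the header with struct and runs against minimal PE headers constructed in memory (no real services.exe is opened). That RogueKiller implements its check exactly this way is an assumption; the header offsets and flag values are from the PE specification.

```python
"""Check whether a PE image still opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE).

Added example for this thread; not code from RogueKiller, FRST or the poster.
Only the standard library is used: the flag is read straight out of the
optional header with struct. The PE headers handled in __main__ are
constructed in memory; no real services.exe is opened.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as defined in winnt.h
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",     # ASLR opt-in; the bit the report calls "wiped off"
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",        # DEP opt-in
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x4000: "GUARD_CF",
}
DYNAMIC_BASE = 0x0040


def dll_characteristics(image: bytes) -> int:
    """Return IMAGE_OPTIONAL_HEADER.DllCharacteristics of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20                      # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers:
    # PE32+ widens ImageBase to 8 bytes but drops BaseOfData, so the offset is unchanged.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars


def aslr_enabled(image: bytes) -> bool:
    """True when the image asks the loader for a randomized base."""
    return bool(dll_characteristics(image) & DYNAMIC_BASE)


def describe(image: bytes) -> list:
    """Names of the DllCharacteristics bits that are set, lowest bit first."""
    chars = dll_characteristics(image)
    return [name for bit, name in sorted(DLL_FLAGS.items()) if chars & bit]


def build_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections, no code) for exercising the parser.

    This is a test fixture, not a real binary: enough header to be parsed, nothing to run.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points right after the DOS header
    machine = 0x8664 if pe32plus else 0x014C     # AMD64 / I386
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    healthy = build_pe(DYNAMIC_BASE | 0x0100)    # ASLR + DEP, as a stock Windows 7 services.exe has
    patched = build_pe(0x0100)                   # the same header with DYNAMIC_BASE cleared
    for label, img in (("healthy", healthy), ("patched", patched)):
        verdict = "ASLR" if aslr_enabled(img) else "ASLR WIPED-OFF"
        print("%-8s %-15s %s" % (label, verdict, describe(img)))
```

To run it against a real file, read the first few kilobytes of the binary and pass them to aslr_enabled(). A missing bit is only evidence on Vista and later: Windows XP never randomizes image bases, so an XP-era services.exe legitimately lacks DYNAMIC_BASE. On a Windows 7 system the check should be paired with the file's Authenticode signature and the hash of a known-good copy of the same build, which is what FRST's "Bamital & volsnap Check" section in the next log does with its MD5 column.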
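The "MBR Check" section compares hashes of sector 0 of each disk obtained three ways: "User" is an ordinary user-mode read, and LL1/LL2 are two lower-level reads that bypass parts of the storage stack (the exact access paths are RogueKiller internals and are my reading of the labels). "User != LL2 ... KO!" on the OCZ drive means the disk returns a different MBR depending on who asks, which is how a bootkit hides its patched boot code from tools that read through the filtered path; the partition tables agree while the boot code does not. The Python below is an added example for this thread, not code from RogueKiller or the poster: it parses a 512-byte MBR (boot signature, the four partition entries, whole-sector and bootstrap-code hashes) and reproduces the OK!/KO! comparison on constructed sector images that mirror the OCZ layout in the report. The sectors and bootstrap bytes are made up for the example and their hashes will not match the log; hashing bytes 0..439 as the "[BSP]" region is an assumption about what RogueKiller covers with that hash.

```python
"""Parse a 512-byte MBR and compare the same sector as seen through different read paths.

Added example for this thread; not code from RogueKiller or the poster. The sector
images are constructed to mirror the OCZ drive's layout in the report (100 MiB active
NTFS partition at LBA 2048, second NTFS partition at LBA 206848); they are not dumps of
the poster's disks and their hashes will not match the log. Hashing bytes 0..439 as the
"bootstrap code" ([BSP]) is an assumption about what RogueKiller covers with that hash.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446                 # four 16-byte entries at 446..509, signature at 510..511
ENTRY = "<B3xB3xII"              # status, CHS start (skipped), type, CHS end (skipped), LBA, count
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table and hashes."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, PART_TABLE + 16 * i)
        if ptype == 0:                              # empty slot
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return {
        "mbr_md5": hashlib.md5(sector).hexdigest(),          # whole sector
        "bsp_md5": hashlib.md5(sector[:440]).hexdigest(),    # bootstrap code (assumed region)
        "partitions": parts,
    }


def format_partitions(info: dict) -> list:
    """Render entries in the report's style, e.g. '0 - [ACTIVE] NTFS (0x07) Offset (sectors): 2048 | Size: 100 MiB'."""
    lines = []
    for p in info["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        name = PART_TYPES.get(p["type"], "type")
        lines.append("%d - [%s] %s (0x%02X) Offset (sectors): %d | Size: %d MiB"
                     % (p["index"], flag, name, p["type"], p["lba_start"], p["size_mib"]))
    return lines


def compare_reads(user: bytes, **low_level: bytes) -> dict:
    """RogueKiller-style verdict: True where a low-level read matches the user-mode read."""
    ref = hashlib.md5(user).digest()
    return {name: hashlib.md5(view).digest() == ref for name, view in low_level.items()}


def build_mbr(bootcode: bytes, layout) -> bytes:
    """Constructed MBR fixture: bootcode padded to 440 bytes plus up to four (active, type, lba, count) entries."""
    if len(bootcode) > 440:
        raise ValueError("bootstrap code must fit in 440 bytes")
    sector = bytearray(SECTOR)
    sector[:len(bootcode)] = bootcode
    for i, (active, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY, sector, PART_TABLE + 16 * i, 0x80 if active else 0x00, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed data mirroring the report's Disk 1: 100 MiB = 204800 sectors, 114371 MiB = 234231808 sectors.
LAYOUT = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 234231808)]
CLEAN_BOOT = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433   # stand-in, not real Windows code
HOOKED_BOOT = bytes([0xEB, 0xFE]) + b"\x00" * 438                                 # stand-in for patched boot code

# A bootkit that filters disk reads hands the clean sector to ordinary callers and may still
# fool one low-level path; the deepest read sees what is actually on the platter.
user_view = build_mbr(CLEAN_BOOT, LAYOUT)
ll1_view = user_view
ll2_view = build_mbr(HOOKED_BOOT, LAYOUT)   # same partition table, different bootstrap code

if __name__ == "__main__":
    info = parse_mbr(user_view)
    print("[MBR]", info["mbr_md5"])
    print("[BSP]", info["bsp_md5"])
    print("\n".join(format_partitions(info)))
    for name, same in compare_reads(user_view, LL1=ll1_view, LL2=ll2_view).items():
        print("User %s %s ... %s" % ("=" if same else "!=", name, "OK!" if same else "KO!"))
```

On a live system the user-mode view is the first 512 bytes of \\.\PhysicalDriveN; the lower-level views need a kernel driver, or a boot from clean media, which is one reason an offline scan from the Recovery Environment (as the next post asks for) sees through a bootkit that the running system does not. The [BSP] hash only becomes a verdict when compared against a list of known-good bootstrap hashes per Windows version (the "Windows 7 MBR Code" label in the report); this example computes the hash but keeps no such list.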

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive. <-------

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


Scan result of Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 12-08-2012 19:42:26

Running from L:\

Microsoft Windows XP Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.

========================== Registry (Whitelisted) =============

HKLM\...\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe [2077536 2012-01-30] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [iSW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden" [730600 2010-05-26] (Check Point Software Technologies)

HKLM\...\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [1043968 2011-03-17] (Check Point Software Technologies LTD)

HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [982880 2012-03-12] ()

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13918208 2009-09-27] (NVIDIA Corporation)

HKLM\...\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [928096 2012-01-18] ()

HKLM\...\Run: [MDS_Menu] "C:\Program Files\CyberLink\MediaEspresso\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\MediaEspresso" UpdateWithCreateOnce "Software\CyberLink\MediaEspresso\6.5" [222504 2009-05-19] (CyberLink Corp.)

HKU\Eric\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\Eric\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [3905920 2012-03-11] (SUPERAntiSpyware.com)

HKU\Eric\...\Run: [MalwarebytesUpdate] C:\Documents and Settings\mom's ipod\Application Data\Malwarebytes\MalwarebytesUpdate\Malwarebytesupdt32.exe [x]

HKU\Eric\...\Run: [PrinterShare] C:\Program Files\PrinterShare\paConsole.exe -minimized [1124352 2011-09-08] (PrinterAnywhere)

HKU\Eric\...\Run: [200F9819A9400929B2A9A341524FE82A7B3DF1F9._service_run] "C:\Documents and Settings\Eric\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --type=service [1049072 2012-02-14] (Google Inc.)

HKU\Eric\...\Run: [Google Update] "C:\Documents and Settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [136176 2010-03-17] (Google Inc.)

HKU\mom's ipod\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\mom's ipod\...\Run: [MalwarebytesUpdate] C:\Documents and Settings\mom's ipod\Application Data\Malwarebytes\MalwarebytesUpdate\Malwarebytesupdt32.exe [x]

HKU\postgres.COMPANY-2C8D4A3\...\Run: [MalwarebytesUpdate] C:\Documents and Settings\mom's ipod\Application Data\Malwarebytes\MalwarebytesUpdate\Malwarebytesupdt32.exe [x]

HKLM-x32\...\Winlogon: [Userinit] [x]

HKLM-x32\...\Winlogon: [Shell] [x ] ()

Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)

Winlogon\Notify\avgrsstarter: avgrsstx.dll (AVG Technologies CZ, s.r.o.)

Winlogon\Notify\crypt32chain: crypt32.dll (Microsoft Corporation)

Winlogon\Notify\cryptnet: cryptnet.dll (Microsoft Corporation)

Winlogon\Notify\cscdll: cscdll.dll (Microsoft Corporation)

Winlogon\Notify\dimsntfy: %SystemRoot%\System32\dimsntfy.dll (Microsoft Corporation)

Winlogon\Notify\ScCertProp: wlnotify.dll (Microsoft Corporation)

Winlogon\Notify\Schedule: wlnotify.dll (Microsoft Corporation)

Winlogon\Notify\sclgntfy: sclgntfy.dll (Microsoft Corporation)

Winlogon\Notify\SensLogn: WlNotify.dll (Microsoft Corporation)

Winlogon\Notify\termsrv: wlnotify.dll (Microsoft Corporation)

Winlogon\Notify\wlballoon: wlnotify.dll (Microsoft Corporation)

Tcpip\..\Interfaces\{C6D5D5AF-C016-4EED-AE9A-6FC14560F10C}: [NameServer]4.2.2.1,4.2.2.2

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled

ShortcutTarget: Microsoft Office.lnk.disabled -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk

ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Snagit 10.lnk.disabled

ShortcutTarget: Snagit 10.lnk.disabled -> C:\Program Files\TechSmith\Snagit 10\Snagit32.exe (TechSmith Corporation)

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk.disabled

ShortcutTarget: WDDMStatus.lnk.disabled -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk.disabled

ShortcutTarget: WDSmartWare.lnk.disabled -> C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)

Startup: C:\Documents and Settings\Eric\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-20] (SUPERAntiSpyware.com)

2 6to4; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-14] (Microsoft Corporation)

2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files\Roxio\BackOnTrack\App\SaibSVC.exe [457200 2009-06-02] ()

4 Alerter; C:\Windows\System32\alrsvc.dll [17408 2008-04-14] (Microsoft Corporation)

2 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [55144 2011-10-24] (Apple Inc.)

3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [35160 2010-03-18] (Microsoft Corporation)

3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()

2 avg9wd; "C:\Program Files\AVG\AVG9\avgwdsvc.exe" [308136 2010-07-15] (AVG Technologies CZ, s.r.o.)

2 BOT4Service; "C:\Program Files\Roxio\BackOnTrack\App\BService.exe" [32240 2010-07-14] ()

3 ClipSrv; C:\Windows\System32\clipsrv.exe [33280 2008-04-14] (Microsoft Corporation)

3 dmadmin; C:\Windows\System32\dmadmin.exe /com [224768 2008-04-14] (Microsoft Corp., Veritas Software)

2 dmserver; C:\Windows\System32\dmserver.dll [23552 2008-04-14] (Microsoft Corp.)

2 ERSvc; C:\Windows\System32\ersvc.dll [23040 2008-04-14] (Microsoft Corporation)

2 ES lite Service; "C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE" [68136 2009-02-05] ()

2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)

3 FastUserSwitchingCompatibility; C:\Windows\System32\shsvcs.dll [135168 2009-07-27] (Microsoft Corporation)

3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2011-02-07] (Acresso Software Inc.)

3 FontCache3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [46104 2008-07-29] (Microsoft Corporation)

2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [135664 2009-12-14] (Google Inc.)

3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [135664 2009-12-14] (Google Inc.)

3 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [136120 2009-08-23] (Google)

2 helpsvc; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [38400 2008-04-14] (Microsoft Corporation)

2 HidServ; C:\Windows\System32\hidserv.dll [21504 2008-04-13] (Microsoft Corporation)

3 HTTPFilter; C:\Windows\System32\w3ssl.dll [15872 2008-04-14] (Microsoft Corporation)

3 IDriverT; "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)

3 idsvc; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [881664 2008-07-29] (Microsoft Corporation)

3 ImapiService; C:\Windows\System32\imapi.exe [150528 2008-04-14] (Microsoft Corporation)

2 IswSvc; "C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe" [493032 2010-05-26] (Check Point Software Technologies)

4 Messenger; C:\Windows\System32\msgsvc.dll [33792 2008-04-14] (Microsoft Corporation)

3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [32768 2008-04-14] (Microsoft Corporation)

4 NetDDE; C:\Windows\System32\netdde.exe [111104 2008-04-14] (Microsoft Corporation)

4 NetDDEdsdm; C:\Windows\System32\netdde.exe [111104 2008-04-14] (Microsoft Corporation)

4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

3 Nla; C:\Windows\System32\mswsock.dll [245248 2008-06-20] (Microsoft Corporation)

3 nosGetPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper_3004.dll [66112 2010-09-01] (NOS Microsystems Ltd.)

3 NtLmSsp; C:\Windows\System32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)

3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [435200 2008-04-14] (Microsoft Corporation)

2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [172100 2009-09-27] (NVIDIA Corporation)

2 PlugPlay; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)

4 PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [66872 2009-10-09] ()

4 PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [103736 2009-10-09] ()

2 PolicyAgent; C:\Windows\System32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)

2 RalinkRegistryWriter; C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe [69632 2008-05-13] (Ralink Technology, Corp.)

3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [141312 2008-04-14] (Microsoft Corporation)

3 RoxMediaDB13; "C:\Program Files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe" [1099248 2010-07-16] (Sonic Solutions)

2 RoxWatch12; "C:\Program Files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe" [354288 2010-07-16] (Sonic Solutions)

3 RSVP; C:\Windows\System32\rsvp.exe [132608 2001-08-23] (Microsoft Corporation)

3 SCardSvr; C:\Windows\System32\SCardSvr.exe [95744 2008-04-14] (Microsoft Corporation)

2 ScsiAccess; C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe [186760 2010-10-31] ()

2 srservice; C:\Windows\System32\srsvc.dll [171008 2008-04-14] (Microsoft Corporation)

3 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)

3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{DD604584-C9E8-4AC7-A92D-1F636F6BD9F7} [5120 2008-04-14] (Microsoft Corporation)

3 SysmonLog; C:\Windows\System32\smlogsvc.exe [89600 2008-04-14] (Microsoft Corporation)

3 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [73216 2008-04-14] (Microsoft Corporation)

3 UPS; C:\Windows\System32\ups.exe [18432 2008-04-14] (Microsoft Corporation)

2 vsmon; C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service [2435592 2011-03-17] (Check Point Software Technologies LTD)

2 vToolbarUpdater10.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [918880 2012-03-12] ()

2 WDSmartWareBackgroundService; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe" [20480 2009-06-16] (Memeo)

3 WmdmPmSN; C:\WINDOWS\system32\MsPMSNSv.dll [27136 2006-10-18] (Microsoft Corporation)

3 Wmi; C:\Windows\System32\advapi32.dll [617472 2009-02-09] (Microsoft Corporation)

3 WPFFontCache_v0400; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [753504 2010-03-18] (Microsoft Corporation)

2 WZCSVC; C:\Windows\System32\wzcsvc.dll [483840 2008-04-14] (Microsoft Corporation)

3 xmlprov; C:\Windows\System32\xmlprov.dll [129024 2008-04-14] (Microsoft Corporation)

2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

2 pgsql-8.3; "C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Program Files\PostgreSQL\8.3\data\" [x]

3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

========================== Drivers (Whitelisted) =============

4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [11648 2001-08-23] (Microsoft Corporation)

3 aec; C:\Windows\System32\Drivers\aec.sys [142592 2008-04-13] (Microsoft Corporation)

2 AegisP; C:\Windows\System32\Drivers\AegisP.sys [21361 2009-10-10] (Cisco Systems, Inc.)

1 AmdPPM; C:\Windows\System32\Drivers\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)

3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [104768 2010-04-07] (SlySoft, Inc.)

3 Arp1394; C:\Windows\System32\Drivers\Arp1394.sys [60800 2008-04-14] (Microsoft Corporation)

3 Atmarpc; C:\Windows\System32\Drivers\Atmarpc.sys [59904 2008-04-13] (Microsoft Corporation)

3 audstub; C:\Windows\System32\Drivers\audstub.sys [3072 2001-08-17] (Microsoft Corporation)

1 AvgLdx86; C:\Windows\System32\Drivers\AvgLdx86.sys [216400 2010-07-15] (AVG Technologies CZ, s.r.o.)

1 AvgMfx86; C:\Windows\System32\Drivers\AvgMfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)

1 AvgTdiX; C:\Windows\System32\Drivers\AvgTdiX.sys [243152 2011-05-06] (AVG Technologies CZ, s.r.o.)

4 cbidf2k; C:\Windows\System32\Drivers\cbidf2k.sys [13952 2001-08-23] (Microsoft Corporation)

1 Cdaudio; C:\Windows\System32\Drivers\Cdaudio.sys [18688 2007-02-18] (Microsoft Corporation)

4 dmboot; C:\Windows\System32\Drivers\dmboot.sys [799744 2008-04-13] (Microsoft Corp., Veritas Software)

0 dmio; C:\Windows\System32\Drivers\dmio.sys [153344 2008-04-13] (Microsoft Corp., Veritas Software)

0 dmload; C:\Windows\System32\Drivers\dmload.sys [5888 2001-08-23] (Microsoft Corp., Veritas Software.)

3 DMusic; C:\Windows\System32\Drivers\DMusic.sys [52864 2008-04-13] (Microsoft Corporation)

1 Fips; C:\Windows\System32\Drivers\Fips.sys [44544 2008-04-13] (Microsoft Corporation)

0 Ftdisk; C:\Windows\System32\Drivers\Ftdisk.sys [125056 2001-08-23] (Microsoft Corporation)

3 gdrv; \??\C:\WINDOWS\gdrv.sys [16608 2012-03-20] (Windows ® 2000 DDK provider)

3 Gpc; C:\Windows\System32\DRIVERS\msgpc.sys [35072 2008-04-13] (Microsoft Corporation)

3 HDAudBus; C:\Windows\System32\Drivers\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)

1 Imapi; C:\Windows\System32\Drivers\Imapi.sys [42112 2008-04-13] (Microsoft Corporation)

3 IntcAzAudAddService; C:\Windows\System32\drivers\RtkHDAud.sys [5027840 2009-01-20] (Realtek Semiconductor Corp.)

3 Ip6Fw; C:\Windows\System32\Drivers\Ip6Fw.sys [36608 2008-04-13] (Microsoft Corporation)

3 IpInIp; C:\Windows\System32\Drivers\IpInIp.sys [20864 2008-04-13] (Microsoft Corporation)

1 IPSec; C:\Windows\System32\Drivers\IPSec.sys [75264 2008-04-13] (Microsoft Corporation)

2 ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [26352 2010-05-26] (Check Point Software Technologies)

3 kmixer; C:\Windows\System32\Drivers\kmixer.sys [172416 2008-04-13] (Microsoft Corporation)

1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [4224 2001-08-23] (Microsoft Corporation)

3 NIC1394; C:\Windows\System32\Drivers\NIC1394.sys [61824 2008-04-14] (Microsoft Corporation)

3 nm; C:\Windows\System32\DRIVERS\NMnt.sys [40320 2008-04-13] (Microsoft Corporation)

2 NPF; C:\Windows\System32\Drivers\NPF.sys [35088 2010-06-25] (CACE Technologies, Inc.)

3 nv; C:\Windows\System32\DRIVERS\nv4_mini.sys [7655872 2009-09-27] (NVIDIA Corporation)

3 NwlnkFlt; C:\Windows\System32\Drivers\NwlnkFlt.sys [12416 2001-08-23] (Microsoft Corporation)

3 NwlnkFwd; C:\Windows\System32\Drivers\NwlnkFwd.sys [32512 2001-08-23] (Microsoft Corporation)

3 PSched; C:\Windows\System32\Drivers\PSched.sys [69120 2008-04-13] (Microsoft Corporation)

3 Ptilink; C:\Windows\System32\Drivers\Ptilink.sys [17792 2001-08-23] (Parallel Technologies, Inc.)

3 PTQHBUS; C:\Windows\System32\Drivers\PTQHBUS.sys [55056 2009-12-14] (DEVGURU Co., LTD.)

3 PTQHMDM; C:\Windows\System32\Drivers\PTQHMDM.sys [161040 2009-12-14] (DEVGURU Co., LTD.(www.devguru.co.kr))

3 PTQHVSP; C:\Windows\System32\Drivers\PTQHVSP.sys [161040 2009-12-14] (DEVGURU Co., LTD.(www.devguru.co.kr))

0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [45648 2010-03-19] (Sonic Solutions)

3 Raspti; C:\Windows\System32\Drivers\Raspti.sys [16512 2001-08-23] (Microsoft Corporation)

1 redbook; C:\Windows\System32\Drivers\redbook.sys [57600 2008-04-13] (Microsoft Corporation)

3 RT80x86; C:\Windows\System32\DRIVERS\RT2860.sys [679680 2008-07-29] (Ralink Technology, Corp.)

0 SahdIa32; C:\Windows\System32\Drivers\SahdIa32.sys [21488 2009-06-01] (Sonic Solutions)

0 SaibIa32; C:\Windows\System32\Drivers\SaibIa32.sys [15856 2009-06-01] (Sonic Solutions)

1 SaibVd32; C:\Windows\System32\Drivers\SaibVd32.sys [25584 2009-06-01] (Sonic Solutions)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-16] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-08-16] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 splitter; C:\Windows\System32\Drivers\splitter.sys [6272 2008-04-13] (Microsoft Corporation)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [717296 2010-12-23] (Duplex Secure Ltd.)

0 sr; C:\Windows\System32\Drivers\sr.sys [73472 2008-04-13] (Microsoft Corporation)

3 swmidi; C:\Windows\System32\Drivers\swmidi.sys [56576 2008-04-13] (Microsoft Corporation)

3 sysaudio; C:\Windows\System32\Drivers\sysaudio.sys [60800 2008-04-13] (Microsoft Corporation)

3 Update; C:\Windows\System32\Drivers\Update.sys [384768 2008-04-13] (Microsoft Corporation)

3 USBAAPL; C:\Windows\System32\Drivers\USBAAPL.sys [42496 2011-05-10] (Apple, Inc.)

1 vsdatant; C:\Windows\System32\vsdatant.sys [532224 2010-05-13] (Check Point Software Technologies LTD)

3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam.sys [11520 2009-02-13] (Western Digital Technologies)

3 wdmaud; C:\Windows\System32\Drivers\wdmaud.sys [83072 2008-04-13] (Microsoft Corporation)

4 Abiosdsk; [x]

4 abp480n5; [x]

4 adpu160m; [x]

4 Aha154x; [x]

4 aic78u2; [x]

4 aic78xx; [x]

4 AliIde; [x]

4 amsint; [x]

4 asc; [x]

4 asc3350p; [x]

4 asc3550; [x]

4 Atdisk; [x]

3 catchme; \??\C:\DOCUME~1\Eric\LOCALS~1\Temp\catchme.sys [x]

4 cd20xrnt; [x]

1 Changer; [x]

4 CmdIde; [x]

4 Cpqarray; [x]

4 dac2w2k; [x]

4 dac960nt; [x]

4 dpti2o; [x]

4 hpn; [x]

1 i2omgmt; [x]

4 i2omp; [x]

4 ini910u; [x]

4 IntelIde; [x]

1 lbrtfdc; [x]

4 mraid35x; [x]

1 PCIDump; [x]

3 PDCOMP; [x]

3 PDFRAME; [x]

3 PDRELI; [x]

3 PDRFRAME; [x]

4 perc2; [x]

4 perc2hib; [x]

4 ql1080; [x]

4 Ql10wnt; [x]

4 ql12160; [x]

4 ql1240; [x]

4 ql1280; [x]

4 Simbad; [x]

4 Sparrow; [x]

0 srescan; C:\Windows\System32\ZoneLabs\srescan.sys [x]

4 symc810; [x]

4 symc8xx; [x]

4 sym_hi; [x]

4 sym_u3; [x]

4 TosIde; [x]

4 ultra; [x]

4 ViaIde; [x]

3 WDICA; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-12 19:42 - 2012-08-12 19:42 - 00000000 ____D C:\FRST

============ 3 Months Modified Files ========================

========================= Known DLLs (Whitelisted) ============

C:\Windows\SysWOW64\advapi32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\comdlg32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\gdi32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\imagehlp.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\lz32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\ole32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\oleaut32.dll IS MISSING <==== ATTENTION!

[2008-04-14 01:42] - [2008-04-14 01:42] - 0074752 ____A (Microsoft Corporation) C:\Windows\System32\olecli32.dll

C:\Windows\SysWOW64\olecli32.dll IS MISSING <==== ATTENTION!

[2008-04-14 01:42] - [2008-04-14 01:42] - 0037376 ____A (Microsoft Corporation) C:\Windows\System32\olecnv32.dll

C:\Windows\SysWOW64\olecnv32.dll IS MISSING <==== ATTENTION!

[2001-08-23 05:00] - [2001-08-23 05:00] - 0022016 ____A (Microsoft Corporation) C:\Windows\System32\olesvr32.dll

C:\Windows\SysWOW64\olesvr32.dll IS MISSING <==== ATTENTION!

[2001-08-23 05:00] - [2001-08-23 05:00] - 0069120 ____A (Microsoft Corporation) C:\Windows\System32\olethk32.dll

C:\Windows\SysWOW64\olethk32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\rpcrt4.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\shell32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\url.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\urlmon.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\user32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\version.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\wininet.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\wldap32.dll IS MISSING <==== ATTENTION!

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe

[2008-04-14 01:42] - [2008-04-14 01:42] - 0507904 ____A (Microsoft Corporation) ED0EF0A136DEC83DF69F04118870003E

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\explorer.exe

[2008-04-14 01:42] - [2008-04-14 01:42] - 1033728 ____A (Microsoft Corporation) 12896823FB95BFB3DC9B46BCAEDC9923

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\svchost.exe

[2008-04-14 01:42] - [2008-04-14 01:42] - 0014336 ____A (Microsoft Corporation) 27C6D03BCDB8CFEB96B716F3D8BE3E18

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\services.exe

[2008-04-14 01:42] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\Windows\System32\User32.dll

[2008-04-14 01:42] - [2008-04-14 01:42] - 0578560 ____A (Microsoft Corporation) B26B135FF1B9F60C9388B4A7D16F600B

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\System32\userinit.exe

[2008-04-14 01:42] - [2008-04-14 01:42] - 0026112 ____A (Microsoft Corporation) A93AEE1928A9D7CE3E16D24EC7380F89

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\Drivers\volsnap.sys

[2008-04-13 20:11] - [2008-04-13 20:11] - 0052352 ____A (Microsoft Corporation) 4C8FCB5CC53AAB716D810740FE59D025

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 6%

Total physical RAM: 16365.24 MB

Available physical RAM: 15235 MB

Total Pagefile: 16363.44 MB

Available Pagefile: 15248.39 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:698.63 GB) (Free:38.49 GB) NTFS

2 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive f: () (Fixed) (Total:111.69 GB) (Free:23.77 GB) NTFS

9 Drive l: (UNRAID) (Removable) (Total:3.72 GB) (Free:3.67 GB) FAT32

10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

11 Drive y: () (Fixed) (Total:1863.01 GB) (Free:1384.86 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 1863 GB 0 B

Disk 1 Online 111 GB 0 B

Disk 2 Online 698 GB 8 MB

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 No Media 0 B 0 B

Disk 7 Online 3819 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1863 GB 1024 KB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y NTFS Partition 1863 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 111 GB 101 MB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 698 GB 31 KB

==================================================================================

Disk: 2

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 C NTFS Partition 698 GB Healthy

==================================================================================

Partitions of Disk 7:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3818 MB 16 KB

==================================================================================

Disk: 7

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 9 L UNRAID FAT32 Removable 3818 MB Healthy

==================================================================================

======================= End Of Log ==========================

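The partition listing in the log above (Type, Hidden and Active per entry, plus the "TDL4: custom" line) comes from reading the on-disk partition table from a boot environment rather than asking the installed Windows for it. The following is an added example, not FRST's code and not anything posted in this thread: a Python parser for the four 16-byte MBR entries that reports the same three fields and then applies a few heuristics of my own (a type-00 entry that still claims sectors, hidden partition type IDs, zero or several active flags, overlapping entries, and unpartitioned space left after the last partition, which is where TDL4 keeps its hidden file system). The sample MBR is constructed to resemble Disk 1 in the log; the threshold values and the checks themselves are assumptions, not the tool's detection logic.

```python
"""Parse a 512-byte MBR and flag partition-table anomalies of the kind the log reports
(Type / Hidden / Active per entry, type-00 entries with a size, unpartitioned tail space).
Added example; heuristics are my own, not FRST's."""
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
PART_TABLE_OFFSET = 446        # four 16-byte entries occupy bytes 446..509
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
# "Hidden" variants of the FAT/NTFS type IDs (assumption: the usual MBR partition-ID list)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


@dataclass
class PartitionEntry:
    index: int       # 1..4, numbered the way the log prints them
    active: bool     # status byte == 0x80
    type_id: int     # 0x07 NTFS, 0x0B FAT32, 0x00 unused, ...
    lba_start: int
    sectors: int

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES

    @property
    def end_lba(self) -> int:
        return self.lba_start + self.sectors   # exclusive


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Decode the partition table of one MBR sector; raises on a missing boot signature."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR must be at least one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not a valid MBR")
    entries = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append(PartitionEntry(i + 1, status == 0x80, type_id, start, count))
    return entries


def audit_mbr(mbr: bytes, disk_sectors: Optional[int] = None, tail_threshold_mb: int = 8) -> List[str]:
    """Heuristic findings over the parsed table (assumed thresholds, not the tool's logic)."""
    entries = parse_mbr(mbr)
    findings: List[str] = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    used = [e for e in entries if (e.type_id, e.lba_start, e.sectors) != (0, 0, 0)]
    for e in used:
        if e.type_id == 0x00:
            findings.append(f"partition {e.index}: type 00 entry with non-zero geometry "
                            f"(start {e.lba_start}, {e.sectors} sectors)")
        if e.hidden:
            findings.append(f"partition {e.index}: hidden type 0x{e.type_id:02X}")
    ordered = sorted(used, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.end_lba > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    if disk_sectors is not None and ordered:
        tail = disk_sectors - ordered[-1].end_lba
        if tail * SECTOR > tail_threshold_mb * 1024 * 1024:
            findings.append(f"{tail * SECTOR // (1024 * 1024)} MB unpartitioned space after the last partition")
    return findings


def build_mbr(entries) -> bytes:
    """Assemble a sample MBR from (active, type_id, lba_start, sectors) tuples (constructed data)."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if act else 0, t, s, n) for act, t, s, n in entries)
    return b"\0" * PART_TABLE_OFFSET + table.ljust(64, b"\0") + BOOT_SIGNATURE


# Constructed sample: a 100 MB System Reserved partition at 1024 KB plus the main NTFS volume,
# like Disk 1 in the log, then a type-00 entry that still claims 64 MB and 64 MB of unpartitioned tail.
SAMPLE_MBR = build_mbr([
    (True,  0x07, 2048,      204800),      # System Reserved, active (2048 sectors = 1024 KB offset)
    (False, 0x07, 206848,    234000000),   # the OS volume
    (False, 0x00, 234206848, 131072),      # type 00 but non-zero size: suspicious
])
SAMPLE_DISK_SECTORS = 234206848 + 131072 + 131072   # leaves another 64 MB after the last entry

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(f"Partition {e.index}  Type : {e.type_id:02X}  Hidden: {'Yes' if e.hidden else 'No'}  "
              f"Active: {'Yes' if e.active else 'No'}  Size: {e.sectors * SECTOR // (1024 * 1024)} MB")
    for finding in audit_mbr(SAMPLE_MBR, SAMPLE_DISK_SECTORS):
        print("ATTENTION:", finding)
```

Feed it the first 512 bytes of a physical disk read from a clean boot environment (the same reason FRST is run from L:\ in this thread): a bootkit that is running can hand back a sanitized sector to anything reading the disk from inside the infected Windows. A finding here is a reason to dump and inspect those sectors, not proof of infection; plenty of OEM images leave a type-00 slot or an unpartitioned tail behind.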

Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 2012-08-12 19:44:17

Running from L:\

================== Search: "services.exe" ===================

C:\WINDOWS\system32\services.exe

[2008-04-14 01:42] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\WINDOWS\system32\dllcache\services.exe

[2008-04-14 01:42] - [2009-02-06 03:11] - 0110592 ___AC (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\WINDOWS\ERDNT\cache\services.exe

[2010-09-16 08:33] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\WINDOWS\$NtUninstallKB956572$\services.exe

[2009-10-11 23:03] - [2008-04-14 01:42] - 0108544 ____C (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe

[2009-10-11 06:36] - [2009-02-06 03:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6

====== End Of Search ======


You've done something wrong; your original posts were from a W7 computer.

Now this says Windows XP.

I'm not sure what's going on here?? MrC

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 12-08-2012 19:42:26

Running from L:\

Microsoft Windows XP Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.


Scan result of Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 12-08-2012 21:41:41

Running from L:\

Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [iSW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden" [1126528 2012-03-16] (Check Point Software Technologies)

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12459112 2012-03-27] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 [1158248 2012-03-09] (Realtek Semiconductor)

HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2780776 2011-07-19] (CANON INC.)

HKLM-x32\...\Run: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [73360 2012-03-19] (Check Point Software Technologies LTD)

HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1107552 2012-07-09] ()

HKLM-x32\...\Run: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [124512 2007-05-21] (CANON INC.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1637496 2011-08-04] (CANON INC.)

HKLM-x32\...\Run: [iJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE [468112 2011-07-25] (CANON INC.)

HKU\Eric\...\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\Eric\...\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart [12218904 2012-07-20] (Google)

HKU\Eric\...\Run: [8E651856056127D18A8F60579BE69991E43D0827._service_run] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=service [1229848 2012-08-06] (Google Inc.)

HKU\Mcx1-ERIC-PC\...\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\Mcx1-ERIC-PC\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 209.18.47.61 209.18.47.62

Startup: C:\Users\All Users\Start Menu\Programs\Startup\AML Device Install.lnk

ShortcutTarget: AML Device Install.lnk -> C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe ()

Startup: C:\Users\Eric\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk.disabled

ShortcutTarget: OpenOffice.org 3.3.lnk.disabled -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [457200 2009-06-02] ()

3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5161080 2012-06-13] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

2 BOT4Service; "C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe" [32240 2010-07-14] ()

2 ES lite Service; "C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE" [68136 2009-08-24] ()

3 Futuremark SystemInfo Service; "C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe" [130976 2011-03-01] (Futuremark Corporation)

2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2011-09-06] ()

2 IswSvc; "C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe" [827520 2012-03-16] (Check Point Software Technologies)

2 PanService; C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [624856 2012-04-18] (Pandora.TV)

3 RoxMediaDB13; "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe" [1099248 2010-07-16] (Sonic Solutions)

2 ScsiAccess; C:\Program Files (x86)\Photodex\ProShowGold\ScsiAccess.exe [186760 2012-03-26] ()

2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -service [2421640 2012-03-19] (Check Point Software Technologies LTD)

2 vToolbarUpdater11.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [935008 2012-07-09] ()

2 DroidExplorerService; "C:\Program Files\DroidExplorer.Service.exe" [x]

3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

========================== Drivers (Whitelisted) =============

3 AODDriver; \??\C:\Program Files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [52280 2010-03-12] (Advanced Micro Devices)

2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2012-01-03] (Advanced Micro Devices)

1 AppleCharger; C:\Windows\System32\Drivers\AppleCharger.sys [21104 2011-01-10] ()

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )

3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )

0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )

1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-22] (AVG Technologies CZ, s.r.o.)

1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)

0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)

1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-19] (AVG Technologies CZ, s.r.o.)

3 etdrv; \??\C:\Windows\etdrv.sys [25640 2012-07-13] (Windows ® Server 2003 DDK provider)

3 gdrv; \??\C:\Windows\gdrv.sys [25640 2012-08-12] (Windows ® Server 2003 DDK provider)

3 GVTDrv64; \??\C:\Windows\GVTDrv64.sys [30528 2012-08-12] ()

2 ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [33672 2012-03-16] (Check Point Software Technologies)

3 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [29808 2012-07-12] ()

3 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)

1 VirtDiskBus; C:\Windows\System32\DRIVERS\VirtDiskBus64.sys [66160 2011-02-08] (Giga-Byte Technology CO., LTD.)

1 Vsdatant; C:\Windows\System32\Drivers\Vsdatant.sys [454232 2011-05-07] (Check Point Software Technologies LTD)

3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-12 21:41 - 2012-08-12 21:41 - 00000000 ____D C:\FRST

2012-08-12 18:26 - 2012-08-12 18:26 - 00003584 ____A C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-08-12 18:00 - 2012-08-12 18:00 - 00000020 __ASH C:\Users\Administrator\ntuser.ini

2012-08-12 18:00 - 2012-08-12 18:00 - 00000000 ____D C:\users\Administrator

2012-08-12 18:00 - 2012-08-05 16:48 - 00000000 ____D C:\Users\Administrator\AppData\LocalGoogle

2012-08-12 18:00 - 2012-08-05 16:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google

2012-08-12 18:00 - 2012-04-02 14:40 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia

2012-08-12 16:14 - 2012-08-12 16:15 - 00276864 ____A C:\Windows\Minidump\081212-21356-01.dmp

2012-08-12 16:14 - 2012-08-12 16:14 - 00000000 ____D C:\Windows\Minidump

2012-08-12 13:03 - 2012-08-12 13:03 - 00004210 ____A C:\Users\Eric\Desktop\RKreport[1].txt

2012-08-12 13:03 - 2012-08-12 13:03 - 00000000 ____D C:\Users\Eric\Desktop\RK_Quarantine

2012-08-12 08:39 - 2012-08-12 08:44 - 00000000 ____D C:\Users\Eric\Desktop\Malware Remove

2012-08-12 08:28 - 2012-08-12 08:28 - 01558528 ____A C:\Users\Eric\Desktop\RogueKiller.exe

2012-08-11 14:01 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-08-11 10:28 - 2012-08-11 10:28 - 00002971 ____A C:\Users\Eric\Desktop\HiJackThis.lnk

2012-08-11 10:28 - 2012-08-11 10:28 - 00000000 ____D C:\Program Files (x86)\Trend Micro

2012-08-11 10:27 - 2012-08-11 10:27 - 01402880 ____A C:\Users\Eric\Desktop\HiJackThis.msi

2012-08-10 08:26 - 2012-08-12 11:11 - 00000004 ____A C:\Windows\SysWOW64\GVTunner.ref

2012-08-07 19:23 - 2012-08-07 19:23 - 00000000 ____D C:\Users\Mom\AppData\Roaming\Canon

2012-08-07 19:23 - 2012-08-07 19:23 - 00000000 ____D C:\Users\Mom\AppData\LocalGoogle

2012-08-06 14:30 - 2012-08-06 14:30 - 00000000 ___HD C:\Users\All Users\CanonIJEPPEX

2012-08-06 14:30 - 2012-08-06 14:30 - 00000000 ____D C:\Users\Eric\AppData\Local\Canon Easy-PhotoPrint EX

2012-08-06 14:29 - 2012-08-06 14:29 - 00000000 ___HD C:\Users\All Users\CanonIJSolutionMenuEX

2012-08-06 14:29 - 2012-08-06 14:29 - 00000000 ___HD C:\Users\All Users\CanonIJMyPrinter

2012-08-06 14:29 - 2012-08-06 14:29 - 00000000 ___HD C:\Users\All Users\CanonIJEPPEX2

2012-08-06 14:29 - 2012-08-06 14:29 - 00000000 ___HD C:\Users\All Users\CanonEPP

2012-08-06 14:29 - 2012-08-06 14:29 - 00000000 ____D C:\Users\Eric\AppData\Roaming\Canon

2012-08-06 14:21 - 2012-08-06 14:21 - 00000000 ___HD C:\Users\All Users\CanonIJFAX

2012-08-06 14:21 - 2012-08-06 14:21 - 00000000 ____D C:\Windows\medias

2012-08-06 14:21 - 2012-08-06 14:21 - 00000000 ____D C:\Users\All Users\Canon IJ Network Tool

2012-08-06 14:21 - 2011-09-21 06:19 - 00122880 ____A (CANON INC.) C:\Windows\SysWOW64\CNC_AZU.dll

2012-08-06 14:21 - 2011-09-21 05:06 - 00424448 ____A (CANON INC.) C:\Windows\SysWOW64\CNC_AZL.dll

2012-08-06 14:21 - 2011-05-31 13:48 - 00070656 ____A C:\Windows\SysWOW64\CNC175ED.TBL

2012-08-06 14:21 - 2008-08-25 15:02 - 00015872 ____A (CANON INC.) C:\Windows\SysWOW64\CNHMCA.dll

2012-08-06 14:20 - 2012-08-06 14:20 - 00002075 ____A C:\Users\Public\Desktop\Canon Solution Menu EX.lnk

2012-08-06 14:20 - 2012-08-06 14:20 - 00000000 ____D C:\Users\All Users\CanonIJWSpt

2012-08-06 14:20 - 2012-08-06 14:20 - 00000000 ____D C:\Program Files\Common Files\CANON

2012-08-06 14:19 - 2012-08-07 19:28 - 00000000 ____D C:\Users\All Users\CanonIJPLM

2012-08-06 14:18 - 2012-08-06 14:18 - 00002354 ____A C:\Users\Public\Desktop\Canon MX890 series On-screen Manual.lnk

2012-08-06 14:18 - 2011-11-03 02:00 - 00385024 ____A (CANON INC.) C:\Windows\System32\CNMLMAZ.DLL

2012-08-06 14:18 - 2011-09-29 01:23 - 00256000 ____A (CANON INC.) C:\Windows\System32\CNMIUAZ.DLL

2012-08-06 14:18 - 2011-09-21 02:00 - 00302592 ____A (CANON INC.) C:\Windows\System32\CNCALAZ.DLL

2012-08-06 14:06 - 2012-08-06 14:08 - 00000000 ____D C:\Windows\System32\STRING

2012-08-06 14:06 - 2011-08-16 00:30 - 00356864 ____A (CANON INC.) C:\Windows\System32\CNMN6PPM.DLL

2012-08-06 14:06 - 2011-08-16 00:30 - 00039424 ____A (CANON INC.) C:\Windows\System32\CNMN6UI.DLL

2012-08-05 16:48 - 2012-08-05 16:48 - 00000000 ____D C:\Users\Default\AppData\LocalGoogle

2012-08-05 16:48 - 2012-08-05 16:48 - 00000000 ____D C:\Users\Default\AppData\Local\Google

2012-08-05 16:48 - 2012-08-05 16:48 - 00000000 ____D C:\Users\Default User\AppData\LocalGoogle

2012-08-05 16:48 - 2012-08-05 16:48 - 00000000 ____D C:\Users\Default User\AppData\Local\Google

2012-08-03 12:44 - 2012-08-03 12:44 - 00000000 ____D C:\Users\All Users\Samsung

2012-07-15 09:27 - 2012-08-12 17:49 - 00000000 ___SD C:\Users\Eric\Google Drive

2012-07-15 09:27 - 2012-07-15 09:27 - 00001656 ____A C:\Users\Eric\Desktop\Google Drive.lnk

2012-07-15 09:26 - 2012-07-15 09:26 - 00000000 ____D C:\Users\Eric\AppData\LocalGoogle

============ 3 Months Modified Files ========================

2012-08-12 18:26 - 2012-08-12 18:26 - 00003584 ____A C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-08-12 18:00 - 2012-08-12 18:00 - 00000020 __ASH C:\Users\Administrator\ntuser.ini

2012-08-12 17:57 - 2009-07-13 21:13 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-12 17:52 - 2012-03-21 13:34 - 00000236 ____A C:\service.log

2012-08-12 17:49 - 2012-03-30 05:18 - 00038473 ____A C:\Windows\setupact.log

2012-08-12 17:49 - 2012-03-21 14:20 - 00025640 ____A (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys

2012-08-12 17:49 - 2012-03-21 11:39 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-08-12 17:49 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-12 17:11 - 2009-07-13 20:45 - 00022112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-12 17:11 - 2009-07-13 20:45 - 00022112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-12 16:15 - 2012-08-12 16:14 - 00276864 ____A C:\Windows\Minidump\081212-21356-01.dmp

2012-08-12 13:03 - 2012-08-12 13:03 - 00004210 ____A C:\Users\Eric\Desktop\RKreport[1].txt

2012-08-12 11:11 - 2012-08-10 08:26 - 00000004 ____A C:\Windows\SysWOW64\GVTunner.ref

2012-08-12 11:11 - 2012-03-21 19:30 - 00030528 ____A C:\Windows\GVTDrv64.sys

2012-08-12 10:48 - 2012-03-21 11:39 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-08-12 08:28 - 2012-08-12 08:28 - 01558528 ____A C:\Users\Eric\Desktop\RogueKiller.exe

2012-08-11 14:00 - 2012-04-02 20:03 - 00010274 ____A C:\Windows\PFRO.log

2012-08-11 10:28 - 2012-08-11 10:28 - 00002971 ____A C:\Users\Eric\Desktop\HiJackThis.lnk

2012-08-11 10:27 - 2012-08-11 10:27 - 01402880 ____A C:\Users\Eric\Desktop\HiJackThis.msi

2012-08-10 04:14 - 2012-03-27 11:36 - 00000362 _RASH C:\Users\All Users\ntuser.pol

2012-08-09 11:49 - 2012-03-21 11:39 - 00002340 ____A C:\Users\Public\Desktop\Google Chrome.lnk

2012-08-09 09:00 - 2012-03-21 22:49 - 01717507 ____A C:\Windows\WindowsUpdate.log

2012-08-06 14:20 - 2012-08-06 14:20 - 00002075 ____A C:\Users\Public\Desktop\Canon Solution Menu EX.lnk

2012-08-06 14:18 - 2012-08-06 14:18 - 00002354 ____A C:\Users\Public\Desktop\Canon MX890 series On-screen Manual.lnk

2012-07-25 16:10 - 2012-03-26 16:01 - 00058368 ____A C:\Users\Eric\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-07-15 09:28 - 2012-06-22 08:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-15 09:28 - 2012-03-21 18:52 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-15 09:27 - 2012-07-15 09:27 - 00001656 ____A C:\Users\Eric\Desktop\Google Drive.lnk

2012-07-13 09:34 - 2012-03-24 14:06 - 00025640 ____A (Windows ® Server 2003 DDK provider) C:\Windows\etdrv.sys

2012-07-12 20:26 - 2012-07-12 20:23 - 00029808 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

2012-07-12 00:19 - 2009-07-13 20:45 - 04927872 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-12 00:01 - 2012-04-01 11:39 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-08 10:47 - 2012-07-08 10:47 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ssadadb_01005.Wdf

2012-07-06 12:10 - 2012-07-06 12:10 - 00000943 ____A C:\Users\Mom\Desktop\Audacity.lnk

2012-07-06 12:10 - 2012-07-06 12:10 - 00000943 ____A C:\Users\Mcx1-ERIC-PC\Desktop\Audacity.lnk

2012-07-06 12:10 - 2012-07-06 12:10 - 00000943 ____A C:\Users\Eric\Desktop\Audacity.lnk

2012-07-06 12:04 - 2012-07-06 12:04 - 00001129 ____A C:\Users\Eric\Desktop\Free Sound Recorder.lnk

2012-07-05 07:26 - 2012-03-21 12:38 - 00000965 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2012-07-03 10:46 - 2012-03-21 16:52 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-11 19:08 - 2012-07-12 00:03 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:43 - 2012-07-11 08:03 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:41 - 2012-07-11 08:03 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 22:06 - 2012-07-11 08:03 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 22:06 - 2012-07-11 08:03 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 22:02 - 2012-07-11 08:03 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-05 21:05 - 2012-07-11 08:03 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:05 - 2012-07-11 08:03 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 21:03 - 2012-07-11 08:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-05 09:37 - 2012-06-05 09:37 - 00001225 ____A C:\Users\Eric\Desktop\AVS Audio Recorder.lnk

2012-06-05 09:37 - 2012-03-21 13:54 - 00001293 ____A C:\Users\Eric\Desktop\AVS4YOU Software Navigator.lnk

2012-06-02 14:19 - 2012-06-23 07:40 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-23 07:40 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-23 07:40 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-23 07:40 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-23 07:40 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-23 07:40 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-23 07:40 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 12:19 - 2012-06-23 07:40 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 12:15 - 2012-06-23 07:40 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 04:49 - 2012-07-12 00:00 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 04:17 - 2012-07-12 00:00 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 04:12 - 2012-07-12 00:00 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 04:05 - 2012-07-12 00:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 04:05 - 2012-07-12 00:00 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 04:04 - 2012-07-12 00:00 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 04:04 - 2012-07-12 00:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 04:03 - 2012-07-12 00:00 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 04:01 - 2012-07-12 00:00 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 04:00 - 2012-07-12 00:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 03:59 - 2012-07-12 00:00 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 03:57 - 2012-07-12 00:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 03:57 - 2012-07-12 00:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 03:54 - 2012-07-12 00:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 01:07 - 2012-07-12 00:00 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-02 00:43 - 2012-07-12 00:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-02 00:33 - 2012-07-12 00:00 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-02 00:26 - 2012-07-12 00:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-02 00:25 - 2012-07-12 00:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-02 00:25 - 2012-07-12 00:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-02 00:23 - 2012-07-12 00:00 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-02 00:21 - 2012-07-12 00:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-02 00:20 - 2012-07-12 00:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-02 00:19 - 2012-07-12 00:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-02 00:19 - 2012-07-12 00:00 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-02 00:17 - 2012-07-12 00:00 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-02 00:16 - 2012-07-12 00:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-02 00:14 - 2012-07-12 00:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-01 21:50 - 2012-07-11 08:03 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:48 - 2012-07-11 08:03 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:48 - 2012-07-11 08:03 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:45 - 2012-07-11 08:03 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:44 - 2012-07-11 08:03 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:40 - 2012-07-11 08:03 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:40 - 2012-07-11 08:03 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:39 - 2012-07-11 08:03 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:34 - 2012-07-11 08:03 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-05-28 08:44 - 2012-05-28 08:44 - 00002035 ____A C:\Users\Eric\Desktop\VideoClone.lnk

2012-05-28 08:44 - 2012-04-14 14:54 - 00002067 ____A C:\Users\Eric\Desktop\WM Converter.lnk

2012-05-28 08:44 - 2012-04-14 14:54 - 00001868 ____A C:\Users\Eric\Desktop\WM Recorder 14.lnk

2012-05-18 22:22 - 2012-04-02 14:48 - 00001234 ____A C:\Users\Eric\Desktop\Adobe Photoshop CS5 (64 Bit).lnk

2012-05-16 18:18 - 2012-05-16 16:36 - 06198837 ____A C:\xvid.pass

ZeroAccess:

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\L

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\L\00000004.@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\L\201d3dde

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U\00000004.@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U\00000008.@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U\000000cb.@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U\80000000.@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U\80000032.@

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a}\U\80000064.@

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

Type 00 partition infection:

C:\Windows\svchost.exe

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 7%

Total physical RAM: 16365.24 MB

Available physical RAM: 15166.29 MB

Total Pagefile: 16363.44 MB

Available Pagefile: 15165.73 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:111.69 GB) (Free:23.79 GB) NTFS

2 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive e: () (Fixed) (Total:698.63 GB) (Free:42.7 GB) NTFS

9 Drive l: (UNRAID) (Removable) (Total:3.72 GB) (Free:3.67 GB) FAT32

10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

11 Drive y: () (Fixed) (Total:1863.01 GB) (Free:1384.86 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 1863 GB 0 B

Disk 1 Online 111 GB 0 B

Disk 2 Online 698 GB 8 MB

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 No Media 0 B 0 B

Disk 7 Online 3819 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1863 GB 1024 KB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y NTFS Partition 1863 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 111 GB 101 MB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 698 GB 31 KB

==================================================================================

Disk: 2

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E NTFS Partition 698 GB Healthy

==================================================================================

Partitions of Disk 7:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3818 MB 16 KB

==================================================================================

Disk: 7

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 9 L UNRAID FAT32 Removable 3818 MB Healthy

==================================================================================

Last Boot: 2012-08-06 21:45

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 2012-08-12 21:42:35

Running from L:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012

Ran by SYSTEM at 2012-08-14 10:31:28 Run:1

Running from L:\

==============================================

C:\Windows\Installer\{998f444d-05ef-26a6-2d1e-2f9dd52a008a} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====

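The search output earlier in the thread shows two copies of services.exe with identical size, timestamps and company string but different MD5s, and the fixlog restores the System32 copy from WinSxS. As an added example that is not part of this thread and not FRST's own code, here is a small parser for that FRST search format (the two hits above embedded as sample input) that flags a System32 file whose hash differs from its WinSxS counterpart; the function names and the "compare against WinSxS" heuristic are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two hits from the FRST "Search: services.exe" output quoted above.
FRST_SEARCH_OUTPUT = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

def parse_frst_search(text):
    """Return one dict per hit: the path line plus the fields of the detail line under it."""
    hits, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):   # skip banners and blank lines
            continue
        match = DETAIL_RE.match(line)
        if match and path:
            hit = match.groupdict()
            hit["path"], hit["size"] = path, int(hit["size"])
            hits.append(hit)
            path = None
        else:
            path = line                         # a path line precedes its detail line
    return hits

def find_hash_mismatches(hits):
    """Flag each System32 file whose MD5 differs from a WinSxS copy of the same name."""
    by_name = defaultdict(list)
    for hit in hits:
        by_name[hit["path"].rsplit("\\", 1)[-1].lower()].append(hit)
    findings = []
    for name, copies in by_name.items():
        winsxs = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        live = [c for c in copies if "\\system32\\" in c["path"].lower()]
        for lv in live:
            for wx in winsxs:
                if lv["md5"].upper() != wx["md5"].upper():   # size/dates match, only the hash differs
                    findings.append({"file": name, "live": lv["path"], "live_md5": lv["md5"],
                                     "winsxs_md5": wx["md5"], "same_size": lv["size"] == wx["size"]})
    return findings
```

A mismatch is a lead, not proof: a System32 binary updated by a later hotfix can legitimately differ from an older WinSxS copy, so confirm with the file's Authenticode signature before replacing anything.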

A couple more scans to run.........

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


12:16:41.0316 3692 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05

12:16:41.0851 3692 ============================================================

12:16:41.0851 3692 Current date / time: 2012/08/14 12:16:41.0851

12:16:41.0851 3692 SystemInfo:

12:16:41.0851 3692

12:16:41.0851 3692 OS Version: 6.1.7601 ServicePack: 1.0

12:16:41.0851 3692 Product type: Workstation

12:16:41.0851 3692 ComputerName: ERIC-PC

12:16:41.0851 3692 UserName: Eric

12:16:41.0851 3692 Windows directory: C:\Windows

12:16:41.0852 3692 System windows directory: C:\Windows

12:16:41.0852 3692 Running under WOW64

12:16:41.0852 3692 Processor architecture: Intel x64

12:16:41.0852 3692 Number of processors: 8

12:16:41.0852 3692 Page size: 0x1000

12:16:41.0852 3692 Boot type: Normal boot

12:16:41.0852 3692 ============================================================

12:16:41.0915 3692 BG loaded

12:16:42.0093 3692 Drive \Device\Harddisk1\DR1 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040

12:16:42.0112 3692 Drive \Device\Harddisk2\DR2 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

12:16:42.0122 3692 Drive \Device\Harddisk0\DR0 - Size: 0x1D1C1116000 (1863.02 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

12:16:42.0152 3692 ============================================================

12:16:42.0152 3692 \Device\Harddisk1\DR1:

12:16:42.0154 3692 MBR partitions:

12:16:42.0154 3692 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000

12:16:42.0154 3692 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0xDF61800

12:16:42.0154 3692 \Device\Harddisk2\DR2:

12:16:42.0154 3692 MBR partitions:

12:16:42.0154 3692 \Device\Harddisk2\DR2\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x57541401

12:16:42.0154 3692 \Device\Harddisk0\DR0:

12:16:42.0154 3692 MBR partitions:

12:16:42.0154 3692 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xE8E07800

12:16:42.0154 3692 ============================================================

12:16:42.0155 3692 C: <-> \Device\Harddisk1\DR1\Partition2

12:16:42.0171 3692 F: <-> \Device\Harddisk2\DR2\Partition1

12:16:42.0190 3692 E: <-> \Device\Harddisk0\DR0\Partition1

12:16:42.0190 3692 ============================================================

12:16:42.0190 3692 Initialize success

12:16:42.0190 3692 ============================================================


That's better....

Just run it again and choose Delete for these only: (you don't have to post the log)

12:14:46.0186 3092 \Device\Harddisk1\DR1 ( TDSS File System ) - skipped by user <---------

12:14:46.0186 3092 \Device\Harddisk1\DR1 ( TDSS File System ) - User select action: Skip

12:14:46.0187 3092 \Device\Harddisk2\DR2 ( TDSS File System ) - skipped by user <---------

12:14:46.0187 3092 \Device\Harddisk2\DR2 ( TDSS File System ) - User select action: Skip

--------------------------------------

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.15.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Eric :: ERIC-PC [administrator]

8/15/2012 4:45:29 PM

mbam-log-2012-08-15 (16-45-29).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 261051

Time elapsed: 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e., RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
