
Rootkit.0Access and Trojan.Dropper.BCMiner



Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

services.exe

  • Now press the Search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC

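The scan log that FRST writes uses one line per file or folder: two timestamps, an eight-digit size, a five-letter attribute field (D directory, S system, H hidden, A archive, R read-only, as seen in the log further down this thread), an optional vendor string in parentheses, and the path. As an added example, not code from MrC or from the FRST author, here is a small Python parser for that line format with two defender-side triage heuristics: a hidden+system directory under C:\Windows whose name is a literal %-style name, and an executable in System32 or SysWOW64 with no vendor string at all. The sample lines are constructed here in the log's format, and the heuristics are my own assumptions rather than anything FRST itself does; a hit is a prompt to verify the file's signature and hash, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape FRST uses for its file lists:
# "<date> - <date> - <size> <attrs> [(Company)] <path>"
SAMPLE_LINES = r"""
2012-08-12 22:03 - 2012-08-12 22:03 - 00000000 ____D C:\FRST
2012-08-04 07:13 - 2012-08-04 07:13 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-12 15:14 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-13 15:56 - 2011-06-10 07:34 - 00074272 ____A C:\Windows\System32\RtNicProp64.dll
2012-07-13 16:21 - 2012-05-04 12:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-07-21 16:36 - 2010-01-05 18:23 - 01847296 ___RA (Atheros Communications, Inc.) C:\Windows\System32\athurx.sys
2012-07-13 09:11 - 2011-04-15 15:00 - 00053248 ____A (Windows XP Bundled build C-Centric Single User) C:\Windows\SysWOW64\CSVer.dll
"""

# One FRST file-list line. The vendor string is optional; paths may contain "(x86)",
# so the vendor group is only tried directly after the attribute field.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

EXE_EXT = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Entry:
    first_ts: str
    second_ts: str
    size: int
    attrs: str            # five-character flag field, e.g. "__SHD" or "____A"
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one file-list line; return None for lines that are not file entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    return Entry(
        first_ts=m.group("ts1"),
        second_ts=m.group("ts2"),
        size=int(m.group("size")),
        attrs=m.group("attrs"),
        company=company.strip() if company else None,
        path=m.group("path"),
    )


def parse_log(text: str) -> list:
    """Parse every line of a file-list section, skipping headers and blank lines."""
    entries = []
    for line in text.strip().splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def flag_entries(entries: list) -> dict:
    """Apply the two triage heuristics (assumptions of this example, not FRST rules).

    Returns {path: [reason, ...]} for entries worth a closer look."""
    findings = {}
    for e in entries:
        low = e.path.lower()
        name = e.path.rsplit("\\", 1)[-1]
        reasons = []
        # A hidden+system directory under C:\Windows is unusual for normal software.
        if e.is_dir and e.hidden and e.system and low.startswith(WINDOWS_DIR):
            reasons.append("hidden+system directory under the Windows directory")
        # A literal "%NAME%" on disk means something wrote an unexpanded variable as a path.
        if "%" in name:
            reasons.append("literal environment-variable style name on disk")
        # Executables in system directories normally carry a vendor string; none means
        # no version info was read, so the signature and hash should be checked by hand.
        if low.endswith(EXE_EXT) and low.startswith(SYSTEM_DIRS) and e.company is None:
            reasons.append("executable in a system directory with no vendor string")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in flag_entries(parse_log(SAMPLE_LINES)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against a real FRST.txt, the script reads the "Created Files and Folders" and "Modified Files" sections unchanged; lines from the Registry, Services and Drivers sections use different formats and are simply skipped by the regex. The "no vendor string" rule is noisy on purpose: legitimate OEM files such as RtNicProp64.dll will trip it, which is why the output is a review list rather than a removal list.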

First, thanks for quick reply.

This is what I got from the suggested procedure

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 12-08-2012 22:03:34

Running from H:\

Windows 7 Ultimate Service Pack 1 (X64) OS Language: Italian Standard

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [170264 2012-03-19] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [398616 2012-03-19] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [439064 2012-03-19] (Intel Corporation)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [OpwareSE2] "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [49152 2003-05-08] (ScanSoft, Inc.)

HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-07-18] (Avira Operations GmbH & Co. KG)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKU\250\...\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe" [495616 2007-09-02] ()

HKU\250\...\Run: [EPSON S21 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFAE.EXE /FU "C:\Windows\TEMP\E_S705.tmp" /EF "HKCU" [223232 2008-09-12] (SEIKO EPSON CORPORATION)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

Tcpip\..\Interfaces\{2144F76C-475E-4820-B897-011969B472BE}: [NameServer]208.67.222.222,208.67.220.220

==================== Services (Whitelisted) ======

2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-07-18] (Avira Operations GmbH & Co. KG)

2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-07-18] (Avira Operations GmbH & Co. KG)

2 CLHNServiceForPowerDVD; C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [83240 2011-04-20] ()

2 CyberLink PowerDVD 11.0 Monitor Service; "C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe" [70952 2011-03-31] (CyberLink)

2 CyberLink PowerDVD 11.0 Service; "C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe" [312616 2011-03-31] (CyberLink)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

========================== Drivers (Whitelisted) =============

2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [98848 2012-07-18] (Avira GmbH)

1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [132832 2012-07-18] (Avira GmbH)

1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27760 2012-07-18] (Avira GmbH)

1 ISODrive; \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115600 2010-01-29] (EZB Systems, Inc.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)

0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()

2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; \??\C:\Program Files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [148976 2011-04-12] (CyberLink Corp.)

3 MSICDSetup; \??\E:\CDriver64.sys [x]

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-12 22:03 - 2012-08-12 22:03 - 00000000 ____D C:\FRST

2012-08-12 15:22 - 2012-08-12 20:23 - 00011526 ____A C:\Windows\PFRO.log

2012-08-12 15:15 - 2012-08-12 15:15 - 00000000 ____D C:\Users\250\AppData\Roaming\Malwarebytes

2012-08-12 15:14 - 2012-08-12 15:14 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-08-12 15:14 - 2012-08-12 15:14 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-12 15:14 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-12 06:38 - 2012-08-12 06:38 - 00122992 ____A C:\Users\250\AppData\Local\GDIPFONTCACHEV1.DAT

2012-08-12 06:37 - 2012-08-12 20:23 - 00000336 ____A C:\Windows\setupact.log

2012-08-12 06:37 - 2012-08-12 06:38 - 05017296 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-12 06:37 - 2012-08-12 06:37 - 00000000 ____A C:\Windows\setuperr.log

2012-08-11 18:52 - 2012-08-11 19:06 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-08-11 17:49 - 2012-08-11 17:49 - 00000000 ____D C:\Users\250\AppData\Roaming\Avira

2012-08-11 17:43 - 2012-08-11 17:43 - 00000000 ____D C:\Users\All Users\Avira

2012-08-11 17:43 - 2012-08-11 17:43 - 00000000 ____D C:\Program Files (x86)\Avira

2012-08-11 17:43 - 2012-07-18 17:05 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys

2012-08-11 17:43 - 2012-07-18 17:05 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys

2012-08-11 17:43 - 2012-07-18 17:05 - 00027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys

2012-08-10 16:11 - 2012-08-10 16:11 - 01568048 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-10 15:57 - 2012-08-10 15:57 - 00000000 ____D C:\Users\All Users\MSScanAppDataDir

2012-08-10 15:28 - 2012-08-10 15:50 - 00000424 ____A C:\Windows\ODBC.INI

2012-08-04 07:13 - 2012-08-04 07:13 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-29 17:25 - 2012-07-29 18:28 - 00000079 ____A C:\Windows\showcalc.ini

2012-07-26 21:03 - 2012-07-26 21:03 - 00000000 ____D C:\Users\250\Application Data\Adobe

2012-07-26 19:53 - 2012-07-26 21:38 - 00000000 ____D C:\Users\250\AppData\Local\Microsoft Games

2012-07-25 17:13 - 2012-07-25 17:13 - 00000000 ____D C:\Windows\Sun

2012-07-24 22:17 - 2012-07-24 22:17 - 00000000 ____D C:\Users\All Users\ScanSoft

2012-07-24 17:16 - 2012-07-24 17:25 - 00000000 ____D C:\Users\All Users\SpeedyPC Software

2012-07-24 17:16 - 2012-07-24 17:16 - 00000000 ____D C:\Users\250\AppData\Roaming\SpeedyPC Software

2012-07-24 17:16 - 2012-07-24 17:16 - 00000000 ____D C:\Users\250\AppData\Roaming\DriverCure

2012-07-24 16:58 - 2012-07-24 17:51 - 00000000 ____D C:\Users\All Users\SSScanWizard

2012-07-24 16:58 - 2012-07-24 17:41 - 00000000 ____D C:\Users\All Users\SSScanAppDataDir

2012-07-24 16:58 - 2012-07-24 16:58 - 00000556 ____A C:\Windows\MAXLINK.INI

2012-07-24 16:58 - 2012-07-24 16:58 - 00000000 ____D C:\Users\250\AppData\Roaming\ScanSoft

2012-07-24 16:57 - 2012-07-24 16:57 - 00000000 ____D C:\Program Files (x86)\ScanSoft

2012-07-24 16:46 - 2012-07-24 17:30 - 00000000 ___HD C:\CanoScan

2012-07-22 12:49 - 2012-08-11 21:17 - 00000000 ____D C:\Windows\Minidump

2012-07-21 19:44 - 2012-07-22 12:51 - 00000000 ____D C:\Program Files (x86)\Elaborate Bytes

2012-07-21 19:42 - 2012-07-22 12:51 - 00000000 ____D C:\Program Files (x86)\SlySoft

2012-07-21 19:36 - 2012-07-21 19:36 - 00000000 ____D C:\Users\All Users\UDL

2012-07-21 19:35 - 2012-07-21 19:35 - 00000000 ____D C:\Users\All Users\EPSON

2012-07-21 19:35 - 2012-07-21 19:35 - 00000000 ____D C:\Users\250\AppData\Roaming\InstallShield

2012-07-21 19:35 - 2008-08-08 12:09 - 00108032 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\E_ILMFAE.DLL

2012-07-21 19:35 - 2007-12-07 12:01 - 00081408 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\E_IBCBFAE.DLL

2012-07-21 19:35 - 2007-06-21 23:10 - 00501912 ____A (SEIKO EPSON CORPORATION) C:\Windows\SysWOW64\PICSDK2.dll

2012-07-21 19:35 - 2007-06-21 23:10 - 00000097 ____A C:\Windows\SysWOW64\PICSDK.ini

2012-07-21 19:35 - 2007-04-10 11:06 - 00010752 ____A (SEIKO EPSON CORP.) C:\Windows\System32\E_GCINST.DLL

2012-07-21 19:35 - 2006-10-30 23:10 - 00120992 ____A (SEIKO EPSON CORPORATION) C:\Windows\SysWOW64\EpPicPrt.dll

2012-07-21 19:35 - 2006-10-30 23:10 - 00071840 ____A (SEIKO EPSON CORPORATION) C:\Windows\SysWOW64\EPPicMgr.dll

2012-07-21 19:35 - 2006-10-19 23:10 - 00108704 ____A (SEIKO EPSON CORPORATION) C:\Windows\SysWOW64\PICEntry.dll

2012-07-21 19:35 - 2006-10-19 23:10 - 00080024 ____A (SEIKO EPSON CORPORATION) C:\Windows\SysWOW64\PICSDK.dll

2012-07-21 19:35 - 2005-05-31 23:20 - 00111932 ____A C:\Windows\SysWOW64\EPPICPrinterDB.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00031053 ____A C:\Windows\SysWOW64\EPPICPattern131.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00027417 ____A C:\Windows\SysWOW64\EPPICPattern121.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00026154 ____A C:\Windows\SysWOW64\EPPICPattern1.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00024903 ____A C:\Windows\SysWOW64\EPPICPattern3.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00021390 ____A C:\Windows\SysWOW64\EPPICPattern5.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00020148 ____A C:\Windows\SysWOW64\EPPICPattern2.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00013732 ____A C:\Windows\SysWOW64\EPPICLocal_EN.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00011811 ____A C:\Windows\SysWOW64\EPPICPattern4.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00006442 ____A C:\Windows\SysWOW64\EPPICLocal_IT.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006347 ____A C:\Windows\SysWOW64\EPPICLocal_PT.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006347 ____A C:\Windows\SysWOW64\EPPICLocal_BP.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006335 ____A C:\Windows\SysWOW64\EPPICLocal_GE.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006195 ____A C:\Windows\SysWOW64\EPPICLocal_FR.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006195 ____A C:\Windows\SysWOW64\EPPICLocal_CF.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006122 ____A C:\Windows\SysWOW64\EPPICLocal_DU.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00006103 ____A C:\Windows\SysWOW64\EPPICLocal_ES.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00005817 ____A C:\Windows\SysWOW64\EPPICLocal_KO.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00005436 ____A C:\Windows\SysWOW64\EPPICLocal_SC.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00004943 ____A C:\Windows\SysWOW64\EPPICPattern6.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00002889 ____A C:\Windows\SysWOW64\EPPICLocal_RU.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00002426 ____A C:\Windows\SysWOW64\EPPICLocal_TC.cfg

2012-07-21 19:35 - 2004-03-03 05:10 - 00001146 ____A C:\Windows\SysWOW64\EPPICPresetData_DU.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001139 ____A C:\Windows\SysWOW64\EPPICPresetData_PT.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001139 ____A C:\Windows\SysWOW64\EPPICPresetData_BP.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001136 ____A C:\Windows\SysWOW64\EPPICPresetData_ES.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001129 ____A C:\Windows\SysWOW64\EPPICPresetData_FR.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001129 ____A C:\Windows\SysWOW64\EPPICPresetData_CF.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001120 ____A C:\Windows\SysWOW64\EPPICPresetData_IT.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001107 ____A C:\Windows\SysWOW64\EPPICPresetData_GE.dat

2012-07-21 19:35 - 2004-03-03 05:10 - 00001104 ____A C:\Windows\SysWOW64\EPPICPresetData_EN.dat

2012-07-21 16:36 - 2012-07-21 16:36 - 00000000 ____D C:\Windows\Options

2012-07-21 16:36 - 2012-07-21 16:36 - 00000000 ____D C:\Users\All Users\TP-LINK

2012-07-21 16:36 - 2010-05-13 08:58 - 00007484 ____A C:\Windows\System32\athurextx.cat

2012-07-21 16:36 - 2010-01-05 18:23 - 01847296 ___RA (Atheros Communications, Inc.) C:\Windows\System32\athurx.sys

2012-07-21 16:36 - 2010-01-05 18:23 - 01847296 ____A (Atheros Communications, Inc.) C:\Windows\System32\Drivers\athurx.sys

2012-07-21 16:30 - 2012-07-21 16:30 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-07-21 07:06 - 2012-07-21 07:06 - 00000991 ____A C:\Users\Public\Desktop\eMule.lnk

2012-07-21 07:05 - 2012-08-11 17:51 - 00000000 ____D C:\Program Files (x86)\eMule

2012-07-20 16:18 - 2012-07-20 16:18 - 00000000 ____A C:\Windows\SysWOW64\Progr3ml.txt

2012-07-13 17:30 - 2012-06-12 04:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-13 17:09 - 2012-07-13 17:09 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0

2012-07-13 16:49 - 2010-02-23 09:16 - 00294912 ____A (Microsoft Corporation) C:\Windows\System32\browserchoice.exe

2012-07-13 16:27 - 2012-06-02 13:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-07-13 16:27 - 2012-06-02 13:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-07-13 16:27 - 2012-06-02 12:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-07-13 16:27 - 2012-06-02 12:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-07-13 16:27 - 2012-06-02 12:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-07-13 16:27 - 2012-06-02 09:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-07-13 16:27 - 2012-06-02 09:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-07-13 16:27 - 2012-06-02 09:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-07-13 16:27 - 2012-06-02 09:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-07-13 16:27 - 2012-06-02 09:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-07-13 16:26 - 2012-06-02 13:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-07-13 16:26 - 2012-06-02 13:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-07-13 16:26 - 2012-06-02 13:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-07-13 16:26 - 2012-06-02 13:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-07-13 16:26 - 2012-06-02 13:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-07-13 16:26 - 2012-06-02 13:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-07-13 16:26 - 2012-06-02 13:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-07-13 16:26 - 2012-06-02 13:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-07-13 16:26 - 2012-06-02 12:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-07-13 16:26 - 2012-06-02 10:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-07-13 16:26 - 2012-06-02 09:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-07-13 16:26 - 2012-06-02 09:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-07-13 16:26 - 2012-06-02 09:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-07-13 16:26 - 2012-06-02 09:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-07-13 16:26 - 2012-06-02 09:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-07-13 16:26 - 2012-06-02 09:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-07-13 16:26 - 2012-06-02 09:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-07-13 16:26 - 2012-06-02 09:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-07-13 16:22 - 2012-04-24 06:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-07-13 16:22 - 2012-04-24 06:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-07-13 16:22 - 2012-04-24 06:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-07-13 16:22 - 2012-04-24 05:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-07-13 16:22 - 2012-04-24 05:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-07-13 16:22 - 2012-04-24 05:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-07-13 16:22 - 2012-03-03 07:35 - 01544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-07-13 16:22 - 2012-03-03 06:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2012-07-13 16:21 - 2012-06-09 06:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-13 16:21 - 2012-06-09 05:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-13 16:21 - 2012-06-06 07:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-13 16:21 - 2012-06-06 07:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-13 16:21 - 2012-06-06 06:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-13 16:21 - 2012-06-06 06:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-13 16:21 - 2012-06-02 06:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-13 16:21 - 2012-06-02 06:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-13 16:21 - 2012-06-02 06:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-13 16:21 - 2012-06-02 06:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-13 16:21 - 2012-06-02 06:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-13 16:21 - 2012-06-02 05:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-13 16:21 - 2012-06-02 05:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-13 16:21 - 2012-06-02 05:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-13 16:21 - 2012-06-02 05:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-13 16:21 - 2012-05-04 12:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-07-13 16:21 - 2012-05-04 12:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll

2012-07-13 16:21 - 2012-05-04 11:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-07-13 16:21 - 2012-05-04 11:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-07-13 16:21 - 2012-05-04 10:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll

2012-07-13 16:21 - 2012-05-01 06:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-07-13 16:21 - 2012-04-26 06:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-07-13 16:21 - 2012-04-26 06:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-07-13 16:21 - 2012-04-26 06:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-07-13 16:21 - 2012-04-07 13:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-07-13 16:21 - 2012-04-07 12:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

2012-07-13 16:21 - 2012-03-30 12:35 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-07-13 16:21 - 2012-03-17 08:58 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-07-13 16:21 - 2010-06-26 04:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

2012-07-13 16:21 - 2010-06-26 04:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll

2012-07-13 16:20 - 2012-04-28 06:32 - 01112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll

2012-07-13 16:20 - 2012-04-28 04:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-07-13 16:16 - 2012-06-06 07:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-07-13 16:16 - 2012-06-06 06:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-07-13 16:13 - 2012-07-13 16:13 - 00014250 ____A C:\Windows\System32\results.xml

2012-07-13 16:04 - 2012-06-02 23:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-07-13 16:04 - 2012-06-02 23:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-07-13 16:04 - 2012-06-02 23:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-07-13 16:04 - 2012-06-02 23:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-07-13 16:03 - 2012-06-02 23:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-07-13 16:03 - 2012-06-02 23:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-07-13 16:03 - 2012-06-02 23:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-07-13 16:03 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-07-13 16:03 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-07-13 15:56 - 2011-06-10 07:34 - 00539240 ____A (Realtek ) C:\Windows\System32\Drivers\Rt64win7.sys

2012-07-13 15:56 - 2011-06-10 07:34 - 00107552 ____A (Realtek Semiconductor Corporation) C:\Windows\System32\RTNUninst64.dll

2012-07-13 15:56 - 2011-06-10 07:34 - 00074272 ____A C:\Windows\System32\RtNicProp64.dll

2012-07-13 09:37 - 2012-07-13 09:37 - 00000000 ____D C:\Program Files\Common Files\Intel

2012-07-13 09:36 - 2012-03-19 22:22 - 09605632 ____A (Intel Corporation) C:\Windows\System32\igd10umd64.dll

2012-07-13 09:36 - 2012-03-19 21:18 - 00386560 ____A (Intel Corporation) C:\Windows\System32\igfxpph.dll

2012-07-13 09:36 - 2012-03-19 21:17 - 00110592 ____A (Intel Corporation) C:\Windows\System32\hccutils.dll

2012-07-13 09:36 - 2012-03-19 21:17 - 00063488 ____A (Intel Corporation) C:\Windows\System32\igfxsrvc.dll

2012-07-13 09:36 - 2012-03-19 21:16 - 09007616 ____A (Intel Corporation) C:\Windows\System32\igfxress.dll

2012-07-13 09:36 - 2011-05-21 04:28 - 00090112 ____A (Intel Corporation) C:\Windows\System32\igfxCoIn_v2401.dll

2012-07-13 09:36 - 2011-05-21 04:19 - 00145804 ____A C:\Windows\SysWOW64\igcompkrng600.bin

2012-07-13 09:36 - 2011-05-21 04:19 - 00145804 ____A C:\Windows\System32\igcompkrng600.bin

2012-07-13 09:36 - 2011-05-21 04:10 - 00577024 ____A (Intel Corporation) C:\Windows\SysWOW64\igdumdx32.dll

2012-07-13 09:36 - 2011-05-21 03:32 - 01981696 ____A C:\Windows\System32\iglhxa64.cpa

2012-07-13 09:36 - 2011-05-21 03:32 - 00094208 ____A C:\Windows\System32\IccLibDll_x64.dll

2012-07-13 09:11 - 2012-07-13 09:36 - 00000000 ____D C:\Program Files (x86)\Intel

2012-07-13 09:11 - 2011-04-15 15:00 - 00053248 ____A (Windows XP Bundled build C-Centric Single User) C:\Windows\SysWOW64\CSVer.dll

2012-07-13 09:06 - 2012-07-13 09:35 - 00000000 ____D C:\Intel

============ 3 Months Modified Files ========================

2012-08-12 20:53 - 2009-07-14 05:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-12 20:53 - 2009-07-14 05:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-12 20:52 - 2012-04-16 09:05 - 00000978 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-12 20:52 - 2010-11-21 16:30 - 00701188 ____A C:\Windows\System32\perfh010.dat

2012-08-12 20:52 - 2010-11-21 16:30 - 00128534 ____A C:\Windows\System32\perfc010.dat

2012-08-12 20:52 - 2009-07-14 06:13 - 01549120 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-12 20:23 - 2012-08-12 15:22 - 00011526 ____A C:\Windows\PFRO.log

2012-08-12 20:23 - 2012-08-12 06:37 - 00000336 ____A C:\Windows\setupact.log

2012-08-12 20:23 - 2012-04-16 10:49 - 00000196 ____A C:\Windows\Tasks\AutoKMS.job

2012-08-12 20:23 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-12 06:38 - 2012-08-12 06:38 - 00122992 ____A C:\Users\250\AppData\Local\GDIPFONTCACHEV1.DAT

2012-08-12 06:38 - 2012-08-12 06:37 - 05017296 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-12 06:37 - 2012-08-12 06:37 - 00000000 ____A C:\Windows\setuperr.log

2012-08-10 16:11 - 2012-08-10 16:11 - 01568048 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-10 15:50 - 2012-08-10 15:28 - 00000424 ____A C:\Windows\ODBC.INI

2012-08-10 15:49 - 2009-07-14 03:34 - 00000499 ____A C:\Windows\win.ini

2012-08-02 20:52 - 2012-04-16 09:05 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-02 20:52 - 2012-04-16 09:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-29 18:28 - 2012-07-29 17:25 - 00000079 ____A C:\Windows\showcalc.ini

2012-07-24 16:58 - 2012-07-24 16:58 - 00000556 ____A C:\Windows\MAXLINK.INI

2012-07-21 16:30 - 2012-07-21 16:30 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-07-21 07:06 - 2012-07-21 07:06 - 00000991 ____A C:\Users\Public\Desktop\eMule.lnk

2012-07-20 16:18 - 2012-07-20 16:18 - 00000000 ____A C:\Windows\SysWOW64\Progr3ml.txt

2012-07-18 17:05 - 2012-08-11 17:43 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys

2012-07-18 17:05 - 2012-08-11 17:43 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys

2012-07-18 17:05 - 2012-08-11 17:43 - 00027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys

2012-07-13 16:13 - 2012-07-13 16:13 - 00014250 ____A C:\Windows\System32\results.xml

2012-07-03 12:46 - 2012-08-12 15:14 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-03 02:19 - 2012-04-16 09:21 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-12 04:08 - 2012-07-13 17:30 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-09 06:43 - 2012-07-13 16:21 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-09 05:41 - 2012-07-13 16:21 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-06 07:06 - 2012-07-13 16:21 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-06 07:06 - 2012-07-13 16:21 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-06 07:02 - 2012-07-13 16:16 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-06 06:05 - 2012-07-13 16:21 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-06 06:05 - 2012-07-13 16:21 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-06 06:03 - 2012-07-13 16:16 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-02 23:19 - 2012-07-13 16:04 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 23:19 - 2012-07-13 16:04 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 23:19 - 2012-07-13 16:04 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 23:19 - 2012-07-13 16:03 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 23:19 - 2012-07-13 16:03 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 23:15 - 2012-07-13 16:04 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 23:15 - 2012-07-13 16:03 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 14:19 - 2012-07-13 16:03 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 14:15 - 2012-07-13 16:03 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 13:49 - 2012-07-13 16:26 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 13:17 - 2012-07-13 16:26 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 13:12 - 2012-07-13 16:26 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 13:05 - 2012-07-13 16:27 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 13:05 - 2012-07-13 16:26 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 13:04 - 2012-07-13 16:27 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 13:04 - 2012-07-13 16:26 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 13:03 - 2012-07-13 16:26 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 13:01 - 2012-07-13 16:26 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 13:00 - 2012-07-13 16:26 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 12:59 - 2012-07-13 16:27 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 12:57 - 2012-07-13 16:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 12:57 - 2012-07-13 16:27 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 12:54 - 2012-07-13 16:26 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 10:07 - 2012-07-13 16:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-02 09:43 - 2012-07-13 16:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-02 09:33 - 2012-07-13 16:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-02 09:26 - 2012-07-13 16:27 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-02 09:25 - 2012-07-13 16:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-02 09:25 - 2012-07-13 16:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-02 09:23 - 2012-07-13 16:27 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-02 09:21 - 2012-07-13 16:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-02 09:20 - 2012-07-13 16:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-02 09:19 - 2012-07-13 16:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-02 09:19 - 2012-07-13 16:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-02 09:17 - 2012-07-13 16:27 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-02 09:16 - 2012-07-13 16:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-02 09:14 - 2012-07-13 16:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-02 06:50 - 2012-07-13 16:21 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-02 06:48 - 2012-07-13 16:21 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-02 06:48 - 2012-07-13 16:21 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-02 06:45 - 2012-07-13 16:21 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-02 06:44 - 2012-07-13 16:21 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-02 05:40 - 2012-07-13 16:21 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-02 05:40 - 2012-07-13 16:21 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-02 05:39 - 2012-07-13 16:21 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-02 05:34 - 2012-07-13 16:21 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

ZeroAccess:

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\@

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\L

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\U

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\L\00000004.@

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\L\201d3dde

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\U\00000004.@

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\U\80000000.@

C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\U\80000064.@

ZeroAccess:

C:\Users\250\AppData\Local\{c8048293-a025-5c0c-a797-697833a2ba72}

C:\Users\250\AppData\Local\{c8048293-a025-5c0c-a797-697833a2ba72}\@

C:\Users\250\AppData\Local\{c8048293-a025-5c0c-a797-697833a2ba72}\L

C:\Users\250\AppData\Local\{c8048293-a025-5c0c-a797-697833a2ba72}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 27%

Total physical RAM: 1895.94 MB

Available physical RAM: 1377.2 MB

Total Pagefile: 1895.94 MB

Available Pagefile: 1367.79 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (SYS_W7_X64) (Fixed) (Total:112.01 GB) (Free:78.05 GB) NTFS

2 Drive e: (FABIO®_ARCHIVE) (Fixed) (Total:120.77 GB) (Free:119.69 GB) NTFS

4 Drive g: () (Fixed) (Total:298.09 GB) (Free:40.38 GB) NTFS

5 Drive h: () (Removable) (Total:1 GB) (Free:0.54 GB) FAT

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (Riservato per il sistema) (Fixed) (Total:0.1 GB) (Free:0.05 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ###  Status  Size     Free     Dyn  GPT

--------  ------  -------  -------  ---  ---

Disk 0    Online  232 GB   0 B

Disk 1    Online  298 GB   1024 KB

Disk 2    Online  1024 MB  0 B

Partitions of Disk 0:

===============

Partition ###  Type     Size    Offset

-------------  -------  ------  -------

Partition 1    Primary  100 MB  1024 KB

Partition 2    Primary  112 GB  101 MB

Partition 3    Primary  120 GB  112 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info

----------  ---  -----------  ----  ---------  ------  -------  ----

* Volume 1  Y    Riservato p  NTFS  Partition  100 MB  Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info

----------  ---  -----------  ----  ---------  ------  -------  ----

* Volume 2  C    SYS_W7_X64   NTFS  Partition  112 GB  Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info

----------  ---  -----------  ----  ---------  ------  -------  ----

* Volume 3  E    FABIO©_ARCH  NTFS  Partition  120 GB  Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ###  Type     Size    Offset

-------------  -------  ------  -------

Partition 1    Primary  298 GB  31 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info

----------  ---  -----------  ----  ---------  ------  -------  ----

* Volume 4  G                 NTFS  Partition  298 GB  Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ###  Type     Size     Offset

-------------  -------  -------  ------

Partition 1    Primary  1023 MB  137 KB

==================================================================================

Disk: 2

Partition 1

Type : 06

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs    Type       Size     Status   Info

----------  ---  -----------  ----  ---------  -------  -------  ----

* Volume 5  H                 FAT   Removable  1023 MB  Healthy

==================================================================================

Last Boot: 2012-08-07 19:28

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 2012-08-12 22:05:53

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

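An added example (editor's code, not part of this thread and not code from FRST): the log above carries three machine-readable ZeroAccess indicators, the paths FRST lists under a "ZeroAccess:" heading, the "<==== ATTENTION" line in the Bamital & volsnap check, and the "Search: services.exe" result where the live System32 copy (MD5 014A9CB9...) no longer matches the copy in the WinSxS component store (24ACB7E5...). The script below pulls those three out of a log and groups the search hits by file name so that any non-WinSxS copy whose hash matches none of the WinSxS copies is flagged. Assumptions: the sample log is constructed from excerpts of the log above; the WinSxS copy is treated as the trusted reference, which only holds while the component store itself is intact; the function and field names (parse_frst, compare_with_winsxs, Findings) are the example's own. A differing hash is a lead, not proof: confirm against a known-good copy of the same build before replacing the file.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example, not code from FRST or from this thread. It extracts the three
ZeroAccess indicators visible in the log above: paths FRST lists under a
"ZeroAccess:" heading, files the "Bamital & volsnap Check" marks with
"<==== ATTENTION", and a live system file whose MD5 differs from its copy in
the WinSxS component store (the "Search:" output). The WinSxS copy is used as
the reference on the assumption that the component store itself is intact.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "===== Section name ====="
PATH_RE = re.compile(r"^[A-Za-z]:\\")                  # a Windows path line
MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
ATTENTION_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<name>\S+)\s+<====\s*ATTENTION")

# Constructed sample: excerpts copied from the FRST log posted above.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}
C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\@
C:\Windows\Installer\{c8048293-a025-5c0c-a797-697833a2ba72}\U\80000000.@
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""


@dataclass
class Findings:
    zeroaccess_paths: list = field(default_factory=list)  # listed under "ZeroAccess:"
    patched_files: dict = field(default_factory=dict)     # path -> (md5, detection name)
    hash_mismatches: dict = field(default_factory=dict)   # path -> (live md5, [WinSxS md5s])


def compare_with_winsxs(hits):
    """Group (path, md5) search hits by file name; flag a non-WinSxS copy
    whose hash matches none of the WinSxS copies of the same file."""
    by_name = {}
    for path, md5 in hits:
        by_name.setdefault(path.rsplit("\\", 1)[-1].lower(), []).append((path, md5))
    mismatches = {}
    for entries in by_name.values():
        reference = sorted({md5 for p, md5 in entries if "\\winsxs\\" in p.lower()})
        for path, md5 in entries:
            if reference and "\\winsxs\\" not in path.lower() and md5 not in reference:
                mismatches[path] = (md5, reference)
    return mismatches


def parse_frst(text):
    """Single pass over the log, tracking the current section header."""
    findings = Findings()
    section, in_zeroaccess, pending_path, hits = "", False, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section, in_zeroaccess = header.group(1), False
            continue
        if line == "ZeroAccess:":
            in_zeroaccess = True
            continue
        if in_zeroaccess:
            if PATH_RE.match(line):
                findings.zeroaccess_paths.append(line)
                continue
            in_zeroaccess = False          # block ends at the first non-path line
        if section.startswith("Bamital"):
            m = ATTENTION_RE.match(line)
            if m:
                findings.patched_files[m["path"]] = (m["md5"].upper(), m["name"])
        elif section.startswith("Search:"):
            if line.startswith("["):       # metadata line: dates, size, vendor, MD5
                m = MD5_RE.search(line)
                if pending_path and m:
                    hits.append((pending_path, m.group(0).upper()))
                pending_path = None
            elif PATH_RE.match(line):
                pending_path = line
    findings.hash_mismatches = compare_with_winsxs(hits)
    return findings


def report(findings):
    """One human-readable line per indicator, in the order an analyst would act on them."""
    lines = [f"ZeroAccess artefact: {p}" for p in findings.zeroaccess_paths]
    for p, (md5, name) in findings.patched_files.items():
        lines.append(f"Patched system file ({name}): {p} md5={md5}")
    for p, (md5, ref) in findings.hash_mismatches.items():
        lines.append(f"Differs from WinSxS copy: {p} live={md5} winsxs={','.join(ref)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_frst(SAMPLE_LOG))))
```

Run against the sample it prints six lines: the four ZeroAccess paths, the patched services.exe from the Bamital check, and the WinSxS mismatch for the same file. The grouping in compare_with_winsxs is what makes the search output useful: FRST's "Search:" lists every copy of the file it finds, and only a copy outside WinSxS that agrees with none of the WinSxS copies is worth chasing.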

Please don't put the logs in code; they're too hard to read.

~~~~~~~~~~~~~~~~~~~~~

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


I prefer that you just post the logs; just don't put them in code or quotes.

A couple more scans to run..........

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


No, that scan was clean........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Run the appropriate uninstaller tool for your version of AVG:

http://www.avg.com/ww-en/utilities

Then using ComboFix........

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

SecCenter::

AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Now CF shows just Avira:

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

------------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

e.g. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
