
Trojan.Dropper.BCMiner and Rootkit.0Access



I have recently gotten infected with Trojan.Dropper.BCMiner and Rootkit.0Access and whenever I try to remove it, it just comes back when I scan it again. I looked around on the forum, but it seems that the solutions were made specifically for that person. Please help me, because I'm not too sure what to do here. :(


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Since you have Vista, you may or may not be able to do this, but please try.

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC


Yeah, it worked perfectly fine with Vista.

Here are the files:

FRST.txt


Scan result of Farbar Recovery Scan Tool Version: 15-08-2012

Ran by SYSTEM at 16-08-2012 13:26:49

Running from D:\

Windows Vista Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [6975520 2009-02-24] (Realtek Semiconductor)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-02-13] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [250192 2009-04-24] (Microsoft Corporation)

HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-02-04] (CyberLink Corp.)

HKLM-x32\...\Run: [brMfcWnd] "C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN [x]

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [sSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [bSDAppUpdater] "C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [1660232 2011-05-11] (Bootstrap Software Development)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)

HKU\Default\...\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)

HKU\Default User\...\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)

HKU\MS3CORP\...\Run: [MediaGet2] C:\Users\MS3CORP\AppData\Local\MediaGet2\mediaget.exe --minimized [x]

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNDA3100 Smart Wizard.lnk

ShortcutTarget: NETGEAR WNDA3100 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNDA3100\WNDA3100.exe (NETGEAR)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ======

3 jswpsapi; C:\Program Files (x86)\NETGEAR\WNDA3100\jswpsapi.exe [942080 2008-02-28] (Atheros Communications, Inc.)

2 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)

2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [58345832 2011-09-22] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [431464 2011-09-22] (Microsoft Corporation)

3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)

3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

========================== Drivers (Whitelisted) =============

1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-01-29] (DT Soft Ltd)

3 NAL; \??\C:\Windows\system32\Drivers\iqvw64e.sys [33888 2008-05-23] (Intel Corporation )

3 NPF; C:\Windows\SysWow64\Drivers\NPF.sys [30336 2003-04-04] (Politecnico di Torino)

3 PCAMp50a64; C:\Windows\System32\Drivers\PCAMp50a64.sys [43328 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))

3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))

3 WNDA3100; C:\Windows\System32\DRIVERS\WNDA31vx.sys [553472 2008-09-29] (Atheros Communications, Inc.)

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [x]

3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [x]

3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-16 13:26 - 2012-08-16 13:26 - 00000000 ____D C:\FRST

2012-08-16 08:12 - 2012-08-16 08:15 - 00000000 ____D C:\Users\MS3CORP\Desktop\RK_Quarantine

2012-08-14 02:52 - 2012-08-14 02:52 - 00000984 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-14 02:51 - 2012-08-14 02:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-14 02:51 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-12 13:40 - 2012-08-12 13:58 - 03317584 ____A C:\Users\MS3CORP\Desktop\Zenonia4_iPhone

2012-08-11 17:58 - 2012-08-11 17:59 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-08-11 17:58 - 2012-08-11 17:58 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2012-08-11 17:30 - 2012-08-11 17:30 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\ExpressFiles

2012-08-09 13:46 - 2012-08-09 13:46 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-08-02 13:19 - 2012-08-02 13:19 - 00000816 ____A C:\Users\MS3CORP\Desktop\IDA Demo.lnk

2012-08-02 13:19 - 2012-08-02 13:19 - 00000000 ____D C:\Program Files (x86)\IDA Demo 6.3

2012-07-30 11:34 - 2012-07-30 11:34 - 00000436 ____A C:\Windows\System32\Drivers\etc\hosts.ics

2012-07-29 20:17 - 2012-07-29 20:17 - 00000970 ____A C:\Users\Public\Desktop\Paint.NET.lnk

2012-07-29 20:17 - 2012-07-29 20:17 - 00000000 ____D C:\Program Files\Paint.NET

2012-07-29 20:16 - 2012-08-07 14:32 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\Paint.NET

2012-07-29 20:13 - 2012-07-29 20:13 - 00000978 ____A C:\Users\MS3CORP\Desktop\Cheat Engine 6.2.lnk

2012-07-29 20:10 - 2012-07-29 20:11 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\dealcabby

2012-07-29 20:10 - 2012-07-29 20:10 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\Shopping Sidekick

2012-07-29 20:09 - 2012-07-29 20:09 - 00000304 ____A C:\user.js

2012-07-29 20:09 - 2012-07-29 20:09 - 00000258 _RASH C:\Users\MS3CORP\ntuser.pol

2012-07-29 13:21 - 2012-07-29 13:21 - 00461998 ____A C:\Windows\dd_vcredistMSI4C9A.txt

2012-07-29 13:21 - 2012-07-29 13:21 - 00011526 ____A C:\Windows\dd_vcredistUI4C9A.txt

2012-07-28 13:27 - 2012-07-28 13:27 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\PDAppFlex

2012-07-28 13:19 - 2012-07-28 13:19 - 00439174 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7D1B.txt

2012-07-28 13:19 - 2012-07-28 13:19 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7D1B.txt

2012-07-28 13:18 - 2012-07-28 13:33 - 00000000 ____D C:\Program Files\Common Files\Adobe

2012-07-28 13:18 - 2012-07-28 13:19 - 00441260 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7CA2.txt

2012-07-28 13:18 - 2012-07-28 13:19 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7CA2.txt

2012-07-28 11:58 - 2012-07-28 11:58 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-07-28 11:57 - 2012-07-28 11:58 - 00000000 ____D C:\Program Files (x86)\Adobe Download Assistant

2012-07-26 10:27 - 2012-07-26 10:27 - 00000000 ____D C:\Program Files (x86)\Cheat Engine 6.2

2012-07-26 09:56 - 2012-07-26 09:57 - 00002392 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk

2012-07-26 07:03 - 2012-07-26 07:03 - 00000924 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-07-25 17:09 - 2012-07-25 17:09 - 00001830 ____A C:\Users\MS3CORP\Desktop\YTD YouTube Downloader & Converter.lnk

2012-07-21 11:36 - 2012-08-12 17:35 - 00002667 ____A C:\Users\MS3CORP\Desktop\Microsoft Photo Editor.lnk

2012-07-21 11:36 - 2012-07-21 11:36 - 00001846 ____A C:\Users\MS3CORP\Desktop\Chess.lnk

2012-07-21 11:35 - 2012-07-21 11:35 - 00000954 ____A C:\Users\MS3CORP\Desktop\DAEMON Tools Lite.lnk

2012-07-21 11:34 - 2012-07-21 11:34 - 00002629 ____A C:\Users\MS3CORP\Desktop\Microsoft Office PowerPoint 2007.lnk

2012-07-21 11:34 - 2012-07-21 11:34 - 00002425 ____A C:\Users\MS3CORP\Desktop\Adobe Reader 9.lnk

2012-07-21 11:33 - 2012-07-21 11:33 - 00000852 ____A C:\Users\MS3CORP\Desktop\WinRAR.lnk

2012-07-21 11:31 - 2012-07-21 11:31 - 00001751 ____A C:\Users\MS3CORP\Desktop\iTunes.lnk

2012-07-21 11:31 - 2012-07-21 11:31 - 00000975 ____A C:\Users\MS3CORP\Desktop\Platinum Hide IP.lnk

2012-07-21 11:29 - 2012-07-21 11:29 - 00000952 ____A C:\Users\MS3CORP\Desktop\iFunbox.lnk

2012-07-21 11:28 - 2012-07-21 11:28 - 00000759 ____A C:\Users\Public\Desktop\HxD.lnk

2012-07-21 11:21 - 2012-07-21 11:21 - 00001036 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk

2012-07-20 14:06 - 2012-07-20 14:06 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\patcher_dl

2012-07-19 16:33 - 2012-07-20 13:37 - 00000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin

2012-07-18 19:50 - 2012-07-18 19:50 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\Macromedia

2012-07-18 19:42 - 2012-07-18 19:42 - 00000000 ____D C:\Users\All Users\Mozilla

2012-07-18 18:58 - 2012-07-18 18:58 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\APN

2012-07-18 18:58 - 2012-07-18 18:58 - 00000000 ____D C:\Program Files (x86)\PlatinumHideIP

2012-07-18 18:40 - 2012-07-18 18:40 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe

2012-07-18 18:40 - 2012-07-18 18:40 - 00000000 ____D C:\Users\All Users\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe

============ 3 Months Modified Files ========================

2012-08-16 09:24 - 2006-11-02 07:42 - 00032646 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-08-16 09:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-16 09:22 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-16 09:22 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-16 09:04 - 2006-11-02 04:46 - 00922900 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-16 07:46 - 2012-07-02 10:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-16 07:46 - 2011-12-11 13:58 - 00098220 ____A C:\Windows\PFRO.log

2012-08-16 06:55 - 2012-04-22 08:26 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-16 06:55 - 2011-05-20 12:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-08-16 06:37 - 2011-08-30 00:09 - 00000600 ____A C:\Users\MS3CORP\AppData\Roaming\winscp.rnd

2012-08-14 02:52 - 2012-08-14 02:52 - 00000984 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-13 05:31 - 2009-07-25 00:18 - 01444696 ____A C:\Windows\WindowsUpdate.log

2012-08-12 17:35 - 2012-07-21 11:36 - 00002667 ____A C:\Users\MS3CORP\Desktop\Microsoft Photo Editor.lnk

2012-08-12 14:15 - 2009-07-30 17:40 - 00006836 ____A C:\Users\MS3CORP\AppData\Local\d3d9caps.dat

2012-08-12 13:58 - 2012-08-12 13:40 - 03317584 ____A C:\Users\MS3CORP\Desktop\Zenonia4_iPhone

2012-08-11 18:02 - 2011-06-09 08:42 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-08-11 17:59 - 2011-07-23 04:55 - 00001945 ____A C:\Windows\epplauncher.mif

2012-08-11 17:58 - 2010-07-09 11:49 - 00937748 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-09 13:19 - 2011-10-02 14:22 - 00000600 ____A C:\Users\MS3CORP\AppData\Local\PUTTY.RND

2012-08-02 13:19 - 2012-08-02 13:19 - 00000816 ____A C:\Users\MS3CORP\Desktop\IDA Demo.lnk

2012-07-30 11:34 - 2012-07-30 11:34 - 00000436 ____A C:\Windows\System32\Drivers\etc\hosts.ics

2012-07-29 20:17 - 2012-07-29 20:17 - 00000970 ____A C:\Users\Public\Desktop\Paint.NET.lnk

2012-07-29 20:13 - 2012-07-29 20:13 - 00000978 ____A C:\Users\MS3CORP\Desktop\Cheat Engine 6.2.lnk

2012-07-29 20:09 - 2012-07-29 20:09 - 00000304 ____A C:\user.js

2012-07-29 20:09 - 2012-07-29 20:09 - 00000258 _RASH C:\Users\MS3CORP\ntuser.pol

2012-07-29 13:21 - 2012-07-29 13:21 - 00461998 ____A C:\Windows\dd_vcredistMSI4C9A.txt

2012-07-29 13:21 - 2012-07-29 13:21 - 00011526 ____A C:\Windows\dd_vcredistUI4C9A.txt

2012-07-28 23:21 - 2006-11-02 07:21 - 05023928 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-28 13:27 - 2009-07-30 15:49 - 00107424 ____A C:\Users\MS3CORP\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-28 13:19 - 2012-07-28 13:19 - 00439174 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7D1B.txt

2012-07-28 13:19 - 2012-07-28 13:19 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7D1B.txt

2012-07-28 13:19 - 2012-07-28 13:18 - 00441260 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7CA2.txt

2012-07-28 13:19 - 2012-07-28 13:18 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7CA2.txt

2012-07-26 09:57 - 2012-07-26 09:56 - 00002392 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk

2012-07-26 07:03 - 2012-07-26 07:03 - 00000924 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-07-25 17:09 - 2012-07-25 17:09 - 00001830 ____A C:\Users\MS3CORP\Desktop\YTD YouTube Downloader & Converter.lnk

2012-07-21 11:36 - 2012-07-21 11:36 - 00001846 ____A C:\Users\MS3CORP\Desktop\Chess.lnk

2012-07-21 11:35 - 2012-07-21 11:35 - 00000954 ____A C:\Users\MS3CORP\Desktop\DAEMON Tools Lite.lnk

2012-07-21 11:34 - 2012-07-21 11:34 - 00002629 ____A C:\Users\MS3CORP\Desktop\Microsoft Office PowerPoint 2007.lnk

2012-07-21 11:34 - 2012-07-21 11:34 - 00002425 ____A C:\Users\MS3CORP\Desktop\Adobe Reader 9.lnk

2012-07-21 11:33 - 2012-07-21 11:33 - 00000852 ____A C:\Users\MS3CORP\Desktop\WinRAR.lnk

2012-07-21 11:31 - 2012-07-21 11:31 - 00001751 ____A C:\Users\MS3CORP\Desktop\iTunes.lnk

2012-07-21 11:31 - 2012-07-21 11:31 - 00000975 ____A C:\Users\MS3CORP\Desktop\Platinum Hide IP.lnk

2012-07-21 11:29 - 2012-07-21 11:29 - 00000952 ____A C:\Users\MS3CORP\Desktop\iFunbox.lnk

2012-07-21 11:28 - 2012-07-21 11:28 - 00000759 ____A C:\Users\Public\Desktop\HxD.lnk

2012-07-21 11:21 - 2012-07-21 11:21 - 00001036 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk

2012-07-13 21:19 - 2010-07-09 12:38 - 00002651 ____A C:\Users\MS3CORP\Desktop\Microsoft Office Word 2007.lnk

2012-07-11 10:00 - 2006-11-02 04:34 - 00000302 ____A C:\Windows\win.ini

2012-07-11 09:57 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-07-04 12:54 - 2012-07-04 12:54 - 00270360 ____A C:\Windows\Minidump\Mini070412-01.dmp

2012-07-04 12:54 - 2012-01-30 18:42 - 544972947 ____A C:\Windows\MEMORY.DMP

2012-07-03 09:46 - 2012-08-14 02:51 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-30 11:51 - 2011-12-14 12:35 - 00002079 ____A C:\Windows\setupact.log

2012-06-17 08:58 - 2012-06-17 08:58 - 00270360 ____A C:\Windows\Minidump\Mini061712-01.dmp

2012-06-13 05:58 - 2012-07-11 09:55 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 09:59 - 2012-07-11 08:39 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 09:47 - 2012-07-11 08:39 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 08:47 - 2012-07-11 08:39 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 08:47 - 2012-07-11 08:39 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 08:22 - 2012-07-11 08:39 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 08:22 - 2012-07-11 08:39 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-04 07:29 - 2012-07-11 08:39 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-02 14:19 - 2012-06-22 09:22 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-22 09:22 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-22 09:22 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll

2012-06-02 14:19 - 2012-06-22 09:22 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-22 09:22 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-22 09:22 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:19 - 2012-06-22 09:22 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll

2012-06-02 14:15 - 2012-06-22 09:22 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-22 09:22 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 14:12 - 2012-06-22 09:22 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll

2012-06-02 11:19 - 2012-06-22 09:22 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:19 - 2012-06-22 09:22 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll

2012-06-02 11:15 - 2012-06-22 09:22 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 11:12 - 2012-06-22 09:22 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

2012-06-02 04:49 - 2012-07-11 09:55 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 04:17 - 2012-07-11 09:55 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 04:12 - 2012-07-11 09:55 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 04:05 - 2012-07-11 09:55 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 04:05 - 2012-07-11 09:55 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 04:04 - 2012-07-11 09:55 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 04:04 - 2012-07-11 09:55 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 04:03 - 2012-07-11 09:55 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 04:01 - 2012-07-11 09:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 04:00 - 2012-07-11 09:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 03:59 - 2012-07-11 09:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 03:57 - 2012-07-11 09:55 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 03:57 - 2012-07-11 09:55 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 03:54 - 2012-07-11 09:55 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 01:07 - 2012-07-11 09:55 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-02 00:43 - 2012-07-11 09:55 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-02 00:33 - 2012-07-11 09:55 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-02 00:26 - 2012-07-11 09:55 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-02 00:25 - 2012-07-11 09:55 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-02 00:25 - 2012-07-11 09:55 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-02 00:23 - 2012-07-11 09:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-02 00:21 - 2012-07-11 09:55 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-02 00:20 - 2012-07-11 09:55 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-02 00:19 - 2012-07-11 09:55 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-02 00:19 - 2012-07-11 09:55 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-02 00:17 - 2012-07-11 09:55 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-02 00:16 - 2012-07-11 09:55 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-02 00:14 - 2012-07-11 09:55 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-01 16:22 - 2012-07-11 08:39 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 16:22 - 2012-07-11 08:39 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 16:05 - 2012-07-11 08:39 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 16:04 - 2012-07-11 08:39 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 16:03 - 2012-07-11 08:39 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

ZeroAccess:

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L\00000004.@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L\201d3dde

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\00000004.@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\00000008.@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\000000cb.@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000000.@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000032.@

C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000064.@

ZeroAccess:

C:\Users\MS3CORP\AppData\Local\807b2a71

C:\Users\MS3CORP\AppData\Local\807b2a71\@

C:\Users\MS3CORP\AppData\Local\807b2a71\loader.tlb

ZeroAccess:

C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}

C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\@

C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L

C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U

C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\00000004.@

C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000000.@

ZeroAccess:

C:\Windows\assembly\tmp\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%

Total physical RAM: 6134.26 MB

Available physical RAM: 5569.32 MB

Total Pagefile: 5944.15 MB

Available Pagefile: 5539.14 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:581.1 GB) (Free:458.04 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: () (Removable) (Total:3.82 GB) (Free:0 GB) FAT32

5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

6 Drive x: (RECOVERY) (Fixed) (Total:15 GB) (Free:8.27 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 596 GB 0 B

Disk 1 Online 3913 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 71 MB 32 KB

Partition 2 Primary 15 GB 71 MB

Partition 3 Primary 581 GB 15 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 FAT Partition 71 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 X RECOVERY NTFS Partition 15 GB Healthy Boot

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 C OS NTFS Partition 581 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 3913 MB 0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-16 09:08

======================= End Of Log ==========================

Search.txt

Farbar Recovery Scan Tool Version: 15-08-2012

Ran by SYSTEM at 2012-08-16 13:28:52

Running from D:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

[2011-06-09 08:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe

[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe

[2011-06-09 08:42] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe

[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe

[2011-06-09 08:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe

[2011-06-09 08:42] - [2012-08-11 18:02] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

====== End Of Search ======


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix.txt

ComboFix 12-08-16.01 - MS3CORP 08/16/2012 14:39:35.1.8 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6134.4049 [GMT -4:00]

Running from: c:\users\MS3CORP\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\WinPCap

c:\program files (x86)\WinPCap\daemon_mgm.exe

c:\program files (x86)\WinPCap\INSTALL.LOG

c:\program files (x86)\WinPCap\npf_mgm.exe

c:\program files (x86)\WinPCap\rpcapd.exe

c:\program files (x86)\WinPCap\Uninstall.exe

c:\windows\SysWow64\drivers\npf.sys

c:\windows\SysWow64\Packet.dll

c:\windows\SysWow64\pthreadVC.dll

c:\windows\SysWow64\wpcap.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))

.

.

2012-08-16 21:26 . 2012-08-16 21:26 -------- d-----w- C:\FRST

2012-08-16 18:50 . 2012-08-16 18:50 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-16 18:32 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BAC49EEB-42A5-481E-8BBE-24A67DE92DD0}\gapaengine.dll

2012-08-16 18:32 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA185178-0238-459B-A31E-812C10602522}\mpengine.dll

2012-08-16 18:30 . 2012-08-16 18:30 -------- d-----w- c:\program files (x86)\Microsoft Security Client

2012-08-16 18:30 . 2012-08-16 18:30 -------- d-----w- c:\program files\Microsoft Security Client

2012-08-14 10:51 . 2012-08-14 10:52 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-08-14 10:51 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-12 01:30 . 2012-08-12 01:30 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\ExpressFiles

2012-08-09 21:46 . 2012-08-09 21:46 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-08-02 21:19 . 2012-08-02 21:19 -------- d-----w- c:\program files (x86)\IDA Demo 6.3

2012-07-30 04:17 . 2012-07-30 04:17 -------- d-----w- c:\program files\Paint.NET

2012-07-30 04:16 . 2012-08-07 22:32 -------- d-----w- c:\users\MS3CORP\AppData\Local\Paint.NET

2012-07-30 04:10 . 2012-07-30 04:10 -------- d-----w- c:\users\MS3CORP\AppData\Local\Shopping Sidekick

2012-07-30 04:10 . 2012-07-30 04:11 -------- d-----w- c:\users\MS3CORP\AppData\Local\dealcabby

2012-07-30 04:09 . 2012-07-30 04:09 304 ----a-w- C:\user.js

2012-07-28 21:27 . 2012-07-28 21:27 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\PDAppFlex

2012-07-28 21:18 . 2012-07-28 21:33 -------- d-----w- c:\program files\Common Files\Adobe

2012-07-28 19:58 . 2012-07-28 19:58 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-07-28 19:57 . 2012-07-28 19:58 -------- d-----w- c:\program files (x86)\Adobe Download Assistant

2012-07-26 18:27 . 2012-07-26 18:27 -------- d-----w- c:\program files (x86)\Cheat Engine 6.2

2012-07-26 02:36 . 2012-07-30 02:49 -------- d-----w- C:\Downloads

2012-07-20 22:06 . 2012-07-20 22:06 -------- d-----w- c:\users\MS3CORP\AppData\Local\patcher_dl

2012-07-20 00:33 . 2012-07-20 21:37 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin

2012-07-19 03:50 . 2012-07-19 03:50 -------- d-----w- c:\users\MS3CORP\AppData\Local\Macromedia

2012-07-19 02:58 . 2012-07-19 02:58 -------- d-----w- c:\users\MS3CORP\AppData\Local\APN

2012-07-19 02:58 . 2012-07-19 02:58 -------- d-----w- c:\program files (x86)\PlatinumHideIP

2012-07-19 02:40 . 2012-07-19 02:40 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe

2012-07-19 02:40 . 2012-07-19 02:40 -------- d-----w- c:\programdata\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-16 18:56 . 2012-04-22 16:26 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-16 18:56 . 2011-05-20 20:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-16 18:55 . 2012-08-16 18:55 9826504 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-07-11 17:57 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe

2012-06-13 13:58 . 2012-07-11 17:55 2769408 ----a-w- c:\windows\system32\win32k.sys

2012-06-08 17:59 . 2012-07-11 16:39 12899840 ----a-w- c:\windows\system32\shell32.dll

2012-06-05 16:47 . 2012-07-11 16:39 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-05 16:47 . 2012-07-11 16:39 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-05 16:22 . 2012-07-11 16:39 1797120 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 16:22 . 2012-07-11 16:39 1869824 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 15:29 . 2012-07-11 16:39 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 22:19 . 2012-06-22 17:22 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-22 17:22 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-22 17:22 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-22 17:22 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-22 17:22 35864 ----a-w- c:\windows\SysWow64\wups.dll

2012-06-02 22:19 . 2012-06-22 17:22 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-22 17:22 577048 ----a-w- c:\windows\SysWow64\wuapi.dll

2012-06-02 22:15 . 2012-06-22 17:22 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-22 17:22 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 22:12 . 2012-06-22 17:22 88576 ----a-w- c:\windows\SysWow64\wudriver.dll

2012-06-02 19:19 . 2012-06-22 17:22 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:19 . 2012-06-22 17:22 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll

2012-06-02 19:15 . 2012-06-22 17:22 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 19:12 . 2012-06-22 17:22 33792 ----a-w- c:\windows\SysWow64\wuapp.exe

2012-06-02 12:49 . 2012-07-11 17:55 17807360 ----a-w- c:\windows\system32\mshtml.dll

2012-06-02 12:17 . 2012-07-11 17:55 10924032 ----a-w- c:\windows\system32\ieframe.dll

2012-06-02 12:12 . 2012-07-11 17:55 2311680 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 12:05 . 2012-07-11 17:55 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-06-02 12:05 . 2012-07-11 17:55 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 12:04 . 2012-07-11 17:55 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 12:04 . 2012-07-11 17:55 237056 ----a-w- c:\windows\system32\url.dll

2012-06-02 12:03 . 2012-07-11 17:55 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-06-02 12:01 . 2012-07-11 17:55 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 12:00 . 2012-07-11 17:55 818688 ----a-w- c:\windows\system32\jscript.dll

2012-06-02 11:59 . 2012-07-11 17:55 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-06-02 11:57 . 2012-07-11 17:55 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-06-02 11:57 . 2012-07-11 17:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 11:54 . 2012-07-11 17:55 248320 ----a-w- c:\windows\system32\ieui.dll

2012-06-02 08:33 . 2012-07-11 17:55 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-06-02 08:25 . 2012-07-11 17:55 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-06-02 08:25 . 2012-07-11 17:55 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-06-02 08:20 . 2012-07-11 17:55 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-06-02 08:16 . 2012-07-11 17:55 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-06-02 00:22 . 2012-07-11 16:39 347136 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 00:22 . 2012-07-11 16:39 254464 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 00:05 . 2012-07-11 16:39 77312 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 00:04 . 2012-07-11 16:39 278528 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 00:03 . 2012-07-11 16:39 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll

2012-05-18 20:51 . 2012-01-08 20:37 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-14 61440]

"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"BSDAppUpdater"="c:\program files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [2011-05-11 1660232]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]

"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

NETGEAR WNDA3100 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNDA3100\WNDA3100.exe [2008-4-1 1716224]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-16 250056]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]

.

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-16 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 18:56]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

"combofix"="c:\combofix\CF19785.3XE" [2008-01-21 363008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyServer = http=;ftp=;https=;

IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\MS3CORP\AppData\Roaming\Mozilla\Firefox\Profiles\d0p6sk9w.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=3112_7

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=

FF - user.js: extensions.BabylonToolbar.id - 0e891e5100000000000000223f0b5fa8

FF - user.js: extensions.BabylonToolbar.instlDay - 15551

FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1

FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.10:09

FF - user.js: extensions.BabylonToolbar.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar.tlbrId - base

FF - user.js: extensions.BabylonToolbar.instlRef - sst

FF - user.js: extensions.BabylonToolbar.dfltLng - en

FF - user.js: extensions.BabylonToolbar.excTlbr - false

FF - user.js: extensions.BabylonToolbar.admin - false

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)

Wow6432Node-HKCU-Run-MediaGet2 - c:\users\MS3CORP\AppData\Local\MediaGet2\mediaget.exe

Wow6432Node-HKLM-Run-BrMfcWnd - c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)

AddRemove-WinPcapInst - c:\program files (x86)\WinPcap\Uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Dell\DellDock\DockLogin.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE

c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE

c:\program files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe

.

**************************************************************************

.

Completion time: 2012-08-16 15:05:45 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-16 19:05

.

Pre-Run: 491,191,570,432 bytes free

Post-Run: 491,575,005,184 bytes free

.

- - End Of File - - 189318768D4B89C3FAFB26BDD7E10AA9



I can finally open a link in my browser without it redirecting to some ad page :D

There is one problem, though. Whenever I tried to turn on Security Center, it said it couldn't turn it on. Since the infection is removed, I just uninstalled and reinstalled, and now it is fine, but whenever I try to update something I get this error:

http://i46.tinypic.com/15xpml0.jpg

And whenever I try to turn on automatic updating, I get a popup saying Security Center can't change your automatic updating settings.

Do you know any fix for this?


Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MrC


FSS.txt

Farbar Service Scanner Version: 06-08-2012

Ran by MS3CORP (administrator) on 16-08-2012 at 22:36:20

Running from "C:\Users\MS3CORP\Desktop"

Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

BITS Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcsvc.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys

[2012-02-16 18:12] - [2012-01-03 10:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys

[2012-05-09 20:24] - [2012-03-30 08:45] - 1422720 ____A (Microsoft Corporation) AC8D5728E6AD6A7C4819D9A67008337A

C:\Windows\System32\dnsrslvr.dll

[2011-05-20 16:33] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe

[2011-06-09 12:42] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll

[2011-06-09 12:41] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll

[2012-06-12 15:17] - [2012-04-23 12:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll

[2011-06-09 12:42] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF

**** End of log ****

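An added check, not part of this thread and not code from Farbar Service Scanner: a PowerShell script that reads the same service settings FSS.txt reports above (the BITS and WinDefend start types and the DisableAntiSpyware value) so the repair can be verified afterwards, reporting a deleted Start value the way the log did instead of throwing. The function names are hypothetical, and the expected start types other than WinDefend's (which the log gives as Auto) are assumptions for this Windows version.

```powershell
# Added example: re-check the service configuration findings from FSS.txt.
# Registry Start value meaning: 0 = Boot, 1 = System, 2 = Auto, 3 = Demand (Manual), 4 = Disabled.
# Reading HKLM service keys does not require elevation; changing them does.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Expected default start types. WinDefend = Auto comes from the FSS log;
# the other three are assumptions for Vista/7 and should be confirmed on a clean machine.
$Expected = @{
    'BITS'      = 2   # Background Intelligent Transfer Service (assumed Auto)
    'wuauserv'  = 2   # Windows Update (assumed Auto)
    'WinDefend' = 2   # Windows Defender (FSS: "The default start type is Auto")
    'wscsvc'    = 2   # Security Center (assumed Auto)
}

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Test-ServiceStart {
    # Hypothetical helper: returns one object per service with an FSS-style status line.
    param([string]$Name, [int]$ExpectedStart)

    $key = Join-Path $ServicesKey $Name
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Service = $Name; Start = $null; Status = 'ATTENTION: service key is missing' }
    }

    # -ErrorAction SilentlyContinue: a deleted Start value (the BITS finding in FSS.txt)
    # must be reported as a finding, not surface as an exception.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props.Start) {
        return New-Object PSObject -Property @{ Service = $Name; Start = $null; Status = 'ATTENTION: Start value does not exist' }
    }

    $start = [int]$props.Start
    $label = $StartNames[$start]
    if ($start -eq $ExpectedStart) {
        $status = 'OK'
    } else {
        $status = "ATTENTION: start type is $label, default is $($StartNames[$ExpectedStart])"
    }
    New-Object PSObject -Property @{ Service = $Name; Start = $label; Status = $status }
}

function Test-DefenderPolicy {
    # FSS.txt showed "DisableAntiSpyware"=DWORD:1 under this key; a value of 1 keeps Defender off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $props = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($props -and $props.DisableAntiSpyware -eq 1) {
        return 'ATTENTION: DisableAntiSpyware=1 (Windows Defender is disabled by this value)'
    }
    return 'OK: DisableAntiSpyware is absent or not 1'
}

# Run the checks and print them in the same order FSS lists the services.
$Expected.Keys | Sort-Object |
    ForEach-Object { Test-ServiceStart -Name $_ -ExpectedStart $Expected[$_] } |
    Select-Object Service, Start, Status |
    Format-Table -AutoSize

Test-DefenderPolicy
```

Uses only PowerShell 2.0 cmdlets so it runs on the Vista system in the log; rerun it after the fix to confirm every line reads OK.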

Great!

A magician never tells his secrets!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
