
Trojans dropper.bcminer and 0.access and rootkits!



So I started getting my links redirected with no proxy changes to my browser, so I scanned for a virus and hey, what do you know. So now I cannot figure out for the life of me how to remove them, but then again I am a newb. Can someone please help? Every time I use an anti-virus to remove them they come back on restart, even when I scan in safe mode after changing their reg values.

Logs:

Malwarebytes log (quickscan because it finds the same trojans and I didn't save full scan log, sorry!):

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.19.01

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 8.0.7601.17514

Kara :: KPC [administrator]

8/19/2012 9:38:43 AM

mbam-log-2012-08-19 (09-38-43).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 179813

Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\80000000.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

DDS Log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.1

Run by Kara at 9:51:31 on 2012-08-19

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1598 [GMT -5:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Froyo_Android_Driver\Bin\MonServiceUDisk.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Users\Kara\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\WUDFHost.exe

C:\Program Files\AVG\AVG2012\avgcfgex.exe

C:\Windows\system32\svchost.exe -k netsvcs

"C:\Windows\System32\svchost.exe" -k LocalServiceDns

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.ask.com/?l=dis&o=14196

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Wincore Mediabar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\imesha~1\mediabar\datamngr\toolbar\wincoreimdtx.dll

BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: Wincore Mediabar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\imesha~1\mediabar\datamngr\toolbar\wincoreimdtx.dll

uRun: [spotify Web Helper] "c:\users\kara\appdata\roaming\spotify\data\SpotifyWebHelper.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{041D37FA-8B15-475C-B229-179F30E2BDF1} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{041D37FA-8B15-475C-B229-179F30E2BDF1}\D696D696 : DhcpNameServer = 192.168.0.1 192.168.0.1 192.168.1.1 192.168.0.1 192.168.0.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\kara\appdata\roaming\mozilla\firefox\profiles\gsz9u1lh.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-4-4 63928]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]

R2 UDisk Monitor;UDisk Monitor;c:\program files\froyo_android_driver\bin\MonServiceUDisk.exe [2012-6-8 512000]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-7-4 5160568]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\bitcomet\tools\bitcometservice.exe -service --> c:\program files\bitcomet\tools\BitCometService.exe -service [?]

S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]

S3 Generalusbserialser20675;USB Legacy Serial Communication 20675;c:\windows\system32\drivers\CT_U_USBSER.sys [2012-6-8 106496]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-31 113120]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]

S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-11 25600]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]

S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]

.

=============== Created Last 30 ================

.

2012-08-19 14:48:37 54016 ----a-w- c:\windows\system32\drivers\tiln.sys

2012-07-29 01:17:55 -------- d-----w- c:\users\kara\appdata\roaming\Malwarebytes

2012-07-29 01:17:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-29 01:17:42 -------- d-----w- c:\programdata\Malwarebytes

2012-07-29 01:17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-28 17:22:35 110080 ----a-r- c:\users\kara\appdata\roaming\microsoft\installer\{cc1f6da0-21d2-425a-b1b6-5b164a598450}\IconF7A21AF7.exe

2012-07-28 17:22:35 110080 ----a-r- c:\users\kara\appdata\roaming\microsoft\installer\{cc1f6da0-21d2-425a-b1b6-5b164a598450}\IconD7F16134.exe

2012-07-28 17:22:35 110080 ----a-r- c:\users\kara\appdata\roaming\microsoft\installer\{cc1f6da0-21d2-425a-b1b6-5b164a598450}\IconCF33A0CE.exe

2012-07-28 17:22:34 -------- d-----w- C:\sh4ldr

2012-07-28 17:21:52 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP

2012-07-28 17:21:51 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2012-07-28 17:04:02 -------- d-----w- c:\users\kara\appdata\roaming\SpeedyPC Software

2012-07-28 17:04:02 -------- d-----w- c:\users\kara\appdata\roaming\DriverCure

2012-07-28 17:03:53 -------- d-----w- c:\programdata\SpeedyPC Software

2012-07-28 17:03:53 -------- d-----w- c:\program files\common files\SpeedyPC Software

2012-07-28 16:02:07 -------- d-----w- c:\users\kara\How+Remove+Trojan+horse+Patched_c+LYU+Manually_files

2012-07-28 03:31:44 -------- d-----w- c:\users\kara\appdata\roaming\AVG

2012-07-27 23:23:32 -------- d-----w- c:\users\kara\appdata\roaming\AVG2012

2012-07-27 23:22:03 -------- d--h--w- C:\$AVG

2012-07-27 23:22:03 -------- d-----w- c:\windows\system32\drivers\AVG

2012-07-27 23:22:03 -------- d-----w- c:\programdata\AVG2012

2012-07-27 21:50:59 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

==================== Find3M ====================

.

2012-07-27 21:46:27 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-27 21:46:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-01 02:30:15 0 ----a-w- c:\windows\ativpsrm.bin

.

============= FINISH: 9:52:21.78 ===============

Attach log:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 5/31/2012 7:47:24 PM

System Uptime: 8/19/2012 9:18:28 AM (0 hours ago)

.

Motherboard: TOSHIBA | | Portable PC

Processor: Intel® Core2 Duo CPU T6400 @ 2.00GHz | CPU | 2000/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 289 GiB total, 153.655 GiB free.

D: is CDROM (UDF)

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_FF1E1179&REV_12\4&22FF54F3&0&33F0

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_FF1E1179&REV_12\4&22FF54F3&0&33F0

Service:

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_FF1E1179&REV_12\4&22FF54F3&0&32F0

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_FF1E1179&REV_12\4&22FF54F3&0&32F0

Service:

.

Class GUID:

Description:

Device ID: ACPI\TOS1900\2&DABA3FF&2

Manufacturer:

Name:

PNP Device ID: ACPI\TOS1900\2&DABA3FF&2

Service:

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_FF1E1179&REV_12\4&22FF54F3&0&34F0

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_FF1E1179&REV_12\4&22FF54F3&0&34F0

Service:

.

Class GUID:

Description:

Device ID: ACPI\TOS1901\2&DABA3FF&2

Manufacturer:

Name:

PNP Device ID: ACPI\TOS1901\2&DABA3FF&2

Service:

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.3)

Android USB Driver

AVG 2012

AVG PC Tuneup

BitComet 1.32

FrostWire 5.3.6

Java Auto Updater

Java 7 Update 4

JavaFX 2.1.0

LMMS 0.4.13

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft Silverlight

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Mixxx 1.10.0

Mozilla Firefox 14.0.1 (x86 en-US)

Mozilla Maintenance Service

SpeedyPC Pro

Spotify

Spybot - Search & Destroy

SpyHunter

Wincore MediaBar

WinRAR 4.11 (32-bit)

.

==== Event Viewer Messages From Past Week ========

.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

8/19/2012 9:38:58 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

8/19/2012 9:20:10 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

8/19/2012 9:20:10 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

8/19/2012 9:19:25 AM, Error: Service Control Manager [7000] - The Spooler service failed to start due to the following error: The system cannot find the file specified.

8/18/2012 10:57:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

8/18/2012 10:53:30 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

8/18/2012 10:53:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

8/18/2012 10:53:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

8/18/2012 10:53:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

8/18/2012 10:53:17 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 discache spldr Wanarpv6

8/18/2012 10:53:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

8/12/2012 3:33:25 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.

8/12/2012 2:34:21 PM, Error: AeLookupSvc [1] - The Application Experience Lookup service failed to initialize.

.

==== End Of File ===========================

Thank you for your time.

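The Malwarebytes, DDS and RogueKiller output in this thread list the paths the scanners attributed to ZeroAccess. As an added example, not part of this thread and not code from any of those tools, the Python below flags those same path patterns in scanner log lines so a helper can pull the relevant entries out of a long log quickly. The indicator patterns are limited to what the logs here labelled ZeroAccess (a {GUID} directory under Windows\Installer or AppData\Local holding @, U and L entries, and a Desktop.ini inside Windows\assembly\GAC); the sample lines are constructed by copying lines from the logs above plus two benign lines, and the function names are my own.

```python
import re

# Indicator patterns limited to what the scanners in this thread labelled ZeroAccess:
# a {GUID} directory under Windows\Installer or AppData\Local that holds "@", "U"
# and "L" entries, and a Desktop.ini planted in Windows\assembly\GAC.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# "@", "U" or "L" directly below the GUID directory, then a separator or end of line
TAIL = r"\\(?:@|u|l)(?:\\|\s|$)"

INDICATORS = {
    "zeroaccess_windows_installer": re.compile(r"\\windows\\installer\\" + GUID + TAIL, re.I),
    "zeroaccess_local_appdata": re.compile(r"\\appdata\\local\\" + GUID + TAIL, re.I),
    "zeroaccess_gac_desktop_ini": re.compile(r"\\windows\\assembly\\gac\\desktop\.ini", re.I),
}
GUID_RE = re.compile(GUID, re.I)


def triage(lines):
    """Return (indicator_name, line) for every log line whose path matches a
    ZeroAccess pattern. Only the path is inspected, so Malwarebytes, DDS and
    RogueKiller style lines are handled alike."""
    hits = []
    for line in lines:
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, line.strip()))
                break  # report each line once
    return hits


def suspicious_guids(hits):
    """Collect the GUID directory names seen in the hits (lower-cased), so every
    location that reuses the same GUID can be checked together."""
    guids = set()
    for _, line in hits:
        m = GUID_RE.search(line)
        if m:
            guids.add(m.group(0).lower())
    return guids


# Constructed sample: lines copied from the Malwarebytes, DDS and RogueKiller logs
# in this thread, plus two benign lines to show what does not match.
SAMPLE_LINES = [
    r"C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.",
    r"C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.",
    r"[ZeroAccess][FILE] @ : c:\windows\installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\@ --> FOUND",
    r"[ZeroAccess][FOLDER] L : c:\users\kara\appdata\local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L --> FOUND",
    r"C:\Program Files\AVG\AVG2012\avgtray.exe",
    r"2012-07-28 17:22:35 110080 ----a-r- c:\users\kara\appdata\roaming\microsoft\installer\{cc1f6da0-21d2-425a-b1b6-5b164a598450}\IconF7A21AF7.exe",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for name, line in hits:
        print(f"{name:30} {line}")
    print("GUID directories to inspect:", sorted(suspicious_guids(hits)))
```

The benign Windows Installer icon entries under AppData\Roaming\Microsoft\Installer also sit in a {GUID} directory, which is why the patterns require the Windows\Installer or AppData\Local parent and an @, U or L entry directly beneath the GUID rather than matching on the GUID alone.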

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Thanks for the help, here's the log:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User: Kara [Admin rights]

Mode: Scan -- Date: 08/19/2012 14:07:54

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\kara\appdata\local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\kara\appdata\local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\kara\appdata\local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND

[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHZ2320BH G1 ATA Device +++++

--- User ---

[MBR] e170a1015a771beaf8f0fe48bb30065f

[bSP] a4c6be7887a9e2071ffb018efd3f21ea : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 295622 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 608507904 | Size: 8122 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 87a6f986055495c12edf224cbb509716

[bSP] a4c6be7887a9e2071ffb018efd3f21ea : Windows 7 MBR Code

Partition table:

1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 295622 Mo

3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 608507904 | Size: 8122 Mo

Finished : << RKreport[1].txt >>

RKreport[1].txt

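The MBR check at the end of the RogueKiller report reads the first sector through two different paths (the normal "User" read and a lower-level read, "LL2"), hashes each copy, reports KO when they differ, and decodes the partition table from each view. As an added example that is not RogueKiller's code and not part of this thread, the Python below does the same comparison on two constructed 512-byte MBR images whose partition layout copies the offsets and sizes in the report: it hashes each view, locates the bytes that differ, and decodes the partition entries, flagging the standard hidden partition type IDs. The boot code bytes, disk-signature values and function names are my own placeholders, not values from Kara's disk.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446  # 440 bytes boot code + 4-byte disk signature + 2 bytes padding
# Standard "hidden" partition type IDs (hidden FAT12/FAT16/NTFS/FAT32 variants)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_mbr(boot_code, disk_signature, partitions):
    """Build a 512-byte MBR image (constructed sample, not read from a disk)."""
    img = bytearray(SECTOR)
    code = boot_code[:440]
    img[:len(code)] = code
    img[440:444] = struct.pack("<I", disk_signature)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PT_OFFSET + 16 * i
        # CHS fields left zero: the LBA start/length fields are what the check decodes
        img[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    img[510:512] = b"\x55\xAA"
    return bytes(img)


def parse_partition_table(mbr):
    """Decode the four primary partition entries, skipping empty slots."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * SECTOR // (1024 * 1024),
        })
    return entries


def sector_hashes(mbr):
    """MD5 of the whole sector and of the boot code alone, as the report shows."""
    return {"mbr": hashlib.md5(mbr).hexdigest(), "boot_code": hashlib.md5(mbr[:440]).hexdigest()}


def diff_offsets(a, b):
    """Contiguous [start, end) byte ranges where two equal-length views differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def cross_view_check(user_view, lowlevel_view):
    """Compare the same sector read two ways; any difference means one read
    path is returning something other than what is on the disk."""
    u, l = sector_hashes(user_view), sector_hashes(lowlevel_view)
    return {
        "match": u["mbr"] == l["mbr"],
        "boot_code_match": u["boot_code"] == l["boot_code"],
        "partition_table_match": parse_partition_table(user_view) == parse_partition_table(lowlevel_view),
        "differing_ranges": diff_offsets(user_view, lowlevel_view),
    }


# Constructed sample: layout copied from the report above (status, type, LBA offset, sectors).
# Sizes in the report are in MiB, so 1 MiB = 2048 sectors of 512 bytes.
PARTITIONS = [
    (0x00, 0x27, 2048, 1500 * 2048),        # type 0x27 partition listed first in the report
    (0x80, 0x07, 3074048, 295622 * 2048),   # active NTFS system partition
    (0x00, 0x17, 608507904, 8122 * 2048),   # type 0x17, hidden NTFS
]
PLACEHOLDER_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433  # placeholder, not real loader code
USER_VIEW = build_mbr(PLACEHOLDER_BOOT_CODE, 0x12345678, PARTITIONS)      # constructed
LOWLEVEL_VIEW = build_mbr(PLACEHOLDER_BOOT_CODE, 0x9ABCDEF0, PARTITIONS)  # constructed, differs only in the signature bytes

if __name__ == "__main__":
    for e in parse_partition_table(USER_VIEW):
        flag = "HIDDEN!" if e["hidden"] else ("ACTIVE" if e["active"] else "")
        print(f"{e['index']} type 0x{e['type']:02x} {flag:7} offset {e['lba_start']} size {e['size_mib']} MiB")
    print(cross_view_check(USER_VIEW, LOWLEVEL_VIEW))
```

In the constructed pair the boot code and partition table agree and only the signature bytes (offsets 440 to 443) differ, which reproduces the shape of the report (same bSP hash, different MBR hash, identical partition tables) without asserting which bytes differed on the real machine. A hidden-type partition by itself is not evidence of infection; OEM recovery partitions use those IDs too, so the partition decode is there to make the layout readable while the cross-view hash mismatch is the actual signal.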

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:



  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box: services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt)

MrC


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 19-08-2012

Ran by SYSTEM at 19-08-2012 14:59:03

Running from F:\

Windows 7 Ultimate Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)

HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)

HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)

HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)

HKU\Kara\...\Run: [spotify Web Helper] "C:\Users\Kara\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1192664 2012-07-23] ()

HKU\Kara\...\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1085000 2012-07-03] (Malwarebytes Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

================================ Services (Whitelisted) ==================

2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\avgidsagent.exe" [5160568 2012-07-04] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

3 BITCOMET_HELPER_SERVICE; C:\Program Files\BitComet\tools\BitCometService.exe -service [1296728 2010-12-28] (www.BitComet.com)

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

2 UDisk Monitor; C:\Program Files\Froyo_Android_Driver\Bin\MonServiceUDisk.exe [512000 2011-05-12] ()

2 Spooler; C:\Windows\System32\spoolsv.exe [x]

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [139856 2011-12-23] (AVG Technologies CZ, s.r.o. )

3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )

0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )

3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )

1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [235216 2012-02-22] (AVG Technologies CZ, s.r.o.)

1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)

0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)

3 Generalusbserialser20675; C:\Windows\System32\DRIVERS\CT_U_USBSER.sys [106496 2011-05-09] (Incorporated)

0 snhgjdr; C:\Windows\System32\drivers\tiln.sys [54016 2012-08-19] ()

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-19 14:58 - 2012-08-19 14:59 - 00000000 ____D C:\FRST

2012-08-19 11:07 - 2012-08-19 11:07 - 00002531 ____A C:\Users\Kara\Desktop\RKreport[1].txt

2012-08-19 11:06 - 2012-08-19 11:07 - 00000000 ____D C:\Users\Kara\Desktop\RK_Quarantine

2012-08-19 11:05 - 2012-08-19 11:05 - 01558528 ____A C:\Users\Kara\Downloads\RogueKiller.exe

2012-08-19 07:00 - 2012-08-19 07:00 - 00007750 ____A C:\Users\Kara\Documents\Attach.txt

2012-08-19 06:54 - 2012-08-19 06:54 - 00009743 ____A C:\Users\Kara\Documents\DDS.txt

2012-08-19 06:48 - 2012-08-19 06:48 - 00054016 ____A C:\Windows\System32\Drivers\tiln.sys

2012-08-19 06:39 - 2012-08-19 06:40 - 00607260 ____R (Swearware) C:\Users\Kara\Downloads\dds.scr

2012-08-19 06:22 - 2012-08-19 06:23 - 00000000 ____D C:\Users\Kara\Desktop\New folder

2012-08-19 06:21 - 2012-08-19 06:22 - 00898318 ____A (Farbar) C:\Users\Kara\Downloads\FRST.exe

2012-08-07 19:04 - 2012-08-07 19:05 - 00143680 ____A C:\Windows\Minidump\080712-51573-01.dmp

2012-08-06 19:40 - 2012-08-06 19:40 - 00000000 ____D C:\Windows\Sun

2012-07-28 17:17 - 2012-07-28 17:17 - 00001078 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-28 17:17 - 2012-07-28 17:17 - 00000000 ____D C:\Users\Kara\AppData\Roaming\Malwarebytes

2012-07-28 17:17 - 2012-07-28 17:17 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-07-28 17:17 - 2012-07-28 17:17 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-07-28 17:17 - 2012-07-03 10:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-28 17:09 - 2012-07-28 17:12 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Kara\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-28 09:22 - 2012-07-28 09:30 - 00000000 ____D C:\sh4ldr

2012-07-28 09:21 - 2012-08-07 21:39 - 00000000 ____D C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP

2012-07-28 09:21 - 2012-07-28 09:21 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard

2012-07-28 09:04 - 2012-08-04 20:54 - 00000466 ____A C:\Windows\Tasks\SpeedyPC Registration3.job

2012-07-28 09:04 - 2012-07-28 09:05 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Kara\Downloads\SpyHunter-Installer.exe

2012-07-28 09:04 - 2012-07-28 09:04 - 00000000 ____D C:\Users\Kara\AppData\Roaming\SpeedyPC Software

2012-07-28 09:04 - 2012-07-28 09:04 - 00000000 ____D C:\Users\Kara\AppData\Roaming\DriverCure

2012-07-28 09:03 - 2012-07-28 09:03 - 00000000 ____D C:\Users\All Users\SpeedyPC Software

2012-07-28 09:03 - 2012-07-28 09:03 - 00000000 ____D C:\Program Files\Common Files\SpeedyPC Software

2012-07-28 09:01 - 2012-07-28 09:02 - 04819616 ____A (SpeedyPC Software Inc.) C:\Users\Kara\Downloads\SpeedyPC Pro Installer.exe

2012-07-28 09:00 - 2012-07-28 09:00 - 00001205 ____A C:\Users\Kara\Downloads\FixNCR.reg

2012-07-28 08:35 - 2012-07-28 08:35 - 00000369 ____A C:\Users\Kara\Desktop\exefix.reg

2012-07-28 08:34 - 2012-07-28 08:34 - 00000000 ____A C:\Users\Kara\Desktop\New Text Document (3).txt

2012-07-28 08:30 - 2012-07-28 08:34 - 00001328 ____A C:\Users\Kara\Desktop\New Text Document (2).txt

2012-07-28 08:02 - 2012-07-28 08:02 - 00061705 ____A C:\Users\Kara\How+Remove+Trojan+horse+Patched_c+LYU+Manually.htm

2012-07-28 08:02 - 2012-07-28 08:02 - 00000000 ____D C:\Users\Kara\How+Remove+Trojan+horse+Patched_c+LYU+Manually_files

2012-07-27 19:31 - 2012-07-27 19:34 - 00000000 ____D C:\Users\Kara\AppData\Roaming\AVG

2012-07-27 19:30 - 2012-07-27 19:30 - 00001111 ____A C:\Users\Kara\Desktop\AVG PC Tuneup 2011.lnk

2012-07-27 19:27 - 2012-07-27 19:29 - 08351056 ____A (AVG ) C:\Users\Kara\Downloads\avg_pct_stf_all_10_27_c1.exe

2012-07-27 18:22 - 2012-07-27 18:22 - 00003304 ____N C:\bootsqm.dat

2012-07-27 17:10 - 2012-07-28 08:17 - 00019558 ____A C:\Users\Kara\Desktop\avgrep.txt

2012-07-27 17:09 - 2012-07-27 17:09 - 00149856 ____A C:\Windows\Minidump\072712-36270-01.dmp

2012-07-27 16:20 - 2012-07-27 16:20 - 00149856 ____A C:\Windows\Minidump\072712-37128-01.dmp

2012-07-27 15:23 - 2012-07-27 15:23 - 00000000 ____D C:\Users\Kara\AppData\Roaming\AVG2012

2012-07-27 15:22 - 2012-08-19 06:25 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2012-07-27 15:22 - 2012-08-19 06:19 - 00000000 ____D C:\Users\All Users\AVG2012

2012-07-27 15:22 - 2012-07-27 15:22 - 00000946 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2012-07-27 15:22 - 2012-07-27 15:22 - 00000000 ___HD C:\$AVG

2012-07-27 13:50 - 2012-07-27 13:50 - 00000000 __SHD C:\Windows\System32\%APPDATA%

============ 3 Months Modified Files ========================

2012-08-19 11:07 - 2012-08-19 11:07 - 00002531 ____A C:\Users\Kara\Desktop\RKreport[1].txt

2012-08-19 11:05 - 2012-08-19 11:05 - 01558528 ____A C:\Users\Kara\Downloads\RogueKiller.exe

2012-08-19 07:00 - 2012-08-19 07:00 - 00007750 ____A C:\Users\Kara\Documents\Attach.txt

2012-08-19 06:54 - 2012-08-19 06:54 - 00009743 ____A C:\Users\Kara\Documents\DDS.txt

2012-08-19 06:48 - 2012-08-19 06:48 - 00054016 ____A C:\Windows\System32\Drivers\tiln.sys

2012-08-19 06:40 - 2012-08-19 06:39 - 00607260 ____R (Swearware) C:\Users\Kara\Downloads\dds.scr

2012-08-19 06:39 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-19 06:38 - 2009-07-13 20:53 - 00029404 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-08-19 06:27 - 2010-11-20 13:01 - 00747786 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-19 06:26 - 2009-07-13 20:34 - 00023680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-19 06:26 - 2009-07-13 20:34 - 00023680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-19 06:22 - 2012-08-19 06:21 - 00898318 ____A (Farbar) C:\Users\Kara\Downloads\FRST.exe

2012-08-19 06:19 - 2009-07-13 20:39 - 00031401 ____A C:\Windows\setupact.log

2012-08-18 21:16 - 2010-11-20 13:48 - 00020122 ____A C:\Windows\PFRO.log

2012-08-07 19:05 - 2012-08-07 19:04 - 00143680 ____A C:\Windows\Minidump\080712-51573-01.dmp

2012-08-07 19:04 - 2012-06-02 17:38 - 226631109 ____A C:\Windows\MEMORY.DMP

2012-08-04 20:54 - 2012-07-28 09:04 - 00000466 ____A C:\Windows\Tasks\SpeedyPC Registration3.job

2012-07-28 17:17 - 2012-07-28 17:17 - 00001078 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-28 17:12 - 2012-07-28 17:09 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Kara\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-28 09:05 - 2012-07-28 09:04 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Kara\Downloads\SpyHunter-Installer.exe

2012-07-28 09:02 - 2012-07-28 09:01 - 04819616 ____A (SpeedyPC Software Inc.) C:\Users\Kara\Downloads\SpeedyPC Pro Installer.exe

2012-07-28 09:00 - 2012-07-28 09:00 - 00001205 ____A C:\Users\Kara\Downloads\FixNCR.reg

2012-07-28 08:35 - 2012-07-28 08:35 - 00000369 ____A C:\Users\Kara\Desktop\exefix.reg

2012-07-28 08:34 - 2012-07-28 08:34 - 00000000 ____A C:\Users\Kara\Desktop\New Text Document (3).txt

2012-07-28 08:34 - 2012-07-28 08:30 - 00001328 ____A C:\Users\Kara\Desktop\New Text Document (2).txt

2012-07-28 08:17 - 2012-07-27 17:10 - 00019558 ____A C:\Users\Kara\Desktop\avgrep.txt

2012-07-28 08:02 - 2012-07-28 08:02 - 00061705 ____A C:\Users\Kara\How+Remove+Trojan+horse+Patched_c+LYU+Manually.htm

2012-07-27 19:30 - 2012-07-27 19:30 - 00001111 ____A C:\Users\Kara\Desktop\AVG PC Tuneup 2011.lnk

2012-07-27 19:29 - 2012-07-27 19:27 - 08351056 ____A (AVG ) C:\Users\Kara\Downloads\avg_pct_stf_all_10_27_c1.exe

2012-07-27 18:22 - 2012-07-27 18:22 - 00003304 ____N C:\bootsqm.dat

2012-07-27 17:09 - 2012-07-27 17:09 - 00149856 ____A C:\Windows\Minidump\072712-36270-01.dmp

2012-07-27 16:20 - 2012-07-27 16:20 - 00149856 ____A C:\Windows\Minidump\072712-37128-01.dmp

2012-07-27 15:22 - 2012-07-27 15:22 - 00000946 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2012-07-27 13:46 - 2012-06-03 01:21 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-27 13:46 - 2012-06-03 01:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-07-27 13:45 - 2012-05-31 18:30 - 00439080 ____A C:\Windows\WindowsUpdate.log

2012-07-03 10:46 - 2012-07-28 17:17 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-02 08:32 - 2012-06-04 23:17 - 00001761 ____A C:\Users\Kara\.lmmsrc.xml

2012-06-19 21:51 - 2012-06-19 21:51 - 00020919 ____A C:\Users\Kara\Downloads\hydrocal.zip

2012-06-18 05:30 - 2012-06-17 18:01 - 00001142 ____A C:\Users\Kara\Desktop\New Text Document.txt

2012-06-07 15:56 - 2012-06-07 15:41 - 00001196 ____A C:\Users\Kara\Desktop\FrostWire 5.3.6.lnk

2012-06-07 15:51 - 2012-06-07 15:51 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2012-06-07 15:51 - 2012-06-07 15:51 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2012-06-07 15:48 - 2012-06-07 15:47 - 00892912 ____A (Oracle Corporation) C:\Users\Kara\Downloads\jre-7u4-windows-i586-iftw.exe

2012-06-07 15:38 - 2012-06-07 15:36 - 07840560 ____A (FrostWire Team) C:\Users\Kara\Downloads\frostwire-5.3.6.windows(1).exe

2012-06-07 15:35 - 2012-06-07 15:34 - 07840560 ____A (FrostWire Team) C:\Users\Kara\Downloads\frostwire-5.3.6.windows.exe

2012-06-07 05:47 - 2012-06-07 05:46 - 06955968 ____A (Microsoft Corporation) C:\Users\Kara\Downloads\Silverlight(1).exe

2012-06-07 05:45 - 2012-06-07 05:45 - 06955968 ____A (Microsoft Corporation) C:\Users\Kara\Downloads\Silverlight.exe

2012-06-06 10:38 - 2012-06-06 10:38 - 00001786 ____A C:\Users\Public\Desktop\Mixxx.lnk

2012-06-06 10:35 - 2012-06-06 10:32 - 20031304 ____A C:\Users\Kara\Downloads\mixxx-1.10.0-win32.exe

2012-06-06 06:22 - 2012-06-06 06:22 - 00002000 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

2012-06-06 06:01 - 2012-06-06 06:01 - 01506653 ____A C:\Users\Kara\Downloads\wrar411.exe

2012-06-06 04:02 - 2012-06-06 04:02 - 00057560 ____A C:\Users\Kara\AppData\Local\GDIPFONTCACHEV1.DAT

2012-06-06 04:01 - 2012-06-06 04:01 - 00000976 ____A C:\Users\Public\Desktop\BitComet.lnk

2012-06-06 03:59 - 2012-06-06 03:58 - 09505616 ____A C:\Users\Kara\Downloads\BitComet_1.32_x86_setup.exe

2012-06-06 03:57 - 2012-06-06 03:57 - 00010731 ____A C:\Users\Kara\Downloads\ArtyTorrent_Pack_61-Ueberschall_House_Essentials_Vocals_1-WAV.4029042.TPB.torrent

2012-06-04 20:59 - 2012-06-04 20:56 - 22653670 ____A C:\Users\Kara\Downloads\lmms-0.4.13-win32.exe

2012-06-04 20:54 - 2012-06-04 20:54 - 03879712 ____A (AVG Technologies) C:\Users\Kara\Downloads\avg_free_stb_all_2012_2178_cnet(1).exe

2012-06-04 19:26 - 2012-06-04 19:26 - 00001227 ____A C:\Users\Kara\Desktop\Spybot - Search & Destroy.lnk

2012-06-04 19:24 - 2012-06-04 19:22 - 16409960 ____A (Safer Networking Limited ) C:\Users\Kara\Downloads\spybotsd162.exe

2012-06-03 23:51 - 2012-06-03 23:51 - 00149856 ____A C:\Windows\Minidump\060412-43820-01.dmp

2012-06-03 17:44 - 2012-06-03 17:44 - 00001807 ____A C:\Users\Kara\Desktop\Spotify.lnk

2012-06-03 17:41 - 2012-06-03 17:41 - 00085784 ____A (Spotify Ltd) C:\Users\Kara\Downloads\SpotifySetup.exe

2012-06-03 17:41 - 2012-06-03 17:41 - 00085784 ____A (Spotify Ltd) C:\Users\Kara\Downloads\SpotifySetup(1).exe

2012-06-02 18:31 - 2012-06-02 18:31 - 02428472 ____A (iMesh Inc. ) C:\Users\Kara\Downloads\iMeshV11.exe

2012-06-02 17:39 - 2012-06-02 17:39 - 00149856 ____A C:\Windows\Minidump\060212-47408-01.dmp

2012-06-02 16:54 - 2012-06-02 16:53 - 08351056 ____A (AVG ) C:\Users\Kara\Downloads\avg_pct_stf_all_10_27_c5(1).exe

2012-06-02 16:51 - 2012-06-02 16:51 - 08351056 ____A (AVG ) C:\Users\Kara\Downloads\avg_pct_stf_all_10_27_c5.exe

2012-05-31 19:26 - 2009-07-13 20:57 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG

2012-05-31 19:26 - 2009-07-13 20:52 - 00028672 ____A C:\Windows\System32\config\BCD-Template

2012-05-31 19:26 - 2008-08-14 11:27 - 00008192 _RASH C:\BOOTSECT.BAK

2012-05-31 18:33 - 2009-07-13 20:33 - 00266808 ____A C:\Windows\System32\FNTCACHE.DAT

2012-05-31 18:31 - 2012-05-31 18:27 - 00001355 ____A C:\Windows\TSSysprep.log

2012-05-31 18:30 - 2012-05-31 18:30 - 00000000 ____A C:\Windows\System32\atiicdxx.dat

2012-05-31 18:30 - 2012-05-31 18:30 - 00000000 ____A C:\Windows\ativpsrm.bin

2012-05-31 18:29 - 2012-05-31 18:29 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-05-31 18:27 - 2009-07-13 20:34 - 00002790 ____A C:\Windows\DtcInstall.log

2012-05-31 17:26 - 2012-05-31 17:25 - 03006984 ____A C:\Users\Kara\Downloads\aresregular218_installer.exe

2012-05-31 17:22 - 2012-05-31 17:22 - 00000074 ____A C:\Users\Public\sdelevURL.tmp

2012-05-31 16:57 - 2012-05-31 16:57 - 03879712 ____A (AVG Technologies) C:\Users\Kara\Downloads\avg_free_stb_all_2012_2178_cnet.exe

2012-05-31 16:56 - 2012-05-31 16:56 - 00001099 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-05-31 16:55 - 2012-05-31 16:55 - 16339280 ____A (Mozilla) C:\Users\Kara\Downloads\Firefox Setup 12.0.exe

2012-05-31 16:48 - 2012-05-31 16:48 - 00000020 ___SH C:\Users\Kara\ntuser.ini

2012-05-31 16:47 - 2012-05-31 16:47 - 00000000 _RASH C:\win7ldr

2012-05-31 15:34 - 2012-05-31 16:47 - 00206312 _RASH C:\grldr

ZeroAccess:

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\@

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L\00000004.@

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L\201d3dde

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\00000004.@

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\00000008.@

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\000000cb.@

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\80000000.@

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U\80000032.@

ZeroAccess:

C:\Users\Kara\AppData\Local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}

C:\Users\Kara\AppData\Local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\@

C:\Users\Kara\AppData\Local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\L

C:\Users\Kara\AppData\Local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c}\U

ZeroAccess:

C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%

Total physical RAM: 4093.99 MB

Available physical RAM: 3652.74 MB

Total Pagefile: 4092.28 MB

Available Pagefile: 3657.19 MB

Total Virtual: 2047.88 MB

Available Virtual: 1970.29 MB

======================= Partitions =========================

1 Drive c: (SQ004830V03) (Fixed) (Total:288.69 GB) (Free:153.51 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.3 GB) NTFS

3 Drive e: (THE_HANGOVER) (CDROM) (Total:7.5 GB) (Free:0 GB) UDF

4 Drive f: () (Removable) (Total:7.65 GB) (Free:7.58 GB) NTFS

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7839 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 288 GB 1501 MB

Partition 3 Primary 8122 MB 290 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C SQ004830V03 NTFS Partition 288 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7835 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F NTFS Removable 7835 MB Healthy

==================================================================================

Last Boot: 2012-07-08 13:27

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 19-08-2012

Ran by SYSTEM at 2012-08-19 15:20:05

Running from F:\

================== Search: "services.exe" ===================

C:\Windows.old.000\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows.old.000\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe

[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe

[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows.old\Windows\SysWOW64\services.exe

[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows.old\Windows\System32\services.exe

[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===


OK, here you go... Please carefully carry out this procedure!

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-08-2012

Ran by SYSTEM at 2012-08-19 15:56:00 Run:1

Running from F:\

==============================================

C:\Windows\Installer\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c} moved successfully.

C:\Users\Kara\AppData\Local\{e1c3cda2-4c7f-dbf8-e5d8-7a8df2cad91c} moved successfully.

C:\Windows\assembly\GAC\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Well done... A couple more scans to run.

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, allow it to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Sometimes these logs can be very large; in that case please attach it, or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

MrC


Run TDSSKiller again and choose Delete for this one only (no need to post the log):

16:15:37.0043 2976 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

16:15:37.0043 2976 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~

Then...

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 12-08-18.03 - Kara 08/19/2012 17:05:16.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.2364 [GMT -5:00]

Running from: c:\users\Kara\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Public\sdelevURL.tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))

.

.

2012-08-19 22:58 . 2012-08-19 22:59 -------- d-----w- C:\FRST

2012-08-19 21:15 . 2012-08-19 21:59 -------- d-----w- C:\TDSSKiller_Quarantine

2012-08-07 03:40 . 2012-08-07 03:40 -------- d-----w- c:\windows\Sun

2012-07-29 01:17 . 2012-07-29 01:17 -------- d-----w- c:\users\Kara\AppData\Roaming\Malwarebytes

2012-07-29 01:17 . 2012-07-29 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-29 01:17 . 2012-07-29 01:17 -------- d-----w- c:\programdata\Malwarebytes

2012-07-29 01:17 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-28 17:22 . 2012-07-28 17:22 110080 ----a-r- c:\users\Kara\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconF7A21AF7.exe

2012-07-28 17:22 . 2012-07-28 17:22 110080 ----a-r- c:\users\Kara\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconD7F16134.exe

2012-07-28 17:22 . 2012-07-28 17:22 110080 ----a-r- c:\users\Kara\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconCF33A0CE.exe

2012-07-28 17:22 . 2012-07-28 17:30 -------- d-----w- C:\sh4ldr

2012-07-28 17:21 . 2012-08-08 05:39 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP

2012-07-28 17:21 . 2012-07-28 17:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2012-07-28 17:04 . 2012-07-28 17:04 -------- d-----w- c:\users\Kara\AppData\Roaming\SpeedyPC Software

2012-07-28 17:04 . 2012-07-28 17:04 -------- d-----w- c:\users\Kara\AppData\Roaming\DriverCure

2012-07-28 17:03 . 2012-07-28 17:03 -------- d-----w- c:\programdata\SpeedyPC Software

2012-07-28 17:03 . 2012-07-28 17:03 -------- d-----w- c:\program files\Common Files\SpeedyPC Software

2012-07-28 16:02 . 2012-07-28 16:02 -------- d-----w- c:\users\Kara\How+Remove+Trojan+horse+Patched_c+LYU+Manually_files

2012-07-28 03:31 . 2012-07-28 03:34 -------- d-----w- c:\users\Kara\AppData\Roaming\AVG

2012-07-27 23:22 . 2012-08-19 14:25 -------- d-----w- c:\windows\system32\drivers\AVG

2012-07-27 23:22 . 2012-08-19 14:19 -------- d-----w- c:\programdata\AVG2012

2012-07-27 23:22 . 2012-07-27 23:22 -------- d-----w- C:\$AVG

2012-07-27 21:50 . 2012-07-27 21:50 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-27 21:46 . 2012-06-03 09:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-27 21:46 . 2012-06-03 09:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-19 02:22 . 2012-06-01 00:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2010-11-20 . 866A43013535DC8587C258E43579C764 . 317440 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe

.

c:\windows\System32\spoolsv.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]

2012-02-27 08:49 89008 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll" [2012-02-27 89008]

.

[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Spotify Web Helper"="c:\users\Kara\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-07-23 1192664]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

R3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\BitComet\tools\BitCometService.exe [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 Generalusbserialser20675;USB Legacy Serial Communication 20675;c:\windows\system32\DRIVERS\CT_U_USBSER.sys [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [x]

S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]

S2 UDisk Monitor;UDisk Monitor;c:\program files\Froyo_Android_Driver\Bin\MonServiceUDisk.exe [x]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-05 c:\windows\Tasks\SpeedyPC Registration3.job

- c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll [2012-01-30 22:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?l=dis&o=14196

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\Kara\AppData\Roaming\Mozilla\Firefox\Profiles\gsz9u1lh.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-61724736.sys

AddRemove-{604CD5A1-4520-4844-B064-A3D884B77E91} - c:\program files\SpeedyPC Software\SpeedyPC\uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\AVG\AVG2012\avgrsx.exe

c:\program files\AVG\AVG2012\avgcsrvx.exe

c:\windows\system32\taskhost.exe

c:\windows\System32\rundll32.exe

c:\windows\system32\conhost.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\sppsvc.exe

c:\windows\system32\taskhost.exe

.

**************************************************************************

.

Completion time: 2012-08-19 17:16:16 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-19 22:16

.

Pre-Run: 164,273,336,320 bytes free

Post-Run: 164,496,556,032 bytes free

.

- - End Of File - - 2A6A1CF6E96D030D4E2454A1C492D185


ComboFix spotted a missing file:

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2010-11-20 . 866A43013535DC8587C258E43579C764 . 317440 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe

.

c:\windows\System32\spoolsv.exe ... is missing !!

Please do this......

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    spoolsv.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


SystemLook 30.07.11 by jpshortstuff

Log created at 17:32 on 19/08/2012 by Kara

Administrator - Elevation successful

========== Filefind ==========

Searching for "spoolsv.exe"

C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe --a---- 317440 bytes [21:29 20/11/2010] [21:29 20/11/2010] 866A43013535DC8587C258E43579C764

C:\Windows.old\Windows\System32\spoolsv.exe --a---- 267776 bytes [21:11 14/09/2010] [14:04 17/08/2010] 92E6738D25C2123BE9515C0EAC0776CD

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_326a3ea579e6364c\spoolsv.exe --a---- 267264 bytes [02:49 21/01/2008] [02:49 21/01/2008] E6519A9E756D74DC51C697BA62162F51

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18511_none_3260788179ed5d57\spoolsv.exe --a---- 267776 bytes [21:11 14/09/2010] [14:04 17/08/2010] 92E6738D25C2123BE9515C0EAC0776CD

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.22743_none_32cba802932180c9\spoolsv.exe --a---- 270848 bytes [21:11 14/09/2010] [14:02 17/08/2010] 7F59AA690212241B398D6DBE4071EE3C

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6002.18294_none_33f36be77751de08\spoolsv.exe --a---- 273920 bytes [21:11 14/09/2010] [14:54 17/08/2010] F66FF751E7EFC816D266977939EF5DC3

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6002.22468_none_34a17b8490538c82\spoolsv.exe --a---- 273920 bytes [21:11 14/09/2010] [14:54 17/08/2010] 439017BE66398AB809D81B3AE8393883

C:\Windows.old.000\Windows\System32\spoolsv.exe --a---- 317440 bytes [21:29 20/11/2010] [21:29 20/11/2010] 866A43013535DC8587C258E43579C764

C:\Windows.old.000\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe --a---- 317440 bytes [21:29 20/11/2010] [21:29 20/11/2010] 866A43013535DC8587C258E43579C764

-= EOF =-

My Windows.old is my old Vista data from when I updated to 7, if that helps.

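One way to automate the selection the helper makes in the next step (restore the missing System32 copy from a backup whose hash matches the installed WinSxS component), as an added example that is not part of this thread and not code from SystemLook or ComboFix: it parses SystemLook's Filefind lines (input copied from the log above) and lists the copies whose MD5 and size match the live WinSxS component. The function names are my own.

```python
import re
from typing import Dict, List

# SystemLook ":Filefind" lines have the shape:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Input copied from the SystemLook log posted above (four of its nine entries).
SYSTEMLOOK_LOG = r"""
Searching for "spoolsv.exe"
C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe --a---- 317440 bytes [21:29 20/11/2010] [21:29 20/11/2010] 866A43013535DC8587C258E43579C764
C:\Windows.old\Windows\System32\spoolsv.exe --a---- 267776 bytes [21:11 14/09/2010] [14:04 17/08/2010] 92E6738D25C2123BE9515C0EAC0776CD
C:\Windows.old.000\Windows\System32\spoolsv.exe --a---- 317440 bytes [21:29 20/11/2010] [21:29 20/11/2010] 866A43013535DC8587C258E43579C764
C:\Windows.old.000\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe --a---- 317440 bytes [21:29 20/11/2010] [21:29 20/11/2010] 866A43013535DC8587C258E43579C764
-= EOF =-
"""


def parse_filefind(text: str) -> List[Dict[str, str]]:
    """Return one dict per file entry; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def restore_candidates(entries, live_root=r"C:\Windows", name="spoolsv.exe"):
    """Pick copies that could replace a missing System32 copy of <name>.

    The copy in the live WinSxS store is the installed component, so its MD5
    and size are the reference; any other copy with the same MD5 and size is
    a usable source. Returns (live_present, reference_md5, candidate_paths).
    """
    root = live_root.lower()
    live_path = f"{root}\\system32\\{name}".lower()
    live_present = any(e["path"].lower() == live_path for e in entries)
    reference = next(
        (e for e in entries if e["path"].lower().startswith(root + "\\winsxs\\")), None
    )
    if reference is None:
        return live_present, None, []
    candidates = [
        e["path"] for e in entries
        if e is not reference
        and e["md5"].upper() == reference["md5"].upper()
        and e["size"] == reference["size"]
    ]
    return live_present, reference["md5"].upper(), candidates
```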

Using ComboFix.......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

FCopy::

C:\Windows.old.000\Windows\System32\spoolsv.exe | c:\windows\System32\spoolsv.exe

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


ComboFix 12-08-18.03 - Kara 08/19/2012 18:01:47.2.2 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1979 [GMT -5:00]

Running from: c:\users\Kara\Desktop\ComboFix.exe

Command switches used :: c:\users\Kara\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows.old.000\Windows\System32\spoolsv.exe --> c:\windows\System32\spoolsv.exe

.

((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))

.

.

2012-08-19 23:05 . 2012-08-19 23:05 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-19 23:01 . 2010-11-20 21:29 317440 ----a-w- c:\windows\system32\spoolsv.exe

2012-08-19 21:15 . 2012-08-19 21:59 -------- d-----w- C:\TDSSKiller_Quarantine

2012-08-07 03:40 . 2012-08-07 03:40 -------- d-----w- c:\windows\Sun

2012-07-29 01:17 . 2012-07-29 01:17 -------- d-----w- c:\users\Kara\AppData\Roaming\Malwarebytes

2012-07-29 01:17 . 2012-07-29 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-29 01:17 . 2012-07-29 01:17 -------- d-----w- c:\programdata\Malwarebytes

2012-07-29 01:17 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-28 17:22 . 2012-07-28 17:22 110080 ----a-r- c:\users\Kara\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconF7A21AF7.exe

2012-07-28 17:22 . 2012-07-28 17:22 110080 ----a-r- c:\users\Kara\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconD7F16134.exe

2012-07-28 17:22 . 2012-07-28 17:22 110080 ----a-r- c:\users\Kara\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconCF33A0CE.exe

2012-07-28 17:22 . 2012-07-28 17:30 -------- d-----w- C:\sh4ldr

2012-07-28 17:21 . 2012-08-08 05:39 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP

2012-07-28 17:21 . 2012-07-28 17:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2012-07-28 17:04 . 2012-07-28 17:04 -------- d-----w- c:\users\Kara\AppData\Roaming\SpeedyPC Software

2012-07-28 17:04 . 2012-07-28 17:04 -------- d-----w- c:\users\Kara\AppData\Roaming\DriverCure

2012-07-28 17:03 . 2012-07-28 17:03 -------- d-----w- c:\programdata\SpeedyPC Software

2012-07-28 17:03 . 2012-07-28 17:03 -------- d-----w- c:\program files\Common Files\SpeedyPC Software

2012-07-28 16:02 . 2012-07-28 16:02 -------- d-----w- c:\users\Kara\How+Remove+Trojan+horse+Patched_c+LYU+Manually_files

2012-07-28 03:31 . 2012-07-28 03:34 -------- d-----w- c:\users\Kara\AppData\Roaming\AVG

2012-07-27 23:22 . 2012-08-19 14:25 -------- d-----w- c:\windows\system32\drivers\AVG

2012-07-27 23:22 . 2012-08-19 14:19 -------- d-----w- c:\programdata\AVG2012

2012-07-27 23:22 . 2012-07-27 23:22 -------- d-----w- C:\$AVG

2012-07-27 21:50 . 2012-07-27 21:50 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-27 21:46 . 2012-06-03 09:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-27 21:46 . 2012-06-03 09:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-19 02:22 . 2012-06-01 00:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]

2012-02-27 08:49 89008 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll" [2012-02-27 89008]

.

[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Spotify Web Helper"="c:\users\Kara\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-07-23 1192664]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [x]

R2 UDisk Monitor;UDisk Monitor;c:\program files\Froyo_Android_Driver\Bin\MonServiceUDisk.exe [x]

R3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\BitComet\tools\BitCometService.exe [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 Generalusbserialser20675;USB Legacy Serial Communication 20675;c:\windows\system32\DRIVERS\CT_U_USBSER.sys [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-19 c:\windows\Tasks\SpeedyPC Registration3.job

- c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll [2012-01-30 22:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?l=dis&o=14196

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\Kara\AppData\Roaming\Mozilla\Firefox\Profiles\gsz9u1lh.default\

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-08-19 18:07:10

ComboFix-quarantined-files.txt 2012-08-19 23:07

ComboFix2.txt 2012-08-19 22:16

.

Pre-Run: 164,169,498,624 bytes free

Post-Run: 164,123,623,424 bytes free

.

- - End Of File - - 84B5EC814FEB7BA71F275064D9C161F9


Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.19.07

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 8.0.7601.17514

Kara :: KPC [administrator]

8/19/2012 6:12:39 PM

mbam-log-2012-08-19 (18-12-39).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 181644

Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Thank you SO MUCH! Everything seems to be working fine now.


Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
