
UuU.uUu & XxX.xXx



Can't seem to get rid of these 2. Any help would be appreciated.

Here's the MBAM report:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.23.07

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Home :: HOME-PC [administrator]

8/23/2012 2:29:23 PM

mbam-log-2012-08-23 (14-29-23).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 215624

Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\Home\AppData\Local\temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Home\AppData\Local\temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

(end)


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


DDS report

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1

Run by Home at 14:44:00 on 2012-08-23

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2036 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Windows\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://yahoo.com/

mStart Page = about:blank

uInternet Settings,ProxyOverride = <local>;*.local

uRun: [Java suns] c:\users\home\appdata\roaming\java suns\Jqsx.exe

uExplorerRun: [Java suns] c:\users\home\appdata\roaming\java suns\Jqsx.exe

mExplorerRun: [Java suns] c:\users\home\appdata\roaming\java suns\Jqsx.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{65CB202F-C53A-47EC-A58C-BF660DF2134C} : DhcpNameServer = 192.168.1.1

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SecurityProviders: credssp.dll, msansspc.dll

mASetup: {1AA7FEAB-AE1B-F7DF-ACAF-2D5205B4C494} - c:\users\home\appdata\roaming\java\wlcomm.exe

mASetup: {6665855C-7F74-613M-P4E2-2KKQY0VBT4KP} - c:\users\home\appdata\roaming\java suns\Jqsx.exe

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-7-18 383368]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-7-18 342168]

R1 ndisrd;WinpkFilter LightWeight Filter;c:\windows\system32\drivers\ndisrd.sys [2011-2-22 26208]

R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-7-18 203088]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-5-14 21504]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-11-26 2253120]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 250056]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-5-18 80824]

S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2012-5-18 20032]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2011-8-27 51712]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

S3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-7-18 70768]

S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [2007-8-14 18048]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-7-18 402336]

S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-7-18 1118648]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-5-18 181432]

S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-7-18 575448]

S4 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2011-10-22 5154680]

.

=============== Created Last 30 ================

.

2012-08-23 21:38:05 -------- d--h--w- c:\windows\PIF

2012-08-23 17:54:55 -------- d-----w- c:\users\home\appdata\roaming\Java suns

2012-08-19 23:11:57 -------- d-----w- c:\users\home\appdata\local\temp

2012-08-19 23:11:12 -------- d-sh--w- C:\$RECYCLE.BIN

2012-08-19 22:49:50 -------- d-----w- C:\ComboFix

2012-08-19 22:34:29 -------- d-----w- c:\windows\pss

2012-08-19 19:58:58 -------- d-----w- c:\program files\Oracle

2012-08-14 19:10:53 -------- d-----w- c:\programdata\4Videosoft Studio

2012-08-14 19:10:47 -------- d-----w- c:\program files\WinPcap

2012-08-14 19:10:24 -------- d-----w- c:\program files\4Videosoft Studio

2012-08-12 00:35:50 -------- d-----w- c:\program files\GetFLV

2012-08-11 17:47:16 -------- d-----w- c:\program files\Hidden Identity - Chicago Blackout

.

==================== Find3M ====================

.

2012-08-15 20:02:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-15 20:02:13 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-18 21:13:21 17800 ----a-w- c:\windows\system32\drivers\ZeroAccess.sys

2012-07-06 05:06:30 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-06 05:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-14 19:31:38 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys

2012-06-14 19:31:22 2267096 ----a-w- c:\windows\PCTBDCore.dll

2012-06-14 19:31:22 1681368 ----a-w- c:\windows\PCTBDRes.dll

2012-06-14 19:31:22 149464 ----a-w- c:\windows\SGDetectionTool.dll

2012-06-14 19:31:00 767960 ----a-w- c:\windows\BDTSupport.dll

2012-05-27 19:31:53 99512 ----a-w- c:\windows\system32\kbPTXJTR4T.exe

.

============= FINISH: 14:44:49.29 ===============


Attach file

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 2/16/2007 3:43:35 PM

System Uptime: 8/23/2012 2:26:22 PM (0 hours ago)

.

Motherboard: ASUSTek Computer INC. | | NODUSM3

Processor: AMD Athlon 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 292 GiB total, 19.564 GiB free.

D: is FIXED (NTFS) - 6 GiB total, 0.877 GiB free.

E: is CDROM ()

F: is FIXED (NTFS) - 466 GiB total, 285.258 GiB free.

G: is Removable

H: is Removable

I: is Removable

J: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

001 Joiner

7-Zip 4.42

7Canaries 1.0 Professional

Abra Academy

AC3Filter 1.63b

Ad-Aware 2007

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Photoshop CS

Adobe Reader 7.0.9

Adobe Shockwave Player 11.6

Agatha Christie Death On The Nile

Agatha Christie: 4:50 from Paddington

Agatha Christie: Dead Man's Folly

Alabama Smith in Escape from Pompeii

Amazing Adventures The Lost Tomb

Amazing Adventures: Around the World

Amazing Adventures: The Caribbean Secret

Amazon MP3 Downloader 1.0.15

AnyDVD

AoA DVD Ripper

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AudioCatalyst

AVI Joiner

Avidemux 2.5 (32-bit)

AviSynth 2.5

Big City Adventure San Francisco

Big City Adventures-Sydney Australia

Big Fish Games: Game Manager

Bonjour

Browser Guard 4.0

Build-a-lot 2: Town of the Year

Build-a-lot 3: Passport to Europe

Buried in Time

Cajun Cop: The French Quarter Caper

Casio SMF Conveter

CBR Reader

CCleaner

Coby Media Manager

Columbus: Ghost of the Mystery Stone

Cooking Dash (remove only)

Cool Edit Pro 2.0

CopyTrans Suite Remove Only

Curse of the Pharaoh - The Quest for Nefertiti

Curse of the Pharaoh: Napoleon's Secret ™

Curse of the Pharaoh: The Quest for Nefertiti

Data Lifeguard Diagnostic for Windows 1.22

DC++ 0.750

DivX Setup

DNA

Dream Chronicles: The Book of Air Collector's Edition

DVD Decrypter (Remove Only)

DVD Shrink 3.2

DVDFab Decrypter 2.9.8.3

DVDFab HD Decrypter 4.0.1.2

dvdSanta 4.00

Egypt: Secret of five Gods

eMule

Escape From Paradise (remove only)

Farm Tribe

Finale NotePad 2007

Fisher's Family Farm

Flux Family Secrets: The Ripple Effect

FLV Player 1.3.3

G.H.O.S.T. Hunters

Ghost in the Sheet

Guitar Guru Version 2.2.5.0

Guitar Pro 5.2

Haali Media Splitter

Hardware Diagnostic Tools

Haunted Hotel: Lonely Dream

Haunted Manor: Lord of Mirrors

Hawaiian Explorer Pearl Harbor

Heroes Of Hellas

Hidden Expedition - Amazon v1.0 by downTURK

Hidden Expedition ® - Devil's Triangle

Hidden Identity: Chicago Blackout

Hidden in Time: Mirror Mirror

Hidden Mysteries®: Return to Titanic

Hidden Mysteries®: Vampire Secrets

Hidden Mysteries: Buckingham Palace ™

Hidden Mysteries: Civil War

Hidden Mysteries: Royal Family Secrets

Hidden Mysteries: The Fateful Voyage - Titanic

Hidden Secrets - The Nightmare

HijackThis 1.99.1

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Connections (remove only)

HP Customer Experience Enhancements

HP Customer Feedback

HP Easy Setup - Core

HP Easy Setup - Frontend

HP Total Care Advisor

HP Update

Interpol 2: Most Wanted

iTunes

Java Auto Updater

Java 7 Update 5

JavaFX 2.1.1

K-Lite Codec Pack 3.9.0 Full

Letters from Nowhere

LG Verizon United Drivers

LightScribe 1.4.124.1

LiveUpdate 3.2 (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

Lost Lagoon 2: Cursed & Forgotten

Lost Lagoon: The Trail of Destiny

Love Story: The Beach Cottage

Luxor

Mahjong Escape Ancient Japan

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 3.5 SP1

Microsoft Age of Empires II

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MKVtoolnix 5.0.1

MobileMe Control Panel

Monkey's Audio

MotioninJoy ds3 driver version 0.5.0000

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Mummy Maze Deluxe 1.1

Musicnotes Player V1.23.1

muvee autoProducer 5.0

My HP Games

My Kingdom for the Princess II

My Tribe

Mystery Case Files - Madame Fate

Mystery Case Files ®: 13th Skull ™ Collector's Edition

Mystery Case Files Huntsville

Mystery Case Files®: Dire Grove™

Mystery Case Files: Prime Suspects ™

Mystery Case Files: Ravenhearst (remove only)

Mystery Case Files: Return to Ravenhearst ™

Mystery Cookbook

Mystery in London (remove only)

Mystery Legends: The Phantom of the Opera

Mystery P.I. - The Lottery Ticket

Mystery P.I.: Lost in Los Angeles

Mystery P.I.: Stolen in San Francisco

Mystery P.I.: The Curious Case of Counterfeit Cove

Mystery P.I.: The London Caper

Mystery P.I.: The New York Fortune

Mystery P.I.: The Vegas Heist

Mystery Trackers: The Void

Mystic Gateways: The Celestial Quest

Nero 8 Demo

neroxml

Notation Musician 2.6.3 (Trial Version)

NVIDIA Control Panel 285.62

NVIDIA Graphics Driver 285.62

NVIDIA Install Application

NVIDIA Update 1.5.20

NVIDIA Update Components

OcxSetup

OpenAL

Paros 3.2.13

Pathfinders: Lost at Sea

PC Tools Spyware Doctor 9.0

Philips Songbird

PlayOn

Project64 1.6

PS3 Media Server

PS3 Video 9 6

PuppetShow: Mystery of Joyville ™

Python 2.4.3

QuickPar 0.9

QuickTime

RealPlayer

Realtek High Definition Audio Driver

Registry Mechanic 8.0

Roxio Creator Audio

Roxio Creator Basic v9

Roxio Creator Copy

Roxio Creator Data

Roxio Creator EasyArchive

Roxio Creator Tools

Roxio Express Labeler 3

Safari

Samantha Swift and the Hidden Roses of Athena

Samsung Kies

SAMSUNG USB Driver for Mobile Phones

Sansa Updater

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2553089)

Security Update for 2007 Microsoft Office System (KB2553090)

Security Update for 2007 Microsoft Office System (KB2584063)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Security Update for Windows Media Encoder (KB954156)

Sherlock Holmes and the Hound of the Baskervilles

Sibelius Scorch Plugin

Sigma Player 1.0

Soft Data Fax Modem with SmartCP

Sprill - The Mystery of The Bermuda Triangle

Sprill and Ritchie - Adventures In Time

Spybot - Search & Destroy 1.4

SUPERAntiSpyware Free Edition

SuperMegaSpoof 2.0

SuperNZB v3.2.1

swMSM

Synthesia (remove only)

System Requirements Lab

TallStick TS-AudioToMIDI 3.30 (remove only)

The Curse Of Montezuma

The Magicians Handbook Cursed Valley

The Mystery of the Mummy

The Rosetta Stone

The Secrets of Arcelia Island

The Serpent of Isis ™

The Timebuilders: Caveman's Prophecy

The Timebuilders: Pyramid Rising

The Tiny Bang Story

Thrustmaster Calibration Tool

Thrustmaster FFB Driver

TMPGEnc MPEG Editor 2.0 Trial Version

Total Video Converter 3.10

Treasure Masters

Treasure Masters, Inc.

Treasure Seekers: The Time Has Come

Tunatic

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office OneNote 2007 (KB980729)

Vacation Quest: Australia

Vacation Quest: The Hawaiian Islands

VC80CRTRedist - 8.0.50727.6195

VCRedistSetup

VLC media player 1.1.7

WIDI Recognition System Pro 4.03 (remove only)

Winamp (remove only)

WinAVI DVD Ripper

WinAVI Video Converter

WinAVI Video Converter 9.0

Windows Media Encoder 9 Series

WinFF 1.3.2

WinPcap 4.1.2

WinRAR archiver

Womens Murder Club

XingMP3 Player

XviD Video Codec 1.1.2-01022007

Youda Survivor

YouTube Downloader 2.7.4

.

==== Event Viewer Messages From Past Week ========

.

8/23/2012 2:29:08 PM, Error: Service Control Manager [7022] - The SharedAccess service hung on starting.

8/23/2012 2:28:22 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

8/23/2012 2:28:22 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

8/23/2012 2:26:51 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP Officejet 6300 series with shared resource name HP Officejet 6300 series. Error 2114. The printer cannot be used by others on the network.

8/23/2012 2:00:58 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP Officejet 6300 series with shared resource name HP Officejet 6300 series. Error 1753. The printer cannot be used by others on the network.

8/22/2012 12:40:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}

8/22/2012 12:27:20 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

8/22/2012 12:27:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

8/22/2012 12:27:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

8/22/2012 12:27:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

8/22/2012 12:27:05 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 ElbyCDIO PCTSD SASDIFSV SASKUTIL spldr Wanarpv6

8/22/2012 12:27:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

8/22/2012 12:26:16 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

8/19/2012 4:17:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}

8/19/2012 4:17:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

8/19/2012 4:12:40 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

8/19/2012 4:01:51 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

8/19/2012 3:50:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

8/19/2012 3:41:39 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

8/19/2012 3:41:39 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

8/19/2012 3:32:41 PM, Error: EventLog [6008] - The previous system shutdown at 3:30:31 PM on 8/19/2012 was unexpected.

8/19/2012 1:07:10 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.

8/19/2012 1:07:10 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/19/2012 1:05:32 PM, Error: EventLog [6008] - The previous system shutdown at 1:04:06 PM on 8/19/2012 was unexpected.

8/19/2012 1:02:14 PM, Error: EventLog [6008] - The previous system shutdown at 1:00:23 PM on 8/19/2012 was unexpected.

.

==== End Of File ===========================


RogueKiller report

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Home [Admin rights]

Mode: Scan -- Date: 08/23/2012 15:16:18

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 11 ¤¤¤

[SUSP PATH] HKCU\[...]\Run : Java suns (C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe) -> FOUND

[SUSP PATH] HKUS\S-1-5-21-2081364277-493481855-364447279-1000[...]\Run : Java suns (C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe) -> FOUND

[SUSP PATH] HKCU\[...]\Policies\Explorer\Run : Java suns (C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe) -> FOUND

[SUSP PATH] HKLM\[...]\Policies\Explorer\Run : Java suns (C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe) -> FOUND

[SUSP PATH] HKUS\S-1-5-21-2081364277-493481855-364447279-1000[...]\Policies\Explorer\Run : Java suns (C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe) -> FOUND

[SUSP PATH] BFGLaunch_agathachristiedeat_s1_l1_gF1551T1L1_d2848725.job @ : C:\Users\Home\AppData\Local\Temp\agathachristiedeat_s1_l1_gF1551T1L1_d2848725.exe -> FOUND

[SUSP PATH] BFGLaunch_mysterycasefilesra_s1_l1_gF1331T1L1_d83085293.job @ : C:\Users\Home\AppData\Local\Temp\mysterycasefilesra_s1_l1_gF1331T1L1_d83085293.exe -> FOUND

[SUSP PATH] BFGLaunch_travelogue360paris_s1_l1_gF1256T1L1_d11908206.job @ : C:\Users\Home\AppData\Local\Temp\travelogue360paris_s1_l1_gF1256T1L1_d11908206.exe -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{92b36841-4953-892b-afa9-7f15ed077890}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{92b36841-4953-892b-afa9-7f15ed077890}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{92b36841-4953-892b-afa9-7f15ed077890}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\home\appdata\local\{92b36841-4953-892b-afa9-7f15ed077890}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\home\appdata\local\{92b36841-4953-892b-afa9-7f15ed077890}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\home\appdata\local\{92b36841-4953-892b-afa9-7f15ed077890}\L --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320820AS ATA Device +++++

--- User ---

[MBR] b098ca6489d60f24deb0c9e5481c77f3

[BSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 298834 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 612012240 | Size: 6408 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000AACS-61M6B2 ATA Device +++++

--- User ---

[MBR] 3d049d99820b8d4da4e499be4d4c6e58

[BSP] e42cf7e95b1eddbf64db42a2662bf3b9 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Being you have Vista, you may or may not be able to do this but please try.

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


I'm going to try the cleanup process.

FRST log

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 23-08-2012 02

Ran by SYSTEM at 23-08-2012 15:48:33

Running from G:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1480296 2006-11-16] (Hewlett-Packard)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1480296 2006-11-16] (Hewlett-Packard)

HKU\Home\...\Run: [Java suns] C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe [325192 2012-08-23] (BitDefender)

HKU\UpdatusUser\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1480296 2006-11-16] (Hewlett-Packard)

HKLM\...\Policies\Explorer\Run: [Java suns] C:\Users\Home\AppData\Roaming\Java suns\Jqsx.exe [325192 2012-08-23] (BitDefender)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

================================ Services (Whitelisted) ==================

2 aawservice; "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" [607576 2008-03-19] (Lavasoft)

4 Adobe LM Service; "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [68096 2007-10-28] ()

4 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [554352 2007-09-12] (Symantec Corporation)

4 Browser Defender Update Service; "C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe" [575448 2012-06-14] (Threat Expert Ltd.)

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)

4 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2999664 2007-09-12] (Symantec Corporation)

4 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)

4 MediaMall Server; "C:\Program Files\MediaMall\MediaMallServer.exe" [5154680 2012-01-28] (MediaMall Technologies, Inc.)

2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2253120 2011-10-15] (NVIDIA Corporation)

3 sdAuxService; C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe [402336 2012-05-11] (PC Tools)

3 sdCoreService; C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe [1118648 2012-05-11] (PC Tools)

2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]

2 LiveUpdate Notice Ex; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

4 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

========================== Drivers (Whitelisted) =============

3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [104512 2009-08-05] (SlySoft, Inc.)

1 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [16877 2002-07-17] (Adaptec)

3 dgderdrv; C:\Windows\System32\drivers\dgderdrv.sys [20032 2011-03-02] (Devguru Co., Ltd)

1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [24232 2009-02-17] (Elaborate Bytes AG)

3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [51712 2010-06-30] (MotioninJoy)

1 ndisrd; C:\Windows\System32\DRIVERS\ndisrd.sys [26208 2012-04-23] (NT Kernel Resources)

3 NPF; C:\Windows\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)

3 PCTBD; C:\Windows\System32\Drivers\PCTBD.sys [70768 2012-06-14] (PC Tools)

0 PCTCore; C:\Windows\System32\drivers\PCTCore.sys [383368 2012-04-23] (PC Tools)

0 pctDS; C:\Windows\System32\drivers\pctDS.sys [342168 2012-02-28] (PC Tools)

1 PCTSD; C:\Windows\System32\Drivers\PCTSD.sys [203088 2012-05-11] (PC Tools)

3 PL-40R; C:\Windows\System32\Drivers\pl40rwdm.sys [18048 2004-09-30] (CASIO COMPUTER CO., LTD.)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [8944 2008-09-03] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [7408 2008-09-03] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [55024 2008-09-03] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2011-02-14] (LG Electronics Inc.)

3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [61984 2009-11-24] (Microsoft Corporation)

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 catchme; \??\C:\ComboFix\catchme.sys [x]

3 Iassanva; [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-23 14:32 - 2012-08-23 14:32 - 00012668 ____A C:\Users\Home\Desktop\FRST.txt

2012-08-23 14:30 - 2012-08-23 14:32 - 00000000 ____D C:\FRST

2012-08-23 14:30 - 2012-08-23 14:30 - 00898696 ____A (Farbar) C:\Users\Home\Desktop\FRST.exe

2012-08-23 14:16 - 2012-08-23 14:16 - 00003362 ____A C:\Users\Home\Desktop\RKreport[1].txt

2012-08-23 14:14 - 2012-08-23 14:16 - 00000000 ____D C:\Users\Home\Desktop\RK_Quarantine

2012-08-23 14:12 - 2012-08-23 14:12 - 01558528 ____A C:\Users\Home\Desktop\RogueKiller.exe

2012-08-23 13:43 - 2012-08-23 13:43 - 00607260 ____R (Swearware) C:\Users\Home\Desktop\dds.exe

2012-08-23 13:38 - 2012-08-23 13:38 - 00000000 ___HD C:\Windows\PIF

2012-08-23 09:54 - 2012-08-23 10:02 - 00000000 ____D C:\Users\Home\Application Data\Java suns

2012-08-23 09:54 - 2012-08-23 10:02 - 00000000 ____D C:\Users\Home\AppData\Roaming\Java suns

2012-08-22 11:48 - 2012-08-23 14:40 - 00021922 ____A C:\Windows\WindowsUpdate.log

2012-08-22 11:39 - 2012-08-22 11:41 - 00000000 ___SD C:\32788R22FWJFW

2012-08-19 15:11 - 2012-08-19 15:11 - 00012379 ____A C:\ComboFix.txt

2012-08-19 14:49 - 2012-08-19 15:12 - 00000000 ____D C:\ComboFix

2012-08-19 14:34 - 2012-08-19 14:34 - 00000000 ____D C:\Windows\pss

2012-08-19 11:59 - 2012-08-19 11:59 - 00000000 ____D C:\Program Files\Common Files\Java

2012-08-19 11:58 - 2012-08-19 11:58 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2012-08-19 11:58 - 2012-08-19 11:58 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2012-08-19 11:58 - 2012-08-19 11:58 - 00000000 ____D C:\Program Files\Oracle

2012-08-19 11:58 - 2012-07-05 21:06 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2012-08-19 11:57 - 2012-08-19 11:57 - 00000000 ____D C:\Users\All Users\McAfee

2012-08-19 11:57 - 2012-08-19 11:57 - 00000000 ____D C:\Users\All Users\Application Data\McAfee

2012-08-18 10:50 - 2012-08-18 11:27 - 03595008 ____A C:\Users\Home\My Documents\C

2012-08-18 10:50 - 2012-08-18 11:27 - 03595008 ____A C:\Users\Home\Documents\C

2012-08-14 11:10 - 2012-08-14 11:10 - 00000000 ____D C:\Users\Home\My Documents\4Videosoft Studio

2012-08-14 11:10 - 2012-08-14 11:10 - 00000000 ____D C:\Users\Home\Documents\4Videosoft Studio

2012-08-14 11:10 - 2012-08-14 11:10 - 00000000 ____D C:\Users\All Users\Application Data\4Videosoft Studio

2012-08-14 11:10 - 2012-08-14 11:10 - 00000000 ____D C:\Users\All Users\4Videosoft Studio

2012-08-14 11:10 - 2012-08-14 11:10 - 00000000 ____D C:\Program Files\WinPcap

2012-08-14 11:10 - 2012-08-14 11:10 - 00000000 ____D C:\Program Files\4Videosoft Studio

2012-08-11 16:35 - 2012-08-11 16:45 - 00000000 ____D C:\Program Files\GetFLV

2012-08-11 09:47 - 2012-08-11 09:47 - 00001928 ____A C:\Users\Public\Desktop\Play Hidden Identity - Chicago Blackout.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00001928 ____A C:\Users\All Users\Desktop\Play Hidden Identity - Chicago Blackout.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00001234 ____A C:\Users\Public\Desktop\More Great Games.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00001234 ____A C:\Users\All Users\Desktop\More Great Games.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00000000 ____D C:\Program Files\Hidden Identity - Chicago Blackout

2012-07-28 16:44 - 2012-08-23 14:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

============ 3 Months Modified Files ========================

2012-08-23 14:42 - 2006-11-02 05:01 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-08-23 14:42 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-23 14:41 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-23 14:41 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-23 14:40 - 2012-08-22 11:48 - 00021922 ____A C:\Windows\WindowsUpdate.log

2012-08-23 14:39 - 2006-11-02 02:33 - 00690786 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-23 14:32 - 2012-08-23 14:32 - 00012668 ____A C:\Users\Home\Desktop\FRST.txt

2012-08-23 14:30 - 2012-08-23 14:30 - 00898696 ____A (Farbar) C:\Users\Home\Desktop\FRST.exe

2012-08-23 14:16 - 2012-08-23 14:16 - 00003362 ____A C:\Users\Home\Desktop\RKreport[1].txt

2012-08-23 14:12 - 2012-08-23 14:12 - 01558528 ____A C:\Users\Home\Desktop\RogueKiller.exe

2012-08-23 14:02 - 2012-07-28 16:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-23 13:43 - 2012-08-23 13:43 - 00607260 ____R (Swearware) C:\Users\Home\Desktop\dds.exe

2012-08-19 15:11 - 2012-08-19 15:11 - 00012379 ____A C:\ComboFix.txt

2012-08-19 15:03 - 2006-11-02 02:23 - 00000241 ____A C:\Windows\system.ini

2012-08-19 12:00 - 2012-07-19 08:26 - 04735580 ____R (Swearware) C:\Users\Home\Desktop\ComboFix.exe

2012-08-19 11:58 - 2012-08-19 11:58 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2012-08-19 11:58 - 2012-08-19 11:58 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2012-08-18 11:27 - 2012-08-18 10:50 - 03595008 ____A C:\Users\Home\My Documents\C

2012-08-18 11:27 - 2012-08-18 10:50 - 03595008 ____A C:\Users\Home\Documents\C

2012-08-18 11:27 - 2007-08-20 05:27 - 00000069 ____A C:\Windows\NeroDigital.ini

2012-08-15 12:02 - 2012-04-06 18:58 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-08-15 12:02 - 2011-05-16 03:54 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-08-11 09:47 - 2012-08-11 09:47 - 00001928 ____A C:\Users\Public\Desktop\Play Hidden Identity - Chicago Blackout.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00001928 ____A C:\Users\All Users\Desktop\Play Hidden Identity - Chicago Blackout.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00001234 ____A C:\Users\Public\Desktop\More Great Games.lnk

2012-08-11 09:47 - 2012-08-11 09:47 - 00001234 ____A C:\Users\All Users\Desktop\More Great Games.lnk

2012-07-22 03:32 - 2012-07-22 03:32 - 00000769 ____A C:\Users\Public\Desktop\CBR Reader.lnk

2012-07-22 03:32 - 2012-07-22 03:32 - 00000769 ____A C:\Users\All Users\Desktop\CBR Reader.lnk

2012-07-19 08:59 - 2006-11-02 02:22 - 44302336 ____A C:\Windows\System32\config\software.bak

2012-07-19 08:59 - 2006-11-02 02:22 - 39583744 ____A C:\Windows\System32\config\COMPON~3.bak

2012-07-19 08:59 - 2006-11-02 02:22 - 20971520 ____A C:\Windows\System32\config\system.bak

2012-07-19 08:59 - 2006-11-02 02:22 - 00786432 ____A C:\Windows\System32\config\default.bak

2012-07-19 08:59 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security.bak

2012-07-19 08:59 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam.bak

2012-07-18 13:13 - 2012-07-18 13:13 - 00017800 ____A (PrevX Research) C:\Windows\System32\Drivers\ZeroAccess.sys

2012-07-16 13:54 - 2010-05-27 16:49 - 00000370 ____A C:\rkill.log

2012-07-05 21:06 - 2012-08-19 11:58 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2012-07-05 21:06 - 2012-05-12 03:33 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll

2012-07-05 21:06 - 2012-05-12 03:33 - 00687544 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll

2012-07-03 12:46 - 2009-08-23 18:14 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-14 11:31 - 2012-07-18 13:10 - 02267096 ____A (Threat Expert Ltd.) C:\Windows\PCTBDCore.dll

2012-06-14 11:31 - 2012-07-18 13:10 - 01681368 ____A (Threat Expert Ltd.) C:\Windows\PCTBDRes.dll

2012-06-14 11:31 - 2012-07-18 13:10 - 00767960 ____A C:\Windows\BDTSupport.dll

2012-06-14 11:31 - 2012-07-18 13:10 - 00149464 ____A (PC Tools) C:\Windows\SGDetectionTool.dll

2012-06-14 11:31 - 2012-07-18 13:10 - 00070768 ____A (PC Tools) C:\Windows\System32\Drivers\PCTBD.sys

2012-06-14 10:03 - 2012-07-18 13:10 - 00003488 ____A C:\Windows\UDB.zip

2012-06-14 10:03 - 2012-07-18 13:10 - 00000882 ____A C:\Windows\RegSDImport.xml

2012-06-14 10:03 - 2012-07-18 13:10 - 00000879 ____A C:\Windows\RegISSImport.xml

2012-06-14 10:03 - 2012-07-18 13:10 - 00000131 ____A C:\Windows\IDB.zip

2012-05-27 11:32 - 2012-05-27 11:32 - 00000000 ____A C:\Windows\System32\phqint.ime

2012-05-27 11:31 - 2012-05-27 11:31 - 00099512 ____A C:\Windows\System32\kbPTXJTR4T.exe

ZeroAccess:

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890}

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890}\@

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890}\L

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890}\U

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890}\L\00000004.@

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890}\L\201d3dde

ZeroAccess:

C:\Users\Home\AppData\Local\{92b36841-4953-892b-afa9-7f15ed077890}

C:\Users\Home\AppData\Local\{92b36841-4953-892b-afa9-7f15ed077890}\@

C:\Users\Home\AppData\Local\{92b36841-4953-892b-afa9-7f15ed077890}\L

C:\Users\Home\AppData\Local\{92b36841-4953-892b-afa9-7f15ed077890}\U

C:\Users\Home\AppData\Local\{92b36841-4953-892b-afa9-7f15ed077890}\L\00000004.@

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%

Total physical RAM: 2941.94 MB

Available physical RAM: 2452.31 MB

Total Pagefile: 2658.36 MB

Available Pagefile: 2514.41 MB

Total Virtual: 2047.88 MB

Available Virtual: 1990.18 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:291.83 GB) (Free:19.54 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (F) (Fixed) (Total:465.76 GB) (Free:285.26 GB) NTFS

3 Drive e: (Recovery) (Fixed) (Total:6.26 GB) (Free:0.88 GB) NTFS ==>[system with boot components (obtained from reading drive)]

5 Drive g: () (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32

6 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

12 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 298 GB 1528 KB

Disk 1 Online 466 GB 1017 KB

Disk 2 Online 3830 MB 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 No Media 0 B 0 B

Disk 7 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 292 GB 32 KB

Partition 2 Primary 6409 MB 292 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C HP NTFS Partition 292 GB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 7 E Recovery NTFS Partition 6409 MB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 466 GB 1024 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 D F NTFS Partition 466 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3828 MB 19 KB

==================================================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 9 G FAT32 Removable 3828 MB Healthy

==================================================================================

Last Boot: 2012-08-23 13:34

======================= End Of Log ==========================

search log

Farbar Recovery Scan Tool Version: 23-08-2012 02

Ran by SYSTEM at 2012-08-23 15:50:16

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

[2012-05-14 01:09] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe

[2012-05-13 23:41] - [2008-01-18 22:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe

[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\Services.exe

[2012-05-14 01:09] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\ERDNT\cache\services.exe

[2010-01-18 18:24] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

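As an added example (not code from the thread, from FRST or from Farbar) of what the services.exe search above is for: the copies under C:\Windows\winsxs are the component-store originals, and a patched live copy in System32 can keep its size and company string while its MD5 changes. This Python script parses FRST's two-line search entries (the ones posted above plus one constructed mismatch with an all-zero placeholder hash) and flags any copy outside WinSxS whose hash matches none of the store copies. The "Microsoft Corporation" company check and the placeholder hash are assumptions for the demo.

```python
import re
from typing import Dict, List, Tuple

# Added example, not part of the thread or of FRST itself: parse the two-line
# entries that FRST's Search writes (path, then "[created] - [modified] - size
# attrs (company) MD5") and compare every copy of the file against the copies
# held in the WinSxS component store.

DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Entries copied from the Search.txt posted above (two WinSxS copies, the live
# System32 copy and the ERUNT backup copy).
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-05-14 01:09] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2012-05-13 23:41] - [2008-01-18 22:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\Services.exe
[2012-05-14 01:09] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\ERDNT\cache\services.exe
[2010-01-18 18:24] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
"""

# CONSTRUCTED variant: same size and company string as the store copy, but the
# hash of the live System32 copy no longer matches (the hash is a placeholder).
PATCHED_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-05-14 01:09] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\Services.exe
[2012-07-18 13:13] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) 00000000000000000000000000000000

=== End Of Search ===
"""


def parse_search_log(text: str) -> List[Dict[str, object]]:
    """Turn FRST Search output into a list of {path, created, modified, size, attrs, company, md5}."""
    entries: List[Dict[str, object]] = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue                       # blank line or section banner
        match = DETAIL_RE.match(line)
        if match and pending_path is not None:
            entry: Dict[str, object] = dict(match.groupdict())
            entry["size"] = int(match.group("size"))
            entry["md5"] = match.group("md5").upper()
            entry["path"] = pending_path
            entries.append(entry)
            pending_path = None
        else:
            pending_path = line            # a path line precedes its detail line
    return entries


def is_store_copy(path: str) -> bool:
    """WinSxS holds the reference copies that Windows itself installed."""
    return "\\winsxs\\" in path.lower()


def find_suspicious(entries: List[Dict[str, object]],
                    expected_company: str = "Microsoft Corporation") -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every non-store copy that disagrees with the store."""
    store_hashes = {e["md5"] for e in entries if is_store_copy(str(e["path"]))}
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        path = str(e["path"])
        if is_store_copy(path):
            continue
        reasons = []
        if e["md5"] not in store_hashes:
            reasons.append("MD5 matches no WinSxS copy (file content differs)")
        if e["company"] != expected_company:
            reasons.append(f"unexpected company string {e['company']!r}")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for label, log in (("posted log", SEARCH_LOG), ("constructed patched log", PATCHED_LOG)):
        hits = find_suspicious(parse_search_log(log))
        print(f"{label}: {'clean' if not hits else 'SUSPICIOUS'}")
        for path, reasons in hits:
            print(f"  {path}: {'; '.join(reasons)}")
```

Run against the posted Search.txt every copy agrees with the store, which is what lets the helper move on to the ZeroAccess folders instead of repairing services.exe; the constructed log shows the single line that would have changed the plan.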

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 23-08-2012 02

Ran by SYSTEM at 2012-08-23 16:30:56 Run:1

Running from G:\

==============================================

C:\Windows\Installer\{92b36841-4953-892b-afa9-7f15ed077890} moved successfully.

C:\Users\Home\AppData\Local\{92b36841-4953-892b-afa9-7f15ed077890} moved successfully.

HKEY_USERS\Home\Software\Microsoft\Windows\CurrentVersion\Run\\Java suns Value deleted successfully.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\Java suns Value deleted successfully.

==== End of Fixlog ====


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 12-08-22.03 - Home 08/23/2012 17:05:56.6.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2088 [GMT -7:00]

Running from: c:\users\Home\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))

.

.

2012-08-24 00:16 . 2012-08-24 00:19 -------- d-----w- c:\users\Home\AppData\Local\temp

2012-08-24 00:16 . 2012-08-24 00:16 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-08-24 00:16 . 2012-08-24 00:16 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-08-24 00:16 . 2012-08-24 00:16 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-23 22:30 . 2012-08-23 22:32 -------- d-----w- C:\FRST

2012-08-23 21:38 . 2012-08-23 21:38 -------- d--h--w- c:\windows\PIF

2012-08-23 17:54 . 2012-08-23 18:02 -------- d-----w- c:\users\Home\AppData\Roaming\Java suns

2012-08-19 19:59 . 2012-08-19 19:59 -------- d-----w- c:\program files\Common Files\Java

2012-08-19 19:58 . 2012-08-19 19:58 -------- d-----w- c:\program files\Oracle

2012-08-19 19:57 . 2012-08-19 19:57 -------- d-----w- c:\programdata\McAfee

2012-08-14 19:10 . 2012-08-14 19:10 -------- d-----w- c:\programdata\4Videosoft Studio

2012-08-14 19:10 . 2012-08-14 19:10 -------- d-----w- c:\program files\WinPcap

2012-08-14 19:10 . 2012-08-14 19:10 -------- d-----w- c:\program files\4Videosoft Studio

2012-08-12 00:35 . 2012-08-12 00:45 -------- d-----w- c:\program files\GetFLV

2012-08-11 17:47 . 2012-08-11 17:47 -------- d-----w- c:\program files\Hidden Identity - Chicago Blackout

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-15 20:02 . 2012-04-07 02:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-15 20:02 . 2011-05-16 11:54 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-18 21:13 . 2012-07-18 21:13 17800 ----a-w- c:\windows\system32\drivers\ZeroAccess.sys

2012-07-06 05:06 . 2012-05-12 11:33 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-06 05:06 . 2012-05-12 11:33 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-03 20:46 . 2009-08-24 02:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-14 19:31 . 2012-07-18 21:10 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys

2012-06-14 19:31 . 2012-07-18 21:10 2267096 ----a-w- c:\windows\PCTBDCore.dll

2012-06-14 19:31 . 2012-07-18 21:10 1681368 ----a-w- c:\windows\PCTBDRes.dll

2012-06-14 19:31 . 2012-07-18 21:10 149464 ----a-w- c:\windows\SGDetectionTool.dll

2012-06-14 19:31 . 2012-07-18 21:10 767960 ----a-w- c:\windows\BDTSupport.dll

2012-06-14 18:03 . 2012-07-18 21:10 3488 ----a-w- c:\windows\UDB.zip

2012-06-14 18:03 . 2012-07-18 21:10 131 ----a-w- c:\windows\IDB.zip

2012-06-04 00:10 . 2012-06-04 00:10 40960 ----a-r- c:\users\Home\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2012-06-04 00:10 . 2012-06-04 00:10 40960 ----a-r- c:\users\Home\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe

2012-05-27 19:31 . 2012-05-27 19:31 99512 ----a-w- c:\windows\system32\kbPTXJTR4T.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Java suns"="c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe" [2012-08-23 325192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"Java suns"="c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe" [2012-08-23 325192]

.

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

"Java suns"="c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe" [2012-08-23 325192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders credssp.dll, msansspc.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^Home^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^22a9f71f4e77ad6be6d55db944ce8f28.exe]

path=c:\users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22a9f71f4e77ad6be6d55db944ce8f28.exe

backup=c:\windows\pss\22a9f71f4e77ad6be6d55db944ce8f28.exe.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2011-04-20 19:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-06-08 00:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java suns]

2012-08-23 18:02 325192 ----a-w- c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]

2012-04-27 09:13 955280 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]

2012-05-18 19:59 21416 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]

2012-04-27 09:13 3521424 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Device Listener]

2011-03-03 08:38 380416 ----a-w- c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]

2007-10-25 12:52 4702208 ----a-w- c:\windows\RtHDVCpl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]

2012-04-28 06:58 79872 ----a-w- c:\users\Home\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-02-25 07:56 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1AA7FEAB-AE1B-F7DF-ACAF-2D5205B4C494}]

c:\users\Home\AppData\Roaming\Java\wlcomm.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}]

2012-08-23 18:02 325192 ----a-w- c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 20:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

mStart Page = about:blank

uInternet Settings,ProxyOverride = <local>;*.local

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{65CB202F-C53A-47EC-A58C-BF660DF2134C}: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Messenger Update - c:\users\Home\AppData\Roaming\Java\wlcomm.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-23 17:18

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{326E768D-4182-46FD-9C16-1449A49795F4}"=hex:51,66,7a,6c,4c,1d,38,12,e3,75,7d,

36,b0,0f,93,03,e3,00,57,09,a1,c9,d1,e0

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:81,c7,5f,85,c0,49,cd,01

.

[HKEY_USERS\S-1-5-21-2081364277-493481855-364447279-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*M*a*r*-$\OpenWithList]

@Class="Shell"

"a"="vlc.exe"

"MRUList"="a"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\WUDFHost.exe

c:\program files\NVIDIA Corporation\Display\nvtray.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

.

**************************************************************************

.

Completion time: 2012-08-23 17:29:32 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-24 00:29

ComboFix2.txt 2012-08-19 23:11

ComboFix3.txt 2012-07-19 17:10

ComboFix4.txt 2011-08-24 10:01

ComboFix5.txt 2012-08-24 00:04

.

Pre-Run: 20,954,386,432 bytes free

Post-Run: 21,040,979,968 bytes free

.

- - End Of File - - 225D889F28D63E73FA086111C3DEF800


Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

Files::

c:\windows\system32\kbPTXJTR4T.exe

c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe

c:\users\home\appdata\roaming\java\wlcomm.exe

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Java suns"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"Java suns"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1AA7FEAB-AE1B-F7DF-ACAF-2D5205B4C494}]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

"Java suns"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java suns]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}]

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
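An added triage check, not from the thread and not part of ComboFix or any of the tools used here: it parses the Active Setup lines from the ComboFix log above (copied into a constructed sample, together with one constructed benign entry) and flags the two properties that made those keys stand out, a GUID containing characters outside 0-9/A-F, which no genuine CLSID can have, and an executable launched from a user's AppData directory.

```python
import re

# A well-formed registry GUID/CLSID: 8-4-4-4-12 hex digits inside braces.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
# Key header line of an Active Setup entry as ComboFix prints it.
ACTIVE_SETUP_RE = re.compile(r"installed components\\(\{[^}]+\})\]$", re.IGNORECASE)
# An autostart executable living under a user profile is unexpected for Active Setup.
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
PATH_RE = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)

# Constructed sample: the two entries from the log above plus one made-up benign entry
# (all-zero GUID and a placeholder system32 path) to show a clean result.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1AA7FEAB-AE1B-F7DF-ACAF-2D5205B4C494}]
c:\users\Home\AppData\Roaming\Java\wlcomm.exe [bU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}]
2012-08-23 18:02 325192 ----a-w- c:\users\Home\AppData\Roaming\Java suns\Jqsx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00000000-0000-0000-0000-000000000001}]
c:\windows\system32\example.exe
""".splitlines()


def triage_active_setup(log_lines):
    """Return (guid, exe_path, reasons) for every Active Setup entry in ComboFix-style output.

    An empty reasons list means nothing about the entry looked suspicious."""
    findings = []
    guid = None
    for line in log_lines:
        line = line.strip()
        if not line or line == ".":
            continue
        key = ACTIVE_SETUP_RE.search(line)
        if key:
            guid = key.group(1)          # remember the key until its command line follows
            continue
        path = PATH_RE.search(line)
        if guid and path:
            reasons = []
            if not GUID_RE.match(guid):
                reasons.append("malformed GUID (non-hex characters)")
            if USER_PROFILE_RE.search(path.group(0)):
                reasons.append("executable under a user profile directory")
            findings.append((guid, path.group(0), reasons))
            guid = None
    return findings


if __name__ == "__main__":
    for guid, exe, reasons in triage_active_setup(SAMPLE_LOG):
        print(guid, exe, "; ".join(reasons) or "ok")
```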


Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.23.08

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Home :: HOME-PC [administrator]

8/23/2012 7:25:59 PM

mbam-log-2012-08-23 (19-25-59).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 214414

Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\Home\AppData\Local\temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Home\AppData\Local\temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

(end)


still showing up

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.23.08

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Home :: HOME-PC [administrator]

8/23/2012 7:54:47 PM

mbam-log-2012-08-23 (19-54-47).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 213942

Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\Home\AppData\Local\temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Home\AppData\Local\temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

(end)


Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run.

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish its job.

Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

~~~~~~~~~~~~~~~~~

It appears you're not running an anti-virus program.

Please download and install Microsoft Security Essentials and run a scan:

http://windows.micro...rity-essentials

Reboot and run another scan with Malwarebytes, MrC


Ran TFC, rebooted. Downloaded/installed Microsoft Security Essentials and rebooted. Scanned with Microsoft Security Essentials, nothing detected, rebooted. Scanned with mbam, came back clean.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.23.08

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Home :: HOME-PC [administrator]

8/24/2012 10:31:54 AM

mbam-log-2012-08-24 (10-31-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 214332

Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Good, please do this.....

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


Results of screen317's Security Check version 0.99.46

Windows Vista Service Pack 2 x86 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Out of date Spybot installed!

Ad-Aware

Out of date HijackThis installed!

Spybot - Search & Destroy 1.4

PC Tools Spyware Doctor 9.0

SUPERAntiSpyware Free Edition

Malwarebytes Anti-Malware version 1.62.0.1300

HijackThis 1.99.1

CCleaner

JavaFX 2.1.1

Java 7 Update 5

Java version out of Date!

Adobe Flash Player 11.3.300.271

Adobe Reader 7 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 11 % Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````
