sdaf Posted August 26, 2012 ID:590287 Share Posted August 26, 2012 my computer is infected by Trojan.Dropper.BCMinerI would appreciate your help - thanks.DDS (Ver_2011-08-26.01) - NTFSAMD64Internet Explorer: 9.0.8112.16421Run by ms at 14:46:26 on 2012-08-26Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3001.1512 [GMT -7:00].AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Program Files\LSI SoftModem\agr64svc.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Acer\Acer ePower Management\ePowerSvc.exeC:\Program Files (x86)\Acer\Registration\GregHSRW.exeC:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exeC:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exeC:\Program Files (x86)\Spyware Doctor\pctsAuxs.exeC:\Program Files (x86)\Spyware Doctor\pctsSvc.exeC:\Program Files (x86)\SWS\SWSAgent\Sws.Agent.Service.exeC:\Program Files\Acer\Acer Updater\UpdaterService.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\system32\taskhost.exeC:\Program Files (x86)\Spyware Doctor\pctsTray.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exeC:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeC:\Windows\PLFSetI.exeC:\Program Files\Apoint2K\Apoint.exeC:\Program Files\Acer\Acer ePower Management\ePowerTray.exeC:\Windows\system32\igfxsrvc.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Users\ms\AppData\Roaming\Google\Google Talk\googletalk.exeC:\Windows\system32\igfxext.exeC:\Program Files (x86)\Skype\Phone\Skype.exeC:\Windows\system32\wbem\unsecapp.exeC:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exeC:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exeC:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exeC:\Program Files\Apoint2K\ApMsgFwd.exeC:\Program Files\Apoint2K\HidFind.exeC:\Program Files\Apoint2K\Apntex.exeC:\Windows\system32\conhost.exeC:\Program Files (x86)\Launch Manager\LManager.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exeC:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeC:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exeC:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exeC:\Program Files (x86)\iTunes\iTunesHelper.exeC:\Program Files\Acer\Acer ePower Management\ePowerEvent.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDnsC:\Windows\system32\taskeng.exeC:\Windows\system32\SearchProtocolHost.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\system32\conhost.exeC:\Windows\SysWOW64\cscript.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://google.com/uSearch Bar = PreservemDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_7736&r=27360210h706l03e8z1h5t5831a51nmStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_7736&r=27360210h706l03e8z1h5t5831a51nuInternet Settings,ProxyOverride = *.localBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllBHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dllBHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllTB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dlluRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"uRun: [Google Update] "C:\Users\ms\AppData\Local\Google\Update\GoogleUpdate.exe" /cuRun: [googletalk] C:\Users\ms\AppData\Roaming\Google\Google Talk\googletalk.exe /autostartuRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exeuRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimizedmRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"mRun: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -kmRun: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe"mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exemRun: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"mRun: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun: [iSTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"mRun: [ContentTransferWMDetector.exe] C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exemRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOWmRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottimemRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"mRunOnce: [b Register C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll",DllRegisterServerStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUDIBL~1.LNK - C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exemPolicies-explorer: NoActiveDesktop = 1 (0x1)mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlIE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlIE: {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlIE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dllIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLLLSP: mswsock.dllDPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://sabildownload.swst.com/Brokerview/iftwclix.cabDPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cabDPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocxDPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.200.1TCP: Interfaces\{AE3FEB77-5F62-46F7-A218-E9295E362423} : DhcpNameServer = 192.168.66.10 192.168.100.11TCP: Interfaces\{EC11A37B-0DA5-4D82-A54E-490123FC15D8} : DhcpNameServer = 192.168.200.1TCP: Interfaces\{EC11A37B-0DA5-4D82-A54E-490123FC15D8}\03468343 : DhcpNameServer = 212.150.49.10 212.150.48.169TCP: Interfaces\{EC11A37B-0DA5-4D82-A54E-490123FC15D8}\2414E4B4358414C4F4D4 : DhcpNameServer = 10.0.0.138TCP: Interfaces\{EC11A37B-0DA5-4D82-A54E-490123FC15D8}\2454A5541594E445F5750514F513832333 : DhcpNameServer = 192.168.14.1TCP: Interfaces\{EC11A37B-0DA5-4D82-A54E-490123FC15D8}\25963786960235368677569676723702E4564777F627B6 : DhcpNameServer = 10.0.1.1TCP: Interfaces\{EC11A37B-0DA5-4D82-A54E-490123FC15D8}\46C696E6B6 : DhcpNameServer = 192.168.0.1Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dllBHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllBHO-X64: AcroIEHelperStub - No FileC:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dllBHO-X64: RoboForm BHO - No FileBHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllBHO-X64: SkypeIEPluginBHO - No FileTB-X64: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dllmRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"mRun-x64: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -kmRun-x64: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe"mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exemRun-x64: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"mRun-x64: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun-x64: [iSTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"mRun-x64: [ContentTransferWMDetector.exe] C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exemRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOWmRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottimemRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"mRunOnce-x64: [b Register C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll",DllRegisterServerIE-X64: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlIE-X64: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlIE-X64: {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html.============= SERVICES / DRIVERS ===============.R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2009-12-7 844320]R2 Greg_Service;GRegService;C:\Program Files (x86)\Acer\Registration\GregHSRW.exe [2009-8-28 1150496]R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-9-24 62720]R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-6-17 144640]R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe [2010-3-16 359624]R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe [2010-3-16 1141712]R2 Sws.Agent.Service;Sws.Agent.Service;C:\Program Files (x86)\SWS\SWSAgent\Sws.Agent.Service.exe [2010-11-21 50272]R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2009-10-28 240160]R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-19 257224]S3 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe [2009-9-10 305448]S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-6-17 50432]S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?].=============== Created Last 30 ================.2012-08-20 01:36:25 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%2012-08-20 01:32:54 773968 ----a-w- C:\Windows\System32\msvcr100.dll2012-08-20 01:30:55 -------- d-----w- C:\Users\ms\AppData\Local\iLivid2012-08-20 01:30:30 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe.==================== Find3M ====================.2012-08-20 01:30:30 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2012-07-03 20:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys2012-06-25 23:04:24 1394248 ----a-w- C:\Windows\SysWow64\msxml4.dll2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\System32\win32k.sys2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe.============= FINISH: 14:47:22.63 ===============.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2011-08-26.01).Microsoft Windows 7 Home PremiumBoot Device: \Device\HarddiskVolume2Install Date: 2/15/2010 2:31:18 AMSystem Uptime: 8/26/2012 2:29:05 PM (0 hours ago).Motherboard: Acer | | JV50 Processor: Pentium® Dual-Core CPU T4400 @ 2.20GHz | U2E1 | 2200/200mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 286 GiB total, 148.056 GiB free.D: is CDROM ().==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP236: 6/8/2012 7:17:02 AM - Windows UpdateRP237: 6/8/2012 10:22:49 AM - Removed Microsoft Office Home and Student 2007RP238: 6/8/2012 10:29:05 AM - Windows UpdateRP239: 6/21/2012 9:10:16 PM - Windows UpdateRP240: 6/21/2012 9:18:36 PM - Windows UpdateRP241: 7/1/2012 10:27:15 AM - Windows UpdateRP242: 7/1/2012 12:37:28 PM - Windows UpdateRP243: 7/7/2012 10:02:04 PM - Windows UpdateRP244: 7/18/2012 10:59:26 AM - Windows UpdateRP245: 7/20/2012 2:59:07 PM - Windows UpdateRP246: 7/20/2012 3:16:10 PM - Windows UpdateRP247: 7/27/2012 7:38:31 AM - Windows UpdateRP248: 8/19/2012 8:59:09 PM - Scheduled Checkpoint.==== Installed Programs ======================.Acer Arcade DeluxeAcer Backup ManagerAcer Crystal Eye webcam Ver:1.1.124.1120Acer ePower ManagementAcer eRecovery ManagementAcer GamesAcer GridVistaAcer RegistrationAcer ScreenSaverAcer UpdaterAcrobat.comAdobe AIRAdobe Flash Player 11 ActiveXAdobe Reader 9.4.7 MUIApple Application SupportApple Software UpdateAudible Download ManagerBackup Manager BasicCompatibility Pack for the 2007 Office systemContent TransferCSS Cost Basis Client 7.0.1052CSS Cost Basis Client 7.0.1252CSS Cost Basis Reporting Services 7.0.1273CSS Framework 1.0.36.6CSS Framework 2.0.30CSS LOPR ClientCSS Mutual Funds ClientCSS Obligation Warehouse Client 7.0.1199CSS Omgeo AccessCSS Review and Release ClientCSS Segregation ManagementCSS Wealth Management 7.0.513D3DX10DivX SetupeSobi v2Google ChromeGoogle Talk (remove only)Google UpdaterIdentity CardiLividJava 6 Update 22Java 6 Update 26Junk Mail filter updateLaunch ManagerMalwarebytes Anti-Malware version 1.62.0.1300Microsoft Office Basic Edition 2003Microsoft Office File Validation Add-InMicrosoft Office PowerPoint Viewer 2007 (English)Microsoft Office Suite Activation AssistantMicrosoft SilverlightMicrosoft SQL Server 2005 Compact Edition [ENU]Microsoft SQL Server Compact 3.5 SP2 ENUMicrosoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Microsoft WorksMiroMSVCRTMSVCRT_amd64MSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)MSXML 4.0 SP3 ParserMSXML 4.0 SP3 Parser (KB2721691)MSXML 4.0 SP3 Parser (KB973685)MyWinLockerNTI Backup Now 5NTI Backup Now StandardNTI Media Maker 8Picasa 3QuickTimeRealtek High Definition Audio DriverRealtek USB 2.0 Card ReaderRoboForm 7-4-1 (All Users)Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Extended (KB2416472)Security Update for Microsoft .NET Framework 4 Extended (KB2487367)Security Update for Microsoft .NET Framework 4 Extended (KB2656351)Skype Click to CallSkype™ 5.5Southwest Securities Inc. - QSpyware Doctor 7.0TD AMERITRADE StrategyDesk 3.4TD AMERITRADE StrategyDesk 3.5_2 (C:\Users\ms\AppData\Roaming\TD AMERITRADE\StrategyDesk)TD AMERITRADE StrategyDesk 3.5_3 (C:\Users\ms\AppData\Roaming\TD AMERITRADE\StrategyDesk)thinkorswim from TD AMERITRADEUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2473228)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft .NET Framework 4 Extended (KB2468871)Update for Microsoft .NET Framework 4 Extended (KB2533523)Update for Microsoft .NET Framework 4 Extended (KB2600217)VC80CRTRedist - 8.0.50727.6195VLC media player 1.1.11Welcome CenterWindows Live Communications PlatformWindows Live EssentialsWindows Live InstallerWindows Live MailWindows Live MessengerWindows Live Movie MakerWindows Live Photo CommonWindows Live Photo GalleryWindows Live PIMT PlatformWindows Live SOXEWindows Live SOXE DefinitionsWindows Live SyncWindows Live UX PlatformWindows Live UX Platform Language PackWindows Live WriterWindows Live Writer ResourcesWinRAR 4.01 (32-bit)WinX DVD Ripper Platinum 6.0.0Xvid Video Codec.==== Event Viewer Messages From Past Week ========.8/26/2012 2:31:14 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the followingerror: %%-21470248918/26/2012 2:31:14 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery ResourcePublication service which failed to start because of the following error: %%-21470248918/26/2012 2:29:31 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specifiedservice does not exist as an installed service.8/26/2012 2:29:31 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This servicemight not be installed.8/26/2012 2:29:30 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service:BFE. This service might not be installed.8/20/2012 7:22:05 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Sws.Agent.Serviceservice to connect.8/20/2012 7:22:05 PM, Error: Service Control Manager [7000] - The Sws.Agent.Service service failed to start due to the following error: Theservice did not respond to the start or control request in a timely fashion..==== End Of File =========================== Link to post Share on other sites More sharing options...
MrCharlie Posted August 26, 2012 ID:590293 Share Posted August 26, 2012 Welcome to the forum.Please remove any usb or external drives from the computer before you run this scan!Please download and run RogueKiller to your desktop.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system. When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrC Link to post Share on other sites More sharing options...
sdaf Posted August 26, 2012 Author ID:590295 Share Posted August 26, 2012 thanks for your replybefore I got your instructions I had also run TDSSKiller system scan.... hope that doesnt complicate thingsHere's RKRogueKiller V8.0.0 [08/26/2012] by Tigzymail: tigzyRK<at>gmail<dot>comFeedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/Blog: http://tigzyrk.blogspot.comOperating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : ms [Admin rights]Mode : Scan -- Date : 08/26/2012 15:27:45¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 4 ¤¤¤[RUN][bLACKLIST DLL] HKLM\[...]\Wow6432Node\RunOnce : B Register C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll ("C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll",DllRegisterServer) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\n.) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤[ZeroAccess][FOLDER] U : C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\U --> FOUND[ZeroAccess][FOLDER] L : C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\L --> FOUND[ZeroAccess][FOLDER] U : C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\U --> FOUND[ZeroAccess][FOLDER] L : C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\L --> FOUND¤¤¤ Driver : [NOT LOADED] ¤¤¤¤¤¤ Infection : ZeroAccess ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 +++++--- User ---[MBR] a27d801c85514dcce593fe9a40b51b86[bSP] 2fcf1124e0c40b1e656e585b939921d5 : Windows Vista MBR CodePartition table:0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 100 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24782848 | Size: 293143 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[1].txt >>RKreport[1].txt Link to post Share on other sites More sharing options...
MrCharlie Posted August 26, 2012 ID:590299 Share Posted August 26, 2012 ¤¤¤ Particular Files / Folders: ¤¤¤[ZeroAccess][FOLDER] U : C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\U --> FOUND[ZeroAccess][FOLDER] L : C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\L --> FOUND[ZeroAccess][FOLDER] U : C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\U --> FOUND[ZeroAccess][FOLDER] L : C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\L --> FOUND¤¤¤ Driver : [NOT LOADED] ¤¤¤¤¤¤ Infection : ZeroAccess ¤¤¤You ran TDSSKiller but you're still infected.~~~~~~~~~~~~~~~~~~Here you go......Your computer is infected with a nasty rootkit. Please read the following information first.You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.BACKDOOR WARNING------------------------------One or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?http://www.dslreports.com/faq/10451When Should I Format, How Should I Reinstallhttp://www.dslreports.com/faq/10063I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.-----------------------------------------Please make sure system restore is running and create a new restore point before continuing!For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.How to tell > 32 or 64 bitPlug the flashdrive into the infected PC.Enter System Recovery Options.To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press EnterNote: Replace letter e with the drive letter of your flash drive.[*]The tool will start to run.[*]When the tool opens click Yes to disclaimer.[*]Press Scan button.[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:services.exe[*]Now press the Search button[*]When the search is complete, search.txt will also be written to your USB[*]Type exit and reboot the computer normally[*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)MrC Link to post Share on other sites More sharing options...
sdaf Posted August 26, 2012 Author ID:590304 Share Posted August 26, 2012 Scan result of Farbar Recovery Scan Tool Version: 26-08-2012 01Ran by SYSTEM at 26-08-2012 16:16:58Running from G:\Windows 7 Home Premium (X64) OS Language: English(US)The current controlset is ControlSet001==================== Registry (Whitelisted) ===================HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)HKLM\...\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [349480 2009-09-10] (Egis Technology Inc.)HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8060960 2009-08-05] (Realtek Semiconductor)HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2009-12-07] ()HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [295936 2009-05-21] (Alps Electric Co., Ltd.)HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)HKLM-x32\...\Run: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k [261888 2009-09-24] (NewTech Infosystems, Inc.)HKLM-x32\...\Run: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [199464 2009-08-04] (Egis Technology Inc.)HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1094736 2009-11-01] (Dritek System Inc.)HKLM-x32\...\Run: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [419112 2009-10-06] (CyberLink Corp.)HKLM-x32\...\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [181480 2009-10-05] (Acer Corp.)HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)HKLM-x32\...\Run: [iSTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe" [1243088 2009-11-18] (PC Tools)HKLM-x32\...\Run: [ContentTransferWMDetector.exe] C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe [583016 2009-11-19] (Sony Corporation)HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-08] ()HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-08] ()HKU\ETC\...\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [107000 2011-08-13] (Siber Systems)HKU\Guest\...\Run: [RoboForm] "C:\Users\Guest\AppData\Roaming\RoboForm\RoboTaskBarIcon.exe" [107000 2011-07-12] (Siber Systems)HKU\Guest\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe -update activex [x]HKU\ms\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-03-16] (Google Inc.)HKU\ms\...\Run: [Google Update] "C:\Users\ms\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-06] (Google Inc.)HKU\ms\...\Run: [googletalk] C:\Users\ms\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)HKU\ms\...\Run: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe [8192 2011-01-17] ()HKU\ms\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)HKLM-x32\...\RunOnce: [b Register C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll",DllRegisterServer [194432 2011-12-12] (DivX, LLC)Tcpip\Parameters: [DhcpNameServer] 192.168.200.1Startup: C:\Users\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnkShortcutTarget: Audible Download Manager.lnk -> C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)==================== Services (Whitelisted) ======3 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.)2 sdAuxService; C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe [359624 2009-10-30] (PC Tools)2 sdCoreService; C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe [1141712 2009-11-06] (PC Tools)2 Sws.Agent.Service; "C:\Program Files (x86)\SWS\SWSAgent\Sws.Agent.Service.exe" [50272 2011-12-09] (Southwest Securities, Inc.)==================== Drivers (Whitelisted) ===================0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [218056 2009-11-09] (PC Tools)3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]==================== NetSvcs (Whitelisted) ===================================== One Month Created Files and Folders ======================2012-08-26 14:27 - 2012-08-26 14:27 - 00002174 ____A C:\Users\ms\Desktop\RKreport[1].txt2012-08-26 14:26 - 2012-08-26 14:27 - 00000000 ____D C:\Users\ms\Desktop\RK_Quarantine2012-08-26 14:26 - 2012-08-26 14:26 - 01367040 ____A C:\Users\ms\Downloads\RogueKiller.exe2012-08-26 14:13 - 2012-08-26 14:13 - 00000000 ____D C:\Users\ms\AppData\Roaming\TestApp2012-08-26 14:12 - 2012-08-26 14:12 - 00000000 ____D C:\TDSSKiller_Quarantine2012-08-26 13:48 - 2012-08-26 13:48 - 00019110 ____A C:\Users\ms\Desktop\DDS.txt2012-08-26 13:48 - 2012-08-26 13:48 - 00007401 ____A C:\Users\ms\Desktop\Attach.txt2012-08-26 10:46 - 2012-08-26 10:46 - 00001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2012-08-20 18:38 - 2012-08-20 18:38 - 00015128 ____A C:\Users\ms\Downloads\[kat.ph]the.avengers.2012.dvdrip.xvid.ac3.blackjesus.torrent2012-08-19 19:10 - 2012-08-19 19:10 - 00000218 ____A C:\Users\ms\.recently-used.xbel2012-08-19 17:47 - 2012-08-19 17:47 - 00249285 ____A C:\Users\ms\Downloads\[kat.ph]the.avengers.2012.dvdrip.x264.ac3.nydic.torrent2012-08-19 17:36 - 2012-08-19 17:36 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%2012-08-19 17:32 - 2012-06-26 02:25 - 00773968 ____A (Microsoft Corporation) C:\Windows\System32\msvcr100.dll2012-08-19 17:30 - 2012-08-26 14:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job2012-08-19 17:30 - 2012-08-19 17:33 - 00000000 ____D C:\Users\ms\AppData\Local\iLivid2012-08-19 17:30 - 2012-08-19 17:30 - 01276504 ____A (Bandoo Media Inc) C:\Users\ms\Downloads\iLividSetupV1.exe2012-08-19 17:30 - 2012-08-19 17:30 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2012-07-27 06:39 - 2012-07-27 06:40 - 00412672 ____A C:\Users\ms\Desktop\SWS Bid-Sheet SF NURY.xls==================== 3 Months Modified Files ================================2012-08-26 15:15 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02012-08-26 15:15 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02012-08-26 15:09 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT2012-08-26 15:09 - 2009-07-13 20:51 - 00111443 ____A C:\Windows\setupact.log2012-08-26 14:56 - 2009-12-07 03:52 - 02014693 ____A C:\Windows\WindowsUpdate.log2012-08-26 14:44 - 2011-07-06 01:55 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728207060-1175151752-3422579409-1000UA.job2012-08-26 14:28 - 2012-08-19 17:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job2012-08-26 14:27 - 2012-08-26 14:27 - 00002174 ____A C:\Users\ms\Desktop\RKreport[1].txt2012-08-26 14:26 - 2012-08-26 14:26 - 01367040 ____A C:\Users\ms\Downloads\RogueKiller.exe2012-08-26 14:16 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe2012-08-26 13:48 - 2012-08-26 13:48 - 00019110 ____A C:\Users\ms\Desktop\DDS.txt2012-08-26 13:48 - 2012-08-26 13:48 - 00007401 ____A C:\Users\ms\Desktop\Attach.txt2012-08-26 13:29 - 2009-11-04 20:54 - 00774904 ____A C:\Windows\PFRO.log2012-08-26 12:32 - 2011-07-29 20:20 - 00000880 ____A C:\Windows\Tasks\Google Software Updater.job2012-08-26 10:46 - 2012-08-26 10:46 - 00001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2012-08-24 14:28 - 2009-07-13 21:08 - 00032542 ____A C:\Windows\Tasks\SCHEDLGU.TXT2012-08-23 19:10 - 2011-07-06 01:55 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728207060-1175151752-3422579409-1000Core.job2012-08-20 18:38 - 2012-08-20 18:38 - 00015128 ____A C:\Users\ms\Downloads\[kat.ph]the.avengers.2012.dvdrip.xvid.ac3.blackjesus.torrent2012-08-19 19:10 - 2012-08-19 19:10 - 00000218 ____A C:\Users\ms\.recently-used.xbel2012-08-19 17:47 - 2012-08-19 17:47 - 00249285 ____A C:\Users\ms\Downloads\[kat.ph]the.avengers.2012.dvdrip.x264.ac3.nydic.torrent2012-08-19 17:30 - 2012-08-19 17:30 - 01276504 ____A (Bandoo Media Inc) C:\Users\ms\Downloads\iLividSetupV1.exe2012-08-19 17:30 - 2012-08-19 17:30 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2012-08-19 17:30 - 2011-07-09 10:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl2012-07-27 06:40 - 2012-07-27 06:39 - 00412672 ____A C:\Users\ms\Desktop\SWS Bid-Sheet SF NURY.xls2012-07-27 06:30 - 2009-07-13 20:45 - 00369000 ____A C:\Windows\System32\FNTCACHE.DAT2012-07-20 14:09 - 2012-07-20 14:09 - 00264970 ____A C:\Windows\msxml4-KB2721691-enu.LOG2012-07-20 14:05 - 2010-03-16 18:39 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe2012-07-20 14:04 - 2009-07-13 18:34 - 00000531 ____A C:\Windows\win.ini2012-07-18 09:55 - 2012-07-18 09:55 - 00277680 ____A C:\Windows\Minidump\071812-21668-01.dmp2012-07-18 09:55 - 2011-03-27 14:02 - 416566356 ____A C:\Windows\MEMORY.DMP2012-07-17 21:49 - 2009-07-13 21:13 - 00779266 ____A C:\Windows\System32\PerfStringBackup.INI2012-07-03 12:46 - 2010-03-23 15:55 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys2012-06-26 02:25 - 2012-08-19 17:32 - 00773968 ____A (Microsoft Corporation) C:\Windows\System32\msvcr100.dll2012-06-25 15:04 - 2012-06-25 15:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll2012-06-11 19:08 - 2012-07-20 14:09 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys2012-06-08 21:43 - 2012-07-18 10:08 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll2012-06-08 20:41 - 2012-07-18 10:08 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll2012-06-05 22:06 - 2012-07-18 10:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll2012-06-05 22:06 - 2012-07-18 10:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll2012-06-05 22:02 - 2012-07-18 10:08 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll2012-06-05 21:05 - 2012-07-18 10:06 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll2012-06-05 21:05 - 2012-07-18 10:06 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll2012-06-05 21:03 - 2012-07-18 10:08 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll2012-06-02 14:19 - 2012-06-21 20:11 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll2012-06-02 14:19 - 2012-06-21 20:11 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll2012-06-02 14:19 - 2012-06-21 20:11 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll2012-06-02 14:19 - 2012-06-21 20:11 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe2012-06-02 14:19 - 2012-06-21 20:11 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll2012-06-02 14:19 - 2012-06-21 20:11 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll2012-06-02 14:15 - 2012-06-21 20:11 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll2012-06-02 14:15 - 2012-06-21 20:11 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll2012-06-02 14:15 - 2012-06-21 20:11 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe2012-06-02 04:49 - 2012-07-20 14:16 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2012-06-02 04:17 - 2012-07-20 14:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll2012-06-02 04:12 - 2012-07-20 14:16 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll2012-06-02 04:05 - 2012-07-20 14:16 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll2012-06-02 04:05 - 2012-07-20 14:16 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll2012-06-02 04:04 - 2012-07-20 14:16 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl2012-06-02 04:04 - 2012-07-20 14:16 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll2012-06-02 04:03 - 2012-07-20 14:16 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll2012-06-02 04:01 - 2012-07-20 14:16 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe2012-06-02 04:00 - 2012-07-20 14:16 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll2012-06-02 03:59 - 2012-07-20 14:16 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll2012-06-02 03:57 - 2012-07-20 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2012-06-02 03:57 - 2012-07-20 14:16 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll2012-06-02 03:54 - 2012-07-20 14:16 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll2012-06-02 01:07 - 2012-07-20 14:16 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2012-06-02 00:43 - 2012-07-20 14:16 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll2012-06-02 00:33 - 2012-07-20 14:16 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2012-06-02 00:26 - 2012-07-20 14:16 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll2012-06-02 00:25 - 2012-07-20 14:16 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl2012-06-02 00:25 - 2012-07-20 14:16 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll2012-06-02 00:23 - 2012-07-20 14:16 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll2012-06-02 00:21 - 2012-07-20 14:16 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll2012-06-02 00:20 - 2012-07-20 14:16 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe2012-06-02 00:19 - 2012-07-20 14:16 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll2012-06-02 00:19 - 2012-07-20 14:16 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll2012-06-02 00:17 - 2012-07-20 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll2012-06-02 00:16 - 2012-07-20 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2012-06-02 00:14 - 2012-07-20 14:16 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll2012-06-01 21:50 - 2012-07-18 10:04 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys2012-06-01 21:48 - 2012-07-18 10:04 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys2012-06-01 21:48 - 2012-07-18 10:04 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys2012-06-01 21:45 - 2012-07-18 10:04 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll2012-06-01 21:44 - 2012-07-18 10:04 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll2012-06-01 20:40 - 2012-07-18 10:04 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll2012-06-01 20:40 - 2012-07-18 10:04 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll2012-06-01 20:39 - 2012-07-18 10:04 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll2012-06-01 20:34 - 2012-07-18 10:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll2012-05-31 11:25 - 2010-02-22 17:40 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exeZeroAccess:C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\LC:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\UC:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\L\00000004.@C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015}\L\201d3ddeZeroAccess:C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\LC:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015}\U==================== Known DLLs (Whitelisted) ===================================== Bamital & volsnap Check =================C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit==================== EXE ASSOCIATION =====================HKLM\...\.exe: exefile => OKHKLM\...\exefile\DefaultIcon: %1 => OKHKLM\...\exefile\open\command: "%1" %* => OK==================== Restore Points =========================Restore point made on: 2012-06-08 06:17:26Restore point made on: 2012-06-08 09:23:23Restore point made on: 2012-06-08 09:29:18Restore point made on: 2012-06-21 20:10:58Restore point made on: 2012-06-21 20:19:26Restore point made on: 2012-07-01 09:28:33Restore point made on: 2012-07-01 11:37:52Restore point made on: 2012-07-07 21:03:12Restore point made on: 2012-07-18 10:00:43Restore point made on: 2012-07-20 14:02:50Restore point made on: 2012-07-20 14:16:31Restore point made on: 2012-07-27 06:39:09Restore point made on: 2012-08-19 19:59:39==================== Memory info ===========================Percentage of memory in use: 22%Total physical RAM: 3000.93 MBAvailable physical RAM: 2334.01 MBTotal Pagefile: 2999.07 MBAvailable Pagefile: 2329.15 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.91 MB==================== Partitions ============================1 Drive c: (ACER) (Fixed) (Total:286.27 GB) (Free:148.06 GB) NTFS2 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:1.35 GB) NTFS4 Drive g: (USB20FD) (Removable) (Total:3.77 GB) (Free:3.76 GB) FAT325 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 298 GB 0 B Disk 1 Online 3864 MB 0 B Partitions of Disk 0:=============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Recovery 11 GB 1024 KB Partition 2 Primary 100 MB 11 GB Partition 3 Primary 286 GB 11 GB==================================================================================Disk: 0Partition 1Type : 27Hidden: YesActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden ==================================================================================Disk: 0Partition 2Type : 07Hidden: NoActive: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy ==================================================================================Disk: 0Partition 3Type : 07Hidden: NoActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 2 C ACER NTFS Partition 286 GB Healthy ==================================================================================Partitions of Disk 1:=============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 3863 MB 31 KB==================================================================================Disk: 1Partition 1Type : 0CHidden: NoActive: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 4 G USB20FD FAT32 Removable 3863 MB Healthy ==================================================================================Last Boot: 2012-08-19 19:52==================== End Of Log =============================Farbar Recovery Scan Tool Version: 26-08-2012 01Ran by SYSTEM at 2012-08-26 16:21:33Running from G:\================== Search: "services.exe" ===================C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCBC:\Windows\System32\services.exe[2009-07-13 15:19] - [2012-08-26 14:16] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB====== End Of Search ====== Link to post Share on other sites More sharing options...
MrCharlie Posted August 26, 2012 ID:590307 Share Posted August 26, 2012 OK, here you go......Please carefully carry out this procedure!!!!!!Please download the attached fixlist.txt and copy it to your flashdrive.NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7: Now please enter System Recovery Options. (as you did before)Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.MrC Link to post Share on other sites More sharing options...
sdaf Posted August 26, 2012 Author ID:590310 Share Posted August 26, 2012 Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 26-08-2012 01Ran by SYSTEM at 2012-08-26 16:47:31 Run:1Running from G:\==============================================C:\Windows\Installer\{87f26e2c-8360-a580-2ff3-357139ab4015} moved successfully.C:\Users\ms\AppData\Local\{87f26e2c-8360-a580-2ff3-357139ab4015} moved successfully.==== End of Fixlog ==== Link to post Share on other sites More sharing options...
MrCharlie Posted August 27, 2012 ID:590315 Share Posted August 27, 2012 Well Done, lets run ComboFix to clear up any leftovers.Please download and run ComboFix.The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingcomputer.com/combofix/how-to-use-combofixEnsure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found Here.Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed.Please include the C:\ComboFix.txt in your next reply for further review.---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.MrC Link to post Share on other sites More sharing options...
sdaf Posted August 27, 2012 Author ID:590329 Share Posted August 27, 2012 here's the log with a couple of caveats - the latest scanner seemed to start running automatically after the download so it may have not run from the desktop, and I'm not 100% sure all AV software had been disabled.Let me know if I should run this scan againthanksComboFix 12-08-25.04 - ms 08/26/2012 17:19:11.1.2 - x64Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3001.1806 [GMT -7:00]Running from: c:\users\ms\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B69I21BB\ComboFix.exeAV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\program files (x86)\Q Securities Processing Software\BrokerView\regsvr32.exec:\users\ms\AppData\Local\Temp\{79D70647-F792-4AB7-836F-640B729C913F}\fpb.tmpc:\users\ms\GoToAssistDownloadHelper.exe..((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))..2012-08-27 00:28 . 2012-08-27 00:28 -------- d-----w- c:\users\ETC\AppData\Local\temp2012-08-27 00:28 . 2012-08-27 00:28 -------- d-----w- c:\users\Default\AppData\Local\temp2012-08-27 00:28 . 2012-08-27 00:28 -------- d-----w- c:\users\Guest\AppData\Local\temp2012-08-27 00:06 . 2012-08-27 00:06 -------- d-----w- C:\FRST2012-08-26 22:13 . 2012-08-26 22:13 -------- d-----w- c:\users\ms\AppData\Roaming\TestApp2012-08-26 22:12 . 2012-08-26 22:12 -------- d-----w- C:\TDSSKiller_Quarantine2012-08-20 01:36 . 2012-08-20 01:36 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%2012-08-20 01:32 . 2012-06-26 10:25 773968 ----a-w- c:\windows\system32\msvcr100.dll2012-08-20 01:30 . 2012-08-20 01:33 -------- d-----w- c:\users\ms\AppData\Local\iLivid2012-08-20 01:30 . 2012-08-20 01:30 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2012-08-26 22:16 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe2012-08-20 01:30 . 2011-07-09 18:05 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2012-07-20 22:05 . 2010-03-17 02:39 59701280 ----a-w- c:\windows\system32\MRT.exe2012-07-03 20:46 . 2010-03-23 23:55 24904 ----a-w- c:\windows\system32\drivers\mbam.sys2012-06-29 10:04 . 2012-07-27 14:39 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{672E2E14-9F2C-4B19-A07F-0B14A01D072A}\mpengine.dll2012-06-25 23:04 . 2012-06-25 23:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll2012-06-12 03:08 . 2012-07-20 22:09 3148800 ----a-w- c:\windows\system32\win32k.sys2012-06-09 05:43 . 2012-07-18 18:08 14172672 ----a-w- c:\windows\system32\shell32.dll2012-06-06 06:06 . 2012-07-18 18:06 2004480 ----a-w- c:\windows\system32\msxml6.dll2012-06-06 06:06 . 2012-07-18 18:06 1881600 ----a-w- c:\windows\system32\msxml3.dll2012-06-06 06:02 . 2012-07-18 18:08 1133568 ----a-w- c:\windows\system32\cdosys.dll2012-06-06 05:05 . 2012-07-18 18:06 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll2012-06-06 05:05 . 2012-07-18 18:06 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll2012-06-06 05:03 . 2012-07-18 18:08 805376 ----a-w- c:\windows\SysWow64\cdosys.dll2012-06-02 22:19 . 2012-06-22 04:11 38424 ----a-w- c:\windows\system32\wups.dll2012-06-02 22:19 . 2012-06-22 04:11 2428952 ----a-w- c:\windows\system32\wuaueng.dll2012-06-02 22:19 . 2012-06-22 04:11 57880 ----a-w- c:\windows\system32\wuauclt.exe2012-06-02 22:19 . 2012-06-22 04:11 44056 ----a-w- c:\windows\system32\wups2.dll2012-06-02 22:19 . 2012-06-22 04:11 186752 ----a-w- c:\windows\system32\wuwebv.dll2012-06-02 22:19 . 2012-06-22 04:11 701976 ----a-w- c:\windows\system32\wuapi.dll2012-06-02 22:15 . 2012-06-22 04:11 2622464 ----a-w- c:\windows\system32\wucltux.dll2012-06-02 22:15 . 2012-06-22 04:11 36864 ----a-w- c:\windows\system32\wuapp.exe2012-06-02 22:15 . 2012-06-22 04:11 99840 ----a-w- c:\windows\system32\wudriver.dll2012-06-02 12:49 . 2012-07-20 22:16 17807360 ----a-w- c:\windows\system32\mshtml.dll2012-06-02 12:17 . 2012-07-20 22:16 10924032 ----a-w- c:\windows\system32\ieframe.dll2012-06-02 12:12 . 2012-07-20 22:16 2311680 ----a-w- c:\windows\system32\jscript9.dll2012-06-02 12:05 . 2012-07-20 22:16 1346048 ----a-w- c:\windows\system32\urlmon.dll2012-06-02 12:05 . 2012-07-20 22:16 1392128 ----a-w- c:\windows\system32\wininet.dll2012-06-02 12:04 . 2012-07-20 22:16 1494528 ----a-w- c:\windows\system32\inetcpl.cpl2012-06-02 12:04 . 2012-07-20 22:16 237056 ----a-w- c:\windows\system32\url.dll2012-06-02 12:03 . 2012-07-20 22:16 85504 ----a-w- c:\windows\system32\jsproxy.dll2012-06-02 12:01 . 2012-07-20 22:16 173056 ----a-w- c:\windows\system32\ieUnatt.exe2012-06-02 12:00 . 2012-07-20 22:16 818688 ----a-w- c:\windows\system32\jscript.dll2012-06-02 11:59 . 2012-07-20 22:16 2144768 ----a-w- c:\windows\system32\iertutil.dll2012-06-02 11:57 . 2012-07-20 22:16 96768 ----a-w- c:\windows\system32\mshtmled.dll2012-06-02 11:57 . 2012-07-20 22:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb2012-06-02 11:54 . 2012-07-20 22:16 248320 ----a-w- c:\windows\system32\ieui.dll2012-06-02 08:33 . 2012-07-20 22:16 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll2012-06-02 08:25 . 2012-07-20 22:16 1129472 ----a-w- c:\windows\SysWow64\wininet.dll2012-06-02 08:25 . 2012-07-20 22:16 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl2012-06-02 08:20 . 2012-07-20 22:16 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe2012-06-02 08:16 . 2012-07-20 22:16 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb2012-06-02 05:50 . 2012-07-18 18:04 458704 ----a-w- c:\windows\system32\drivers\cng.sys2012-06-02 05:48 . 2012-07-18 18:04 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys2012-06-02 05:48 . 2012-07-18 18:04 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys2012-06-02 05:45 . 2012-07-18 18:04 340992 ----a-w- c:\windows\system32\schannel.dll2012-06-02 05:44 . 2012-07-18 18:04 307200 ----a-w- c:\windows\system32\ncrypt.dll2012-06-02 04:40 . 2012-07-18 18:04 22016 ----a-w- c:\windows\SysWow64\secur32.dll2012-06-02 04:40 . 2012-07-18 18:04 225280 ----a-w- c:\windows\SysWow64\schannel.dll2012-06-02 04:39 . 2012-07-18 18:04 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll2012-06-02 04:34 . 2012-07-18 18:04 96768 ----a-w- c:\windows\SysWow64\sspicli.dll2012-05-31 19:25 . 2010-02-23 01:40 279656 ------w- c:\windows\system32\MpSigStub.exe..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]2009-09-11 05:41 120104 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x86\PSDProtect.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-17 39408]"googletalk"="c:\users\ms\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-09-24 261888]"EgisTecLiveUpdate"="c:\program files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]"ArcadeDeluxeAgent"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2009-10-06 419112]"PlayMovie"="c:\program files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2009-10-06 181480]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]"ISTray"="c:\program files (x86)\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]"ContentTransferWMDetector.exe"="c:\program files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk - c:\program files (x86)\Audible\Bin\AudibleDownloadHelper.exe [2011-3-14 2125472].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp.R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 257224]R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-11 305448]R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-05 216064]R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-30 1255736]S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2009-11-09 218056]S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-03 22576]S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-03 20016]S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-03 60464]S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 844320]S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-09-24 62720]S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]S2 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]S2 Sws.Agent.Service;Sws.Agent.Service;c:\program files (x86)\SWS\SWSAgent\Sws.Agent.Service.exe [2011-12-09 50272]S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 139264]S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]..Contents of the 'Scheduled Tasks' folder.2012-08-27 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 01:30].2012-08-26 c:\windows\Tasks\Google Software Updater.job- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-17 15:05].2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728207060-1175151752-3422579409-1000Core.job- c:\users\ms\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-06 09:55].2012-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728207060-1175151752-3422579409-1000UA.job- c:\users\ms\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-06 09:55]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]2009-09-11 05:44 137512 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x64\PSDProtect.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]"mwlDaemon"="c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-11 349480]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-06 8060960]"PLFSetI"="c:\windows\PLFSetI.exe" [2009-12-07 200704]"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-05-22 295936]"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 823840]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"LoadAppInit_DLLs"=0x0.------- Supplementary Scan -------.uStart Page = hxxp://google.com/uLocal Page = c:\windows\system32\blank.htmmStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_7736&r=27360210h706l03e8z1h5t5831a51nmLocal Page = c:\windows\SysWOW64\blank.htmuInternet Settings,ProxyOverride = *.localIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200TCP: DhcpNameServer = 192.168.200.1.- - - - ORPHANS REMOVED - - - -.Toolbar-Locked - (no file)SafeBoot-68743439.sysSafeBoot-mcmscsvcSafeBoot-MCODSToolbar-Locked - (no file)...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\S-1-5-21-3728207060-1175151752-3422579409-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]@Denied: (2) (S-1-5-21-3728207060-1175151752-3422579409-1000)@Denied: (2) (LocalSystem)"Progid"="WindowsLiveMail.Email.1".[HKEY_USERS\S-1-5-21-3728207060-1175151752-3422579409-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]@Denied: (2) (S-1-5-21-3728207060-1175151752-3422579409-1000)@Denied: (2) (LocalSystem)"Progid"="WindowsLiveMail.VCard.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.11".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000"MSCurrentCountry"=dword:000000b5.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\program files (x86)\Spyware Doctor\pctsSvc.exec:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe.**************************************************************************.Completion time: 2012-08-26 17:36:39 - machine was rebootedComboFix-quarantined-files.txt 2012-08-27 00:36.Pre-Run: 177,473,953,792 bytes freePost-Run: 181,320,646,656 bytes free.- - End Of File - - DB9274FEF96666DD676F000DE29E1E8D Link to post Share on other sites More sharing options...
MrCharlie Posted August 27, 2012 ID:590331 Share Posted August 27, 2012 Looks Good.....Please Update and run a Quick Scan with MBAM, post the report.Make sure that everything is checked, and click Remove Selected.Please let me know how computer is running now, MrC Link to post Share on other sites More sharing options...
sdaf Posted August 27, 2012 Author ID:590333 Share Posted August 27, 2012 awesome - looks like you did it! now I have a nother old PC running the MBAM scan - it's been going for 2:48 already and two infected items are coming up -- can I repeat the above steps if it has the same infection or do I need to get step by assistance all over again?thanks very muchMalwarebytes Anti-Malware 1.62.0.1300www.malwarebytes.orgDatabase version: v2012.08.26.05Windows 7 Service Pack 1 x64 NTFSInternet Explorer 9.0.8112.16421ms :: MS-PC [administrator]8/26/2012 5:55:06 PMmbam-log-2012-08-26 (17-55-06).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 240564Time elapsed: 3 minute(s), 57 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
MrCharlie Posted August 27, 2012 ID:590334 Share Posted August 27, 2012 awesome - looks like you did it!now I have a nother old PC running the MBAM scan - it's been going for 2:48 already and two infected items are coming up -- can I repeat the above steps if it has the same infection or do I need to get step by assistance all over again?No, every infections is different....so post on the forum.~~~~~~~~~~~~~~A little clean up to do....Please Uninstall ComboFix: (if you used it)Press the Windows logo key + R to bring up the "run box"Copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)---------------------------------Please download OTL from one of the links below: (you may already have OTL on the system)http://oldtimer.geekstogo.com/OTL.exehttp://oldtimer.geekstogo.com/OTL.comhttp://www.itxassoci...T-Tools/OTL.exeSave it to your desktop.Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)Any other programs or logs you can manually delete.IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....-------------------------------Any questions...please post back.If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.Take a look at My Preventive Maintenance to avoid being infected again.Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 27, 2012 ID:590432 Share Posted August 27, 2012 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts