sirefef zero access mostly cleaned, but not quite


flacorps

My situation is very similar to the one discussed here: http://forums.malwarebytes.org/index.php?showtopic=112682

I am at the stage where two log files have been produced:

FRST.TXT


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-09-2012
Ran by SYSTEM at 21-09-2012 13:02:56
Running from G:\
Windows Vista (TM) Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [90112 2006-07-11] ()
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2011-10-04] (Google)
HKLM\...\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe [161360 2006-10-19] (McAfee Inc.)
HKLM\...\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup [x]
HKLM\...\Run: [HostManager] C:\Program Files\Common Files\AOL\1173636751\ee\AOLSoftware.exe [50736 2006-09-25] (America Online, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [622592 2007-02-06] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [65536 2006-07-19] (Brother Industries, Ltd.)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [155648 2003-09-29] (Scansoft, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [36864 2006-05-05] (ScanSoft, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [40960 2006-05-05] (ScanSoft, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\ereg.ini" [324 2012-09-20] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [3039352 2012-08-29] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [947808 2012-09-18] ()
HKLM\...\Run: [ROC_ROC_NT] "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [856160 2012-09-18] ()
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4282728 2012-08-21] (AVAST Software)
HKU\dothankins\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
HKU\dothankins\...\Run: [PPScheduler] C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe [98304 2006-05-05] (Nuance Communications, Inc.)
HKU\dothankins\...\Run: [Iligkaids] C:\Users\dothankins\AppData\Roaming\Solei\iscuw.exe [245760 2012-01-31] ()
HKU\dothankins\...\Run: [Google Update] "C:\Users\dothankins\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-20] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\Users\dothankins\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
==================== Services (Whitelisted) ===================
2 AOL ACS; "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" [46640 2006-10-23] (AOL LLC)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-08-21] (AVAST Software)
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2013\avgidsagent.exe" [5751928 2012-08-20] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG2013\avgwdsvc.exe" [184304 2012-08-20] (AVG Technologies CZ, s.r.o.)
3 Emproxy; C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe [337488 2006-10-15] (McAfee, Inc.)
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2011-10-04] (Google)
2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
2 McAfee HackerWatch Service; "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe" [554600 2006-09-28] (McAfee, Inc.)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)
3 mcmispupdmgr; C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe [689752 2007-01-05] (McAfee, Inc.)
2 mcmscsvc; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [361560 2007-01-05] (McAfee, Inc.)
2 McODS; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [362064 2006-10-16] (McAfee, Inc.)
2 mcpromgr; C:\PROGRA~1\McAfee\MSC\mcpromgr.exe [493144 2007-01-05] (McAfee, Inc.)
2 McShield; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [140864 2006-10-12] (McAfee, Inc.)
3 McSysmon; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [622160 2006-10-15] (McAfee, Inc.)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [114144 2012-09-05] (Mozilla Foundation)
2 MpfService; "C:\Program Files\McAfee\MPF\MPFSrv.exe" [828968 2006-10-12] (McAfee, Inc.)
2 MPS9; C:\PROGRA~1\McAfee\MPS\mps.exe [890408 2006-10-11] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\McAfee\MSK\MskSrver.exe" [28752 2006-10-19] (McAfee Inc.)
2 vToolbarUpdater12.2.6; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-09-18] ()
2 McNASvc; "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe" [x]
2 McProxy; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [x]
2 McRedirector; c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe [x]
==================== Drivers (Whitelisted) ====================
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [58680 2012-08-21] (AVAST Software)
1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [176096 2012-08-13] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [54112 2012-08-09] (AVG Technologies CZ, s.r.o. )
1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [19808 2012-08-10] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [151520 2012-08-09] (AVG Technologies CZ, s.r.o.)
0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [178656 2012-08-09] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [89440 2012-08-10] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35168 2012-08-10] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [164704 2012-08-10] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [27496 2012-09-18] (AVG Technologies)
3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302492 2006-11-01] (Intel Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-07] (Malwarebytes Corporation)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [71496 2006-10-12] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [34120 2006-10-12] (McAfee, Inc.)
3 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [168392 2006-10-12] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [31944 2006-10-12] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [35048 2006-10-12] (McAfee, Inc.)
1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [111192 2006-10-12] (McAfee, Inc.)
3 NETw2v32; C:\Windows\System32\DRIVERS\NETw2v32.sys [2589184 2006-11-01] (Intel® Corporation)
2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [65536 2006-12-16] (New Boundary Technologies, Inc.)
3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2012-09-20 14:58 - 2012-09-20 14:58 - 10213296 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-09-20 13:27 - 2012-09-20 13:27 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-09-20 13:19 - 2012-09-20 13:27 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-09-20 13:19 - 2012-09-20 13:27 - 00000000 ____D C:\Users\All Users\Application Data\HitmanPro
2012-09-20 13:19 - 2012-09-20 13:19 - 00135016 ____A (SurfRight B.V.) C:\Windows\System32\LnkProtect.dll
2012-09-20 13:18 - 2012-09-20 13:18 - 07758424 ____A (SurfRight B.V.) C:\Users\dothankins\Downloads\HitmanPro36.exe
2012-09-20 12:47 - 2012-09-20 12:47 - 00002067 ____A C:\Users\dothankins\Desktop\Google Chrome.lnk
2012-09-20 12:44 - 2012-09-21 08:54 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000UA.job
2012-09-20 12:44 - 2012-09-20 17:54 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000Core.job
2012-09-20 12:43 - 2012-09-20 12:44 - 00000000 ____D C:\Users\dothankins\Local Settings\Deployment
2012-09-20 12:43 - 2012-09-20 12:44 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\Deployment
2012-09-20 12:43 - 2012-09-20 12:44 - 00000000 ____D C:\Users\dothankins\AppData\Local\Deployment
2012-09-20 12:43 - 2012-09-20 12:43 - 00000000 ____D C:\Users\dothankins\AppData\Local\Apps\2.0
2012-09-20 12:30 - 2012-09-20 12:30 - 00000134 ____A C:\Users\dothankins\Desktop\Microsoft Fix it.url
2012-09-20 12:25 - 2012-09-20 12:30 - 01703936 ____A C:\Windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
2012-09-20 12:25 - 2012-09-20 12:30 - 00327680 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
2012-09-20 12:25 - 2012-09-20 12:30 - 00065536 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
2012-09-20 12:23 - 2012-09-20 12:23 - 00347424 ____A (Microsoft Corporation) C:\Users\dothankins\Downloads\MicrosoftFixit.wu.MATSKB.Run.exe
2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\dothankins\Application Data\Malwarebytes
2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Malwarebytes
2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-09-20 08:53 - 2012-09-07 13:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-20 08:50 - 2012-09-20 08:51 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\dothankins\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-20 08:20 - 2012-09-20 08:20 - 00000000 ____D C:\Users\dothankins\Application Data\Macromedia
2012-09-20 08:20 - 2012-09-20 08:20 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Macromedia
2012-09-20 08:15 - 2012-09-20 08:15 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-09-20 07:55 - 2012-09-20 07:56 - 17790056 ____A (Mozilla) C:\Users\dothankins\Downloads\Firefox Setup 15.0.1.exe
2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-09-18 16:13 - 2012-08-21 01:13 - 00058680 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-09-18 15:47 - 2012-09-18 15:47 - 216786920 ____A C:\Windows\MEMORY.DMP
2012-09-18 15:47 - 2012-09-18 15:47 - 00138096 ____A C:\Windows\Minidump\Mini091812-01.dmp
2012-09-18 15:47 - 2012-09-18 15:47 - 00000000 ____D C:\Windows\Minidump
2012-09-18 15:09 - 2012-09-18 15:09 - 00000000 ____D C:\Users\dothankins\Application Data\AVG2013
2012-09-18 15:09 - 2012-09-18 15:09 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\AVG2013
2012-09-18 15:04 - 2012-09-18 15:17 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-09-18 15:04 - 2012-09-18 15:17 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search
2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\All Users\Desktop\AVG 2013.lnk
2012-09-18 15:04 - 2012-09-18 15:04 - 00000000 ____D C:\Users\dothankins\Application Data\TuneUp Software
2012-09-18 15:04 - 2012-09-18 15:04 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\TuneUp Software
2012-09-18 15:03 - 2012-09-18 15:03 - 00027496 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Users\dothankins\Local Settings\AVG Secure Search
2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\AVG Secure Search
2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Users\dothankins\AppData\Local\AVG Secure Search
2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Program Files\AVG Secure Search
2012-09-18 15:00 - 2012-09-18 15:35 - 00000000 ____D C:\Users\All Users\AVG2013
2012-09-18 15:00 - 2012-09-18 15:35 - 00000000 ____D C:\Users\All Users\Application Data\AVG2013
2012-09-18 15:00 - 2012-09-18 15:00 - 00000000 ___HD C:\$AVG
2012-09-18 14:58 - 2012-09-18 14:58 - 00000000 ____D C:\Program Files\AVG
2012-09-18 14:50 - 2012-09-21 08:04 - 00000000 ____D C:\Users\All Users\MFAData
2012-09-18 14:50 - 2012-09-21 08:04 - 00000000 ____D C:\Users\All Users\Application Data\MFAData
2012-09-18 14:50 - 2012-09-18 15:32 - 00000000 ____D C:\Users\dothankins\Local Settings\Avg2013
2012-09-18 14:50 - 2012-09-18 15:32 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\Avg2013
2012-09-18 14:50 - 2012-09-18 15:32 - 00000000 ____D C:\Users\dothankins\AppData\Local\Avg2013
2012-09-18 14:50 - 2012-09-18 14:50 - 00000000 ____D C:\Users\dothankins\Local Settings\MFAData
2012-09-18 14:50 - 2012-09-18 14:50 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\MFAData
2012-09-18 14:50 - 2012-09-18 14:50 - 00000000 ____D C:\Users\dothankins\AppData\Local\MFAData
2012-09-18 14:41 - 2012-08-21 01:12 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-09-18 14:41 - 2012-08-21 01:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-09-18 14:39 - 2012-09-18 16:09 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-09-18 14:39 - 2012-09-18 16:09 - 00000000 ____D C:\Users\All Users\Application Data\AVAST Software
2012-09-18 14:39 - 2012-09-18 16:09 - 00000000 ____D C:\Program Files\AVAST Software
2012-09-18 14:19 - 2012-09-18 14:19 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2012-09-18 14:19 - 2012-09-18 14:19 - 00000000 ____D C:\Users\All Users\Application Data\McAfee Security Scan
2012-09-18 14:19 - 2012-09-18 14:18 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-18 14:18 - 2012-09-18 14:18 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-18 13:09 - 2012-09-18 13:10 - 00894952 ____A (Oracle Corporation) C:\Users\dothankins\Downloads\jre-7u7-windows-i586-iftw.exe
2012-09-18 12:02 - 2012-09-19 06:26 - 00000000 ___HD C:\Users\dothankins\Application Data\80B1A0DF
2012-09-18 12:02 - 2012-09-19 06:26 - 00000000 ___HD C:\Users\dothankins\AppData\Roaming\80B1A0DF
2012-09-12 10:44 - 2012-09-20 09:43 - 00000000 ____D C:\Users\dothankins\Application Data\Ultotu
2012-09-12 10:44 - 2012-09-20 09:43 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Ultotu
2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\Application Data\Solei
2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\Application Data\Azlemu
2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Solei
2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Azlemu
2012-09-12 10:43 - 2012-09-18 15:08 - 00006530 ____A C:\Users\dothankins\Local Settings\chromeupdate.crx
2012-09-12 10:43 - 2012-09-18 15:08 - 00006530 ____A C:\Users\dothankins\Local Settings\Application Data\chromeupdate.crx
2012-09-12 10:43 - 2012-09-18 15:08 - 00006530 ____A C:\Users\dothankins\AppData\Local\chromeupdate.crx
2012-09-12 10:43 - 2012-09-12 10:43 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\{D0ADB54E-FD09-11E1-8271-B8AC6F996F26}
2012-09-12 10:43 - 2012-09-12 10:43 - 00000000 ____D C:\Users\dothankins\Local Settings\{D0ADB54E-FD09-11E1-8271-B8AC6F996F26}
2012-09-12 10:43 - 2012-09-12 10:43 - 00000000 ____D C:\Users\dothankins\AppData\Local\{D0ADB54E-FD09-11E1-8271-B8AC6F996F26}
2012-09-07 12:16 - 2012-09-20 08:15 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-09-04 12:20 - 2012-09-04 12:20 - 00003001 ____A C:\Users\dothankins\Downloads\covenant mortuary cover.htm
2012-09-04 12:20 - 2012-09-04 12:20 - 00000000 ____D C:\Users\dothankins\Downloads\covenant mortuary cover_files
2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\My Documents\~WRL2356.tmp
2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\Documents\~WRL2356.tmp
2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\My Documents\msh_searchpoint_signature.html
2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\Documents\msh_searchpoint_signature.html
2012-08-23 11:41 - 2012-08-23 11:41 - 00168572 ____A C:\Users\dothankins\Downloads\Grunau Hankins & Associates.08.16.2011.mdi
2012-08-23 09:40 - 2012-08-23 09:40 - 00000000 ____D C:\Users\dothankins\Downloads\jne amendment cover_files
2012-08-23 09:39 - 2012-08-23 09:40 - 00002995 ____A C:\Users\dothankins\Downloads\jne amendment cover.htm
2012-08-22 06:09 - 2012-08-22 06:09 - 01105016 ____A C:\Users\dothankins\Downloads\drupal-6.26.tar.gz

==================== 3 Months Modified Files ==================
2012-09-21 08:57 - 2006-12-16 14:40 - 00083222 ____A C:\Windows\System32\Config.MPF
2012-09-21 08:57 - 2006-11-02 04:58 - 00027722 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-21 08:57 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-21 08:56 - 2006-11-02 04:45 - 00003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-21 08:56 - 2006-11-02 04:45 - 00003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-21 08:54 - 2012-09-20 12:44 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000UA.job
2012-09-21 07:58 - 2012-05-14 05:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-20 17:54 - 2012-09-20 12:44 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000Core.job
2012-09-20 14:58 - 2012-09-20 14:58 - 10213296 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-09-20 14:58 - 2012-05-14 05:17 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-20 14:58 - 2011-10-04 06:06 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-20 13:27 - 2012-09-20 13:27 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-09-20 13:19 - 2012-09-20 13:19 - 00135016 ____A (SurfRight B.V.) C:\Windows\System32\LnkProtect.dll
2012-09-20 13:18 - 2012-09-20 13:18 - 07758424 ____A (SurfRight B.V.) C:\Users\dothankins\Downloads\HitmanPro36.exe
2012-09-20 12:47 - 2012-09-20 12:47 - 00002067 ____A C:\Users\dothankins\Desktop\Google Chrome.lnk
2012-09-20 12:38 - 2006-12-16 13:37 - 01918392 ____A C:\Windows\WindowsUpdate.log
2012-09-20 12:35 - 2011-10-06 05:38 - 00005728 ____A C:\Windows\IE9_main.log
2012-09-20 12:30 - 2012-09-20 12:30 - 00000134 ____A C:\Users\dothankins\Desktop\Microsoft Fix it.url
2012-09-20 12:30 - 2012-09-20 12:25 - 01703936 ____A C:\Windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
2012-09-20 12:30 - 2012-09-20 12:25 - 00327680 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
2012-09-20 12:30 - 2012-09-20 12:25 - 00065536 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
2012-09-20 12:23 - 2012-09-20 12:23 - 00347424 ____A (Microsoft Corporation) C:\Users\dothankins\Downloads\MicrosoftFixit.wu.MATSKB.Run.exe
2012-09-20 11:59 - 2006-11-02 02:33 - 00716774 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-20 09:30 - 2006-12-16 14:17 - 00042528 ____A C:\Windows\PFRO.log
2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:51 - 2012-09-20 08:50 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\dothankins\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-20 07:56 - 2012-09-20 07:55 - 17790056 ____A (Mozilla) C:\Users\dothankins\Downloads\Firefox Setup 15.0.1.exe
2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-09-18 16:13 - 2006-11-02 02:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-09-18 15:47 - 2012-09-18 15:47 - 216786920 ____A C:\Windows\MEMORY.DMP
2012-09-18 15:47 - 2012-09-18 15:47 - 00138096 ____A C:\Windows\Minidump\Mini091812-01.dmp
2012-09-18 15:08 - 2012-09-12 10:43 - 00006530 ____A C:\Users\dothankins\Local Settings\chromeupdate.crx
2012-09-18 15:08 - 2012-09-12 10:43 - 00006530 ____A C:\Users\dothankins\Local Settings\Application Data\chromeupdate.crx
2012-09-18 15:08 - 2012-09-12 10:43 - 00006530 ____A C:\Users\dothankins\AppData\Local\chromeupdate.crx
2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\All Users\Desktop\AVG 2013.lnk
2012-09-18 15:03 - 2012-09-18 15:03 - 00027496 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2012-09-18 14:37 - 2006-11-02 04:49 - 00002696 ____A C:\Windows\setupact.log
2012-09-18 14:18 - 2012-09-18 14:19 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-18 14:18 - 2012-09-18 14:18 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-18 14:18 - 2012-06-28 06:31 - 00821736 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-09-18 14:18 - 2012-06-28 06:31 - 00746984 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-09-18 13:10 - 2012-09-18 13:09 - 00894952 ____A (Oracle Corporation) C:\Users\dothankins\Downloads\jre-7u7-windows-i586-iftw.exe
2012-09-13 16:56 - 2007-03-10 14:01 - 00000376 ____A C:\Windows\ODBC.INI
2012-09-12 23:02 - 2006-11-02 02:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-09-07 13:04 - 2012-09-20 08:53 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-04 12:20 - 2012-09-04 12:20 - 00003001 ____A C:\Users\dothankins\Downloads\covenant mortuary cover.htm
2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\My Documents\~WRL2356.tmp
2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\Documents\~WRL2356.tmp
2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\My Documents\msh_searchpoint_signature.html
2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\Documents\msh_searchpoint_signature.html
2012-08-23 11:41 - 2012-08-23 11:41 - 00168572 ____A C:\Users\dothankins\Downloads\Grunau Hankins & Associates.08.16.2011.mdi
2012-08-23 09:40 - 2012-08-23 09:39 - 00002995 ____A C:\Users\dothankins\Downloads\jne amendment cover.htm
2012-08-22 06:09 - 2012-08-22 06:09 - 01105016 ____A C:\Users\dothankins\Downloads\drupal-6.26.tar.gz
2012-08-21 12:53 - 2012-08-21 12:53 - 02234513 ____A C:\Users\dothankins\Downloads\daniels bank of america sale page 1.jpeg
2012-08-21 01:13 - 2012-09-18 16:13 - 00058680 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 01:12 - 2012-09-18 14:41 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-21 01:12 - 2012-09-18 14:41 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-13 12:40 - 2012-08-13 12:40 - 00176096 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdriverx.sys
2012-08-10 07:21 - 2012-03-20 10:26 - 00000162 ___AH C:\Users\dothankins\My Documents\~$rpe diem counseling RUSH LLC 2 ARTICLES FLACORPS RA.DOT
2012-08-10 07:21 - 2012-03-20 10:26 - 00000162 ___AH C:\Users\dothankins\Documents\~$rpe diem counseling RUSH LLC 2 ARTICLES FLACORPS RA.DOT
2012-08-10 00:52 - 2012-08-10 00:52 - 00164704 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdix.sys
2012-08-10 00:52 - 2012-08-10 00:52 - 00089440 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx86.sys
2012-08-10 00:52 - 2012-08-10 00:52 - 00035168 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx86.sys
2012-08-10 00:52 - 2012-08-10 00:52 - 00019808 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsshimx.sys
2012-08-09 09:56 - 2012-08-09 09:56 - 00178656 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avglogx.sys
2012-08-09 09:56 - 2012-08-09 09:56 - 00151520 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx86.sys
2012-08-09 09:56 - 2012-08-09 09:56 - 00054112 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidshx.sys
2012-07-17 10:02 - 2011-10-11 12:43 - 00000426 ____A C:\Windows\BRWMARK.INI
2012-07-16 11:41 - 2012-07-16 11:39 - 00000104 ___AH C:\Users\dothankins\Downloads\.picasa.ini
2012-07-16 11:38 - 2012-07-16 11:38 - 00000899 ____A C:\Users\Public\Desktop\Picasa 3.lnk
2012-07-16 11:38 - 2012-07-16 11:38 - 00000899 ____A C:\Users\All Users\Desktop\Picasa 3.lnk
2012-07-16 11:33 - 2012-07-16 11:32 - 15267728 ____A (Google Inc.) C:\Users\dothankins\Downloads\picasa39-setup.exe
2012-06-28 06:22 - 2012-06-28 06:22 - 00894448 ____A (Oracle Corporation) C:\Users\dothankins\Downloads\jxpiinstall.exe
2012-06-26 06:17 - 2011-10-11 12:40 - 00000065 ____A C:\Windows\System32\bd7820n.dat
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\@
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\L
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\U
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\@
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\L
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\00000001.@
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\80000000.@
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\800000cb.@
==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-09-07 17:47:57
Restore point made on: 2012-09-08 20:00:50
Restore point made on: 2012-09-09 20:00:49
Restore point made on: 2012-09-10 20:00:52
Restore point made on: 2012-09-11 06:22:07
Restore point made on: 2012-09-11 20:00:51
Restore point made on: 2012-09-12 23:01:16
Restore point made on: 2012-09-18 14:16:17
Restore point made on: 2012-09-18 14:39:50
Restore point made on: 2012-09-18 14:58:09
Restore point made on: 2012-09-18 14:59:41
Restore point made on: 2012-09-18 16:09:30
Restore point made on: 2012-09-19 14:15:42
Restore point made on: 2012-09-20 08:03:45
Restore point made on: 2012-09-20 08:04:57
Restore point made on: 2012-09-20 08:07:50
==================== Memory info ===========================
Percentage of memory in use: 17%
Total physical RAM: 1501.01 MB
Available physical RAM: 1235.23 MB
Total Pagefile: 1451.44 MB
Available Pagefile: 1292.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.51 MB
==================== Partitions =============================
1 Drive c: () (Fixed) (Total:140.54 GB) (Free:93.44 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:104.89 GB) (Free:58.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (DRV1_VOL1) (Fixed) (Total:128 GB) (Free:31.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (990928_1326) (CDROM) (Total:0.49 GB) (Free:0 GB) CDFS
5 Drive g: () (Removable) (Total:14.89 GB) (Free:14.65 GB) FAT32
10 Drive r: (MS-RAMDRIVE) (Fixed) (Total:0.01 GB) (Free:0.01 GB) FAT
11 Drive x: (Recovery) (Fixed) (Total:8.51 GB) (Free:3.65 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 153 GB 4441 MB
Disk 1 Online 233 GB 822 KB
Disk 2 Online 15 GB 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 9 GB 32 KB
Partition 2 Primary 141 GB 9 GB
=========================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 X Recovery NTFS Partition 9 GB Healthy Boot
=========================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 C NTFS Partition 141 GB Healthy
=========================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 128 GB 32 KB
Partition 2 Primary 105 GB 128 GB
=========================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E DRV1_VOL1 NTFS Partition 128 GB Healthy
=========================================================
Disk: 1
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 9 D NTFS Partition 105 GB Healthy
=========================================================
Partitions of Disk 2:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 16 KB
=========================================================
Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 G FAT32 Removable 15 GB Healthy
=========================================================
Last Boot: 2012-09-20 21:38
==================== End Of Log ============================

and search.txt


Farbar Recovery Scan Tool (x86) Version: 20-09-2012
Ran by SYSTEM at 2012-09-21 13:05:32
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\System32\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2011-10-07 00:31] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
=== End Of Search ===

I have beaten my system to death with antivirus software and my browser is still redirected, even though I think I've gotten the droppers out of the picture. Help!

Thanks in advance for what comes next!
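The Search.txt output in the post above lists every copy of services.exe with its size and MD5. The following is an added example, not part of the original post or of FRST: it parses those lines and checks whether the live System32 copy is byte-identical (by size and MD5) to a copy in the winsxs component store. The function names and the "must match a winsxs copy" rule are assumptions of this example, and a match only shows the two on-disk copies agree with each other.

```python
import re

# Lines copied from the Search.txt log in the post above.
SEARCH_LOG = r"""
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\System32\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2011-10-07 00:31] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
"""

# [created] - [modified] - size attributes (company) MD5
META = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (\d+) \S+ \((.*)\) ([0-9A-Fa-f]{32})$")

def parse_search(text):
    """Pair each path line with the metadata line that follows it."""
    entries, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = META.match(line)
        if m and path:
            entries.append({"path": path, "size": int(m.group(1)),
                            "company": m.group(2), "md5": m.group(3).upper()})
            path = None
        elif re.match(r"^[A-Za-z]:\\", line):
            path = line
    return entries

def check_live_copy(entries, live=r"C:\Windows\System32\services.exe"):
    """Return (verdict, matching winsxs paths) for the live binary."""
    live_entry = next((e for e in entries if e["path"].lower() == live.lower()), None)
    if live_entry is None:
        return "missing", []
    # Only copies inside the component store count as a reference (assumed rule).
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    matches = [e["path"] for e in store
               if (e["md5"], e["size"]) == (live_entry["md5"], live_entry["size"])]
    return ("matches-store" if matches else "differs-from-store"), matches

if __name__ == "__main__":
    verdict, refs = check_live_copy(parse_search(SEARCH_LOG))
    print(verdict, refs)
```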


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Thank you. Here is the result:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-09-2012
Ran by SYSTEM at 2012-09-21 15:23:23 Run:1
Running from G:\
==============================================
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 moved successfully.
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\@ not found.
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\L not found.
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\U not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0 moved successfully.
C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\@ not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\L not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\00000001.@ not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\80000000.@ not found.
C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\800000cb.@ not found.
==== End of Fixlog ====


Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


OK, I'm back. I have a quarantine report:



Time : 24/09/2012 10:20:26
--------------------------
ERROR [cmd.exe.vir] -> cmd.exe
ERROR [k start cmd.exe.vir] -> /k start cmd.exe

And I have an RKreport:


RogueKiller V8.0.5 [09/23/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User : dothankins [Admin rights]
Mode : Scan -- Date : 09/24/2012 10:20:26
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELL][BLPATH] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT
-> E:\windows\system32\config\SOFTWARE
-> E:\Users\Default\NTUSER.DAT
-> E:\Users\Default User\NTUSER.DAT
-> E:\Users\Mark\NTUSER.DAT
-> E:\Documents and Settings\Default\NTUSER.DAT
-> E:\Documents and Settings\Default User\NTUSER.DAT
-> F:\windows\system32\config\SOFTWARE
-> F:\Users\Administrator\NTUSER.DAT
-> F:\Users\Default\NTUSER.DAT
-> F:\Users\Default User\NTUSER.DAT
-> F:\Users\Julie E Hankins\NTUSER.DAT
-> F:\Users\Mark S Hankins\NTUSER.DAT
-> F:\Users\Test\NTUSER.DAT
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721616PLAT80 ATA Device +++++
--- User ---
[MBR] 63722a15bdbcee31dd06a1707dbedbf8
[BSP] 107bb2816be0d452767ea2321ea18ee1 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8714 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 17848215 | Size: 143910 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: WDC WD2500JB-00GVC0 ATA Device +++++
--- User ---
[MBR] f71629c0b2bc5165920af661b8e301d6
[BSP] f5b36c4e0f4443bd92c6bc1d8cfe5b09 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131069 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 268431360 | Size: 107404 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>

Looks to me like there may be a little left over, but what do I know?


It looks good. Please don't put the logs in code, they're too hard to read...thanks

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[SHELL][BLPATH] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

~~~~~~~~~~~~~~~~~~~~~~~

Last........

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC
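The post above selects two of the four registry entries from the RKreport for deletion. The following is an added example, not part of the thread and not RogueKiller's own code: it parses the report's registry lines and applies a small rule set that reproduces that selection. The rules themselves (a Winlogon Shell other than explorer.exe and any [HJPOL] entry are selected, [HJ DESK] entries are left) and the reading of the ON_D: tag as "found in a hive on drive D:" are assumptions of this example.

```python
import re

# Registry section copied from the RKreport posted earlier in the thread.
REPORT = r"""
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELL][BLPATH] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> FOUND
"""

# [TAG]... KEY : value-name (data) -> STATUS
LINE = re.compile(r"^((?:\[[^\]]+\]\s*)+)(\S.*?) : (.+?) \((.*)\) -> (\w+)$")

def parse_entries(text):
    """Split each registry line into tags, key, value name, data and status."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        tags = re.findall(r"\[([^\]]+)\]", m.group(1))
        out.append({"tags": tags, "key": m.group(2), "name": m.group(3),
                    "data": m.group(4), "status": m.group(5)})
    return out

def triage(entry):
    """Apply the assumed rules; return (select_for_removal, reason)."""
    key, name = entry["key"].lower(), entry["name"].lower()
    hive = next((t for t in entry["tags"] if t.upper().startswith("ON_")), None)
    where = f" (tagged {hive})" if hive else ""
    if key.endswith("\\winlogon") and name == "shell":
        # explorer.exe is the Windows default shell value.
        if entry["data"].strip().lower() != "explorer.exe":
            return True, "Winlogon Shell is not explorer.exe" + where
        return False, "default shell"
    if "HJPOL" in entry["tags"]:
        return True, "policy entry flagged by the scanner"
    if "HJ DESK" in entry["tags"]:
        return False, "desktop icon visibility setting"
    return False, "no rule matched; review by hand"

def select_for_removal(text):
    """Names of the values the rule set would tick in the Registry tab."""
    return [e["name"] for e in parse_entries(text) if triage(e)[0]]

if __name__ == "__main__":
    for e in parse_entries(REPORT):
        print(e["name"], triage(e))
```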


Looks clean:

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.08

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16982

dothankins :: DOTHANKINS-PC [administrator]

Protection: Enabled

9/24/2012 11:30:17 AM

mbam-log-2012-09-24 (11-30-17).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 189735

Time elapsed: 12 minute(s), 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Many thanks. I chipped in too.


Great

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
