Infected by "FBI" RansomWare

[dkdc]

Hello -

Ihave run through all the pre-post steps to the best of my ability. However, I have only benn able to do so in Safe Mode on my affected laptop. I downloaded malwarebytes, ran it and detected and deleted some ransomware, in safe mode. Booting back into normal mode, i wasfaced with the same problems. I went backinto safemode, tried again, (found and deleted new ransomware). I rebooted into safe mode (no prompts from Malwarebytes), treid rebooting again into normal mode...problem still existed. Finally, backinto safemodeand ran as many of your recommended steps pre-posting this as I could. Below is the DDS file. Attached is the zipped "Attach" file. I ran GMER twice but came up with empty files both times. Finally I ahve attached logs of my Malwarebytes results. Thanks for any help you can give.

DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.5.1

Run by Meredith at 14:41:30 on 2012-09-23

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3824.2847 [GMT -4:00]

.

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\windows\System32\svchost.exe -k secsvcs

C:\windows\notepad.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\windows\notepad.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND

uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSND&bmod=TSND

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=userinit.exe,

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "C:\Users\Meredith\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [AdobeBridge]

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRun: [WiaExtensionHost64] C:\Users\Meredith\AppData\Local\Microsoft\Windows\3930\WiaExtensionHost64.exe

mRun: [TOSDCR] %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [<NO NAME>]

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRunOnce: [GrpConv] grpconv -o

StartupFolder: C:\Users\Meredith\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{2F7787CF-6176-4E45-B33A-B8B1A9941E13} : DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{2F7787CF-6176-4E45-B33A-B8B1A9941E13}\131364850363131303836373 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2F7787CF-6176-4E45-B33A-B8B1A9941E13}\14942545945435 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{F8AA106B-0045-4F93-A888-6929393AF2F0} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL

BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

BHO-X64: Symantec NCO BHO - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: SmartSelect - No File

TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [TOSDCR] %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe

mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun-x64: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

mRun-x64: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [(Default)]

mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRunOnce-x64: [GrpConv] grpconv -o

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Meredith\AppData\Roaming\Mozilla\Firefox\Profiles\vu8amws9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.salon.com/

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Meredith\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Meredith\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_278.dll

FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll

FF - plugin: C:\windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [?]

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 risdpcie;risdpcie;C:\windows\system32\DRIVERS\risdpe64.sys --> C:\windows\system32\DRIVERS\risdpe64.sys [?]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\windows\system32\DRIVERS\e1k62x64.sys --> C:\windows\system32\DRIVERS\e1k62x64.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETw5s64.sys --> C:\windows\system32\DRIVERS\NETw5s64.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]

S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [2011-6-16 1143416]

S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110629.050\IDSviA64.sys [2011-6-29 488056]

S1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [?]

S1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1207020.003\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1207020.003\SYMNETS.SYS [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-29 136176]

S2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe [2012-6-16 130008]

S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2011-3-2 123320]

S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2011-3-2 126392]

S2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2010-5-17 1615176]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2010-4-23 259440]

S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-2 2320920]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-8-15 284016]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-9-18 250288]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-6-7 136824]

S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-4-10 1038088]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-29 136176]

S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]

S3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-29 113120]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-5 340240]

S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]

S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-3-2 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

S3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2010-5-10 836016]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S3 wdkmd;Intel WiDi KMD;C:\windows\system32\DRIVERS\WDKMD.sys --> C:\windows\system32\DRIVERS\WDKMD.sys [?]

.

=============== Created Last 30 ================

.

2012-09-23 17:52:27 4096000 ----a-w- C:\Program Files (x86)\GUTA9B7.tmp

2012-09-23 17:52:27 -------- d-----w- C:\Program Files (x86)\GUMA8DB.tmp

2012-09-23 17:18:10 -------- d-----w- C:\Users\Meredith\AppData\Local\Google

2012-09-23 14:21:19 -------- d-----w- C:\Users\Meredith\AppData\Roaming\Malwarebytes

2012-09-23 14:20:59 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-23 14:20:58 25928 ----a-w- C:\windows\System32\drivers\mbam.sys

2012-09-23 14:20:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-22 13:19:24 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{819006D0-5790-4EF6-93A6-74BF04005C78}\offreg.dll

2012-09-19 03:06:32 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{819006D0-5790-4EF6-93A6-74BF04005C78}\mpengine.dll

2012-09-19 03:01:11 -------- d-----w- C:\Users\Meredith\AppData\Local\Macromedia

2012-09-19 02:58:58 696240 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe

.

==================== Find3M ====================

.

2012-09-23 17:53:14 73136 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-18 17:31:12 3146752 ----a-w- C:\windows\System32\win32k.sys

2012-07-04 22:01:38 58880 ----a-w- C:\windows\System32\browcli.dll

2012-07-04 22:01:38 136704 ----a-w- C:\windows\System32\browser.dll

2012-07-04 21:23:55 41472 ----a-w- C:\windows\SysWow64\browcli.dll

2012-06-27 07:03:25 1197568 ----a-w- C:\windows\System32\wininet.dll

2012-06-27 06:59:12 57856 ----a-w- C:\windows\System32\licmgr10.dll

2012-06-27 06:03:21 981504 ----a-w- C:\windows\SysWow64\wininet.dll

2012-06-27 06:01:19 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll

2012-06-27 05:41:43 482816 ----a-w- C:\windows\System32\html.iec

2012-06-27 04:58:58 1638912 ----a-w- C:\windows\System32\mshtml.tlb

2012-06-27 04:53:25 386048 ----a-w- C:\windows\SysWow64\html.iec

2012-06-27 04:19:51 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

.

============= FINISH: 14:42:16.53 ===============

Attach.zip

malware logs.zip

[MrCharlie]

Welcome to the forum.

Is this the $100 one or $200?

See if you can do this.....

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[dkdc]

Thanks Mr. Charlie. I have the $200 version. I seem to currently only be able to operate in safe mode. In normal boot everything looks good for a little bit but the cmoputer eventually goes to the screen when it is done booting - I dont seem to have time/ability to get to a DOS prompt in moremla mode at this point.

I will try Rogue Killer in safe mode.

[dkdc]

Here is the Rogue report

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Safe mode with network support

User : Meredith [Admin rights]

Mode : Scan -- Date : 09/23/2012 19:20:15

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : WiaExtensionHost64 (C:\Users\Meredith\AppData\Local\Microsoft\Windows\3930\WiaExtensionHost64.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-834566774-3736314282-4209394653-1001[...]\Run : WiaExtensionHost64 (C:\Users\Meredith\AppData\Local\Microsoft\Windows\3930\WiaExtensionHost64.exe) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++

--- User ---

[MBR] f13b89c49e361f05d37ce9b47011c32a

[bSP] 872c243b22df631530aa09a9a770c18a : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 465298 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 956004352 | Size: 10141 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

[MrCharlie]

You're also infected with ZeroAccess which is a backdoor trojan.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKCU\[...]\Run : WiaExtensionHost64 (C:\Users\Meredith\AppData\Local\Microsoft\Windows\3930\WiaExtensionHost64.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-834566774-3736314282-4209394653-1001[...]\Run : WiaExtensionHost64 (C:\Users\Meredith\AppData\Local\Microsoft\Windows\3930\WiaExtensionHost64.exe) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\n.) -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-834566774-3736314282-4209394653-1001\$37b4cbcd59c592ce8d57785b16ae7e0e\L --> FOUND

Now click Delete on the right hand column under Options

-------------

Then run TDSSKiller in safe mode:

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.
  

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[dkdc]

Wow, that does not sound good.

Do you think basic pic files transferred to a zip drive will be compromised?

[dkdc]

Do you know if the level of my (current) exposure to security risks is at all related to the length of time the computer was exposed to the internet (probably < 8 hours total)?

[dkdc]

The Zero Access is in ADDITION to this FBI nonsesne?

[dkdc]

Here Rogue Killer for a different computer I have...is it clean (of the ZeroAccess?)

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 64 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Scan -- Date : 09/23/2012 20:02:23

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (\??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl) -> FOUND

[services][ROGUE ST] HKLM\[...]\ControlSet003\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (\??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-60ZAT0 ATA Device +++++

--- User ---

[MBR] 1f6f4282d771726b312fe138ac1d8135

[bSP] 3e98088d9d39001e4c2bc061490cabd5 : Toshiba tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 462621 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 947449856 | Size: 14315 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: HP Photosmart C3150 USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

[MrCharlie]

Do you think basic pic files transferred to a zip drive will be compromised?

No

Do you know if the level of my (current) exposure to security risks is at all related to the length of time the computer was exposed to the internet (probably < 8 hours total)?

I'm not sure what you mean by this.

The Zero Access is in ADDITION to this FBI nonsesne?

Yes they usually come together

~~~~~~~~~~~~~~~~~~~`

On the vista computer > No ZA

but do this......

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (\??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl) -> FOUND

[services][ROGUE ST] HKLM\[...]\ControlSet003\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (\??

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~

How did you make out with the W7 computer??

We can clean it.

MrC

[dkdc]

Mr Charlie,

Thanks again - I had some other stuff I had to do, and just started the TDSSKiller. I downloaded and began the TDSSKiller in safe mode, then rebooted into normal mode (which until now was taking me to the FBI Ransomware page). It took about 5 minutes for the TDSSKIller to start recording objects it was looking at.

Found 1 Suspicious object "unsigned file Service: Switchboard", which I skipped as directed. Log coming in a second

[dkdc]

tdss reports are attached...3rd one may jsut bre repretitive of the other 2

TDSSKiller.2.8.10.0_23.09.2012_22.30.13_log.txt

TDSSKiller.2.8.10.0_23.09.2012_22.25.30_log.txt

TDSSKillerReport.txt

[MrCharlie]

Those logs were clean.

It's getting late for me.

Where do we stand with the W7 computer, did you run RogueKiller and delete those entries?

How is it? any difference? MrC (be back in the am)

[dkdc]

I was so focused on following your directions...looks like the FBI have returned my computer to me...thanks so very much! If you see anything in the logs or have further thoughts about teh ZeroACcess problem, I would be grateful for your advice. Cheers! I will be sure to make a donation!

Dave

[dkdc]

To give you a more complete answer, I reran Rogue Killer on the W7 as you suggested, deleted the registry files you suggested;the Zero Access files were then not found on that run. Then Ran TDSSKiller and sent you those logs. Currently on the W7 in normal mode with no sign of the FBI. Of course it seems the Zero Access is still a concern.

It is late for me as well. I really appreciate your help, thanks, and again will make a donation tomorrow AM. Look forward to any other suggestiosn you may have

[dkdc]

Also on the W7, I just reran malwarebytes and got this: these files were around earlier when I was running malwarebytes originaly and I hav edelated them at elast once already today...

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.01

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Meredith :: SU-ICIYOR [administrator]

9/23/2012 11:12:37 PM

mbam-log-2012-09-23 (23-16-26).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 213516

Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 1

C:\Users\Meredith\AppData\Roaming\hellomoto (Trojan.Ransom.FGen) -> No action taken.

Files Detected: 2

C:\Users\Meredith\AppData\Roaming\hellomoto\TujP.dat (Trojan.Ransom.FGen) -> No action taken.

C:\Users\Meredith\AppData\Roaming\hellomoto\BukF.dat (Trojan.Ransom.FGen) -> No action taken.

[MrCharlie]

OK, clean out temp files:

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run,

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish it's job

Once its finished it should automatically reboot your machine,

if it doesn't, manually reboot to ensure a complete clean

~~~~~~~~~~~~~~~~~~~~~

Then......

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

• Scan potentially unwanted applications
  
• Scan for potentially unsafe applications
  
• Enable Anti-Stealth technology
  

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

~~~~~~~~~~~~~~~~~~~~~

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now.

~~~~~~~~~~~~~~~~~~

So far as ZA, you should be OK. I would would change any passwords that are used on the system and keep an eye on any accounts that may have been used.

MrC

[dkdc]

Thanks 1,000,000. I will complete the steps in post #17 above this evening and let you know what happens.

[MrCharlie]

OK, let me know....MrC

[MrCharlie]

How are we doing??

Do you still need help or can I close this post??

MrC

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!