fbi malware

Hello jacksdharmabum and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Please post them in your next reply here.

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]

HKLM\...\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start [417792 2008-07-31] (Chicony)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-02-06] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [54608 2007-10-31] (TOSHIBA Corporation)

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448080 2007-06-15] (TOSHIBA Corporation)

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-03-19] (TOSHIBA Corporation)

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)

HKLM\...\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START [75136 2007-09-28] ( TOSHIBA CORPORATION)

HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1029416 2007-12-06] (Synaptics, Inc.)

HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]

HKLM\...\Run: [cfFncEnabler.exe] cfFncEnabler.exe [x]

HKLM\...\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294712 2010-11-29] (TOSHIBA Corporation)

HKLM\...\Run: [PCMAgent] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [143360 2007-12-13] (CyberLink Corp.)

HKLM\...\Run: [CLMLServer] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [188416 2008-07-10] (CyberLink)

HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [51048 2008-10-17] (Symantec Corporation)

HKLM\...\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" [988512 2008-02-25] (Symantec Corporation)

HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)

HKLM\...\Run: [skytel] Skytel.exe [x]

HKLM\...\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions [598016 2009-11-19] (Teleca Sweden AB)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM\...\Run: [Nike+ Connect] "C:\Program Files\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [70656 2012-08-08] (Nike)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKLM\...\Run: [AllShare Play] C:\Program Files\Samsung\AllShare Play\utils\AllShare Play Launcher.exe [406944 2012-11-06] (Samsung Electronics)

HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)

HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)

HKU\zack\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]

HKU\zack\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]

HKU\zack\...\Run: [uTorrent] "C:\Users\zack\Downloads\uTorrent.exe" /MINIMIZED [968592 2012-11-12] (BitTorrent, Inc.)

HKU\zack\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)

HKU\zack\...\Run: [Amazon Cloud Drive] C:\Users\zack\AppData\Local\Amazon\Cloud Drive\AmazonCloudDrive.exe [646528 2012-11-12] ()

HKU\zack\...\Run: [spotify Web Helper] "C:\Users\zack\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-12-10] (Spotify Ltd)

HKU\zack\...\Run: [waofgrhyywna] C:\Users\zack\AppData\Roaming\nzqwwnh_ [x]

HKU\zack\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\nzqwwnh_ [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Startup: C:\Users\All Users\Start Menu\Programs\Startup\iSyncr WiFi.lnk

ShortcutTarget: iSyncr WiFi.lnk -> C:\Windows\Installer\{40EDCE6B-2608-49AE-A544-5971A7073B22}\_DE29E446A7422EB0D6418F.exe ()

Startup: C:\Users\zack\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 AllShare Framework DMS; C:\Program Files\Samsung\AllShare Framework DMS\1.3.06\AllShareFrameworkManagerDMS.exe [406648 2012-10-23] (Samsung)

2 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" [238968 2008-02-21] (Symantec Corporation)

2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)

2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)

2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)

3 comHost; "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" [55640 2007-08-21] (Symantec Corporation)

2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [40960 2008-07-10] (TOSHIBA CORPORATION)

3 LiveUpdate; "C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE" [3220856 2008-09-05] (Symantec Corporation)

2 LiveUpdate Notice; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)

3 SmartFaceVWatchSrv; "C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe" [73728 2008-04-24] (Toshiba)

3 Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [1245064 2008-08-14] ()

3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [54136 2010-11-29] (TOSHIBA Corporation)

2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [431456 2008-02-06] (TOSHIBA Corporation)

2 TOSHIBA SMART Log Service; "C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe" [126976 2007-12-03] (TOSHIBA Corporation)

2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)

==================== Drivers (Whitelisted) ====================

3 COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-30] (Symantec Corporation)

2 CO_Mon; \??\C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-08-08] (Symantec Corporation)

1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-03-16] (Symantec Corporation)

3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [101936 2009-03-16] (Symantec Corporation)

1 IDSvix86; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090520.001\IDSvix86.sys [272432 2009-03-18] (Symantec Corporation)

1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2009-03-17] (Symantec Corporation)

3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2008-01-31] (Symantec Corporation)

3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2008-01-31] (Symantec Corporation)

1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2008-01-31] (Symantec Corporation)

3 SVRPEDRV; \??\C:\Windows\System32\sysprep\PEDrv.sys [9216 2008-01-18] (Inventec Corporation)

3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)

3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-04-01] (Symantec Corporation)

3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)

1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)

3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)

3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)

1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)

3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [17960 2008-07-15] (Chicony Electronics Co., Ltd.)

3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [x]

3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090523.003\NAVENG.SYS [x]

3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090523.003\NAVEX15.SYS [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 Tosrfcom; [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2012-12-23 20:49 - 2012-12-22 23:00 - 00248916 ____A (Satonakas ) C:\Users\zack\AppData\Roaming\nzqwwnh_.exe

2012-12-23 01:37 - 2012-12-23 00:11 - 00248916 ____A (Satonakas ) C:\Users\All Users\nzqwwnh_.exe

2012-12-23 01:37 - 2012-12-22 23:04 - 00248916 ____A (Satonakas ) C:\Users\zack\AppData\Local\nzqwwnh_.exe

2012-12-23 01:35 - 2012-12-23 01:35 - 00000000 ____D C:\FRST

2012-12-22 01:00 - 2012-12-16 05:12 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-22 01:00 - 2012-12-16 02:50 - 00293376 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-19 01:41 - 2012-12-19 01:41 - 00000000 ____D C:\Users\All Users\pcdfdata

2012-12-13 20:34 - 2012-12-13 20:35 - 00000000 ____D C:\Program Files\Mozilla Firefox

2012-12-13 07:34 - 2012-11-12 17:36 - 02048000 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-12-13 07:34 - 2012-11-12 17:29 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-12-13 07:34 - 2012-11-02 02:18 - 00376320 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll

2012-12-13 07:34 - 2012-11-02 00:26 - 00023040 ____A (Microsoft Corporation) C:\Windows\System32\dpnsvr.exe

2012-12-13 07:34 - 2012-09-28 08:11 - 00892928 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2012-12-13 07:14 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-12-13 07:14 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-12-13 07:14 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-12-13 07:14 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-12-13 07:14 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-12-13 07:14 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-12-13 07:14 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-12-13 07:14 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-12-13 07:14 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-12-13 07:14 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-12-13 07:14 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-12-13 07:14 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-12-13 07:14 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-12-13 07:14 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-12-13 07:14 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-12-13 07:14 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-12-13 07:09 - 2012-07-25 18:46 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-12-13 07:09 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

2012-12-13 07:09 - 2012-06-02 06:34 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-12-13 07:08 - 2012-07-25 19:39 - 00526952 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-12-13 07:08 - 2012-07-25 19:39 - 00047720 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-12-13 07:08 - 2012-07-25 19:21 - 00196608 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-12-13 07:08 - 2012-07-25 19:20 - 00613888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-12-13 07:08 - 2012-07-25 19:20 - 00172032 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-12-13 07:08 - 2012-07-25 19:20 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-12-13 07:08 - 2012-07-25 19:20 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-12-13 07:08 - 2012-07-25 18:33 - 00066560 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-12-13 07:08 - 2012-07-25 18:32 - 00155136 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-12-13 07:08 - 2009-07-14 04:12 - 00016896 ____A (Microsoft Corporation) C:\Windows\System32\winusb.dll

2012-12-12 06:29 - 2012-08-21 03:47 - 00224640 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys

2012-12-11 10:22 - 2012-12-11 10:22 - 00000000 ____D C:\Program Files\Mozilla Firefox(2)

2012-12-10 16:55 - 2012-12-10 16:55 - 00000000 ____D C:\Program Files\Skype(6)

2012-12-10 16:55 - 2012-08-02 19:14 - 00001878 ____A C:\Users\Public\Desktop\Skype.lnk

2012-12-10 04:07 - 2012-12-10 04:09 - 00000000 ____D C:\Users\All Users\F85E89F653502B450000F85D919D2FB3

2012-12-10 04:06 - 2012-12-10 04:21 - 00006527 ____A C:\Users\zack\AppData\Local\6189472f-6a7d-4e32-b2e5-1cf705bea66f.crx

2012-12-07 21:34 - 2012-12-07 21:34 - 00000000 ____D C:\Program Files\Mozilla Firefox(1)

2012-11-24 15:29 - 2012-11-24 15:29 - 13480796 ____A C:\Users\zack\Downloads\Hotmail.zip

==================== One Month Modified Files and Folders ========

2012-12-23 20:51 - 2009-01-17 23:48 - 01275050 ____A C:\Windows\WindowsUpdate.log

2012-12-23 20:50 - 2012-11-16 19:20 - 00000000 ___RD C:\Users\zack\Dropbox

2012-12-23 20:50 - 2012-11-16 19:17 - 00000000 ____D C:\Users\zack\AppData\Roaming\Dropbox

2012-12-23 20:49 - 2012-11-16 20:06 - 00000000 ____D C:\AllShare Play

2012-12-23 20:22 - 2012-08-25 05:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-12-23 06:48 - 2011-09-14 22:25 - 00000000 ____D C:\Program Files\Opera

2012-12-23 01:35 - 2012-12-23 01:35 - 00000000 ____D C:\FRST

2012-12-23 00:19 - 2006-11-02 04:52 - 00052597 ____A C:\Windows\setupact.log

2012-12-23 00:19 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-23 00:19 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-23 00:18 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-23 00:16 - 2012-04-17 20:57 - 00000000 ____D C:\Users\zack\AppData\Roaming\uTorrent

2012-12-23 00:16 - 2006-11-02 05:01 - 00032560 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-12-23 00:15 - 2010-09-16 06:34 - 00001356 ____A C:\Users\zack\AppData\Local\d3d9caps.dat

2012-12-23 00:11 - 2012-12-23 01:37 - 00248916 ____A (Satonakas ) C:\Users\All Users\nzqwwnh_.exe

2012-12-22 23:19 - 2006-11-02 02:33 - 00707520 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-22 23:04 - 2012-12-23 01:37 - 00248916 ____A (Satonakas ) C:\Users\zack\AppData\Local\nzqwwnh_.exe

2012-12-22 23:00 - 2012-12-23 20:49 - 00248916 ____A (Satonakas ) C:\Users\zack\AppData\Roaming\nzqwwnh_.exe

2012-12-22 01:18 - 2006-11-02 04:47 - 00397992 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-19 01:41 - 2012-12-19 01:41 - 00000000 ____D C:\Users\All Users\pcdfdata

2012-12-16 21:56 - 2012-04-25 09:31 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2012-12-16 05:12 - 2012-12-22 01:00 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-16 02:50 - 2012-12-22 01:00 - 00293376 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-15 08:01 - 2011-08-16 18:18 - 00000000 ____D C:\Users\zack\AppData\Roaming\Spotify

2012-12-15 07:30 - 2011-08-16 18:18 - 00000000 ____D C:\Users\zack\AppData\Local\Spotify

2012-12-14 01:39 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache

2012-12-13 20:35 - 2012-12-13 20:34 - 00000000 ____D C:\Program Files\Mozilla Firefox

2012-12-13 08:23 - 2012-08-25 05:46 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-12-13 08:23 - 2011-05-25 11:14 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-12-13 07:13 - 2009-01-17 22:47 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-12-13 06:51 - 2009-03-11 15:25 - 00000000 ____D C:\users\zack

2012-12-13 06:51 - 2006-11-02 02:22 - 47710208 ____A C:\Windows\System32\config\software_previous

2012-12-13 06:51 - 2006-11-02 02:22 - 36175872 ____A C:\Windows\System32\config\components_previous

2012-12-13 06:51 - 2006-11-02 02:22 - 23592960 ____A C:\Windows\System32\config\system_previous

2012-12-13 06:51 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous

2012-12-13 06:51 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous

2012-12-13 06:51 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\default_previous

2012-12-13 06:44 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool

2012-12-13 06:43 - 2012-08-02 19:14 - 00000000 ____D C:\Program Files\Common Files\Skype

2012-12-13 06:43 - 2009-04-05 09:30 - 00000000 ___RD C:\Program Files\Skype

2012-12-13 06:43 - 2009-04-05 09:30 - 00000000 ____D C:\Users\All Users\Skype

2012-12-13 06:43 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration

2012-12-11 20:31 - 2009-04-05 09:30 - 00000000 ____D C:\Users\zack\AppData\Roaming\Skype

2012-12-11 10:22 - 2012-12-11 10:22 - 00000000 ____D C:\Program Files\Mozilla Firefox(2)

2012-12-10 16:55 - 2012-12-10 16:55 - 00000000 ____D C:\Program Files\Skype(6)

2012-12-10 04:37 - 2009-03-11 15:26 - 00000000 ____D C:\Users\zack\AppData\Local\PowerCinema

2012-12-10 04:37 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc

2012-12-10 04:21 - 2012-12-10 04:06 - 00006527 ____A C:\Users\zack\AppData\Local\6189472f-6a7d-4e32-b2e5-1cf705bea66f.crx

2012-12-10 04:09 - 2012-12-10 04:07 - 00000000 ____D C:\Users\All Users\F85E89F653502B450000F85D919D2FB3

2012-12-07 21:34 - 2012-12-07 21:34 - 00000000 ____D C:\Program Files\Mozilla Firefox(1)

2012-11-28 13:19 - 2006-11-02 02:24 - 65087872 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-11-28 13:03 - 2008-08-14 17:00 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2012-11-24 15:29 - 2012-11-24 15:29 - 13480796 ____A C:\Users\zack\Downloads\Hotmail.zip

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-737594619-1414829202-3786626943-1000\$482e0c653d90d9c2241f655afc31ceec

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-12 06:29] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-28 07:22:25

Restore point made on: 2012-11-29 23:24:14

Restore point made on: 2012-12-01 00:51:57

Restore point made on: 2012-12-03 00:46:07

Restore point made on: 2012-12-05 08:42:46

Restore point made on: 2012-12-06 07:23:14

Restore point made on: 2012-12-07 14:08:58

Restore point made on: 2012-12-08 06:20:40

Restore point made on: 2012-12-10 11:03:12

Restore point made on: 2012-12-11 07:54:52

Restore point made on: 2012-12-13 06:31:21

Restore point made on: 2012-12-13 07:03:07

Restore point made on: 2012-12-14 00:29:22

Restore point made on: 2012-12-14 01:00:28

Restore point made on: 2012-12-14 22:32:12

Restore point made on: 2012-12-15 01:00:28

Restore point made on: 2012-12-17 10:32:53

Restore point made on: 2012-12-18 01:17:16

Restore point made on: 2012-12-18 22:00:33

Restore point made on: 2012-12-20 10:19:40

Restore point made on: 2012-12-20 22:19:42

Restore point made on: 2012-12-21 22:00:35

Restore point made on: 2012-12-22 01:00:20

Restore point made on: 2012-12-23 00:21:43

==================== Memory info ===========================

Percentage of memory in use: 13%

Total physical RAM: 2939.25 MB

Available physical RAM: 2538.72 MB

Total Pagefile: 2734.8 MB

Available Pagefile: 2591.55 MB

Total Virtual: 2047.88 MB

Available Virtual: 1972.92 MB

==================== Partitions =============================

1 Drive c: (SQ004829V03) (Fixed) (Total:289.53 GB) (Free:89.91 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS

4 Drive f: (KINGSTON) (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      298 GB   0 B
Disk 1    Online      960 MB   0 B

Partitions of Disk 0:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM               1500 MB  1024 KB
Partition 2    Primary           290 GB   1501 MB
Partition 3    Primary           7265 MB  291 GB

=========================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  E    TOSHIBA SYS  NTFS   Partition   1500 MB  Healthy    Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  C    SQ004829V03  NTFS   Partition   290 GB   Healthy

=========================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           959 MB   124 KB

=========================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  F    KINGSTON     FAT    Removable   959 MB   Healthy

=========================================================

Last Boot: 2012-12-23 20:53

==================== End Of Log ============================

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
