
Round 2 with Moneypak-- quarantined but really gone?



Ok, so I got hit with this back in October, and was able to successfully run MBAM and deal with it--so I thought, at least. One major problem it left me with is that it deleted all my restore points before I got the virus, so I haven't been able to do a proper system restore. Still, I was able to get past it and get my computer unlocked. A couple of weeks ago the dreaded screen popped up again, a little different this time, and even though I was able to run MBAM again I couldn't get around the screen.

So.... a couple of weeks go by, I'm dealing with the holidays and all, thinking I am just gonna wipe my system. I decided to give this one more shot though: booted up in safe mode w/ networking again, updated the MBAM database and was finally able to get past the screen again, which is the state I'm at now. I've still got 13 items quarantined that leave me wondering if it's still lingering in my system somehow. Here are my DDS & Attach files. If someone can tell me if I am finally safe or if I need to do something manually to get rid of it for good, please let me know. Thanks very much!

DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.7600.16671 BrowserJavaVersion: 1.6.0_29

Run by Rain at 22:03:27 on 2013-01-04

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2999.1590 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Configuration Center\bin\DeviceControlService.exe

C:\Program Files\Kensington TrackballWorks\KTbWorksS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\rpcnet.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files\Configuration Center\bin\McaMaster.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\FSP\FspUip.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\Kensington TrackballWorks\KTbWorksL.exe

C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Kensington TrackballWorks\KTbWorks.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k swprv

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.babylon.com/home?AF=14542

uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll

mURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: uTorrentControl2 Toolbar: {687578B9-7132-4A7A-80E4-30EE31099E03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Nico Mak Computing] RUNDLL32.EXE "c:\users\rain\appdata\local\nico mak computing\xjdoeves.dll",IZDSP_GetBassBoost

mRun: [Configuration Center] c:\program files\configuration center\bin\McaMaster.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [fspuip] c:\program files\fsp\fspuip.exe

mRun: [TrayServer] c:\program files\magix\movie_edit_pro_15\TrayServer.exe

mRun: [KTbWorks] "c:\program files\kensington trackballworks\KTbWorksL.exe"

mRun: [bSDAppUpdater] c:\program files\common files\bsd\appupdater\BSDChecker.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRunOnce: [Launcher] c:\program files\sminst\Launcher.exe

StartupFolder: c:\users\rain\appdata\roaming\micros~1\windows\startm~1\programs\startup\config~1.lnk - c:\program files\configuration center\bin\CCStartup.exe

StartupFolder: c:\users\rain\appdata\roaming\microsoft\windows\start menu\programs\startup\TO DO.txt

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

uPolicies-Explorer: NoDriveAutorun = dword:0

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: HideSCAHealth = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{A0C67C27-DEF9-4C82-B910-F07407AE38DA} : DHCPNameServer = 12.127.16.67 12.127.17.71

TCP: Interfaces\{CA1ABEBE-1218-497F-9BF1-AE49A07713B9} : DHCPNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\rain\appdata\roaming\mozilla\firefox\profiles\c4stxr0m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.easycgi.com/mail/index.bml

FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin10171.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\rain\appdata\roaming\mozilla\firefox\profiles\c4stxr0m.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\plugins\np-mswmp.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll

.

============= SERVICES / DRIVERS ===============

.

R2 DcsService;Device Control Service;c:\program files\configuration center\bin\DeviceControlService.exe [2010-2-23 622592]

R2 HMuKstE;Kensington TrackballWorks Expert USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstE.sys [2010-11-9 51280]

R2 KTbWorksService;Kensington TrackballWorks Service;c:\program files\kensington trackballworks\KTbWorksS.exe [2010-11-9 50256]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-4 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-4 682344]

R3 fspad_wlh32;Finger Sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh32;c:\windows\system32\drivers\fspad_wlh32.sys [2010-7-19 44032]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-7-15 132480]

R3 IPMLEBL;Intel IPML ACPI Device;c:\windows\system32\drivers\ipmlebl.sys [2010-7-19 10368]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-4 21104]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-7-19 189440]

R3 VKBD;Virtual Keyboard Device;c:\windows\system32\drivers\virkbd.sys [2010-7-19 18432]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-7-19 29472]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-7-19 14216]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-7-19 8456]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2010-11-2 1527900]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-8-17 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]

S3 L6PODHDBEAN;Service - Line 6 POD HD;c:\windows\system32\drivers\L6PODHDBEAN.sys [2011-11-30 583168]

S3 Saffire;Saffire;c:\windows\system32\drivers\Saffire.sys [2010-8-21 129376]

S3 SaffireAudio;Saffire Audio;c:\windows\system32\drivers\SaffireAudio.sys [2010-8-21 28256]

S3 SaffireMidi;Saffire MIDI;c:\windows\system32\drivers\SaffireMidi.sys [2010-8-21 31584]

S3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2010-9-30 52824]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 VIRUSUSB;USB ASIO driver for Virus TI USB;c:\windows\system32\drivers\VirusUSB.sys [2010-5-27 389696]

S3 VTIAUDIO;Virus TI Audio;c:\windows\system32\drivers\vtiaudio.sys [2010-5-27 39488]

S3 VTIMIDEV01;Virus TI MIDI Driver;c:\windows\system32\drivers\vtimidi.sys [2010-5-11 56136]

S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-7-19 13336]

S4 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-7-19 2320920]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2013-01-05 02:14:28 -------- d-----w- c:\users\rain\appdata\local\Programs

.

==================== Find3M ====================

.

2013-01-05 02:44:22 17920 ----a-w- c:\windows\system32\rpcnetp.exe

2013-01-05 02:44:20 58288 ----a-w- c:\windows\system32\rpcnet.dll

2013-01-05 02:43:20 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-05 02:43:20 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-05 02:42:46 17920 ----a-w- c:\windows\system32\rpcnetp.dll

2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-19 17:16:42 13160 ----a-w- c:\windows\system32\Upgrd.exe

2012-10-19 17:16:38 58288 ------w- c:\windows\system32\rpcnet.exe

.

============= FINISH: 22:03:34.48 ===============

Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 7/19/2010 8:30:05 AM

System Uptime: 1/4/2013 9:44:03 PM (1 hours ago)

.

Motherboard: To be filled by O.E.M. | | To be filled by O.E.M.

Processor: Intel® Core™ i7 CPU M 620 @ 2.67GHz | CPU 1 | 2661/533mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 100 GiB total, 40.198 GiB free.

D: is FIXED (NTFS) - 354 GiB total, 13.825 GiB free.

E: is CDROM (UDF)

F: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}

Description: Bluetooth 2.1 module

Device ID: USB\VID_13D3&PID_3250\0025D3B5A09C

Manufacturer: Broadcom

Name: Bluetooth 2.1 module

PNP Device ID: USB\VID_13D3&PID_3250\0025D3B5A09C

Service: BTHUSB

.

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: Card Reader

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_MULTIPLE&PROD_CARD__READER&REV_1.00#058F63666433&0#

Manufacturer: Multiple

Name: Q3HD_SD

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_MULTIPLE&PROD_CARD__READER&REV_1.00#058F63666433&0#

Service: WUDFRd

.

==== System Restore Points ===================

.

RP16: 11/12/2012 8:29:44 PM - Scheduled Checkpoint

RP17: 11/21/2012 4:19:57 AM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

µTorrent

1.2.1

Ableton Live 8

ACDSee 32

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.1

Amazon MP3 Downloader 1.0.17

Analog Factory 2.5

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ARP2600 V2 2.0

Arturia CS-80V v1.5

Arturia Prophet V VSTi RTAS v1.2.1

Atheros Client Installation Program

Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver

Auslogics Disk Defrag

Bing Bar

Bonjour

Camera Recorder

Canon Camera Window DC_DV 6 for ZoomBrowser EX

Canon Camera Window MC 6 for ZoomBrowser EX

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities PhotoStitch

Canon Utilities ZoomBrowser EX

CDDRV_Installer

Compatibility Pack for the 2007 Office system

Configuration Center

D3DX10

Definition update for Microsoft Office 2010 (KB982726)

Driver Whiz

DVD Suite

EASEUS Partition Master 4.1.1 Professional

eLicenser Control

erLT

Finger Sensing Pad Driver

Firebird SQL Server - MAGIX Edition

FLAC To MP3 V4.0.4

Focusrite Plug-in Suite 1.0.3

foobar2000 v1.1.10

iCloud

Intel® Control Center

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Components

Intel® Rapid Storage Technology

Intel® TV Wizard

iPodCopy

iTunes

Java Auto Updater

Java™ 6 Update 29

Junk Mail filter update

Kensington TrackballWorks

KhalInstallWrapper

Line 6 Uninstaller

Live 8.0.9

Live 8.1.5

Live 8.2.1

Live 8.2.5

Live 8.2.7

Logitech SetPoint

MAGIX Movie Edit Pro 15 8.0.5.8 (UK)

MAGIX Photo Manager 8 6.0.1.465 (UK)

MAGIX Screenshare 4.3.6.1987 (UK)

Malwarebytes Anti-Malware version 1.70.0.1100

MediaWidget 6.0

Mesh Runtime

Messenger Companion

Microsoft Application Error Reporting

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Business 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Virtual PC 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

MobileMe Control Panel

Mozilla Firefox 17.0 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSXML 4.0 SP3 Parser (KB973685)

PC Recovery Center

PhotoNow! 1.0

PIXresizer 2.0.4

Power2Go 5.0

PowerDirector Express

PowerDVD

PowerDVD Copy

PowerProducer

QuickTime

Realtek High Definition Audio Driver

Safari

Saffire MixControl 2.2

SmartFTP Client

SmartFTP Client 4.0 Setup Files (remove only)

SoundTap Streaming Audio Recorder

Spelling Dictionaries Support For Adobe Reader 9

Switch Sound File Converter

TouchCopy 11

uTorrentControl2 Toolbar

Virus TI Software Suite

WavePad Sound Editor

WIDCOMM Bluetooth Software

Winamp

Winamp Detector Plug-in

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

WinRAR archiver

WinZip 16.5

.

==== Event Viewer Messages From Past Week ========

.

1/4/2013 9:44:19 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

1/4/2013 9:44:18 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

1/4/2013 9:44:17 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

1/4/2013 9:17:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

1/4/2013 9:17:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

1/4/2013 9:16:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

1/4/2013 9:16:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

1/4/2013 9:16:45 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr vmm Wanarpv6

1/4/2013 9:16:44 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

1/4/2013 9:14:12 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

1/4/2013 9:14:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

1/4/2013 9:14:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

1/4/2013 9:13:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vmm vwififlt Wanarpv6 WfpLwf

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

1/4/2013 9:13:55 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

.

==== End Of File ===========================

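Reading that DDS log by hand, the line to stop on is the uRun entry that has RUNDLL32.EXE load a DLL out of c:\users\rain\appdata\local\nico mak computing\, sitting next to EnableLUA = 0 (UAC switched off), HideSCAHealth = 1 (Action Center security warnings hidden) and Windows Defender reported as disabled. The script below is an added example for this thread, not code from DDS, RogueKiller or Malwarebytes: it applies those triage heuristics to DDS "Pseudo HJT Report" lines. The sample input is lines copied from the log above; the severity labels and the list of user-writable locations are my own assumptions, and a hit only means "look at this next", not a verdict.

```python
"""Triage a DDS "Pseudo HJT Report" for suspicious autoruns and weakened policy.

Added example for this thread; it is not part of DDS, RogueKiller or
Malwarebytes. The heuristics are assumptions chosen to match what stands out
in the log above:
  * a Run/RunOnce entry that makes rundll32 load a DLL from a user-writable
    location (AppData, ProgramData, Temp or the Public profile) is the shape
    of the loader seen in the OP's uRun line and is rated high;
  * any other autorun image in such a location is rated medium;
  * an autorun with no path at all (resolved via PATH search) is noted as info;
  * EnableLUA = 0 (UAC off) is high, HideSCAHealth = 1 (Action Center security
    warnings hidden) is medium, and an "SP:" product shown *Disabled* is medium.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Nico Mak Computing] RUNDLL32.EXE "c:\users\rain\appdata\local\nico mak computing\xjdoeves.dll",IZDSP_GetBassBoost
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRunOnce: [Launcher] c:\program files\sminst\Launcher.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableLUA = dword:0
uPolicies-Explorer: HideSCAHealth = dword:1
"""

# DDS line shapes: u = HKCU, m = HKLM; policies print as "Name = dword:N".
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<name>\w+) = dword:(?P<value>\d+)$")
SP_RE = re.compile(r"^SP: (?P<product>.+?) \*(?P<state>[^*]+)\*")
# rundll32 <dll>[,Entry]  (dll may be quoted); stop at the quote or the comma.
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# First image in a command line: a quoted path, or an unquoted one ending in a
# known executable extension (DDS prints unquoted paths with spaces as-is).
IMAGE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|cpl|scr|bat|cmd)))(?:\s|$)', re.I)
# Locations a standard user can write to; assumed list, extend as needed.
USER_WRITABLE_RE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|users\\public|temp)\\", re.I)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line: str       # the DDS line that triggered the finding
    reason: str


def _image_path(cmd: str) -> str:
    """Return the executable image from a Run command line."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("quoted") or m.group("bare")
    return cmd.split()[0]


def triage(dds_text: str) -> List[Finding]:
    """Scan DDS output line by line and return findings in log order."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            dll = RUNDLL_RE.search(cmd)
            image = _image_path(cmd)
            if dll and USER_WRITABLE_RE.search(dll.group("dll")):
                findings.append(Finding("high", line,
                                        "rundll32 loads a DLL from a user-writable path"))
            elif USER_WRITABLE_RE.search(image):
                findings.append(Finding("medium", line,
                                        "autorun image lives in a user-writable path"))
            elif "\\" not in image:
                findings.append(Finding("info", line,
                                        "unqualified image name, resolved via PATH search"))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group("name"), int(m.group("value"))
            if name == "EnableLUA" and value == 0:
                findings.append(Finding("high", line, "UAC is disabled (EnableLUA=0)"))
            elif name == "HideSCAHealth" and value == 1:
                findings.append(Finding("medium", line,
                                        "Action Center security notifications are hidden"))
            continue
        m = SP_RE.match(line)
        if m and "disabled" in m.group("state").lower():
            findings.append(Finding("medium", line,
                                    f"{m.group('product')} is reported as disabled"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:<6}] {f.reason}")
        print(f"         {f.line}")
```

Run on the sample it flags exactly the five lines named above and stays quiet on sidebar.exe, igfxtray.exe and Launcher.exe; the unqualified KHALMNPR.EXE is a legitimate Logitech component here, which is why a bare name is only noted as info rather than flagged. The same user-writable test is what a helper applies to the scheduled-task paths in a RogueKiller report.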

Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against the forum's policy concerning P2P programs:

http://forums.malwarebytes.org/index.php?showtopic=97700

Then..............

Please download RogueKiller to your desktop, then run it as follows.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Thanks very much MrCharlie!

I've uninstalled uTorrent; I never used it much, but I understand why it's a threat!

It also seems like every time I reboot the computer more stuff is quarantined-- up to 16 items now. Anyway, here is the RK report:

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : Rain [Admin rights]

Mode : Scan -- Date : 01/05/2013 17:43:32

¤¤¤ Bad processes : 2 ¤¤¤

[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll -> UNLOADED

[DLL] rundll32.exe -- C:\WINDOWS\System32\rundll32.exe : C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll -> KILLED [TermProc]

¤¤¤ Registry Entries : 104 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Nico Mak Computing (RUNDLL32.EXE "C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll",IZDSP_GetBassBoost) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-19[...]\Run : FSP (rundll32.exe "C:\Users\Rain\AppData\Local\Google\FSP\vyvpmfvn.dll",CreateInstance) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-20[...]\Run : FSP (rundll32.exe "C:\Users\Rain\AppData\Local\Google\FSP\vyvpmfvn.dll",CreateInstance) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1184743540-3147673709-1241068237-1000[...]\Run : Nico Mak Computing (RUNDLL32.EXE "C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll",IZDSP_GetBassBoost) -> FOUND

[TASK][sUSP PATH] At17.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At16.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At15.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At14.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At13.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At12.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At11.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][sUSP PATH] At10.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At1.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At26.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At25.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At24.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At23.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At22.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At21.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At20.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At2.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At19.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At18.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At35.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At34.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At33.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At32.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At31.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At30.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At3.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At29.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At28.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At27.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At44.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At43.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At42.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At41.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At40.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At4.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At39.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At38.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At37.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At36.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At9.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At8.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At7.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At6.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At5.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At48.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At47.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At46.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At45.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At1 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At10 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At11 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At12 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At13 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At14 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At15 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At16 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At17 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At18 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At19 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At2 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At20 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At21 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At22 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At23 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At24 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At25 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At26 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At27 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At28 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At29 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At3 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At30 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At31 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At32 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At33 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At34 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At35 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At36 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At37 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At38 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At39 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At4 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At40 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At41 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At42 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At43 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At44 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At45 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At46 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At47 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At48 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At5 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At6 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At7 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At8 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At9 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\@ --> FOUND

[ZeroAccess][FILE] @ : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\U --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\L --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\L --> FOUND

[susp.ASLR|Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++

--- User ---

[MBR] e264a005b0d2eec03d5b4f9af0badb12

[BSP] f4a7516ce92af5df718c4a017f9ecf22 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 12378 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25350570 | Size: 102398 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 235063080 | Size: 362160 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Multiple Card Reader USB Device +++++

--- User ---

[MBR] 2e2e67a90b695e047c25c66e4f567233

[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown

Partition table:

0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 253 | Size: 1922 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_S_01052013_02d1743.txt >>

RKreport[1]_S_01042013_02d2153.txt ; RKreport[2]_S_01052013_02d1743.txt


Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : Nico Mak Computing (RUNDLL32.EXE "C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll",IZDSP_GetBassBoost) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-19[...]\Run : FSP (rundll32.exe "C:\Users\Rain\AppData\Local\Google\FSP\vyvpmfvn.dll",CreateInstance) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-20[...]\Run : FSP (rundll32.exe "C:\Users\Rain\AppData\Local\Google\FSP\vyvpmfvn.dll",CreateInstance) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-1184743540-3147673709-1241068237-1000[...]\Run : Nico Mak Computing (RUNDLL32.EXE "C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll",IZDSP_GetBassBoost) -> FOUND

[TASK][SUSP PATH] At17.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At16.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At15.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At14.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At13.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At12.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At11.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At10.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At1.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At26.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At25.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At24.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At23.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At22.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At21.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At20.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At2.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At19.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At18.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At35.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At34.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At33.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At32.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At31.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At30.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At3.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At29.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At28.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At27.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At44.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At43.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At42.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At41.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At40.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At4.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At39.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At38.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At37.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At36.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At9.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At8.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At7.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At6.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At5.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At48.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At47.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At46.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At45.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At1 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At10 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At11 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At12 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At13 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At14 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At15 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At16 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At17 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At18 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At19 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At2 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At20 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At21 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At22 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At23 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At24 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At25 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At26 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At27 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At28 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At29 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At3 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At30 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At31 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At32 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At33 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At34 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At35 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At36 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At37 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At38 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At39 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At4 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At40 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At41 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At42 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At43 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At44 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At45 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At46 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At47 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At48 : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND

[TASK][SUSP PATH] At5 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At6 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At7 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At8 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

[TASK][SUSP PATH] At9 : C:\ProgramData\bI2q4Xo8.exe -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] @ : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\@ --> FOUND

[ZeroAccess][FILE] @ : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\U --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\L --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\L --> FOUND

[susp.ASLR|Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll -> UNLOADED

[DLL] rundll32.exe -- C:\WINDOWS\System32\rundll32.exe : C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll -> KILLED [TermProc]

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Delete these files if found:

You may have to enable hidden files to see them:

http://www.howtogeek...-windows-vista/

C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll

C:\Users\Rain\AppData\Local\Google\FSP\vyvpmfvn.dll

C:\ProgramData\bI2q4Xo8.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next..........

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

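A note on the checklist in the post above, with an added example that is not part of MrC's post and not RogueKiller's own code: the 96 At*.job/At* task entries, the four Run keys, the six ZeroAccess entries and the flagged services.exe reduce to one dropper in C:\ProgramData (reported both as .exe and .exe_), two rundll32-loaded DLLs under AppData\Local, one {GUID} store mirrored in C:\Windows\Installer and the user's AppData\Local, and one system binary that has to be replaced rather than deleted. The Python below parses RogueKiller's "[CATEGORY][SUBCATEGORY] name : value -> FOUND" line format into exactly that short list. The sample report is a constructed excerpt of the log in this thread; the function and field names are this example's own.

```python
"""Parse a RogueKiller text report into a short cleanup list.

Added example for this thread, not RogueKiller's code and not part of MrC's
post. It reads the "[CATEGORY][SUBCATEGORY] name : value -> FOUND" lines the
report uses and collapses the many At*.job entries, the rundll32 Run keys and
the ZeroAccess {GUID} stores into the few artifacts that actually have to go.
SAMPLE_REPORT is a constructed excerpt of the log posted above; all function
and field names are this example's own.
"""
import re
from collections import Counter

# Constructed excerpt: nine lines in the same format as the full report above.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : Nico Mak Computing (RUNDLL32.EXE "C:\Users\Rain\AppData\Local\Nico Mak Computing\xjdoeves.dll",IZDSP_GetBassBoost) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19[...]\Run : FSP (rundll32.exe "C:\Users\Rain\AppData\Local\Google\FSP\vyvpmfvn.dll",CreateInstance) -> FOUND
[TASK][SUSP PATH] At1.job : C:\ProgramData\bI2q4Xo8.exe -> FOUND
[TASK][SUSP PATH] At25.job : C:\ProgramData\bI2q4Xo8.exe_ -> FOUND
[TASK][SUSP PATH] At1 : C:\ProgramData\bI2q4Xo8.exe -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess][FILE] @ : C:\Windows\Installer\{70ca22f3-6136-65fc-51ef-5981a715ec43}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Rain\AppData\Local\{70ca22f3-6136-65fc-51ef-5981a715ec43}\U --> FOUND
[susp.ASLR|Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
"""

# One report line: [cat][sub] name : value -> FOUND   (ZeroAccess lines use "-->")
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s+"
    r"(?P<name>.+?) : (?P<value>.+?) -{1,2}> (?P<status>\w+)$"
)
# The DLL a rundll32 Run entry loads is the quoted drive path inside the value.
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
# ZeroAccess keeps its @, U and L items inside a directory named after a GUID.
GUID_DIR_RE = re.compile(r"^(?P<root>.*?\\\{(?P<guid>[0-9a-fA-F-]{36})\})\\")


def parse_report(text):
    """Return one dict (cat, sub, name, value, status) per recognised line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def summarize(findings):
    """Group raw findings by the kind of persistence or tampering they represent."""
    summary = {
        "task_targets": Counter(),   # scheduled-task target -> number of At* entries
        "run_keys": [],              # Run-key entries and the DLL rundll32 loads
        "zeroaccess_roots": set(),   # {GUID} directories holding @, U, L
        "zeroaccess_guids": set(),
        "patched_binaries": set(),   # system files whose signature/ASLR check failed
        "hijacks": [],               # registry tampering such as EnableLUA (0)
    }
    for f in findings:
        cat, name, value = f["cat"], f["name"], f["value"]
        if cat == "TASK":
            # Keep the reported path as-is; the ".exe_" variant is counted separately.
            summary["task_targets"][value] += 1
        elif cat == "RUN":
            q = QUOTED_PATH_RE.search(value)
            summary["run_keys"].append({
                "key": name.split("[...]", 1)[0].rstrip("\\"),   # HKCU, HKUS\S-1-5-19, ...
                "entry": value.split(" (", 1)[0],
                "dll": q.group(1) if q else None,
            })
        elif cat == "ZeroAccess":
            g = GUID_DIR_RE.match(value)
            if g:
                summary["zeroaccess_roots"].add(g.group("root"))
                summary["zeroaccess_guids"].add(g.group("guid").lower())
        elif "Sig" in cat or "ASLR" in cat:
            summary["patched_binaries"].add(value)
        elif cat.startswith("HJ"):
            summary["hijacks"].append(f"{name} : {value}")
    return summary


def removal_list(summary):
    """Unique on-disk paths to delete: the task target(s), the Run-key DLLs and
    the {GUID} stores. Patched system binaries are deliberately left out; a file
    like services.exe has to be replaced from a clean copy, not deleted."""
    paths = set(summary["task_targets"])
    paths.update(r["dll"] for r in summary["run_keys"] if r["dll"])
    paths.update(summary["zeroaccess_roots"])
    return sorted(paths)


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for target, n in s["task_targets"].items():
        print(f"{n} scheduled task(s) -> {target}")
    for r in s["run_keys"]:
        print(f"Run key {r['key']} '{r['entry']}' loads {r['dll']}")
    print("ZeroAccess GUID(s):", ", ".join(sorted(s["zeroaccess_guids"])))
    print("Replace from clean media:", ", ".join(sorted(s["patched_binaries"])))
    print("Delete:", *removal_list(s), sep="\n  ")
```

Run it against a full RKreport file by passing the file's text to parse_report instead of SAMPLE_REPORT. The point of keeping services.exe out of removal_list is the one that matters in practice: RogueKiller flags it because the on-disk file no longer matches Microsoft's signature, and deleting the service control manager leaves an unbootable system, which is why the MBAR step in the post above and its fixdamage tool exist.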

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

