Trojan.Zaccess


stm

Malwarebytes has detected a LEGACY rootkit and Trojan.Zaccess.  Malwarebytes indicates a restart is required but on restart Windows fails to start completely, requiring a manual shutdown.  When I restart the system, I get a message about Malwarebytes not finding the cleanup.dll file.  If I rescan the problem re-occurs.  I have also found and deleted a folder named Avenger and a separate multi-gigabyte text file also called Avenger.  This Avenger file is apparently building itself to a size where it is trying to use up my disk space.  I had previously deleted it as it had consumed enough disk space to cause a disk space warning.  Attached are my log files.

dds.txt

attach.txt

Hello stm and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
  • One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

    If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

    Please read:

    Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

    Please let us know how you would like to proceed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.  You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

I downloaded and tried to run the tool.  On the first attempt, the computer froze after the application backed up the registry (I may have created a problem by denying it access to the internet, which is disabled anyway).  I manually shut down the computer and on restart was able to complete the scan with the following results:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02
Ran by Stewart (administrator) on 21-08-2013 20:33:53
Running from C:\Documents and Settings\Stewart\Desktop\Farbar Recovery Scan Tool
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(AOL LLC) C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTsvcCDA.EXE
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Intel Corporation) C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
(Creative Technology Ltd) C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
(Sonic Solutions) C:\WINDOWS\system32\dla\tfswctrl.exe
() C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
() C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(America Online, Inc.) C:\WINDOWS\wanmpsvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\MsPMSPSv.exe
(Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [intelMeM] - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [221184 2003-09-03] (Intel Corporation)
HKLM\...\Run: [CTSysVol] - C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe [57344 2003-09-17] (Creative Technology Ltd)
HKLM\...\Run: [P17Helper] - C:\Windows\System32\P17.dll [60928 2004-06-10] ()
HKLM\...\Run: [dla] - C:\WINDOWS\system32\dla\tfswctrl.exe [127035 2004-12-06] (Sonic Solutions)
HKLM\...\Run: [Dell Photo AIO Printer 922] - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe [290816 2004-11-10] ()
HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [7110656 2005-07-20] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] - nwiz.exe /install [x]
HKLM\...\Run: [NvMediaCenter] - C:\Windows\System32\NvMCTray.dll [86016 2005-07-20] (NVIDIA Corporation)
HKLM\...\Run: [NeroFilterCheck] - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [161328 2007-05-04] (Nero AG)
HKLM\...\Run: [DLBTCATS] - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll [73728 2007-02-22] ()
HKLM\...\Run: [ZoneAlarm] - C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [73360 2012-03-19] (Check Point Software Technologies LTD)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [iSW] - C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [738944 2012-03-16] (Check Point Software Technologies)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995184 2013-07-18] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxsrvc.dll (Intel Corporation)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

==================== Internet (Whitelisted) ====================

ProxyEnable: Internet Explorer proxy is enabled.
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {3DA5B5BD-9FD0-4E5D-BC46-6C22878EBBA0} URL = http://www.weather.com/search/enhanced?where={searchTerms}
SearchScopes: HKCU - {410DA61F-F409-476E-8F6C-68761B406568} URL = http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q={searchTerms}
SearchScopes: HKCU - {44121767-3665-4C69-850B-61C07C250362} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {4BCF46AE-1E37-4FA9-8AA6-FB9FC9707E53} URL = http://query.nytimes.com/gst/handler.html?query={searchTerms}&opensearch=1
SearchScopes: HKCU - {4DCF532C-7CD1-42A9-9D1D-18B253536C3B} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {7BA319AF-11C1-420A-9926-B391A9CA28CD} URL = http://www.amazon.com/s?ie=UTF8&tag=amznsearch.ms-20&index=aps&link%5Fcode=qs&field-keywords={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2645238
SearchScopes: HKCU - {CB071AED-99E1-4284-AACA-EAF999ED5C53} URL = http://search.live.com/results.aspx?q={searchTerms}&mkt=en-us&FORM=OPNSCH
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKCU - {E8BE2DFD-3894-4726-BC36-C41181CF1B12} URL = http://us.imdb.com/find?s=all&q={searchTerms}&x=20&y=6
SearchScopes: HKCU - {EFE87EC1-19E5-4CE1-B90E-7A7892C62F02} URL = http://dictionary.reference.com/browse/{searchTerms}
BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\bh\zonealarm.dll (Montera Technologeis LTD)
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmTlbr.dll (Montera Technologeis LTD)
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKCU -No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -  No File
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU -No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU -ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} http://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} http://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} http://www.cult3d.com/download/cult.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} file://D:\CDVIEWER\CdViewer.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: ipp - No CLSID Value -
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [119056 2013-05-23] (SUPERAntiSpyware.com)
R2 AOL ACS; C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [46640 2006-10-23] (AOL LLC)
S2 CoachUsb; C:\Windows\system32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [44032 1999-12-13] (Creative Technology Ltd)
S3 dlbt_device; C:\WINDOWS\system32\dlbtcoms.exe [538096 2007-06-07] ( )
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [67360 2009-12-17] (NOS Microsystems Ltd.)
R2 IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [497280 2012-03-16] (Check Point Software Technologies)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2013-07-18] (Microsoft Corporation)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [143360 2003-12-17] (Intel® Corporation)
R2 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [2421640 2012-03-19] (Check Point Software Technologies LTD)
R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2003-08-27] (America Online, Inc.)
R2 WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [53520 2000-06-26] (Microsoft Corporation)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}\   \   \???\{d56fa829-a31d-f4be-d690-361f95070b3e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 BANTExt; C:\Windows\System32\Drivers\BANTExt.sys [3840 2005-04-07] ()
S3 bvrp_pci; C:\Windows\System32\Drivers\bvrp_pci.sys [4272 2004-03-24] ()
R2 drvnddm; C:\Windows\System32\drivers\drvnddm.sys [40480 2004-11-23] (Sonic Solutions)
R0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [804317 2005-01-23] (Intel Corporation)
R3 IntelC51; C:\Windows\System32\DRIVERS\IntelC51.sys [1233525 2004-03-05] (Intel Corporation)
R3 IntelC52; C:\Windows\System32\DRIVERS\IntelC52.sys [647929 2004-03-05] (Intel Corporation)
R3 IntelC53; C:\Windows\System32\DRIVERS\IntelC53.sys [61157 2004-06-15] (Intel Corporation)
R2 ISWKL; C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [27016 2012-03-16] (Check Point Software Technologies)
R3 mohfilt; C:\Windows\System32\DRIVERS\mohfilt.sys [37048 2004-03-05] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R3 P17; C:\Windows\System32\drivers\P17.sys [840960 2004-06-09] (Creative Technology Ltd.)
R2 PfModNT; C:\WINDOWS\system32\drivers\PfModNT.sys [15840 2003-03-05] (Creative Technology Ltd.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 speedfan; C:\Windows\System32\speedfan.sys [25240 2011-03-18] (Almico Software)
R1 sscdbhk5; C:\Windows\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions)
R1 ssrtln; C:\Windows\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions)
R2 tfsnboio; C:\Windows\System32\dla\tfsnboio.sys [25883 2004-12-06] (Sonic Solutions)
R2 tfsncofs; C:\Windows\System32\dla\tfsncofs.sys [34843 2004-12-06] (Sonic Solutions)
R2 tfsndrct; C:\Windows\System32\dla\tfsndrct.sys [4123 2004-12-06] (Sonic Solutions)
R2 tfsndres; C:\Windows\System32\dla\tfsndres.sys [2239 2004-12-06] (Sonic Solutions)
R2 tfsnifs; C:\Windows\System32\dla\tfsnifs.sys [86586 2004-12-06] (Sonic Solutions)
R2 tfsnopio; C:\Windows\System32\dla\tfsnopio.sys [15227 2004-12-06] (Sonic Solutions)
R2 tfsnpool; C:\Windows\System32\dla\tfsnpool.sys [6363 2004-12-06] (Sonic Solutions)
R2 tfsnudf; C:\Windows\System32\dla\tfsnudf.sys [98714 2004-12-06] (Sonic Solutions)
R2 tfsnudfa; C:\Windows\System32\dla\tfsnudfa.sys [100603 2004-12-06] (Sonic Solutions)
R1 Vsdatant; C:\Windows\System32\vsdatant.sys [525840 2012-03-19] (Check Point Software Technologies LTD)
R3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
S0 dppgssgl; System32\drivers\pvihung.sys [x]
S0 eecpgju; System32\drivers\kkmww.sys [x]
S0 kmum; System32\drivers\mijxexpm.sys [x]
S0 srescan; system32\ZoneLabs\srescan.sys [x]
S3 SymIM; system32\DRIVERS\SymIM.sys [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-21 20:20 - 2013-08-21 20:20 - 00000000 ____D C:\Documents and Settings\Stewart\Desktop\Farbar Recovery Scan Tool
2013-08-20 17:25 - 2013-08-20 17:25 - 00012945 _____ C:\Documents and Settings\Stewart\Desktop\attach.txt
2013-08-20 17:25 - 2013-08-20 17:25 - 00012285 _____ C:\Documents and Settings\Stewart\Desktop\dds.txt
2013-08-20 17:21 - 2013-08-20 13:38 - 00688992 ____R (Swearware) C:\Documents and Settings\Stewart\Desktop\dds.scr
2013-08-13 22:18 - 2013-08-13 22:18 - 00156280 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2013-08-13 21:23 - 2013-08-13 21:23 - 00141571 _____ C:\Documents and Settings\Stewart\Desktop\mbsa.xps
2013-08-11 11:37 - 2013-08-11 11:38 - 00000000 ____D C:\Documents and Settings\Stewart\Desktop\cemetary
2013-08-07 23:07 - 2013-08-07 23:07 - 00000000 ____D C:\Documents and Settings\Stewart\Application Data\SUPERAntiSpyware.com
2013-08-07 23:05 - 2013-08-07 23:07 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-08-07 23:05 - 2013-08-07 23:05 - 00001678 _____ C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-08-07 23:05 - 2013-08-07 23:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2013-08-06 19:44 - 2013-08-06 19:45 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-06 11:00 - 2013-08-06 11:00 - 88865040 _____ (Microsoft Corporation) C:\Documents and Settings\Stewart\Desktop\MS Safety Scanner.exe
2013-08-06 06:04 - 2013-08-06 06:04 - 00000000 ____D C:\Program Files\HitmanPro
2013-08-06 06:03 - 2013-07-26 13:45 - 09171472 _____ (SurfRight B.V.) C:\Documents and Settings\Stewart\Desktop\HitmanProBeta.exe
2013-08-02 20:09 - 2013-08-02 20:09 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
2013-08-01 20:54 - 2013-07-19 21:46 - 00449568 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20130801-205450.backup
2013-07-25 22:55 - 2013-08-21 20:31 - 01064167 _____ C:\WINDOWS\WindowsUpdate.log

==================== One Month Modified Files and Folders =======

2013-08-21 20:31 - 2013-07-25 22:55 - 01064167 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-21 20:31 - 2005-07-29 21:24 - 00002206 _____ C:\WINDOWS\system32\WPA.DBL
2013-08-21 20:30 - 2006-04-01 17:44 - 00029204 _____ C:\WINDOWS\system32\nvapps.xml
2013-08-21 20:30 - 2005-07-29 21:27 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-21 20:30 - 2004-08-10 13:59 - 00000159 _____ C:\WINDOWS\WIADEBUG.LOG
2013-08-21 20:30 - 2004-08-10 13:59 - 00000049 _____ C:\WINDOWS\WIASERVC.LOG
2013-08-21 20:22 - 2013-08-21 20:22 - 00000000 ____D C:\FRST
2013-08-21 20:20 - 2013-08-21 20:20 - 00000000 ____D C:\Documents and Settings\Stewart\Desktop\Farbar Recovery Scan Tool
2013-08-20 17:35 - 2013-04-17 17:59 - 00032380 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-20 17:35 - 2005-08-02 20:37 - 00000278 ___SH C:\Documents and Settings\Stewart\NTUSER.INI
2013-08-20 17:35 - 2005-08-02 20:37 - 00000000 ____D C:\Documents and Settings\Stewart
2013-08-20 17:25 - 2013-08-20 17:25 - 00012945 _____ C:\Documents and Settings\Stewart\Desktop\attach.txt
2013-08-20 17:25 - 2013-08-20 17:25 - 00012285 _____ C:\Documents and Settings\Stewart\Desktop\dds.txt
2013-08-20 13:38 - 2013-08-20 17:21 - 00688992 ____R (Swearware) C:\Documents and Settings\Stewart\Desktop\dds.scr
2013-08-19 21:38 - 2005-08-08 17:43 - 00000000 __SHD C:\Documents and Settings\Stewart\UserData
2013-08-19 21:10 - 2005-07-29 21:51 - 00000000 ____D C:\WINDOWS\Intuit
2013-08-19 15:55 - 2005-08-21 17:23 - 03888054 _____ C:\WINDOWS\default.bmp
2013-08-18 20:24 - 2005-07-29 21:07 - 00000000 ____D C:\WINDOWS\Resources
2013-08-17 23:18 - 2008-06-20 17:43 - 00000313 _____ C:\Documents and Settings\Stewart\Desktop\Links Corner.url
2013-08-17 22:50 - 2008-09-05 20:04 - 00000069 _____ C:\WINDOWS\NeroDigital.ini
2013-08-15 00:52 - 2005-08-04 22:06 - 00000000 ____D C:\WINDOWS\Minidump
2013-08-13 23:36 - 2008-08-14 18:23 - 00000000 ____D C:\WINDOWS\ServicePackFiles
2013-08-13 23:21 - 2005-07-29 21:07 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-08-13 22:18 - 2013-08-13 22:18 - 00156280 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2013-08-13 22:08 - 2013-07-10 23:18 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-08-13 21:56 - 2008-12-14 21:37 - 75778376 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-08-13 21:50 - 2005-07-29 21:26 - 00510812 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-08-13 21:42 - 2007-02-17 04:08 - 00887644 _____ C:\WINDOWS\system32\TZLog.log
2013-08-13 21:40 - 2010-08-20 17:48 - 00000000 ____D C:\WINDOWS\ie8updates
2013-08-13 21:23 - 2013-08-13 21:23 - 00141571 _____ C:\Documents and Settings\Stewart\Desktop\mbsa.xps
2013-08-13 20:56 - 2007-11-06 20:23 - 00000000 ____D C:\Documents and Settings\Stewart\SecurityScans
2013-08-12 23:01 - 2008-01-18 21:43 - 00002521 _____ C:\Documents and Settings\Stewart\Desktop\Microsoft Office Outlook 2003.lnk
2013-08-11 21:48 - 2005-08-04 21:26 - 00302080 _____ C:\Documents and Settings\Stewart\My Documents\CHECKS.XLS
2013-08-11 11:38 - 2013-08-11 11:37 - 00000000 ____D C:\Documents and Settings\Stewart\Desktop\cemetary
2013-08-10 05:55 - 2006-04-01 17:43 - 00000000 ____D C:\WINDOWS\nview
2013-08-07 23:07 - 2013-08-07 23:07 - 00000000 ____D C:\Documents and Settings\Stewart\Application Data\SUPERAntiSpyware.com
2013-08-07 23:07 - 2013-08-07 23:05 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-08-07 23:05 - 2013-08-07 23:05 - 00001678 _____ C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-08-07 23:05 - 2013-08-07 23:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2013-08-07 21:23 - 2012-05-08 18:03 - 00000000 ____D C:\Program Files\tdsskiller
2013-08-06 19:45 - 2013-08-06 19:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-06 19:45 - 2011-03-02 22:57 - 00001945 _____ C:\WINDOWS\epplauncher.mif
2013-08-06 11:00 - 2013-08-06 11:00 - 88865040 _____ (Microsoft Corporation) C:\Documents and Settings\Stewart\Desktop\MS Safety Scanner.exe
2013-08-06 07:02 - 2012-05-08 21:42 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-08-06 06:04 - 2013-08-06 06:04 - 00000000 ____D C:\Program Files\HitmanPro
2013-08-05 00:32 - 2005-07-29 21:07 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-08-05 00:32 - 2005-07-29 21:07 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-08-05 00:31 - 2005-07-29 21:07 - 00000000 ____D C:\WINDOWS\Registration
2013-08-02 20:09 - 2013-08-02 20:09 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
2013-08-01 14:06 - 2005-08-02 21:19 - 00000000 ____D C:\Program Files\Dl_cats
2013-07-26 13:45 - 2013-08-06 06:03 - 09171472 _____ (SurfRight B.V.) C:\Documents and Settings\Stewart\Desktop\HitmanProBeta.exe
2013-07-25 22:47 - 2012-06-12 17:28 - 00522240 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2013-07-25 22:47 - 2010-08-20 17:37 - 00743424 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2013-07-25 22:47 - 2010-08-20 17:37 - 00247808 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2013-07-25 22:47 - 2010-08-20 17:37 - 00012800 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2013-07-25 22:47 - 2007-05-08 18:28 - 11113472 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2013-07-25 22:47 - 2007-05-08 18:28 - 02005504 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2013-07-25 22:47 - 2007-05-08 18:28 - 00630272 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2013-07-25 22:47 - 2007-05-08 18:28 - 00055296 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2013-07-25 22:47 - 2006-11-07 22:03 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2013-07-25 22:47 - 2006-11-07 22:03 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2013-07-25 22:47 - 2006-11-07 22:03 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeedsbs.dll
2013-07-25 22:47 - 2006-11-07 04:27 - 00387584 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedkcs32.dll
2013-07-25 22:47 - 2006-10-17 13:05 - 01469440 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetcpl.cpl
2013-07-25 22:47 - 2006-10-17 13:05 - 00105984 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
2013-07-25 22:47 - 2006-10-17 13:05 - 00043520 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\licmgr10.dll
2013-07-25 22:47 - 2006-10-17 13:04 - 00206848 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\occache.dll
2013-07-25 22:47 - 2006-10-17 12:57 - 02005504 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2013-07-25 22:47 - 2006-09-18 10:15 - 00759296 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vgx.dll
2013-07-25 22:47 - 2006-05-19 11:08 - 06017536 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtml.dll
2013-07-25 22:47 - 2006-05-10 01:23 - 01215488 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
2013-07-25 22:47 - 2006-05-10 01:23 - 00920064 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
2013-07-25 22:47 - 2006-05-10 01:23 - 00611840 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mstime.dll
2013-07-25 22:47 - 2006-05-10 01:23 - 00067072 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtmled.dll
2013-07-25 22:47 - 2006-05-10 01:22 - 00184320 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iepeers.dll
2013-07-25 22:47 - 2006-05-10 01:22 - 00025600 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsproxy.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 06017536 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 01469440 ____N (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2013-07-25 22:47 - 2004-08-04 06:00 - 01215488 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00611840 ____N (Microsoft Corporation) C:\WINDOWS\system32\mstime.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00387584 ____N (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00206848 ____N (Microsoft Corporation) C:\WINDOWS\system32\occache.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\url.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\licmgr10.dll
2013-07-25 22:47 - 2004-08-04 06:00 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jsproxy.dll
2013-07-25 21:45 - 2005-07-29 21:06 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-07-25 21:23 - 2006-12-05 18:58 - 00000000 ____D C:\WINDOWS\Performance
2013-07-25 21:23 - 2006-11-07 04:26 - 00174592 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ie4uinit.exe
2013-07-25 21:23 - 2004-08-04 06:00 - 00174592 ____N (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2013-07-25 21:13 - 2012-05-07 23:38 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-07-25 17:31 - 2005-08-21 13:41 - 00000000 ____D C:\Program Files\Google
2013-07-25 17:31 - 2005-08-21 13:41 - 00000000 ____D C:\Documents and Settings\Stewart\Local Settings\Application Data\Google
2013-07-25 11:52 - 2004-08-04 06:00 - 00385024 ____N (Microsoft Corporation) C:\WINDOWS\system32\html.iec
2013-07-23 07:18 - 2007-02-15 20:32 - 00057012 _____ C:\VETlog.dmp
2013-07-23 07:18 - 2004-08-10 14:04 - 00000992 _____ C:\WINDOWS\WIN.INI

Files to move or delete:
====================
ZeroAccess:
C:\DOCUME~1\Stewart\LOCALS~1\Application Data\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt


Open Notepad (Start => All Programs => Accessories => Notepad). Copy the entire contents of the code box below (highlight the contents of the box, right-click on it and select Copy; then right-click in the open Notepad window and select Paste). Save it in the same directory as FRST.exe as fixlist.txt.

 

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}\ \ \???\{d56fa829-a31d-f4be-d690-361f95070b3e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S0 dppgssgl; System32\drivers\pvihung.sys [x]
S0 eecpgju; System32\drivers\kkmww.sys [x]
S0 kmum; System32\drivers\mijxexpm.sys [x]
C:\DOCUME~1\Stewart\LOCALS~1\Application Data\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}
C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log (Fixlog.txt); please post it in your reply.

Reboot Normally.

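The fixlist above was assembled by hand from the entries FRST had flagged. As an added example (not FRST's own code, and not something posted in this thread), the following Python script makes that selection mechanically over a log reconstructed from the FRST lines quoted above: it copies every line FRST tagged ATTENTION, every boot-start (S0) driver whose file is missing ([x]), and every path listed under "Files to move or delete". Separately, as a rule of thumb of this example rather than anything FRST documents, it flags service image paths containing a component that ordinary Win32 file calls could never have created (a name made only of spaces, or containing characters like "?"), which is what the "\ \ \???\" segment in the flagged *etadpug path looks like. The S1 SASDIFSV line in the sample is constructed as a benign control and is not from the post.

```python
"""Build an FRST fixlist from the entries a Farbar scan flagged.

Added example for this thread; it is not FRST's own code and was not
posted by the helper. The sample log is reconstructed from the FRST lines
quoted on this page, plus one constructed benign S1 line for contrast.
"""
import re

# Constructed sample log: the ZeroAccess-related lines from the FRST.txt above.
# The S1 SASDIFSV line is a constructed benign control, not taken from the post.
FRST_LOG = r"""
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}\ \ \???\{d56fa829-a31d-f4be-d690-361f95070b3e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S0 dppgssgl; System32\drivers\pvihung.sys [x]
S0 eecpgju; System32\drivers\kkmww.sys [x]
S0 kmum; System32\drivers\mijxexpm.sys [x]
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAntiSpyware.com)

Files to move or delete:
====================
ZeroAccess:
C:\DOCUME~1\Stewart\LOCALS~1\Application Data\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}

==================== Bamital & volsnap Check =================
"""

# FRST service/driver lines look like: "<start type> <name>; <image path> [...]"
SERVICE_RE = re.compile(r"^(?P<start>[SRU]\d) (?P<name>\S+); (?P<rest>.*)$")


def win32_illegal_component(path: str) -> bool:
    """True if some path component could not have been created through the
    Win32 API: a name that is only whitespace, or one containing a character
    Win32 forbids in names. Heuristic; an assumption of this example."""
    for part in path.split("\\"):
        if part == "":
            continue
        if part.strip() == "" or any(c in part for c in '?*<>"|'):
            return True
    return False


def build_fixlist(log_text: str) -> list:
    """Return the lines a fixlist.txt would contain, in log order."""
    fixlist = []
    in_move_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Files to move or delete:":
            in_move_section = True
            continue
        if in_move_section:
            if stripped == "":
                in_move_section = False      # blank line closes the section
                continue
            if stripped.startswith("=") or stripped.endswith(":"):
                continue                     # section rule or "ZeroAccess:" label
            fixlist.append(stripped)
            continue
        if "ATTENTION" in line:
            fixlist.append(line)             # FRST flagged it; copy the whole line
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("start") == "S0" and m.group("rest").endswith("[x]"):
            fixlist.append(line)             # boot-start driver whose file is gone
    return fixlist


def reserved_name_services(log_text: str) -> list:
    """Names of services whose image path has a component Win32 could not
    create. Works independently of FRST's own ATTENTION tag."""
    hits = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        quoted = re.search(r'"([^"]*)"', rest)
        path = quoted.group(1) if quoted else rest.split(" [")[0]
        if win32_illegal_component(path):
            hits.append(m.group("name"))
    return hits


if __name__ == "__main__":
    for entry in build_fixlist(FRST_LOG):
        print(entry)
    print("services with Win32-illegal path components:",
          reserved_name_services(FRST_LOG))
```

Running it prints the same seven lines, in the same order, as the fixlist the helper posted, and names *etadpug as the one service whose image path could only have been created through the native API. The S0/[x] rule mirrors the helper's choice on this machine; on another system a missing boot-start driver can also be a leftover from an uninstalled product, so the output is a candidate list to review, not something to run blindly.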

Worked without issue:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013 02
Ran by Stewart at 2013-08-22 18:04:38 Run:1
Running from C:\Documents and Settings\Stewart\Desktop\Farbar Recovery Scan Tool
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}\ \ \???\{d56fa829-a31d-f4be-d690-361f95070b3e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S0 dppgssgl; System32\drivers\pvihung.sys [x]
S0 eecpgju; System32\drivers\kkmww.sys [x]
S0 kmum; System32\drivers\mijxexpm.sys [x]
C:\DOCUME~1\Stewart\LOCALS~1\Application Data\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}
C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e}

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
*etadpug => Service deleted successfully.
dppgssgl => Service deleted successfully.
eecpgju => Service deleted successfully.
kmum => Service deleted successfully.
C:\DOCUME~1\Stewart\LOCALS~1\Application Data\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e} => Moved successfully.
C:\Program Files\Google\Desktop\Install\{d56fa829-a31d-f4be-d690-361f95070b3e} => Moved successfully.

==== End of Fixlog ====


Very well! :)

Note: Please do not run this tool without the special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed, the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Is it okay to install the Recovery Console first, then disable the internet connection before starting Combofix? 

 

I am concerned about being connected to the internet with all the security applications disabled.  I have had the internet connection disabled while we have been addressing this problem and have been posting from another computer.  I will enable the internet when installing the Console from the CD, but am concerned about being connected otherwise.


Had some trouble installing the Recovery Console.  It could not connect to Microsoft, so I tried the link in the ComboFix instructions, which led to a new web page that did not have the console download.  Searched the Windows site and could not find the downloadable version.  So I installed off the XP installation disc, allowing it to continue without updating.  Then disabled the internet, shut down protections as instructed, and started ComboFix:

 

During the initial scan I received 2-3 sets of messages which more or less read as follows: 

 

1st message:  "You are infected with RootKit,ZeroAccess!  It has inserted itself into the tcp/ip stack.  This is a particularly difficult infection.  If for any reason that you are unable to connect to the internet...run ComboFix again..."  I was not able to copy the entire message before it disappeared, but this is generally what it said.

 

The 2nd: "A rootkit was detected" 

 

I clicked OK to both. 

 

ComboFix continued, then I received the message "ComboFix has detected rootkit activity and needs to reboot the machine".  I clicked OK and the machine rebooted into an incomplete Windows desktop with ComboFix running.  The scan continued running, completed 50 tasks, deleted files and folders, then automatically rebooted.  ComboFix completed running and produced the log file. I rebooted the machine, enabled the internet and checked that it was working, disabled it again, copied the log file and shut down.  Here is the log file:

 

ComboFix 13-08-22.01 - Stewart 08/25/2013  15:08:57.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.766.430 [GMT -4:00]
Running from: c:\documents and settings\Stewart\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Stewart\WINDOWS
C:\Documents
c:\windows\$NtUninstallKB40091$
c:\windows\$NtUninstallKB40091$\15506551\@
c:\windows\$NtUninstallKB40091$\15506551\cfg.ini
c:\windows\$NtUninstallKB40091$\15506551\Desktop.ini
c:\windows\$NtUninstallKB40091$\15506551\L\odetmngk
c:\windows\$NtUninstallKB40091$\15506551\oemid
c:\windows\$NtUninstallKB40091$\15506551\U\00000001.@
c:\windows\$NtUninstallKB40091$\15506551\U\00000002.@
c:\windows\$NtUninstallKB40091$\15506551\U\00000004.@
c:\windows\$NtUninstallKB40091$\15506551\U\80000000.@
c:\windows\$NtUninstallKB40091$\15506551\U\80000004.@
c:\windows\$NtUninstallKB40091$\15506551\U\80000032.@
c:\windows\$NtUninstallKB40091$\15506551\version
c:\windows\$NtUninstallKB40091$\2719861212
c:\windows\patch.exe
c:\windows\settings.reg
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\Packet.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\pthreadVC.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\wpcap.dll
c:\windows\wininit.ini
G:\autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-25 to 2013-08-25  )))))))))))))))))))))))))))))))
.
.
2013-08-25 18:43 . 2013-08-25 18:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2013-08-22 00:22 . 2013-08-22 00:22 -------- d-----w- C:\FRST
2013-08-18 22:59 . 2013-07-02 03:54 7143960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8CF3158A-DB97-4BFC-87D1-F6A4EE7C2F70}\mpengine.dll
2013-08-17 20:30 . 2013-07-02 03:54 7143960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-08 03:07 . 2013-08-08 03:07 -------- d-----w- c:\documents and settings\Stewart\Application Data\SUPERAntiSpyware.com
2013-08-08 03:05 . 2013-08-08 03:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-08-08 03:05 . 2013-08-08 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-08-06 23:44 . 2013-08-06 23:45 -------- d-----w- c:\program files\Microsoft Security Client
2013-08-06 10:04 . 2013-08-06 10:04 -------- d-----w- c:\program files\HitmanPro
2013-08-05 04:31 . 2013-08-05 04:31 -------- d-----w- c:\windows\system32\wbem\Repository
2013-08-03 00:09 . 2013-08-03 00:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-26 02:47 . 2004-08-04 10:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2004-08-04 10:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2004-08-04 10:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 10:00 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-19 01:50 . 2013-06-19 01:50 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-04 07:23 . 2004-08-04 10:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2004-08-04 10:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-28 01:59 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2013-05-28 00:41 . 2009-04-16 20:54 6144 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"nwiz"="nwiz.exe" [2005-07-21 1519616]
"NvMediaCenter"="NvMCTray.dll" [2005-07-21 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-19 73360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-03-16 738944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-07-18 995184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"dplaysvr"=c:\documents and settings\Stewart\Application Data\dplaysvr.exe
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"WallPaper"=c:\program files\wallpaper changer\Wallpaper.exe /h
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"UpdReg"=c:\windows\UpdReg.EXE
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
"boinctray"="c:\program files\BOINC\boinctray.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
"boincmgr"="c:\program files\BOINC\boincmgr.exe" /a /s
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
"HostManager"=c:\program files\Common Files\AOL\1166744473\ee\AOLSoftware.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2012-03-16 27016]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2012-03-16 497280]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 17:23 452136 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-08-25 c:\windows\Tasks\User_Feed_Synchronization-{8FE6608D-2610-42C8-973E-12FA28B3E57C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/Stewart/Favorites/Bookmarks/Start%20Page.htm

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local


IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Amsterdam International Golf Club for MS Links - c:\documents and settings\Stewart\My Documents\Downloads Temp\Links courses\Uninstal.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-25 15:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ... 
.
.
c:\documents and settings\Stewart\Application Data\Dropbox\shellext\l\521a6406 124 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(560)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2013-08-25  16:13:17 - machine was rebooted
ComboFix-quarantined-files.txt  2013-08-25 20:13
.
Pre-Run: 3,419,000,832 bytes free
Post-Run: 3,601,395,712 bytes free
.
- - End Of File - - C2DC050C14A15AD4496639BB0CB6F291
B16A2359F4962B0C622D81A1C1F4B703
 


Well done! :)

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

The scan took quite a while to run so I had to leave it running overnight.  Found the following:

 

C:\Documents and Settings\Stewart\My Documents\Downloads Temp\FreeAudioConverter.exe multiple threats cleaned by deleting - quarantined
C:\Program Files\Common Files\DVDVideoSoft\AskTB\ApnIC.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Program Files\Common Files\DVDVideoSoft\AskTB\ApnToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
G:\Backups\8-25-13\My Documents\Downloads Temp\FreeAudioConverter.exe multiple threats cleaned by deleting - quarantined
 


I didn't notice any problems, but have not used the machine to do anything.  The computer seemed to start a little slowly.  Microsoft Essentials did update itself during the scan, so it seems to be working properly.  I noticed a hidden autostart entry in the ComboFix log, but no indication that it was deleted.  Did ComboFix remove this?

 

Will try another Malwarebytes scan and surfing the internet tonight to see how it is working.  I need a recommendation on a new firewall.  The Zone Alarm version I am using is no longer supported and I have read bad things about the upgrade.  I have had difficulty in finding any good firewall and was considering going back to the Windows firewall.  Do you have any ideas? 

 

I have recently installed SUPERAntiSpyware.  Is this recommended for use?  I also am running Spybot scans weekly in addition to Malewarebytes.  Should I be running any other protective software?


I noticed a hidden autostart entry in the ComboFix log, but no indication that it was deleted. Did ComboFix remove this?

Please show me what you mean.

Do you have any ideas?

Here you go:

http://users.telenet.be/bluepatchy/miekiemoes/Links.html#Firewalls

Is this recommended for use?

You have Malwarebytes' Anti-Malware. It is much better than SUPERAntiSpyware.

Should I be running any other protective software?

Here are some tips and protection software, but in my opinion you have everything needed.

users.telenet.be/bluepatchy/miekiemoes/prevention.html

http://users.telenet.be/bluepatchy/miekiemoes/Links.html


 

Please show me what you mean.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-08-25 15:49

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ... 

.

.

c:\documents and settings\Stewart\Application Data\Dropbox\shellext\l\521a6406 124 bytes

.

scan completed successfully

hidden files: 1

 

 

 

 

The link on the page does not work, but I am looking at this http://www.online-armor.com/ for a firewall.

 

In addition to updating Malwarebytes, Spybot and MS Essentials, I also installed the new version of SpywareBlaster last night.  Sounds like I am OK, other than the above potential problem.

 

Thank you very much for all the help.


It didn't look legitimate to me and I thought it was causing my delay in startup.  I don't think I have any other questions.  There seemed to be a delay in MS Essentials starting, where I was getting the "Your system is not protected" window starting to open as the green icon was coming on.  I have not seen this on the last couple of boots.

 

I am going to go ahead and install Online Armor when we are done.  After your instructions, I will try disk cleanup and defragmenting to try and speed things up.


I wouldn't tell you something that I have not checked. Here is proof:

http://www.bleepingcomputer.com/startups/DLBTtime.dll-20767.html

To improve your PC performance:

http://forums.malwarebytes.org/index.php?showtopic=81990

Step 1

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Step 2

Please uninstall ESET Online Scanner

Step 3

Some malware prevention tips:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!


 

I wouldn't tell you something that I have not checked. Here is proof:
http://www.bleepingcomputer.com/startups/DLBTtime.dll-20767.html


 

 

I did not think you would.  I thought you were going to tell me it was removed.  The long string of question marks looked strange to me.

 

Before I could read your reply, I went home and started the machine to find the following:

 

On initial boot, a window opened to inform me that MS Essentials was not enabled.  I clicked to enable it, which took some time but worked.  This looked to me like a problem in the autostart entries that I inquired about, so I logged directly onto this thread to see if you had replied.  When I clicked on your above link, Internet Explorer froze and I had to use Task Manager to shut it down.  I tried to start Malwarebytes and had some graphic issues with it flickering and had to manually shut it down.  Then I had a problem when the Start button froze and Windows Explorer crashed.  Eventually, I was able to get Malwarebytes to run a complete scan, which came back clean.

 

The only change I had made to the system that I did not mention in the other post was to re-enable wallpaper.exe in the start up entries via Spybot.  Apparently, allowing this small program to change my desktop background, which I have been running on my machine back to Windows 95 looked to cause a problem with MS Essentials.  I disabled it again, re-booted and the machine and MSE started normally.  Since this did not make sense to me, I look at the running processes using Spybot and noticed that SUPERAntiSpyware was running, even though it was not setup to be running.  I remembered that I had problems with MSE starting when I  installed SUPERAntiSpyware several weeks ago.  Since you said I didn't need it, and I did not like the interface and upselling, I uninstalled it.  Then I re-enabled wallpaper.exe and re-booted.

 

This time, MSE started fine, but I got a message that new hardware was found.  I ignored it and let the machine boot.  Then I went into Add New Hardware, which gave me a warning about needing an installation disk.  I closed it and looked at the device manager, which showed an unknown device and no keyboard.  I checked by creating a text document and could not name it -  the keyboard was not working.  Then, somehow Combofix started running.  I could not cancel the scan, received warning messages about the virus scanner being on, but could not close it as the icon had vanished.  When the Combofix window opened, I clicked the x to close it.

 

Assuming I had caused damage by starting the scan, I used System Restore to restore the system to earlier in the day (MS Essesntial must have created it).  I re-booted, MSE started correctly, the wallpaper changed and the keyboard was there.  Everything seemed to be running correctly so I shut down for the night.

 

It seems to me that these was a conflict between SUPERAntiSpyware and MS Essentials which affect my start up entries.  I will go home tonight and see was it going on before continuing with your instructions.


I am on the computer now and it seems to be working properly.  Everything started correctly.  I left the machine on and came back a little later and MS Essentials had updated itself.  I then visited a couple of websites, checked the links in your post, then did quick scans with Malwarebytes and MSE.  Both came back clean.

I think I am ready to proceed with the cleanup steps.  Will shut down and wait for your reply before continuing.


Have completed the cleanup process and the instructions to speed up a slow PC.  Everything seems to be working well now.  Did have problems with MS Essentials starting in protection mode again after the cleanup; this problem has resolved itself after the additional cleanup and procedures to speed up the PC.  A subsequent problem with a black menu bar in IE 8 I was also able to resolve.

I plan on running the current setup for a few days to make sure it is stable before changing firewalls.  If problems continue with MS Essentials, I will look at the recommended options for replacing that as well.

One last question: after cleanup, I still see a folder on my C drive named FRST with a Quarantine folder and items in it.  Is it safe to delete this folder?

And thank you very much again Borislav for all your help.
