Jump to content

Idiotically downloaded x264 video codec and Im now infected

disneyfan
 Share

Recommended Posts

disneyfan

disneyfan

Posted
Posted

Hi.  I stupidly downloaded a file which had x264 vide codec attached.  In a moment of post nightshift brain fog I ran the x264 file and immediately infected my computer.  Malwarebytes has shifted most of the problem but 3 registry infections persistantly remain, even after scan/ removal.  The x264 folder and contents resist deletion as well, even in safe mode.  I'm stumped.  Norton doesnt even notice the infection and Malware seems unable to remove it.

 

The malwarebytes log file says:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.21.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Grant :: HOUSEPC [administrator]

21/08/2013 14:46:47
MBAM-log-2013-08-21 (17-22-58).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 483881
Time elapsed: 2 hour(s), 26 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\‮etadpug (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Trojan.Zaccess) -> Data:  -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

The DDS Log is:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Grant at 19:31:40 on 2013-08-21
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.2046.962 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Disabled*
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
D:\Program Files\Ashampoo\Ashampoo WinOptimizer 8\DfsdkS.exe
D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\program files\real\realplayer\update\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MyTomTom 3\MyTomTomSA.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.




BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - d:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.4.0.40\ips\ipsbho.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\coieplg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [EPSON Stylus DX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticee.exe /fu "d:\docume~1\grant\locals~1\temp\E_S41.tmp" /EF "HKCU"
uRun: [MyTomTomSA.exe] "c:\program files\mytomtom 3\MyTomTomSA.exe"
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\liveupdate.lnk - c:\program files\norton internet security\engine\16.2.0.7\uiStub.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoFileAssociate = dword:0
mPolicies-System: NoDispSettingsPage = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.

TCP: NameServer = 192.168.1.254
TCP: Interfaces\{58EAEE17-F72D-49D4-9D9D-0CD73C58E5E6} : DHCPNameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1404000.028\symds.sys [2013-6-14 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1404000.028\symefa.sys [2013-6-14 934488]
R1 BHDrvx86;BHDrvx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.1.22\definitions\bashdefs\20130715.001\BHDrvx86.sys [2013-7-25 1002072]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1404000.028\ccsetx86.sys [2013-6-14 134744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1404000.028\ironx86.sys [2013-6-14 175264]
R2 DfSdkS;Defragmentation-Service;d:\program files\ashampoo\ashampoo winoptimizer 8\DfSdkS.exe [2012-8-25 406016]
R2 LiveTunerPM;Ashampoo LiveTuner ProcessMonitor Driver;d:\program files\ashampoo\ashampoo winoptimizer 8\LiveTunerProcessMonitor32.sys [2012-8-25 12696]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-27 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-7 701512]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\20.4.0.40\ccsvchst.exe [2013-6-14 144368]
R2 pcCMService;pcCMService;c:\program files\common files\motive\pcCMService.exe [2012-10-10 376144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-10-26 106656]
R3 IDSxpx86;IDSxpx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.1.22\definitions\ipsdefs\20130820.006\IDSXpx86.sys [2013-8-20 380832]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-7 22856]
R3 NAVENG;NAVENG;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.1.22\definitions\virusdefs\20130821.002\NAVENG.SYS [2013-8-21 93272]
R3 NAVEX15;NAVEX15;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.1.22\definitions\virusdefs\20130821.002\NAVEX15.SYS [2013-8-21 1611992]
S2 gupdate1c9b223f88c48b4;Google Update Service (gupdate1c9b223f88c48b4);c:\program files\google\update\GoogleUpdate.exe [2009-3-31 133104]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2012-4-20 155824]
S3 WO_LiveService;Ashampoo LiveTuner Service;d:\program files\ashampoo\ashampoo winoptimizer 8\LiveTunerService.exe [2012-8-25 885160]
S4 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2007-4-3 69120]
.
=============== Created Last 30 ================
.
2013-08-21 16:52:29 -------- d-----w- d:\documents and settings\grant\application data\ParetoLogic
2013-08-21 16:52:29 -------- d-----w- d:\documents and settings\grant\application data\DriverCure
2013-08-21 16:50:53 -------- d-----w- c:\program files\common files\ParetoLogic
2013-08-21 16:50:47 -------- d-----w- d:\documents and settings\all users\application data\ParetoLogic
2013-08-20 00:49:54 225280 ----a-w- d:\documents and settings\all users\application data\microsoft\media tools\MediaIconsOverlays.dll
2013-08-20 00:49:34 -------- d-----w- c:\program files\x264 Video Codec
2013-08-16 17:39:49 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-30 16:18:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-30 16:18:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-24 20:14:54 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-24 20:14:52 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-24 20:14:52 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-24 20:14:52 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-18 15:39:13 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-28 01:59:37 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2013-05-28 00:41:07 6144 ----a-w- c:\windows\system32\xpsp4res.dll
.
============= FINISH: 19:32:25.70 ===============

 

The Attach log is:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 17/11/2006 00:58:55
System Uptime: 21/08/2013 17:25:06 (2 hours ago)
.
Motherboard: NEC COMPUTERS INTERNATIONAL |  | GA-8TRC410M-NF
Processor:               Intel® Pentium® D CPU 3.40GHz | Socket 775 | 3391/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 30 GiB total, 0 GiB free.
D: is FIXED (NTFS) - 335 GiB total, 57.915 GiB free.
E: is CDROM (CDFS)
F: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.7)
Adobe Shockwave Player 11
Age of Empires III
Age of Empires III - The WarChiefs
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo WinOptimizer 2010 Advanced
Ashampoo WinOptimizer 8 v.8.13
Bonjour
BT Desktop Help
BTHomeHub
Camera RAW Plug-In for EPSON Creativity Suite
Coupon Printer
Critical Update for Windows Media Player 11 (KB959772)
DivX Setup
Drive Manager
DVDXCopy Xpress 3.0.1
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Stylus CX7300_CX8300_DX7400_DX8400 Manual
EPSON Web-To-Page
Google Earth
Google Update Helper
GoToAssist Corporate
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959765)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iTunes
Java 7 Update 25
Java Auto Updater
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.75.0.1300
Media Go
Media Go Video Playback Engine 1.88.114.12060
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Windows Media Video 9 VCM
Microsoft Works
Microsoft WSE 3.0 Runtime
Motorola SM56 Data Fax Modem
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyTomTom 3.2.0.1116
Network Play System (Patching)
Norton Internet Security
NVIDIA Control Panel 306.81
NVIDIA Graphics Driver 306.81
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA nView 136.28
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0604
NVIDIA Update 1.10.8
NVIDIA Update Components
Origin
PlayStation®Network Downloader
PlayStation®Store
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB2845142)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SM56Tester
SmartSound Quicktracks Plugin
Sonic Express Labeler
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sony Ericsson Update Engine
Sony PC Companion 2.10.165
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 Generations
The Sims™ 3 High-End Loft Stuff
The Sims™ 3 Late Night
The Sims™ 3 Outdoor Living Stuff
The Sims™ 3 Showtime
The Sims™ 3 Town Life Stuff
The Sims™ 3 World Adventures
Ulead DVD DiskRecorder 2.1.1
Ulead PhotoImpact 10 SE
Ulead VideoStudio 9.0 SE DVD
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2808679)
Update for Windows XP (KB2863058)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
Viewpoint Media Player
Visual Studio C++ 10.0 Runtime
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
21/08/2013 17:33:20, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
21/08/2013 12:19:30, error: Service Control Manager [7034]  - The Ashampoo LiveTuner Service service terminated unexpectedly.  It has done this 1 time(s).
20/08/2013 22:19:14, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
20/08/2013 22:18:44, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
20/08/2013 22:18:30, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
20/08/2013 22:17:24, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD BHDrvx86 ccSet_NIS eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip
20/08/2013 22:17:24, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
20/08/2013 22:17:24, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
20/08/2013 22:17:24, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
20/08/2013 22:17:24, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
20/08/2013 22:17:24, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
20/08/2013 22:17:24, error: Service Control Manager [7001]  - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
20/08/2013 10:29:54, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
20/08/2013 10:27:05, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
20/08/2013 10:27:05, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
.
==== End Of File ===========================

 

hope someone can help, thanks.

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

Thanks, here's the report

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Grant [Admin rights]
Mode : Scan -- Date : 08/22/2013 08:37:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\   \   \???ﯹ๛\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 13 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\???\???\???ﯹ๛\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-3864999605-194895897-2757658402-1006\[...]\Run : Google Update ("D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\???\???\???ﯹ๛\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" >) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\   \   \???ﯹ๛\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\   \   \???ﯹ๛\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\   \   \???ﯹ๛\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] Desktop.ini : C:\WINDOWS\assembly\GAC\Desktop.ini [-] --> FOUND
[ZeroAccess][Folder] Install : D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A1EDB00)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A7C1420)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A8EA6E0)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8A8B72B8)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A81A668)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A4A2990)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A1EBED0)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8AA00FB0)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8A8B7398)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A8B3A58)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A2C0270)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8A219FD0)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8A24A7C0)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A7D7798)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8AA3FCF0)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8A4A28D0)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A8649C8)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8A1ED318)
[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A234418)
[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A8AA4C0)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x8A1EBFC0)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8A7D6C58)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8A844AD0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A769628)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8A8443F0)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A7C3278)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8A7E84B0)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A7DB790)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A7EBCA0)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8A1EA6D8)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A2AC270)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A893920)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A893990)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A8939C8)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A893958)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A839A60)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A83ACA8)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A83AA60)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A83A990)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89A8EC00)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A83A6C8)

¤¤¤ External Hives: ¤¤¤
-> D:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Grant\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Rebecca\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\UpdatusUser\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3400833AS +++++
--- User ---
[MBR] a20d69f11818fbb91a7d89e07a1c73d6
[bSP] 987cf5983f07a295a06cf311d092e291 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 63 | Size: 7993 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 16370235 | Size: 30710 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 79280775 | Size: 342832 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08222013_083750.txt >>

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (32bit version)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC
Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

Hi, Thanks for the quick reply, unfortunately my stupid email consigned it to spam so my apologies for my delay.  Thanks for the warning RE- backdoor trojan.  Would figure I wouldnt get a simple one.  I dont use online banking and now I guess wont be making online purchases!  but would like to at least try to return this to a semi useable state so here goes..

 

Addition.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02
Ran by Grant (administrator) on 22-08-2013 20:01:16
Running from D:\Documents and Settings\Grant\Desktop\farbar recovery tool
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
(Cyberlink) c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
(mst software GmbH, Germany) D:\Program Files\Ashampoo\Ashampoo WinOptimizer 8\DfsdkS.exe
(SEIKO EPSON CORPORATION) D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\pcCMService.exe
(Ulead Systems, Inc.) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
() C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
() c:\APPS\Powercinema\Kernel\TV\CLSched.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
() C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
(CyberLink Corp.) C:\APPS\Powercinema\PCMService.exe
(Maxtor Corporation) C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
(NEC Computers International) C:\apps\ABoard\ABoard.exe
(NEC Computers International) C:\apps\ABoard\AOSD.exe
(RealNetworks, Inc.) C:\program files\real\realplayer\update\realsched.exe
(Apple Inc.) D:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(TomTom) C:\Program Files\MyTomTom 3\MyTomTomSA.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [iMJPMIG8.1] - C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [High Definition Audio Property Page Shortcut] - C:\Windows\system32\HDAShCut.exe [61952 2005-01-07] (Windows ® Server 2003 DDK provider)
HKLM\...\Run: [Alcmtr] - C:\Windows\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [DetectorApp] - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe [102400 2005-10-20] ()
HKLM\...\Run: [iSUSPM Startup] - C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [x]
HKLM\...\Run: [iSUSScheduler] - "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [x]
HKLM\...\Run: [PCMService] - c:\APPS\Powercinema\PCMService.exe [147456 2006-02-23] (CyberLink Corp.)
HKLM\...\Run: [basicsmssmenu] - C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe [169328 2007-10-09] (Maxtor Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [ACTIVBOARD] - c:\apps\ABoard\ABoard.exe [24576 2003-05-02] (NEC Computers International)
HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [15512424 2012-09-23] (NVIDIA Corporation)
HKLM\...\Run: [DivXMediaServer] - C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-05-20] (DivX, LLC)
HKLM\...\Run: [PHIME2002ASync] - C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] - C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [TkBellExe] - C:\program files\real\realplayer\update\realsched.exe [296056 2012-06-17] (RealNetworks, Inc.)
HKLM\...\Run: [iTunesHelper] - D:\Program Files\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-13] ()
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKCU\...\Run: [updateMgr] - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 [x]
HKCU\...\Run: [EPSON Stylus DX8400 Series] - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "D:\DOCUME~1\Grant\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU" [x]
HKCU\...\Run: [MyTomTomSA.exe] - C:\Program Files\MyTomTom 3\MyTomTomSA.exe [455608 2013-05-23] (TomTom)
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: E - E:\autorun.exe
MountPoints2: F - F:\Autorun.exe
MountPoints2: {86943aab-8b07-11e1-880a-00038a000015} - G:\Startme.exe
HKU\Administrator\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\LocalService.NT AUTHORITY\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\NetworkService.NT AUTHORITY\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\Rebecca\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\Rebecca\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [ 2013-05-01] (Apple Inc.)
HKU\Rebecca\...\Run: [EPSON Stylus DX8400 Series] - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "D:\DOCUME~1\Rebecca\LOCALS~1\Temp\E_S2E8.tmp" /EF "HKCU" [x]
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\LiveUpdate.LNK
ShortcutTarget: LiveUpdate.LNK -> C:\Program Files\Norton Internet Security\Engine\16.2.0.7\uiStub.exe (No File)
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * DfSDKBt

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - {6047A59C-235E-4822-9CBC-A07C5BD2F7D5} URL = http://uk.search.yahoo.com/search?p={searchTerms}&fr=FP-tab-web-t340&ei=UTF-8&meta=vc%3D
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468&CUI=UN42709397438811199
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
Toolbar: HKLM - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ipp - No CLSID Value -
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 19 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

========================== Services (Whitelisted) =================

R2 Basics Service; C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [124280 2007-10-09] (Seagate Technology LLC)
S4 Boonty Games; C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [69120 2007-04-03] (BOONTY)
R2 CLCapSvc; c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe [266338 2006-02-23] ()
R2 CLSched; c:\APPS\Powercinema\Kernel\TV\CLSched.exe [114784 2006-02-23] ()
R2 CyberLink Media Library Service; c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe [1073152 2006-02-23] (Cyberlink)
R2 DfSdkS; D:\Program Files\Ashampoo\Ashampoo WinOptimizer 8\DfsdkS.exe [406016 2009-08-24] (mst software GmbH, Germany)
R2 EPSON_PM_RPCV4_01; D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION)
S2 gupdate1c9b223f88c48b4; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-03-31] (Google Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NIS; C:\Program Files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll [556336 2013-05-30] (Symantec Corporation)
S3 Sony PC Companion; C:\Program Files\Sony\Sony PC Companion\PCCService.exe [155824 2013-02-04] (Avanquest Software)
R2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2005-01-31] (Ulead Systems, Inc.)
R2 USBDeviceService; C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe [90112 2005-10-20] ()
S3 WO_LiveService; D:\Program Files\Ashampoo\Ashampoo WinOptimizer 8\LiveTunerService.exe [885160 2011-09-28] ()
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\   \   \???\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 BHDrvx86; D:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-16] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-21] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-08-21] (Symantec Corporation)
S3 HdAudAddService; C:\Windows\System32\drivers\HdAudio.sys [145920 2005-01-07] (Windows ® Server 2003 DDK provider)
R3 IDSxpx86; D:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20130821.003\IDSxpx86.sys [380832 2013-08-20] (Symantec Corporation)
R2 LiveTunerPM; D:\Program Files\Ashampoo\Ashampoo WinOptimizer 8\LiveTunerProcessMonitor32.sys [12696 2011-03-08] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2013-06-12] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2013-06-12] (Printing Communications Assoc., Inc. (PCAUSA))
R3 NAVENG; D:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130822.002\NAVENG.SYS [93272 2013-08-16] (Symantec Corporation)
R3 NAVEX15; D:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130822.002\NAVEX15.SYS [1611992 2013-08-16] (Symantec Corporation)
R3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [124264 2012-07-03] (NVIDIA Corporation)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-05] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-06-18] (Symantec Corporation)
S3 SymIM; C:\Windows\System32\DRIVERS\SymIM.sys [44064 2013-03-05] (Symantec Corporation)
R3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [44064 2013-03-05] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-05] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\NIS\1404000.028\SYMTDI.SYS [396760 2013-04-25] (Symantec Corporation)
S3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
S3 HTCAND32; System32\Drivers\ANDROIDUSB.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-22 19:57 - 2013-08-22 20:00 - 00000000 ____D D:\Documents and Settings\Grant\Desktop\farbar recovery tool
2013-08-22 08:37 - 2013-08-22 08:37 - 00009402 _____ D:\Documents and Settings\Grant\Desktop\RKreport[0]_S_08222013_083750.txt
2013-08-22 08:35 - 2013-08-22 08:40 - 00000000 ____D D:\Documents and Settings\Grant\Desktop\RK_Quarantine
2013-08-22 08:35 - 2013-08-22 08:35 - 00923136 _____ D:\Documents and Settings\Grant\Desktop\RogueKiller.exe
2013-08-21 20:38 - 2013-08-21 20:38 - 00000207 _____ D:\Documents and Settings\Grant\Desktop\Malwarebytes forum.url
2013-08-21 19:32 - 2013-08-21 19:32 - 00023811 _____ D:\Documents and Settings\Grant\Desktop\attach.txt
2013-08-21 19:32 - 2013-08-21 19:32 - 00013146 _____ D:\Documents and Settings\Grant\Desktop\dds.txt
2013-08-21 19:31 - 2013-08-21 19:31 - 00000000 ___RD D:\Documents and Settings\Grant\Start Menu\Programs\Administrative Tools
2013-08-21 18:47 - 2013-08-21 18:48 - 00000180 _____ C:\WINDOWS\setupact.log
2013-08-21 18:47 - 2013-08-21 18:47 - 00000000 _____ C:\WINDOWS\setuperr.log
2013-08-21 17:52 - 2013-08-21 17:52 - 00000000 ____D D:\Documents and Settings\Grant\Application Data\ParetoLogic
2013-08-21 17:52 - 2013-08-21 17:52 - 00000000 ____D D:\Documents and Settings\Grant\Application Data\DriverCure
2013-08-21 17:50 - 2013-08-21 18:35 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\ParetoLogic
2013-08-21 17:50 - 2013-08-21 17:50 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic
2013-08-20 22:17 - 2013-08-22 20:01 - 00001024 ____H D:\Documents and Settings\Administrator\ntuser.dat.LOG
2013-08-20 22:17 - 2013-08-20 22:26 - 00786432 ____H D:\Documents and Settings\Administrator\NTUSER.DAT
2013-08-20 22:17 - 2013-08-20 22:26 - 00000178 ___SH D:\Documents and Settings\Administrator\ntuser.ini
2013-08-20 22:17 - 2013-08-20 22:26 - 00000000 ____D D:\Documents and Settings\Administrator\Local Settings\Temp
2013-08-20 22:17 - 2013-08-20 22:18 - 00000062 ___SH D:\Documents and Settings\Administrator\Local Settings\desktop.ini
2013-08-20 22:17 - 2013-08-20 22:17 - 00000000 ____D D:\Documents and Settings\Administrator
2013-08-20 22:17 - 2011-10-13 15:04 - 00000000 __SHD D:\Documents and Settings\Administrator\IETldCache
2013-08-20 22:17 - 2009-05-30 08:05 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\Macromedia
2013-08-20 22:17 - 2008-12-09 22:57 - 00000000 __SHD D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
2013-08-20 22:17 - 2008-12-09 22:57 - 00000000 __SHD D:\Documents and Settings\Administrator\Local Settings\History
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 __SHD D:\Documents and Settings\Administrator\Cookies
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 __RHD D:\Documents and Settings\Administrator\SendTo
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 __RHD D:\Documents and Settings\Administrator\Recent
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 ___RD D:\Documents and Settings\Administrator\Start Menu
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 ___RD D:\Documents and Settings\Administrator\My Documents\My Pictures
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 ___RD D:\Documents and Settings\Administrator\My Documents\My Music
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 ___HD D:\Documents and Settings\Administrator\Templates
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 ___HD D:\Documents and Settings\Administrator\Local Settings
2013-08-20 22:17 - 2006-09-22 23:44 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\Identities
2013-08-20 22:17 - 2006-09-22 16:30 - 02692462 ____H D:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
2013-08-20 22:17 - 2006-09-22 16:26 - 00000000 ___SD D:\Documents and Settings\Administrator\Application Data\Microsoft
2013-08-20 22:17 - 2006-09-22 16:21 - 00000000 __RHD D:\Documents and Settings\Administrator\Application Data
2013-08-20 22:17 - 2006-09-22 16:21 - 00000000 ____D D:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
2013-08-20 22:17 - 2006-09-22 16:19 - 00000000 ___RD D:\Documents and Settings\Administrator\My Documents
2013-08-20 22:17 - 2006-09-22 16:19 - 00000000 ___RD D:\Documents and Settings\Administrator\Desktop
2013-08-20 22:17 - 2006-09-22 16:19 - 00000000 ____D D:\Documents and Settings\Administrator\My Documents\My Skype Pictures
2013-08-20 22:17 - 2006-09-22 16:19 - 00000000 ____D D:\Documents and Settings\Administrator\Local Settings\Application Data\PowerCinema
2013-08-20 22:17 - 2006-09-22 16:14 - 00000000 ____D D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
2013-08-20 22:17 - 2006-09-22 16:08 - 00034232 _____ D:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-08-20 22:17 - 2006-09-22 16:08 - 00000000 ___HD D:\Documents and Settings\Administrator\Local Settings\Application Data
2013-08-20 22:17 - 2006-09-22 16:07 - 00000000 ___RD D:\Documents and Settings\Administrator\Favorites
2013-08-20 22:17 - 2006-09-22 16:07 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2013-08-20 22:17 - 2006-09-22 16:03 - 00000000 ____D D:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150040}
2013-08-20 22:17 - 2004-08-11 01:04 - 00000076 ___SH D:\Documents and Settings\Administrator\My Documents\desktop.ini
2013-08-20 22:17 - 2004-08-11 00:47 - 00000062 ___SH D:\Documents and Settings\Administrator\Application Data\desktop.ini
2013-08-20 22:17 - 2004-08-11 00:47 - 00000000 ___HD D:\Documents and Settings\Administrator\PrintHood
2013-08-20 22:17 - 2004-08-11 00:47 - 00000000 ___HD D:\Documents and Settings\Administrator\NetHood
2013-08-20 18:29 - 2013-08-22 19:35 - 00008416 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-20 03:42 - 2013-08-20 03:42 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\RealNetworks
2013-08-20 03:42 - 2013-08-20 03:42 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\Real
2013-08-20 02:02 - 2013-08-20 02:02 - 00000000 ___RD D:\Documents and Settings\LocalService\Favorites
2013-08-20 01:57 - 2013-08-20 01:57 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\Macromedia
2013-08-20 01:57 - 2013-08-20 01:57 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\Adobe
2013-08-20 01:49 - 2013-08-20 22:28 - 00000000 ____D D:\Documents and Settings\Grant\Start Menu\Programs\x264 Video Codec
2013-08-20 01:49 - 2013-08-20 22:28 - 00000000 ____D C:\Program Files\x264 Video Codec
2013-08-20 01:48 - 2013-08-20 01:48 - 00000218 _____ D:\Documents and Settings\Grant\Local Settings\Application Data\recently-used.xbel
2013-08-16 18:39 - 2013-08-16 19:00 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-08-16 18:33 - 2013-08-16 18:33 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850869$
2013-08-16 18:32 - 2013-08-16 18:32 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2859537$
2013-08-16 18:30 - 2013-08-16 18:31 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2863058$
2013-08-16 18:30 - 2013-08-16 18:30 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2849470$
2013-08-16 18:03 - 2013-08-16 18:03 - 00001792 _____ D:\Documents and Settings\All Users\Desktop\Google Earth.lnk

==================== One Month Modified Files and Folders =======

2013-08-22 20:01 - 2013-08-20 22:17 - 00001024 ____H D:\Documents and Settings\Administrator\ntuser.dat.LOG
2013-08-22 20:01 - 2007-04-01 16:01 - 00001024 ____H D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
2013-08-22 20:01 - 2007-04-01 16:01 - 00001024 ____H D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
2013-08-22 20:01 - 2006-11-29 18:12 - 00001024 ____H D:\Documents and Settings\Rebecca\ntuser.dat.LOG
2013-08-22 20:01 - 2006-11-17 02:31 - 00000000 ____D D:\DOCUME~1\Grant\LOCALS~1\Temp
2013-08-22 20:01 - 2006-11-17 01:58 - 00001024 ____H D:\Documents and Settings\All Users\NTUSER.DAT.LOG
2013-08-22 20:01 - 2006-09-22 23:45 - 00001024 ____H D:\Documents and Settings\Default User\ntuser.dat.LOG
2013-08-22 20:00 - 2013-08-22 19:57 - 00000000 ____D D:\Documents and Settings\Grant\Desktop\farbar recovery tool
2013-08-22 20:00 - 2006-11-17 02:31 - 00001024 ____H D:\Documents and Settings\Grant\ntuser.dat.LOG
2013-08-22 19:59 - 2006-11-17 02:31 - 00000000 __SHD D:\Documents and Settings\Grant\Cookies
2013-08-22 19:58 - 2006-11-17 02:31 - 00000000 ___RD D:\Documents and Settings\Grant\Desktop
2013-08-22 19:57 - 2012-05-06 21:32 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-08-22 19:44 - 2013-05-11 21:47 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore1ce4e88b51cd02a.job
2013-08-22 19:44 - 2013-03-01 17:47 - 00000282 _____ C:\WINDOWS\Tasks\GoforFilesUpdate.job
2013-08-22 19:44 - 2012-03-20 08:52 - 00000278 _____ C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-3864999605-194895897-2757658402-1006.job
2013-08-22 19:44 - 2012-03-15 14:39 - 00001024 ____H D:\Documents and Settings\UpdatusUser\ntuser.dat.LOG
2013-08-22 19:44 - 2010-12-03 09:00 - 00000282 _____ C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-3864999605-194895897-2757658402-1008.job
2013-08-22 19:44 - 2006-11-17 02:31 - 00000062 ___SH D:\DOCUME~1\Grant\LOCALS~1\desktop.ini
2013-08-22 19:44 - 2006-09-22 23:44 - 00001024 ____H D:\Documents and Settings\NetworkService\ntuser.dat.LOG
2013-08-22 19:44 - 2006-09-22 23:44 - 00001024 ____H D:\Documents and Settings\LocalService\ntuser.dat.LOG
2013-08-22 19:43 - 2004-08-10 16:50 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-08-22 19:42 - 2012-03-15 14:39 - 00000062 ___SH D:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini
2013-08-22 19:42 - 2006-09-22 23:44 - 00000062 ___SH D:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-08-22 19:42 - 2006-09-22 23:44 - 00000062 ___SH D:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-08-22 19:42 - 2004-08-10 17:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-22 19:42 - 2004-08-10 16:50 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-08-22 19:36 - 2012-03-15 14:39 - 00786432 ____H D:\Documents and Settings\UpdatusUser\NTUSER.DAT
2013-08-22 19:36 - 2007-03-06 13:40 - 00262144 _____ D:\Documents and Settings\NetworkService\ntuser.dat
2013-08-22 19:36 - 2007-03-06 13:40 - 00233472 _____ D:\Documents and Settings\LocalService\ntuser.dat
2013-08-22 19:35 - 2013-08-20 18:29 - 00008416 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-22 19:35 - 2007-03-06 13:40 - 13107200 _____ D:\Documents and Settings\Grant\ntuser.dat
2013-08-22 19:35 - 2006-11-17 02:31 - 00000278 ___SH D:\Documents and Settings\Grant\ntuser.ini
2013-08-22 19:35 - 2004-08-10 17:04 - 00032124 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-22 08:40 - 2013-08-22 08:35 - 00000000 ____D D:\Documents and Settings\Grant\Desktop\RK_Quarantine
2013-08-22 08:38 - 2009-07-01 13:38 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-22 08:37 - 2013-08-22 08:37 - 00009402 _____ D:\Documents and Settings\Grant\Desktop\RKreport[0]_S_08222013_083750.txt
2013-08-22 08:35 - 2013-08-22 08:35 - 00923136 _____ D:\Documents and Settings\Grant\Desktop\RogueKiller.exe
2013-08-21 20:38 - 2013-08-21 20:38 - 00000207 _____ D:\Documents and Settings\Grant\Desktop\Malwarebytes forum.url
2013-08-21 20:18 - 2006-11-17 02:31 - 00000000 ___RD D:\Documents and Settings\Grant\My Documents
2013-08-21 19:32 - 2013-08-21 19:32 - 00023811 _____ D:\Documents and Settings\Grant\Desktop\attach.txt
2013-08-21 19:32 - 2013-08-21 19:32 - 00013146 _____ D:\Documents and Settings\Grant\Desktop\dds.txt
2013-08-21 19:31 - 2013-08-21 19:31 - 00000000 ___RD D:\Documents and Settings\Grant\Start Menu\Programs\Administrative Tools
2013-08-21 19:31 - 2006-11-17 02:31 - 00000000 ___RD D:\Documents and Settings\Grant\Start Menu\Programs
2013-08-21 18:48 - 2013-08-21 18:47 - 00000180 _____ C:\WINDOWS\setupact.log
2013-08-21 18:47 - 2013-08-21 18:47 - 00000000 _____ C:\WINDOWS\setuperr.log
2013-08-21 18:35 - 2013-08-21 17:50 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\ParetoLogic
2013-08-21 17:57 - 2006-11-17 02:31 - 00001520 _____ D:\Documents and Settings\Grant\Start Menu\Programs\Remote Assistance.lnk
2013-08-21 17:52 - 2013-08-21 17:52 - 00000000 ____D D:\Documents and Settings\Grant\Application Data\ParetoLogic
2013-08-21 17:52 - 2013-08-21 17:52 - 00000000 ____D D:\Documents and Settings\Grant\Application Data\DriverCure
2013-08-21 17:52 - 2006-11-17 02:31 - 00000000 __RHD D:\Documents and Settings\Grant\Application Data
2013-08-21 17:50 - 2013-08-21 17:50 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic
2013-08-21 17:50 - 2006-09-22 23:44 - 00000000 __RHD D:\Documents and Settings\All Users\Application Data
2013-08-21 17:25 - 2009-04-18 23:51 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB956572$
2013-08-21 14:37 - 2010-10-13 07:56 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2387149$
2013-08-21 12:21 - 2009-04-13 17:46 - 00000000 ____D C:\WINDOWS\SxsCaPendDel
2013-08-20 22:28 - 2013-08-20 01:49 - 00000000 ____D D:\Documents and Settings\Grant\Start Menu\Programs\x264 Video Codec
2013-08-20 22:28 - 2013-08-20 01:49 - 00000000 ____D C:\Program Files\x264 Video Codec
2013-08-20 22:26 - 2013-08-20 22:17 - 00786432 ____H D:\Documents and Settings\Administrator\NTUSER.DAT
2013-08-20 22:26 - 2013-08-20 22:17 - 00000178 ___SH D:\Documents and Settings\Administrator\ntuser.ini
2013-08-20 22:26 - 2013-08-20 22:17 - 00000000 ____D D:\Documents and Settings\Administrator\Local Settings\Temp
2013-08-20 22:18 - 2013-08-20 22:17 - 00000062 ___SH D:\Documents and Settings\Administrator\Local Settings\desktop.ini
2013-08-20 22:17 - 2013-08-20 22:17 - 00000000 ____D D:\Documents and Settings\Administrator
2013-08-20 21:48 - 2010-10-13 07:47 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2360937$
2013-08-20 18:30 - 2010-05-12 17:24 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB978542$
2013-08-20 18:18 - 2013-06-30 17:21 - 00000000 ____D D:\Documents and Settings\Grant\My Documents\Downloads
2013-08-20 13:23 - 2008-03-23 20:20 - 00000000 ____D C:\Program Files\Google
2013-08-20 12:18 - 2011-03-07 19:52 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB971029$
2013-08-20 11:09 - 2004-08-10 16:56 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-08-20 10:34 - 2012-01-13 17:49 - 00000000 ____D D:\Documents and Settings\Grant\My Documents\BitLord
2013-08-20 10:32 - 2008-05-01 12:03 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\Google
2013-08-20 10:32 - 2008-03-23 20:21 - 00000000 ____D D:\Documents and Settings\Grant\Local Settings\Application Data\Google
2013-08-20 10:30 - 2006-09-22 23:44 - 00000000 ___RD D:\Documents and Settings\All Users\Desktop
2013-08-20 10:23 - 2006-11-17 02:31 - 00000000 ____D D:\Documents and Settings\Grant
2013-08-20 07:40 - 2006-09-22 23:44 - 00000000 __SHD D:\Documents and Settings\LocalService\Cookies
2013-08-20 07:38 - 2010-12-28 09:16 - 00001984 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-08-20 03:42 - 2013-08-20 03:42 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\RealNetworks
2013-08-20 03:42 - 2013-08-20 03:42 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\Real
2013-08-20 03:42 - 2006-09-22 23:44 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data
2013-08-20 02:02 - 2013-08-20 02:02 - 00000000 ___RD D:\Documents and Settings\LocalService\Favorites
2013-08-20 02:02 - 2006-09-22 23:44 - 00000000 __SHD D:\Documents and Settings\LocalService
2013-08-20 01:57 - 2013-08-20 01:57 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\Macromedia
2013-08-20 01:57 - 2013-08-20 01:57 - 00000000 ____D D:\Documents and Settings\LocalService\Application Data\Adobe
2013-08-20 01:56 - 2006-09-22 23:44 - 00000000 ____D D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
2013-08-20 01:54 - 2004-08-10 16:38 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2013-08-20 01:49 - 2006-09-22 23:44 - 00000000 ___SD D:\Documents and Settings\All Users\Application Data\Microsoft
2013-08-20 01:48 - 2013-08-20 01:48 - 00000218 _____ D:\Documents and Settings\Grant\Local Settings\Application Data\recently-used.xbel
2013-08-20 01:48 - 2006-11-17 02:31 - 00000000 ___HD D:\DOCUME~1\Grant\LOCALS~1\Application Data
2013-08-20 00:50 - 2012-01-13 17:51 - 00000000 _____ D:\Documents and Settings\Grant\Application Data\bitlord_log.txt
2013-08-19 19:52 - 2012-01-13 17:51 - 00000000 ____D D:\Documents and Settings\Grant\Application Data\BitLord
2013-08-18 15:36 - 2010-11-29 00:07 - 00000286 _____ C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-3864999605-194895897-2757658402-1006.job
2013-08-16 19:00 - 2013-08-16 18:39 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-08-16 18:35 - 2008-03-19 23:14 - 75778376 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-08-16 18:33 - 2013-08-16 18:33 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850869$
2013-08-16 18:33 - 2013-03-13 22:54 - 00001374 _____ C:\WINDOWS\imsins.BAK
2013-08-16 18:32 - 2013-08-16 18:32 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2859537$
2013-08-16 18:32 - 2006-09-22 15:51 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-08-16 18:31 - 2013-08-16 18:30 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2863058$
2013-08-16 18:31 - 2008-03-17 20:12 - 00635700 _____ C:\WINDOWS\system32\TZLog.log
2013-08-16 18:30 - 2013-08-16 18:30 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2849470$
2013-08-16 18:22 - 2004-08-10 16:48 - 00531052 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-08-16 18:03 - 2013-08-16 18:03 - 00001792 _____ D:\Documents and Settings\All Users\Desktop\Google Earth.lnk
2013-07-26 03:47 - 2012-06-17 20:22 - 00522240 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2013-07-26 03:47 - 2010-06-11 18:11 - 00743424 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2013-07-26 03:47 - 2009-07-22 23:01 - 00247808 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2013-07-26 03:47 - 2009-07-22 23:01 - 00012800 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2013-07-26 03:47 - 2008-03-19 23:20 - 11113472 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2013-07-26 03:47 - 2008-03-19 23:20 - 02005504 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2013-07-26 03:47 - 2008-03-19 23:20 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2013-07-26 03:47 - 2008-03-19 23:20 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2013-07-26 03:47 - 2007-12-07 15:37 - 06017536 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtml.dll
2013-07-26 03:47 - 2007-12-07 02:07 - 01215488 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
2013-07-26 03:47 - 2007-12-07 02:07 - 00920064 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
2013-07-26 03:47 - 2007-12-07 02:07 - 00611840 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mstime.dll
2013-07-26 03:47 - 2007-12-07 02:07 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iepeers.dll
2013-07-26 03:47 - 2007-12-07 02:07 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtmled.dll
2013-07-26 03:47 - 2007-12-07 02:07 - 00025600 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsproxy.dll
2013-07-26 03:47 - 2007-08-13 19:54 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2013-07-26 03:47 - 2007-08-13 19:54 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2013-07-26 03:47 - 2007-08-13 19:54 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeedsbs.dll
2013-07-26 03:47 - 2007-08-13 19:45 - 01469440 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetcpl.cpl
2013-07-26 03:47 - 2007-08-13 19:44 - 00206848 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\occache.dll
2013-07-26 03:47 - 2007-08-13 19:44 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
2013-07-26 03:47 - 2007-08-13 19:44 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\licmgr10.dll
2013-07-26 03:47 - 2007-08-13 19:39 - 00387584 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedkcs32.dll
2013-07-26 03:47 - 2007-08-13 19:34 - 02005504 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2013-07-26 03:47 - 2007-06-26 16:13 - 00759296 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vgx.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 06017536 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 01215488 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 00611840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstime.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 00206848 _____ (Microsoft Corporation) C:\WINDOWS\system32\occache.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\url.dll
2013-07-26 03:47 - 2004-08-10 16:38 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2013-07-26 03:47 - 2004-08-10 16:37 - 01469440 ____N (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2013-07-26 03:47 - 2004-08-10 16:37 - 00387584 ____N (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2013-07-26 03:47 - 2004-08-10 16:37 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2013-07-26 03:47 - 2004-08-10 16:37 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\licmgr10.dll
2013-07-26 03:47 - 2004-08-10 16:37 - 00025600 ____N (Microsoft Corporation) C:\WINDOWS\system32\jsproxy.dll
2013-07-25 21:23 - 2007-08-13 19:39 - 00174592 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ie4uinit.exe
2013-07-25 21:23 - 2004-08-10 16:37 - 00174592 ____N (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2013-07-25 16:52 - 2004-08-10 16:37 - 00385024 _____ (Microsoft Corporation) C:\WINDOWS\system32\html.iec

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
D:\DOCUME~1\Grant\LOCALS~1\Application Data\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

OK, I freely admit I am an idiot of the epic order.  Ran FRST but it encountered an error and Crashed.  Without thinking (thats what got me in this trouble in the first place, aargh) I ran it again.  This time it finished and rebooted the computer.  However you did say only to run It once.  Hopefully Ive not stuffed things up...

 

Heres the log file..

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013 02
Ran by Grant at 2013-08-22 21:38:06 Run:2
Running from D:\Documents and Settings\Grant\Desktop\farbar recovery tool
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] -  [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}\   \   \???\{10765838-a275-fe3b-b49a-998e6cc95cee}\GoogleUpdate.exe"
D:\DOCUME~1\Grant\LOCALS~1\Application Data\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}
C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}
C:\Windows\assembly\GAC\Desktop.ini

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
*etadpug => Service not found.

"D:\DOCUME~1\Grant\LOCALS~1\Application Data\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}" directory move:

Could not move "D:\DOCUME~1\Grant\LOCALS~1\Application Data\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee}" directory. => Scheduled to move on reboot.

C:\Program Files\Google\Desktop\Install\{10765838-a275-fe3b-b49a-998e6cc95cee} => Moved successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.

=========== Result of Scheduled Files to move ===========

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

Thanks, here's the rougue log..

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Grant [Admin rights]
Mode : Scan -- Date : 08/22/2013 22:48:30
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : A0 (cmd /c "D:\Documents and Settings\Grant\Desktop\mbar\mbar.exe" /r /s [7]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A817D98)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A8160B8)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A88C508)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8A1F60A0)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A7D57A8)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A2B1EA0)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A1F80C0)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8AA00860)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8A1F6180)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A8ECF60)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A7F0B88)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8A2B1F90)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8A817CB8)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A7B18D8)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A2793D0)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8A2B91C0)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB235BC4C)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8A7E9778)
[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A16F1C0)
[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB235BD3C)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x8A1F81B0)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8A816198)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8A284CE8)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A284DC8)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8A16F098)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A2B90E0)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8A1F90B8)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A78E240)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A1F9198)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8A71A7C0)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A7F0C78)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A8D3C18)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A8D3C88)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A8D3CC0)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A8D3C50)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A8D3200)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A75A180)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A874820)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A749458)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A703630)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A173148)

¤¤¤ External Hives: ¤¤¤
-> D:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Grant\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Rebecca\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\UpdatusUser\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3400833AS +++++
--- User ---
[MBR] a20d69f11818fbb91a7d89e07a1c73d6
[bSP] 987cf5983f07a295a06cf311d092e291 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 63 | Size: 7993 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 16370235 | Size: 30710 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 79280775 | Size: 342832 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08222013_224830.txt >>
RKreport[0]_S_08222013_083750.txt

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Still showing a little ZA:

Run RogueKiller again and click Scan
When the scan completes > click on the Files tab
Put a check next to all of these and uncheck the rest: (if found)
 

[ZeroAccess][Folder] Install : D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND


Then........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.
 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

Ok, Ive run rouguekiller again, but I'm having a confused moment.  I Click the files tab and the two file paths are there, but theres no check boxes to be able to check against them.  The only tab that lets me do that is the registry tab, it has 6 entries, but nothing I can recognise as being related to these files...  ???

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

Of course.  I really appreciate all your help with this, its turning into a long job for you, sorry. I'd never have managed any of this on my own so many thanks, again!  Here is the roguekiller log..

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Grant [Admin rights]
Mode : Scan -- Date : 08/24/2013 22:29:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A5B45E0)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A5B46C0)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A5B6FC0)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8A5B6630)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A5CE5F0)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A23D8E8)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A5B6450)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A46D6B0)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8A5B6710)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A2474F8)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A5B6D78)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8A23D9D8)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8A23DAB8)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A8C2BB0)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A5B6C78)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8A23D808)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A2476D8)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8A247418)
[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A23D648)
[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A2475E8)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x8A5B6540)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8A5B47A0)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8A5B4A40)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A5B6AA8)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8A5B67F0)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A23D728)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8A5B4880)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A1E8678)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A5B4960)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8A5B6B98)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A5B6E68)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A7D4A28)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A7D4A98)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A7D45C8)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A7D4A60)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A2721F8)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A18ABA0)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A1EE660)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A18A910)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A26F1F8)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A189870)

¤¤¤ External Hives: ¤¤¤
-> D:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Grant\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Rebecca\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\UpdatusUser\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3400833AS +++++
--- User ---
[MBR] a20d69f11818fbb91a7d89e07a1c73d6
[bSP] 987cf5983f07a295a06cf311d092e291 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 63 | Size: 7993 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 16370235 | Size: 30710 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 79280775 | Size: 342832 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08242013_222953.txt >>
RKreport[0]_S_08222013_083750.txt;RKreport[0]_S_08222013_224830.txt;RKreport[0]_S_08222013_231118.txt

 

 

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][Folder] Install : D:\Documents and Settings\Grant\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND

[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

Now click Delete on the right hand column under Options

Reboot and run another scan to ensure they're gone.

MrC

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

Hi, same problem as before with roguekiller, Ive run the scan but have no option to check against these files, Ive attached a screenshot showing the two tabs and the contents.  If i hit delete it will remove the checked items in the registry tab, but I dont know which to uncheck.  Im easily confused, sorry.

 

post-144365-0-11955800-1377460991_thumb.

 

 

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

great thanks, thats it done, The files tab and the registry tab are now clear.

 

heres the roguekiller log...

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Grant [Admin rights]
Mode : Scan -- Date : 08/25/2013 22:16:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A1AAF90)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A23B408)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A8F8AE0)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8A7928E8)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A890878)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A290EA0)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A7B9980)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A95F4D0)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8A7929C8)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A8D4890)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A7C72A0)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8A290F90)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8A1AAEB0)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A2857D8)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8AA03188)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8A787818)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A7AF140)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8A8AB290)
[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A1FFB20)
[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A8C9058)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x8A7B9A70)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8A23B4A0)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8A45B0B0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A75A350)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8A1FF9D8)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A787738)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8A23B538)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A8A98F0)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A23B8A0)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8A8ADE18)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A959B58)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A8CE008)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A8CF100)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A8CF138)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A8CF0C8)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A7B22E8)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A246CA8)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A79A250)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A79A180)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89B391F8)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A792AF8)

¤¤¤ External Hives: ¤¤¤
-> D:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Grant\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Rebecca\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\UpdatusUser\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3400833AS +++++
--- User ---
[MBR] a20d69f11818fbb91a7d89e07a1c73d6
[bSP] 987cf5983f07a295a06cf311d092e291 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 63 | Size: 7993 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 16370235 | Size: 30710 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 79280775 | Size: 342832 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08252013_221619.txt >>
RKreport[0]_D_08252013_220935.txt;RKreport[0]_S_08222013_083750.txt;RKreport[0]_S_08222013_224830.txt
RKreport[0]_S_08222013_231118.txt;RKreport[0]_S_08242013_222953.txt;RKreport[0]_S_08252013_205507.txt
RKreport[0]_S_08252013_220843.txt

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Good,Lets check for any adware while you're here:

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
If you agree with everything listed to be removed...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

This is the report from the first adwcleaner scan.   Nothing in it i recognise never mind want to keep so wil run the scan / delete and post the log.

 

# AdwCleaner v3.001 - Report created 25/08/2013 at 22:34:28
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Grant - HOUSEPC
# Running from : D:\Documents and Settings\Grant\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : D:\END
Folder Found C:\Program Files\Common Files\ParetoLogic
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\Viewpoint
Folder Found D:\Documents and Settings\All Users\Application Data\ParetoLogic
Folder Found D:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found D:\Documents and Settings\Grant\Application Data\DriverCure
Folder Found D:\Documents and Settings\Grant\Application Data\ParetoLogic
Folder Found D:\Documents and Settings\Grant\IECompatCache
Folder Found D:\Documents and Settings\Grant\Local Settings\Application Data\Conduit
Folder Found D:\Documents and Settings\Grant\Local Settings\Application Data\cre

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [2891 octets] - [25/08/2013 22:34:28]

########## EOF - D:\AdwCleaner\AdwCleaner[R0].txt - [2951 octets] ##########

Link to post
Share on other sites
disneyfan

disneyfan

Posted
  • Author
Posted

and this is the report after the clean.

 

# AdwCleaner v3.001 - Report created 25/08/2013 at 22:42:03
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Grant - HOUSEPC
# Running from : D:\Documents and Settings\Grant\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : D:\Documents and Settings\All Users\Application Data\ParetoLogic
Folder Deleted : D:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Common Files\ParetoLogic
Folder Deleted : D:\Documents and Settings\Grant\IECompatCache
Folder Deleted : D:\Documents and Settings\Grant\Local Settings\Application Data\Conduit
Folder Deleted : D:\Documents and Settings\Grant\Local Settings\Application Data\cre
Folder Deleted : D:\Documents and Settings\Grant\Application Data\DriverCure
Folder Deleted : D:\Documents and Settings\Grant\Application Data\ParetoLogic
File Deleted : D:\END

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [3031 octets] - [25/08/2013 22:34:28]
AdwCleaner[R1].txt - [3091 octets] - [25/08/2013 22:40:57]
AdwCleaner[s0].txt - [3100 octets] - [25/08/2013 22:42:03]

########## EOF - D:\AdwCleaner\AdwCleaner[s0].txt - [3160 octets] ##########

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.