za trojon will not go away - assistance requested

[bcurtisiii]

can't get malwarebytes to get rid of this trojan.  logs below and thanks:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.5.0
Run by Bobby at 11:02:49 on 2013-08-22
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2030.1241 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [cwcptray] c:\program files\contentwatch\internet protection\cwtray.exe
mRun: [CWPhoenixApp] c:\program files\contentwatch\internet protection\updater\Phoenix.exe /r
mRun: [uVS10 Preload] c:\program files\ulead systems\ulead videostudio se dvd\uvPL.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
dRunOnce: [sPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\cwalsp.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com




TCP: Interfaces\{9C74A344-2E88-490D-9E93-8DFA5BE106E2} : NameServer = 192.168.1.11
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bobby\appdata\roaming\mozilla\firefox\profiles\c8y2ioex.default\

FF - prefs.js: browser.search.selectedEngine - Delta Search

FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\bobby\appdata\local\microsoft\internet explorer\downloaded program files\npsoe.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-07-29 12:29; addon@defaulttab.com; c:\users\bobby\appdata\roaming\mozilla\firefox\profiles\c8y2ioex.default\extensions\addon@defaulttab.com.xpi
FF - ExtSQL: 2013-08-16 23:10; 588a2804-b11d-4809-963b-a886d1e8684e@416c8902-1140-4f75-9037-bf86b99379db.com; c:\users\bobby\appdata\roaming\mozilla\firefox\profiles\c8y2ioex.default\extensions\588a2804-b11d-4809-963b-a886d1e8684e@416c8902-1140-4f75-9037-bf86b99379db.com
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false

FF - user.js: extensions.BabylonToolbar.id - 942d051e00000000000030469a35da68
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15651
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.3.8
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.3.8
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.3.819:07:02
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110803&tt=4512_4
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(extensions.autoDisableScopes, 0
FF - user.js: extensions.shownSelectionUI - true
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 942d051e00000000000030469a35da68
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15915
FF - user.js: extensions.delta.vrsn - 1.8.22.0
FF - user.js: extensions.delta.vrsni - 1.8.22.0
FF - user.js: extensions.delta.vrsnTs - 1.8.22.012:30:53
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=119351&tsp=4958
FF - user.js: extensions.delta_i.babExt -
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-18 343920]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-3-19 21728]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2011-3-19 20384]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2011-3-19 1484800]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-18 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-18 43288]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-18 66600]
S3 SMIUSBAVCALL;SMI Grabber Device 4CH1CH ALL;c:\windows\system32\drivers\SmiUsbGrabber3F.sys [2013-6-21 129664]
.
=============== Created Last 30 ================
.
2013-08-22 00:22:16    --------    d-----w-    c:\users\bobby\appdata\local\Deployment
2013-08-22 00:22:16    --------    d-----w-    c:\users\bobby\appdata\local\Apps
2013-08-18 01:44:50    --------    d-----w-    c:\program files\common files\Symantec Shared
2013-08-05 23:07:51    --------    d-----w-    c:\users\bobby\appdata\local\Macromedia
2013-08-04 19:19:34    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-29 21:45:22    --------    d-----w-    c:\users\bobby\appdata\local\Google
2013-07-29 16:32:22    --------    d-----w-    c:\programdata\Symantec
2013-07-29 16:32:02    --------    d-----w-    c:\windows\system32\drivers\nss\0400010.010
2013-07-29 16:32:02    --------    d-----w-    c:\windows\system32\drivers\NSS
2013-07-29 16:32:01    --------    d-----w-    c:\program files\Norton Security Scan
2013-07-29 16:31:56    --------    d-----w-    c:\programdata\Norton
2013-07-29 16:31:47    --------    d-----w-    c:\programdata\NortonInstaller
2013-07-29 16:31:47    --------    d-----w-    c:\program files\NortonInstaller
2013-07-29 16:30:45    --------    d-----w-    c:\programdata\BrowserDefender
2013-07-29 16:30:43    --------    d-----w-    c:\program files\Delta
2013-07-28 21:48:52    --------    d-----w-    c:\users\bobby\appdata\roaming\DigitalSite
2013-07-26 22:22:42    60872    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{e0259fda-fe09-4373-bce3-97e8856f5586}\offreg.dll
2013-07-26 14:02:34    7143960    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{e0259fda-fe09-4373-bce3-97e8856f5586}\mpengine.dll
.
==================== Find3M  ====================
.
2013-08-04 19:19:34    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 23:43:37    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-06-11 23:43:00    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-06-11 23:42:58    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-06-11 23:42:58    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-06-11 22:51:45    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-06-07 02:37:52    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-06-05 03:05:09    2347520    ----a-w-    c:\windows\system32\win32k.sys
2013-06-04 07:17:03    745472    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-06-04 07:17:03    185344    ----a-w-    c:\windows\system32\elshyph.dll
2013-06-04 07:17:01    523264    ----a-w-    c:\windows\system32\vbscript.dll
2013-06-04 07:17:01    158720    ----a-w-    c:\windows\system32\msls31.dll
2013-06-04 07:17:01    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-06-04 07:17:01    138752    ----a-w-    c:\windows\system32\wextract.exe
2013-06-04 07:17:00    38400    ----a-w-    c:\windows\system32\imgutil.dll
2013-06-04 07:17:00    137216    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-06-04 07:17:00    12800    ----a-w-    c:\windows\system32\mshta.exe
2013-06-04 07:17:00    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-06-04 07:16:59    73728    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-06-04 07:16:59    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-06-04 07:16:59    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-06-04 07:16:59    361984    ----a-w-    c:\windows\system32\html.iec
2013-06-04 07:16:58    719360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-06-04 07:16:58    23040    ----a-w-    c:\windows\system32\licmgr10.dll
2013-06-04 07:16:58    1441280    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-06-04 04:53:07    509440    ----a-w-    c:\windows\system32\qedit.dll
2013-05-28 13:05:16    163328    ----a-w-    c:\windows\system32\FlashPlayerUpdateService.exe
.
============= FINISH: 11:37:41.08 ===============
 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/18/2011 7:26:56 PM
System Uptime: 8/22/2013 11:01:09 AM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0PU052
Processor: Intel® Core2 Duo CPU     E7300  @ 2.66GHz | CPU | 2667/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 1.017 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_29B4&SUBSYS_02111028&REV_02\3&172E68DD&0&18
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_29B4&SUBSYS_02111028&REV_02\3&172E68DD&0&18
Service:
.
Class GUID:
Description: PCI Serial Port
Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Manufacturer:
Name: PCI Serial Port
PNP Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Service:
.
==== System Restore Points ===================
.
RP427: 8/21/2013 9:44:55 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.0.1)
ArcSoft ShowBiz
Call of Duty® 2
D3DX10
FlipShare
Java Auto Updater
Java 6 Update 26
Java 7 Update 5
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Movie Maker
Mozilla Firefox 4.0 (x86 en-US)
MSVCRT
MSVCRT110
Net Nanny Parental Controls
NETGEAR WNA1100 wireless USB 2.0 adapter
Norton Security Scan
Photo Common
Photo Gallery
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
SMI Grabber Device
Ulead VideoStudio SE DVD
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817563) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
USB Video/Audio Device Driver
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
.
==== Event Viewer Messages From Past Week ========
.
8/22/2013 11:37:00 AM, Error: Service Control Manager [7000]  - The BrowserDefendert service failed to start due to the following error:  The system cannot find the file specified.
8/22/2013 11:02:16 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  aemjeahc
8/22/2013 11:01:41 AM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
8/22/2013 11:01:39 AM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
8/22/2013 11:01:33 AM, Error: Service Control Manager [7023]  - The Function Discovery Resource Publication service terminated with the following error:  %%-2147024891
8/22/2013 11:01:30 AM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
8/22/2013 11:01:23 AM, Error: atikmdag [52236]  - CPLIB :: General - Invalid Parameter
8/22/2013 11:01:23 AM, Error: atikmdag [43029]  - Display is not active
8/21/2013 8:23:31 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 10 time(s).
8/21/2013 8:23:31 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-2147218037.
8/21/2013 8:23:24 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 9 time(s).
8/21/2013 8:23:21 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 8 time(s).
8/21/2013 8:23:07 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 7 time(s).
8/21/2013 8:20:44 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 6 time(s).
8/21/2013 7:28:08 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 5 time(s).
8/21/2013 3:30:09 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 4 time(s).
8/21/2013 3:30:09 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-2147217025.
8/21/2013 3:28:28 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 3 time(s).
8/21/2013 3:27:34 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/21/2013 3:26:55 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/21/2013 3:26:55 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473535.
8/21/2013 3:23:46 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-2147215320.
8/21/2013 3:18:22 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
8/21/2013 3:18:22 PM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
8/21/2013 10:13:03 AM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
8/20/2013 9:38:24 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.
8/20/2013 9:36:56 PM, Error: Service Control Manager [7022]  - The Network Location Awareness service hung on starting.
8/20/2013 4:26:28 PM, Error: Ntfs [137]  - The default transaction resource manager on volume C: encountered a non-retryable error and could not start.  The data contains the error code.
8/18/2013 12:03:56 AM, Error: Service Control Manager [7034]  - The McAfee McShield service terminated unexpectedly.  It has done this 2 time(s).
8/17/2013 12:38:16 PM, Error: Service Control Manager [7000]  - The Application Experience service failed to start due to the following error:  A thread could not be created for the service.
8/17/2013 11:45:19 PM, Error: Service Control Manager [7034]  - The McAfee McShield service terminated unexpectedly.  It has done this 1 time(s).
8/16/2013 9:40:04 AM, Error: Service Control Manager [7022]  - The McAfee McShield service hung on starting.
8/16/2013 11:09:47 PM, Error: volmgr [46]  - Crash dump initialization failed!
.
==== End Of File ===========================
 

[MrCharlie]

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

[bcurtisiii]

here you go.

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Bobby [Admin rights]
Mode : Scan -- Date : 08/22/2013 14:28:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\   \...\???ﯹ๛\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 13 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Bobby\AppData\Local\Google\Desktop\Install\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\?��?��?��\?��?��?��\???ﯹ๛\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-939549938-1947164955-4229279808-1000\[...]\Run : Google Update ("C:\Users\Bobby\AppData\Local\Google\Desktop\Install\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\?��?��?��\?��?��?��\???ﯹ๛\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\GoogleUpdate.exe" >) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\   \...\???ﯹ๛\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\   \...\???ﯹ๛\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\   \...\???ﯹ๛\{4b8a454e-a8e5-6347-3e65-7ad8344801db}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][sUSP PATH] EPUpdater : C:\Users\Bobby\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe [x] -> FOUND
[V2][sUSP PATH] RunAsStdUser Task : "C:\Users\Bobby\AppData\Local\teeveewatchSA\bin\1.0.15.0\TeeveeWatchSA.exe" [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\Bobby\AppData\Local\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75MSA3 ATA Device +++++
--- User ---
[MBR] ccea62c910834253fd4ae8a8c39bf17a
[bSP] e7a4d88e39462edee4d9ce59ade9badd : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 133 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 273105 | Size: 76151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD800JD-75MSA3 ATA Device +++++
--- User ---
[MBR] 4f51ad12035b20f81bd82f86a3f375f7
[bSP] ba87eb2ff276c984a2b90c4873d68d9e : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 38 | Size: 3827 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08222013_142846.txt >>



 

[MrCharlie]

You've got the new nasty version of ZA.

Please read the following information first.

 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (32bit version)

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

[MrCharlie]

How are we doing??

 

Do you still need help or can I close this post??

 

MrC

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!