
Need help with Rootkit.0access and Trojan.Zaccess


gflo

Scanning with Malwarebytes found Rootkit.0access and Trojan.Zaccess. Malwarebytes removes them, but after restarting the computer and running another scan they're back again. I also use Norton, and it doesn't detect either one. I used Norton Power Eraser, and it didn't help.

 

Here are the logs from the dds.scr scan:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by George at 15:54:29 on 2013-08-23
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.

uURLSearchHooks: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - c:\program files\pdfforge toolbar\ie\7.4\pdfforgeToolbarIE.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\20.4.0.40\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\20.4.0.40\ips\IPSBHO.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - c:\program files\pdfforge toolbar\ie\7.4\pdfforgeToolbarIE.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.4.0.40\CoIEPlg.dll
TB: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - c:\program files\pdfforge toolbar\ie\7.4\pdfforgeToolbarIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll



TCP: NameServer = 192.168.0.1
TCP: Interfaces\{780D17BB-64F9-429E-92FE-634F4E4FC903} : DHCPNameServer = 192.168.0.1
LSA: Authentication Packages =  msv1_0 relog_ap
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\george\application data\mozilla\firefox\profiles\cq5r138g.default\

FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-08-23 20:17:55 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-08-23 16:50:48 54016 ----a-w- c:\windows\system32\drivers\oymo.sys
2013-08-23 16:01:21 -------- d-----w- c:\documents and settings\george\local settings\application data\NPE
2013-08-22 15:32:16 54016 ----a-w- c:\windows\system32\drivers\nisin.sys
2013-08-09 15:16:49 -------- d-----w- c:\documents and settings\george\application data\Search Settings
2013-08-09 15:16:43 -------- d-----w- c:\program files\Application Updater
2013-08-09 15:16:42 -------- d-----w- c:\program files\pdfforge Toolbar
2013-08-09 15:16:42 -------- d-----w- c:\program files\common files\Spigot
.
==================== Find3M  ====================
.
2013-08-23 16:55:46 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
2013-08-21 15:51:02 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 15:51:02 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-26 18:34:20 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 15:59:21.76 ===============
 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acronis True Image Echo Workstation
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Brother DCP-9040CN
Brother MFL-Pro Suite
CCleaner
Compatibility Pack for the 2007 Office system
Defraggler
EASEUS Partition Manager 3.0 Home Edition
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB952287)
HTC Driver
iTunes
Java Auto Updater
Java 6 Update 23
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton 360
NVIDIA Drivers
NVIDIA nView Desktop Manager
PaperPort Image Printer
PDFCreator
pdfforge Toolbar v7.4
QuickTime
Realtek High Definition Audio Driver
Safari
ScanSoft PaperPort 11
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
WinZip 11.2
WordPerfect Office 12
.
==== End Of File ===========================
 

 

Any help with this will be greatly appreciated. Please be patient with me; I'm not very computer savvy.

 

Thanks.


Welcome to the forum.

Please download RogueKiller 32 Bit to your desktop and run it.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: click on the Follow This Topic button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.

Removing malware can be unpredictable...unlikely, but things can go very wrong! Back up any files that cannot be replaced. You can copy them to a CD/DVD, an external drive or a pen drive.

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs.

<+>Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Here is the RK report:

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : George [Admin rights]
Mode : Scan -- Date : 08/26/2013 10:21:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}\   \   \???ﯹ๛\{d074f1b1-76a3-1f25-6260-4073a20f2785}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 5 ¤¤¤
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}\   \   \???ﯹ๛\{d074f1b1-76a3-1f25-6260-4073a20f2785}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}\   \   \???ﯹ๛\{d074f1b1-76a3-1f25-6260-4073a20f2785}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\WINDOWS\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\WINDOWS\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\WINDOWS\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Documents and Settings\George\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x830E5A10)
[Address] SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x830E5AF0)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x830E5440)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x82A0B650)
[Address] SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x83D7EF08)
[Address] SSDT[43] : NtCreateMutant @ 0x806176AE -> HOOKED (Unknown @ 0x830EC9C0)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x829696D8)
[Address] SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x82A09380)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643B3E -> HOOKED (Unknown @ 0x82A0B730)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x82FAF988)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8314EC40)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x830ECAB0)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x830E5930)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x830088C0)
[Address] SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8314EB40)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F06C -> HOOKED (Unknown @ 0x830EC8E0)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x82A092A8)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x82FAF950)
[Address] SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x82EFD8F0)
[Address] SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x82FAFA58)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x829697C8)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8312B968)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x82A09BF0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x82A09C28)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FD24 -> HOOKED (Unknown @ 0x82A0B810)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x82EFD9D0)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8312BA48)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x82F8DBD8)
[Address] SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x82A09B30)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x82A09CB8)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8314ED10)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8313FB30)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x834F5F48)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x834F5E88)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x828C8290)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x828C8350)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x831EE690)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8324AAE8)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8324AA18)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x828D71A8)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x83444668)

¤¤¤ External Hives: ¤¤¤
-> E:\windows\system32\config\SYSTEM | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\SOFTWARE | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\SECURITY | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\SAM | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\DEFAULT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\George\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\Rose\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] de181e059b1f0e44b2a440c7feed547d
[bSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 30718 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 62910540 | Size: 45567 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 9a4157a4b2fc88de38dc3fad6f68edd2
[bSP] 260a2c1c807adf5e31be5133d5e6e103 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08262013_102128.txt >>

 

 

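As an added example (not from this thread, and not code from RogueKiller or its author), the following Python script parses RogueKiller report lines of the kind posted above and summarises the indicators a helper reads off such a report: ZeroAccess-tagged service, `@` file and `U`/`L` folder entries grouped by the GUID directory they sit under, service names the tool could not print, services hidden from the API, and SSDT/Shadow SSDT hooks into memory the tool could not attribute to a module. The report embedded in it is a constructed sample built from a few of the posted lines with paths shortened; the function names `parse_report`, `artifact_name`, `is_odd_name` and `verdict` are my own.

```python
import re

# Constructed sample, modelled on a few lines of the RogueKiller report posted
# above (paths shortened; the GUID directory is the one from the posted report).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}\GoogleUpdate.exe" < [x] -> STOPPED
¤¤¤ Registry Entries : 3 ¤¤¤
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\WINDOWS\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\WINDOWS\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\WINDOWS\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L [-] --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x830E5A10)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x82A092A8)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x834F5F48)
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*¤¤¤$")
LEADING_TAGS_RE = re.compile(r"^((?:\[[^\]]*\])+)")      # the [Tag][Tag] prefix only
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
HOOK_RE = re.compile(
    r"^\[Address\]\s+(Shadow SSDT|SSDT)\[(\d+)\]\s*:\s*(\S+).*?->\s*HOOKED\s*"
    r"\((\w+)\s*@\s*(0x[0-9A-Fa-f]+)\)")


def is_odd_name(name):
    """True if the name holds '?' (RogueKiller's stand-in for characters it could
    not print) or anything outside printable ASCII."""
    return any(ch == "?" or not 32 <= ord(ch) < 127 for ch in name)


def artifact_name(rest):
    """Object name from the text after the tags: 'key : name (...)' for registry
    lines, 'name -- cmdline' for processes, 'name : path' for files/folders."""
    if rest.startswith(("HKLM", "HKCU")):
        return rest.split(" : ", 1)[-1].split(" (", 1)[0].strip()
    return re.split(r"\s+(?:--|:)\s+", rest, maxsplit=1)[0]


def parse_report(text):
    summary = {"infection": None,       # the tool's own verdict line, if present
               "artifacts": [],         # (section, kind, name) of ZeroAccess-tagged lines
               "guids": set(),          # GUID directories those artifacts live under
               "odd_names": set(),      # artifact names with unprintable characters
               "hidden_services": 0,    # services present in the hive but hidden from the API
               "hooks": []}             # (table, index, function, module, hook address)
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section.startswith("Infection"):
                summary["infection"] = section.split(":", 1)[-1].strip()
            continue
        m = HOOK_RE.match(line)
        if m:
            table, idx, func, module, addr = m.groups()
            summary["hooks"].append((table, int(idx), func, module, addr))
            continue
        m = LEADING_TAGS_RE.match(line)
        if not m:
            continue
        tags = [t.lower() for t in re.findall(r"\[([^\]]*)\]", m.group(1))]
        if "hidden from api" in tags:
            summary["hidden_services"] += 1
        if "zeroaccess" in tags:
            kind = next((t for t in tags if t != "zeroaccess"), "?")
            name = artifact_name(line[m.end():].strip())
            summary["artifacts"].append((section, kind, name))
            summary["guids"].update(GUID_RE.findall(line))   # only from tagged lines
            if is_odd_name(name):
                summary["odd_names"].add(name)
    return summary


def verdict(summary):
    reasons = []
    if summary["infection"]:
        reasons.append("tool verdict: " + summary["infection"])
    if summary["artifacts"]:
        reasons.append("%d ZeroAccess-tagged artifact(s) under %d GUID folder(s)"
                       % (len(summary["artifacts"]), len(summary["guids"])))
    if summary["odd_names"]:
        reasons.append("unprintable service name(s): " + ", ".join(sorted(summary["odd_names"])))
    if summary["hidden_services"]:
        reasons.append("%d service(s) hidden from the API" % summary["hidden_services"])
    # Hooks the tool could not attribute to a module deserve a look, but alone they
    # are not proof of infection: security products hook the SSDT as well.
    unattributed = [h for h in summary["hooks"] if h[3].lower() == "unknown"]
    if unattributed:
        reasons.append("%d SSDT/Shadow SSDT hook(s) into unattributed memory" % len(unattributed))
    return "; ".join(reasons) if reasons else "no rootkit indicators in this report"


if __name__ == "__main__":
    print(verdict(parse_report(SAMPLE_REPORT)))
```

Run it on a full RKreport text instead of the sample to get the same one-line summary; the `[HJ DESK]` line in the sample is there as a negative case, since its CLSID is a desktop-icon setting, not a ZeroAccess artifact, and the parser must not count it.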

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC

Inadvertently downloaded Express Installer while trying to download Farbar.  How do I get rid of it?

 

Here are the Farbar logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-08-2013
Ran by George (administrator) on 26-08-2013 11:39:57
Running from C:\Documents and Settings\George\Desktop
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvMediaCenter] - C:\WINDOWS\system32\NvMcTray.dll [86016 2009-09-27] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [13918208 2009-09-27] (NVIDIA Corporation)
HKLM\...\Run: [RTHDCPL] - C:\Windows\RTHDCPL.EXE [18750976 2009-10-06] (Realtek Semiconductor Corp.)
HKLM\...\Run: [TrueImageMonitor.exe] - C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe [1274624 2008-01-30] (Acronis)
HKLM\...\Run: [AcronisTimounterMonitor] - C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe [884696 2008-01-29] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [136472 2008-01-29] (Acronis)
HKLM\...\Run: [sSBkgdUpdate] - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] - C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [30248 2007-01-29] (Nuance Communications, Inc.)
HKLM\...\Run: [indexSearch] - C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [46632 2007-01-29] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] - C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe [255528 2007-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [brMfcWnd] - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [630784 2007-03-02] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] - C:\Program Files\Brother\ControlCenter3\brctrcen.exe [65536 2006-11-07] (Brother Industries, Ltd.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [searchSettings] - C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe [1303360 2013-08-08] (Spigot, Inc.)
HKLM\...\Command Processor:  <======= ATTENTION
MountPoints2: {ac9a3a72-b7d5-11e1-8017-6c626d07a123} - G:\RunClubSanDisk.exe
MountPoints2: {c3e7bf56-d7f4-11e1-8038-6c626d07a123} - G:\urDrive.exe
Lsa: [Authentication Packages] msv1_0 relog_ap

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\7.4\pdfforgeToolbarIE.dll (Spigot, Inc.)
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKCU - {149FBD79-122B-4080-8627-8595CB4D4251} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=971163&p={searchTerms}
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=360&chn=retail&geo=US&ver=4
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\7.4\pdfforgeToolbarIE.dll (Spigot, Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\7.4\pdfforgeToolbarIE.dll (Spigot, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: ipp - No CLSID Value -
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\cq5r138g.default

FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: pdfforge - C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\cq5r138g.default\Extensions\pdfforge@mybrowserbar.com
FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\IPSFFPlgn\
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\IPSFFPlgn\
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\coFFPlgn\
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\coFFPlgn\
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff

========================== Services (Whitelisted) =================

R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [423192 2008-01-29] (Acronis)
R2 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [807800 2013-08-08] (Spigot, Inc.)
R2 N360; C:\Program Files\Norton 360\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}\   \   \???\{d074f1b1-76a3-1f25-6260-4073a20f2785}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 Ambfilt; C:\Windows\System32\drivers\Ambfilt.sys [1684736 2008-08-05] (Creative)
R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-20] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-21] (Symantec Corporation)
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [8704 2008-11-25] ()
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-08-21] (Symantec Corporation)
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [3072 2008-11-25] ()
R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\IPSDefs\20130823.001\IDSxpx86.sys [380832 2013-08-21] (Symantec Corporation)
S3 Monfilt; C:\Windows\System32\drivers\Monfilt.sys [1389056 2006-01-04] (Creative Technology Ltd.)
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\VirusDefs\20130825.019\NAVENG.SYS [93272 2013-06-26] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\VirusDefs\20130825.019\NAVEX15.SYS [1611992 2013-06-26] (Symantec Corporation)
R3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [66816 2009-07-30] (NVIDIA Corporation)
R0 nvgts; C:\Windows\System32\DRIVERS\nvgts.sys [165920 2009-08-04] (NVIDIA Corporation)
R3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [13824 2009-07-30] (NVIDIA Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\N360\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-06-26] (Symantec Corporation)
S3 SymIM; C:\Windows\System32\DRIVERS\SymIM.sys [44064 2013-03-04] (Symantec Corporation)
R3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [44064 2013-03-04] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\N360\1404000.028\SYMTDI.SYS [396760 2013-04-24] (Symantec Corporation)
R2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [43008 2010-10-26] (Acronis)
S4 IntelIde; No ImagePath
S3 SYMFW; \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS [x]
S3 SYMIDS; \SystemRoot\System32\Drivers\N360\0308000.029\SYMIDS.SYS [x]
S3 SYMNDIS; \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDIS.SYS [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-26 11:39 - 2013-08-26 11:39 - 00000000 ____D C:\FRST
2013-08-26 11:38 - 2013-08-26 11:38 - 01070979 _____ (Farbar) C:\Documents and Settings\George\Desktop\FRST.exe
2013-08-26 11:28 - 2013-08-26 11:28 - 01066648 _____ (InstallManager) C:\Documents and Settings\George\Desktop\Express_Installer.exe
2013-08-26 10:21 - 2013-08-26 10:21 - 00008517 _____ C:\Documents and Settings\George\Desktop\RKreport[0]_S_08262013_102128.txt
2013-08-26 10:19 - 2013-08-26 10:21 - 00000000 ____D C:\Documents and Settings\George\Desktop\RK_Quarantine
2013-08-26 10:18 - 2013-08-26 10:18 - 00923136 _____ C:\Documents and Settings\George\Desktop\RogueKiller.exe
2013-08-26 09:16 - 2013-08-26 11:40 - 3425191602 _____ C:\avenger.txt
2013-08-26 09:16 - 2013-08-26 09:16 - 00000000 ____D C:\Avenger
2013-08-23 15:59 - 2013-08-23 15:59 - 00008191 _____ C:\Documents and Settings\George\Desktop\attach.txt
2013-08-23 15:59 - 2013-08-23 15:59 - 00008149 _____ C:\Documents and Settings\George\Desktop\dds.txt
2013-08-23 15:39 - 2013-08-23 15:39 - 00688992 ____R (Swearware) C:\Documents and Settings\George\Desktop\dds.scr
2013-08-23 11:20 - 2013-08-23 11:20 - 00000000 ____D C:\WINDOWS\CSC
2013-08-23 11:01 - 2013-08-23 11:13 - 00000000 ____D C:\Documents and Settings\George\Local Settings\Application Data\NPE
2013-08-22 10:32 - 2013-08-22 10:32 - 00054016 _____ C:\WINDOWS\system32\Drivers\nisin.sys
2013-08-20 08:44 - 2013-08-20 08:44 - 00004096 ____H C:\Documents and Settings\NetworkService\Local Settings\Application Data.LOG
2013-08-20 08:44 - 2013-08-20 08:44 - 00004096 ____H C:\Documents and Settings\LocalService\Local Settings\Application Data.LOG
2013-08-20 08:44 - 2013-08-20 08:44 - 00004096 ____H C:\DOCUME~1\George\LOCALS~1\Application Data.LOG
2013-08-19 16:33 - 2013-08-19 16:44 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-08-19 16:32 - 2013-08-19 16:32 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2013-08-19 16:32 - 2013-08-19 16:32 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-08-19 16:31 - 2013-08-19 16:31 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-08-19 10:32 - 2013-08-19 10:59 - 00003683 _____ C:\WINDOWS\setupapi.log
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Program Files\pdfforge Toolbar
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Program Files\Common Files\Spigot
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Program Files\Application Updater
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Documents and Settings\George\Application Data\Search Settings

==================== One Month Modified Files and Folders =======

2013-08-26 11:40 - 2013-08-26 09:16 - 3425191602 _____ C:\avenger.txt
2013-08-26 11:39 - 2013-08-26 11:39 - 00000000 ____D C:\FRST
2013-08-26 11:38 - 2013-08-26 11:38 - 01070979 _____ (Farbar) C:\Documents and Settings\George\Desktop\FRST.exe
2013-08-26 11:28 - 2013-08-26 11:28 - 01066648 _____ (InstallManager) C:\Documents and Settings\George\Desktop\Express_Installer.exe
2013-08-26 10:50 - 2012-07-20 09:44 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-08-26 10:41 - 2013-04-26 09:14 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-26 10:23 - 2013-08-26 10:19 - 00000000 ____D C:\Documents and Settings\George\Desktop\RK_Quarantine
2013-08-26 10:21 - 2013-08-26 10:21 - 00008517 _____ C:\Documents and Settings\George\Desktop\RKreport[0]_S_08262013_102128.txt
2013-08-26 10:18 - 2013-08-26 10:18 - 00923136 _____ C:\Documents and Settings\George\Desktop\RogueKiller.exe
2013-08-26 09:29 - 2010-10-27 12:27 - 00000426 _____ C:\WINDOWS\BRWMARK.INI
2013-08-26 09:28 - 2010-10-27 00:55 - 01700600 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-26 09:18 - 2010-10-26 19:38 - 00000259 _____ C:\WINDOWS\wiadebug.log
2013-08-26 09:17 - 2013-04-26 09:14 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-26 09:17 - 2010-10-27 00:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-26 09:17 - 2010-10-26 19:38 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-08-26 09:17 - 2009-09-27 18:19 - 00253748 _____ C:\WINDOWS\system32\NvApps.xml
2013-08-26 09:17 - 2008-04-14 07:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-08-26 09:16 - 2013-08-26 09:16 - 00000000 ____D C:\Avenger
2013-08-26 09:16 - 2012-12-05 18:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2483185$
2013-08-23 17:25 - 2010-10-27 00:59 - 00032580 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-23 17:19 - 2010-10-26 12:55 - 00002497 _____ C:\Documents and Settings\George\Desktop\Microsoft Office Word 2003.lnk
2013-08-23 15:59 - 2013-08-23 15:59 - 00008191 _____ C:\Documents and Settings\George\Desktop\attach.txt
2013-08-23 15:59 - 2013-08-23 15:59 - 00008149 _____ C:\Documents and Settings\George\Desktop\dds.txt
2013-08-23 15:39 - 2013-08-23 15:39 - 00688992 ____R (Swearware) C:\Documents and Settings\George\Desktop\dds.scr
2013-08-23 11:55 - 2010-10-26 12:38 - 00000900 ___SH C:\WINDOWS\system32\KGyGaAvL.sys
2013-08-23 11:36 - 2010-10-26 15:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2296011$
2013-08-23 11:27 - 2010-10-27 00:53 - 00000000 ____D C:\WINDOWS\Registration
2013-08-23 11:26 - 2010-10-27 01:00 - 00000278 ___SH C:\Documents and Settings\George\ntuser.ini
2013-08-23 11:20 - 2013-08-23 11:20 - 00000000 ____D C:\WINDOWS\CSC
2013-08-23 11:20 - 2010-10-26 19:31 - 00000000 ____D C:\WINDOWS\msagent
2013-08-23 11:13 - 2013-08-23 11:01 - 00000000 ____D C:\Documents and Settings\George\Local Settings\Application Data\NPE
2013-08-23 11:11 - 2010-10-26 19:35 - 00000211 _____ C:\boot.ini
2013-08-23 11:01 - 2010-10-27 12:09 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-08-23 10:59 - 2010-10-26 13:22 - 00000000 ____D C:\Documents and Settings\George\My Documents\Symantec
2013-08-23 10:47 - 2013-04-26 09:15 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2013-08-23 10:16 - 2010-10-26 12:54 - 00002429 _____ C:\Documents and Settings\George\Desktop\WordPerfect.lnk
2013-08-23 09:38 - 2012-12-05 18:15 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2761226$
2013-08-23 09:25 - 2010-10-26 19:31 - 00000000 ____D C:\WINDOWS\Help
2013-08-22 12:20 - 2010-10-26 13:44 - 00002521 _____ C:\Documents and Settings\George\Desktop\Microsoft Office Outlook 2003.lnk
2013-08-22 11:49 - 2010-10-26 13:14 - 00000000 ____D C:\CLIENTS
2013-08-22 10:32 - 2013-08-22 10:32 - 00054016 _____ C:\WINDOWS\system32\Drivers\nisin.sys
2013-08-22 10:32 - 2010-10-26 12:14 - 00000000 ____D C:\WINDOWS\SHELLNEW
2013-08-22 09:10 - 2010-10-26 15:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB972270$
2013-08-21 10:51 - 2012-07-20 09:44 - 00692104 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-08-21 10:51 - 2011-06-01 08:54 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-08-20 14:19 - 2012-12-05 18:21 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2485663$
2013-08-20 13:54 - 2010-10-28 08:57 - 00000000 ____D C:\WINDOWS\Downloaded Installations
2013-08-20 11:30 - 2010-10-26 15:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB974318$
2013-08-20 10:23 - 2010-10-26 15:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB956572$
2013-08-20 09:52 - 2010-10-26 19:31 - 00000000 ____D C:\WINDOWS\mui
2013-08-20 08:55 - 2010-10-27 00:54 - 00000000 ____D C:\WINDOWS\srchasst
2013-08-20 08:44 - 2013-08-20 08:44 - 00004096 ____H C:\Documents and Settings\NetworkService\Local Settings\Application Data.LOG
2013-08-20 08:44 - 2013-08-20 08:44 - 00004096 ____H C:\Documents and Settings\LocalService\Local Settings\Application Data.LOG
2013-08-20 08:44 - 2013-08-20 08:44 - 00004096 ____H C:\DOCUME~1\George\LOCALS~1\Application Data.LOG
2013-08-19 16:55 - 2010-10-26 15:57 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB967715$
2013-08-19 16:44 - 2013-08-19 16:33 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-08-19 16:32 - 2013-08-19 16:32 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2013-08-19 16:32 - 2013-08-19 16:32 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-08-19 16:32 - 2010-10-27 00:59 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-08-19 16:31 - 2013-08-19 16:31 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-08-19 16:26 - 2013-04-26 09:14 - 00000000 ____D C:\Program Files\Google
2013-08-19 16:26 - 2013-04-26 09:14 - 00000000 ____D C:\Documents and Settings\George\Local Settings\Application Data\Google
2013-08-19 12:48 - 2012-03-05 13:52 - 00000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2013-08-19 10:59 - 2013-08-19 10:32 - 00003683 _____ C:\WINDOWS\setupapi.log
2013-08-16 17:17 - 2011-04-04 12:41 - 00000000 ____D C:\WINDOWS\Minidump
2013-08-16 17:17 - 2010-10-27 01:00 - 00000000 ____D C:\Documents and Settings\George
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Program Files\pdfforge Toolbar
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Program Files\Common Files\Spigot
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Program Files\Application Updater
2013-08-09 10:16 - 2013-08-09 10:16 - 00000000 ____D C:\Documents and Settings\George\Application Data\Search Settings
2013-08-06 09:05 - 2010-10-26 12:52 - 00000000 ____D C:\Documents and Settings\George\Local Settings\Application Data\Adobe
2013-07-30 16:43 - 2010-10-26 13:19 - 00000000 ____D C:\Law Business

ZeroAccess:
C:\Windows\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}
C:\Windows\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\@
C:\Windows\Installer\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L\00000004.@

ZeroAccess:
C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}
C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\@

Files to move or delete:
====================
ZeroAccess:
C:\DOCUME~1\George\LOCALS~1\Application Data\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{d074f1b1-76a3-1f25-6260-4073a20f2785}

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-08-2013
Ran by George at 2013-08-26 11:40:49
Running from C:\Documents and Settings\George\Desktop
Boot Mode: Normal
==========================================================

==================== Installed Programs =======================

Acronis True Image Echo Workstation (Version: 9.5.8039)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.94)
Adobe Flash Player 11 Plugin (Version: 11.8.800.94)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Bonjour (Version: 3.0.0.10)
Brother DCP-9040CN (Version: 1.00)
Brother MFL-Pro Suite (Version: 1.00)
CCleaner (Version: 2.36)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Defraggler (Version: 1.21)
EASEUS Partition Manager 3.0 Home Edition
Google Chrome (Version: 29.0.1547.57)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Google Update Helper (Version: 1.3.21.153)
HTC Driver (Version: 1.09.0022)
iTunes (Version: 11.0.4.4)
Java Auto Updater (Version: 2.0.2.4)
Java 6 Update 23 (Version: 6.0.230)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Mozilla Firefox 17.0.1 (x86 en-US) (Version: 17.0.1)
Mozilla Maintenance Service (Version: 17.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Norton 360 (Version: 20.4.0.40)
NVIDIA Drivers (Version: 1.7)
NVIDIA nView Desktop Manager (Version: 125.24)
PaperPort Image Printer (Version: 1.00.0000)
PDFCreator (Version: 0.9.8)
pdfforge Toolbar v7.4 (Version: 7.4)
QuickTime (Version: 7.74.80.86)
Realtek High Definition Audio Driver (Version: 5.10.0.5953)
Safari (Version: 5.34.57.2)
ScanSoft PaperPort 11 (Version: 11.1.0000)
Update for Windows Internet Explorer 8 (KB2362765) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
WinZip 11.2 (Version: 11.2.8094)
WordPerfect Office 12 (Version: 12.0.0.238)

==================== Restore Points  =========================

Could not list Restore Points.

==================== Hosts content: ==========================

2008-04-14 07:00 - 2008-04-14 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Faulty Device Manager Devices =============

Could not list Devices.

==================== Event log errors: =========================

Application errors:
==================
Error: (08/26/2013 09:18:12 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/23/2013 03:41:43 PM) (Source: Application Hang) (User: )
Description: Hanging application mbam.exe, version 1.75.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/23/2013 03:41:22 PM) (Source: Application Hang) (User: )
Description: Hanging application mbam.exe, version 1.75.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/23/2013 03:41:17 PM) (Source: Application Hang) (User: )
Description: Hanging application mbam.exe, version 1.75.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/23/2013 11:37:29 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/23/2013 11:28:47 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/23/2013 11:22:03 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/23/2013 11:13:19 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/23/2013 11:05:01 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/23/2013 09:55:09 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

System errors:
=============
Error: (08/26/2013 09:17:18 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume3

Error: (08/23/2013 11:36:59 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume3

Error: (08/23/2013 11:28:16 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume3

Error: (08/23/2013 11:26:41 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/23/2013 11:26:40 AM) (Source: PlugPlayManager) (User: )
Description: The device Root\LEGACY_SMR322\0000 disappeared from the system without first being prepared for removal.

Error: (08/23/2013 11:21:24 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/23/2013 11:21:00 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume3

Error: (08/23/2013 10:05:43 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (08/23/2013 10:05:43 AM) (Source: 0) (User: )
Description: \Device\Scsi\nvgts1

Error: (08/23/2013 09:54:42 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume3

Microsoft Office Sessions:
=========================
Error: (08/26/2013 09:18:12 AM) (Source: WinMgmt)(User: )
Description:

Error: (08/23/2013 03:41:43 PM) (Source: Application Hang)(User: )
Description: mbam.exe1.75.0.1hungapp0.0.0.000000000

Error: (08/23/2013 03:41:22 PM) (Source: Application Hang)(User: )
Description: mbam.exe1.75.0.1hungapp0.0.0.000000000

Error: (08/23/2013 03:41:17 PM) (Source: Application Hang)(User: )
Description: mbam.exe1.75.0.1hungapp0.0.0.000000000

Error: (08/23/2013 11:37:29 AM) (Source: WinMgmt)(User: )
Description:

Error: (08/23/2013 11:28:47 AM) (Source: WinMgmt)(User: )
Description:

Error: (08/23/2013 11:22:03 AM) (Source: WinMgmt)(User: )
Description:

Error: (08/23/2013 11:13:19 AM) (Source: WinMgmt)(User: )
Description:

Error: (08/23/2013 11:05:01 AM) (Source: WinMgmt)(User: )
Description:

Error: (08/23/2013 09:55:09 AM) (Source: WinMgmt)(User: )
Description:

==================== Memory info ===========================

Percentage of memory in use: 73%
Total physical RAM: 767.17 MB
Available physical RAM: 204 MB
Total Pagefile: 1872.42 MB
Available Pagefile: 653.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.55 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.75 GB) (Free:396.84 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (Old_C) (Fixed) (Total:30 GB) (Free:19.39 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive f: (georgepersonal) (Fixed) (Total:44.5 GB) (Free:40.48 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: D0F4738C)
Partition 1: (Active) - (Size=30 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=44 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 00000001)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Ok, I ran RK again and it seems to still find the Rootkit. Here is the report:

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : George [Admin rights]
Mode : Scan -- Date : 08/26/2013 13:31:40
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce :  (A0) (cmd /c "C:\Documents and Settings\George\Desktop\mbar\mbar.exe" /rdv /s [7]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Documents and Settings\George\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x83108008)
[Address] SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x830FF118)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x83107900)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8310E198)
[Address] SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x83DE31A8)
[Address] SSDT[43] : NtCreateMutant @ 0x806176AE -> HOOKED (Unknown @ 0x83149188)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x831121D0)
[Address] SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x830C2F70)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643B3E -> HOOKED (Unknown @ 0x831040B8)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x83107A58)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x830A0008)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x83108070)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x83108150)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x83D3C2D0)
[Address] SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x830A0118)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F06C -> HOOKED (Unknown @ 0x831490A8)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB9AA8A24)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x830E0738)
[Address] SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x831260B8)
[Address] SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB9AA8B70)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8310E0A8)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x830FF1D8)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x830DE268)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x83098150)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FD24 -> HOOKED (Unknown @ 0x83104198)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x83126198)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8310B0B8)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x830986B0)
[Address] SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8310B198)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x83121200)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x830DE120)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x83D580D0)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8297B090)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8294CBB0)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8297B008)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x83D42860)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x83CBD008)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8345A730)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x83479730)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x830EC148)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x83D755D0)

¤¤¤ External Hives: ¤¤¤
-> E:\windows\system32\config\SYSTEM | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\SOFTWARE | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\SECURITY | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\SAM | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\windows\system32\config\DEFAULT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\George\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> E:\Documents and Settings\Rose\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] de181e059b1f0e44b2a440c7feed547d
[bSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 30718 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 62910540 | Size: 45567 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 9a4157a4b2fc88de38dc3fad6f68edd2
[bSP] 260a2c1c807adf5e31be5133d5e6e103 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08262013_133140.txt >>
RKreport[0]_S_08262013_102128.txt

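A defender-side triage of a report like the one above, added here as an example and not part of the original thread or of RogueKiller's own code: it parses the `[ZeroAccess][Folder]` lines and the SSDT / Shadow SSDT hook lines of a RogueKiller V8 report, separating hooks that resolve to a known driver (here the Malwarebytes driver mbamchameleon.sys, seen in the report) from hooks whose owner is `Unknown`. The trusted-driver allowlist and the check for a `{GUID}\U` or `{GUID}\L` folder are assumptions of this example, generalised from the paths in the report.

```python
"""Triage a RogueKiller V8 report for ZeroAccess-style indicators (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines lifted from the report format posted in the thread.
SAMPLE_REPORT = r"""
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x83108008)
[Address] SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x830A0118)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB9AA8A24)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8297B090)
"""

# "[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x83108008)"
# Shadow SSDT lines omit the "@ 0x..." after the service name, hence the optional group.
HOOK_RE = re.compile(
    r"^\[Address\] (Shadow )?SSDT\[(\d+)\] : (\S+)(?: @ 0x[0-9A-Fa-f]+)?"
    r" -> HOOKED \((.+?) @ (0x[0-9A-Fa-f]+)\)$")
FOLDER_RE = re.compile(r"^\[ZeroAccess\]\[Folder\] (\S+) : (.+?) \[-\] --> FOUND$")
# Assumption: a GUID-named folder holding "U" or "L" subfolders, as in the report above.
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\[UL]$", re.IGNORECASE)
# Assumption: analyst-maintained allowlist of security-tool drivers that legitimately hook.
TRUSTED_DRIVERS = {"mbamchameleon.sys"}


@dataclass
class Hook:
    table: str    # "SSDT" or "Shadow SSDT"
    index: int
    service: str  # Nt* service name, or "unknown" when RogueKiller could not name it
    owner: str    # module owning the hook target, or "Unknown"
    target: str   # address the service entry now points to

    @property
    def trusted(self) -> bool:
        return self.owner.lower().rsplit("\\", 1)[-1] in TRUSTED_DRIVERS


def parse_hooks(report: str) -> List[Hook]:
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            shadow, idx, svc, owner, target = m.groups()
            hooks.append(Hook("Shadow SSDT" if shadow else "SSDT", int(idx), svc, owner, target))
    return hooks


def parse_zeroaccess_folders(report: str) -> List[str]:
    matches = (FOLDER_RE.match(line.strip()) for line in report.splitlines())
    return [m.group(2) for m in matches if m]


def triage(report: str) -> Dict[str, object]:
    hooks = parse_hooks(report)
    folders = parse_zeroaccess_folders(report)
    unattributed = [h for h in hooks if h.owner == "Unknown"]          # no owning driver at all
    untrusted = [h for h in hooks if h.owner != "Unknown" and not h.trusted]
    return {
        "hooks_total": len(hooks),
        "hooks_unattributed": len(unattributed),
        "hooks_untrusted_module": len(untrusted),
        "hooks_trusted_module": len(hooks) - len(unattributed) - len(untrusted),
        "zeroaccess_folders": folders,
        "zeroaccess_guid_dirs": [f for f in folders if GUID_DIR_RE.search(f)],
        # Unattributed kernel hooks together with the on-disk folders point to an active rootkit.
        "likely_active_rootkit": bool(unattributed) and bool(folders),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```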

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][Folder] U : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\U [-] --> FOUND

[ZeroAccess][Folder] L : C:\Documents and Settings\George\Local Settings\Application Data\{d074f1b1-76a3-1f25-6260-4073a20f2785}\L [-] --> FOUND

[ZeroAccess][Folder] Install : C:\Documents and Settings\George\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND

[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

Now click Delete on the right hand column under Options

-------------

Reboot and run another scan to ensure they're gone.

MrC


OK...Good:

Let's check for any adware while you're here:

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
If you agree with everything listed to be removed in the folders section...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Ok, downloaded and ran AdwCleaner.  Here is the first report.  I don't recognize anything but would like for you to double check to make sure I'm not removing anything I shouldn't remove.

 

# AdwCleaner v3.001 - Report created 26/08/2013 at 14:08:04
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : George - GEORGE-993A4601
# Running from : C:\Documents and Settings\George\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : Application Updater

***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\cq5r138g.default\Extensions\pdfforge@mybrowserbar.com
Folder Found C:\Documents and Settings\George\Application Data\pdfforge
Folder Found C:\Documents and Settings\George\Application Data\Search Settings
Folder Found C:\Documents and Settings\George\IECompatCache
Folder Found C:\Program Files\Application Updater
Folder Found C:\Program Files\Common Files\spigot
Folder Found C:\Program Files\pdfforge Toolbar

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\pdfforge
Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Found : HKCU\Software\pdfforge
Key Found : HKCU\Software\Search Settings
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Found : HKLM\Software\pdfforge
Key Found : HKLM\Software\Search Settings
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B922D405-6D13-4A2B-AE89-08A030DA4402}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{B922D405-6D13-4A2B-AE89-08A030DA4402}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [searchSettings]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v17.0.1 (en-US)

[ File : C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\cq5r138g.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [2540 octets] - [26/08/2013 14:08:04]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2600 octets] ##########


Removed all the adware.  Ran Malwarebytes and it found 1 PUP.  Removed it and rebooted.  Ran Malwarebytes again and nothing was found.  The computer is running fine!  Seems somewhat faster than before.  Here are the AdwCleaner log and the Malwarebytes report:

 

# AdwCleaner v3.001 - Report created 26/08/2013 at 15:02:21
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : George - GEORGE-993A4601
# Running from : C:\Documents and Settings\George\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : Application Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Application Updater
Folder Deleted : C:\Program Files\pdfforge Toolbar
Folder Deleted : C:\Program Files\Common Files\spigot
Folder Deleted : C:\Documents and Settings\George\IECompatCache
Folder Deleted : C:\Documents and Settings\George\Application Data\pdfforge
Folder Deleted : C:\Documents and Settings\George\Application Data\Search Settings
File Deleted : C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\cq5r138g.default\Extensions\pdfforge@mybrowserbar.com

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [searchSettings]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{B922D405-6D13-4A2B-AE89-08A030DA4402}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B922D405-6D13-4A2B-AE89-08A030DA4402}]
Key Deleted : HKCU\Software\pdfforge
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\pdfforge
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\Software\Application Updater
Key Deleted : HKLM\Software\pdfforge
Key Deleted : HKLM\Software\Search Settings

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v17.0.1 (en-US)

[ File : C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\cq5r138g.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [2680 octets] - [26/08/2013 14:08:04]
AdwCleaner[R1].txt - [2740 octets] - [26/08/2013 15:00:54]
AdwCleaner[s0].txt - [2723 octets] - [26/08/2013 15:02:21]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2783 octets] ##########

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.26.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
George :: GEORGE-993A4601 [administrator]

8/26/2013 3:26:39 PM
mbam-log-2013-08-26 (15-26-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208693
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Good.....

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

MrC -

 

Sorry for the delay in getting back to you on this, but life got in the way.  Anyway, I just ran the Security Check and here is the report.  When it first started running I got an AutoIt error that said "Error: Variable must be type 'object'"; not sure if this is important, but I thought I'd let you know.

 

 

Results of screen317's Security Check version 0.99.73 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java 6 Update 23 
 Java version out of Date!
 Adobe Flash Player  11.8.800.94 
 Adobe Reader XI 
 Mozilla Firefox 17.0.1 Firefox out of Date! 
 Google Chrome 28.0.1500.95 
 Google Chrome 29.0.1547.57 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````
 
