Jump to content

trojan.zaccess removal help


Recommended Posts

Malwarebytes is identifying trojan.zaccess but is unable to remove it.  I also cannot download any files on this computer as it says they have a virus and deletes them.  I do have access to a clean computer though so I can download there and use a USB stick to copy to this computer.

 

Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.23.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
yusishen :: OFFICE-PC [administrator]

24/08/2013 10:21:21 AM
MBAM-log-2013-08-24 (12-14-48).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 425230
Time elapsed: 1 hour(s), 36 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\‮etadpug (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

DDR logs:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16502
Run by yusishen at 12:22:45 on 2013-08-24
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\lxctcoms.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\NMSAccess32.exe
C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM05Mon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Garmin\Express Tray\ExpressTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.

uWindow Title = Internet Explorer provided by Dell






BHO: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\ips\ipsbho.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\coieplg.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\coieplg.dll
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [GarminExpressTrayApp] "c:\program files\garmin\express tray\ExpressTray.exe"
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [NPSStartup] <no file>
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\users\yusishen\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:149
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.




TCP: NameServer = 192.168.0.1
TCP: Interfaces\{E7940A85-A7CC-4471-9E05-D3496C9CBA0A} : DHCPNameServer = 192.168.0.1
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax 2012\ic2012pp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1"
.
=============== Created Last 30 ================
.
2013-08-24 15:14:15 98392 ----a-w- c:\windows\system32\drivers\SMR322.SYS
2013-08-24 15:07:36 -------- d-----w- c:\users\yusishen\appdata\roaming\FixZeroAccess
2013-08-23 17:02:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-23 17:02:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-23 16:34:16 -------- d-----w- c:\users\yusishen\appdata\local\NPE
2013-08-14 17:58:50 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 17:58:50 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 17:58:46 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 17:58:36 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 17:58:33 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 17:58:31 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 17:58:31 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 17:58:31 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 17:58:28 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 17:58:28 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 17:58:27 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 17:58:27 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-07-27 08:00:36 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-08-21 18:21:37 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 18:21:37 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-25 02:32:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-07-25 02:26:10 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-07-25 02:25:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 02:23:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-07-25 02:23:58 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-07-25 02:22:35 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-10 23:36:03 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-06-04 01:50:43 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06:08 505344 ----a-w- c:\windows\system32\qedit.dll
.
============= FINISH: 12:32:32.75 ===============
 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
ABBYY FineReader 6.0 Sprint
Adobe Digital Editions 2.0
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.7)
Adobe Shockwave Player 12.0
Adobe SVG Viewer 3.0
Advanced Audio FX Engine
Advanced Video FX Engine
AGEIA PhysX v7.03.21
AgExpert Analyst 2012-05
AgExpert Analyst 2013-04
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avery Wizard 3.1
AviSynth 2.5
Bonjour
Browser Address Error Redirector
Bullzip PDF Printer 6.0.0.744
Business Contact Manager for Outlook 2007 SP2
Canon PowerShot A3300 IS and A3200 IS and A2200 Camera User Guide
Cisco Network Magic
Conexant D850 PCI V.92 Modem
Content Manager
D3DX10
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Webcam Center
Dell Webcam Manager
Digital Line Detect
Easy DVD Clone
EDocs
Elevated Installer
Empire Earth III
EZ-Toolbox Version 2.1.0.3
Facebook Plug-In
Facebook Video Calling 1.2.0.159
Fast MP4 3GP AVI MPG WMV RM MOV FLV Converter 6.3
Field Manager PRO Desktop 2013-02
Free YouTube Downloader 3.5.136
Garmin Communicator Plugin
Garmin Express
Garmin Express Tray
Garmin Update Service
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GPL Ghostscript Lite 8.63
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® PRO Network Connections 12.1.11.0
iSEEK AnswerWorks English Runtime
iTunes
Java 6 Update 5
K-Lite Codec Pack 7.1.0 (Basic)
Kobo
Lexmark 5400 Series
Lexmark Toolbar
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300
MediaInfo 0.7.58
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works 6-9 Converter
Modem Diagnostic Tool
Monitor Webcam (SP2208WFP) Driver (1.00.08.0720) 
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MuseScore 1.3
NetWaiting
Network Magic
Norton Internet Security
Norton Online Backup
Picasa 3
Pure Networks Platform
QuickBooks
QuickBooks EasyStart 2012
QuickBooks EasyStart Edition
Quicken 2013
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Samsung ML-2510 Series
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Segoe UI
Skype™ 6.3
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
swMSM
Symantec Technical Support Web Controls
System Requirements Lab CYRI
T4 Internet - T4 par Internet 9.0
TurboTax 2012
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2768023) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817642) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinPatrol 2008
.
==== End Of File ===========================

 

Link to post
Share on other sites

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : yusishen [Admin rights]
Mode : Scan -- Date : 08/24/2013 13:24:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\   \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 13 ¤¤¤
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\   \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\   \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\   \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRtMon.dll : C:\Program Files\Windows Defender\MpRtMon.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRtPlug.dll : C:\Program Files\Windows Defender\MpRtPlug.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSigDwn.dll : C:\Program Files\Windows Defender\MpSigDwn.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSoftEx.dll : C:\Program Files\Windows Defender\MpSoftEx.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x824AF823 -> HOOKED (Unknown @ 0x8760AE68)
[Address] SSDT[14] : NtAlertThread @ 0x8242834F -> HOOKED (Unknown @ 0x8760AF48)
[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x8246469D -> HOOKED (Unknown @ 0x87239890)
[Address] SSDT[21] : NtAlpcConnectPort @ 0x824068A7 -> HOOKED (Unknown @ 0x8723A8A8)
[Address] SSDT[42] : NtAssignProcessToJobObject @ 0x823D9B32 -> HOOKED (Unknown @ 0x87473E10)
[Address] SSDT[67] : NtCreateMutant @ 0x8243C993 -> HOOKED (Unknown @ 0x87473710)
[Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x823DC349 -> HOOKED (Unknown @ 0x87459BF0)
[Address] SSDT[78] : NtCreateThread @ 0x824ADE40 -> HOOKED (Unknown @ 0x873A1E48)
[Address] SSDT[116] : NtDebugActiveProcess @ 0x82480ED4 -> HOOKED (Unknown @ 0x87473EF0)
[Address] SSDT[129] : NtDuplicateObject @ 0x82414579 -> HOOKED (Unknown @ 0x87300B70)
[Address] SSDT[147] : NtFreeVirtualMemory @ 0x822A0E75 -> HOOKED (Unknown @ 0x875B8F38)
[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x823D6F3F -> HOOKED (Unknown @ 0x87473800)
[Address] SSDT[158] : NtImpersonateThread @ 0x823EC589 -> HOOKED (Unknown @ 0x874738C0)
[Address] SSDT[165] : NtLoadDriver @ 0x82387E12 -> HOOKED (Unknown @ 0x8723A830)
[Address] SSDT[177] : NtMapViewOfSection @ 0x8242C994 -> HOOKED (Unknown @ 0x875B8E58)
[Address] SSDT[184] : NtOpenEvent @ 0x82415DF7 -> HOOKED (Unknown @ 0x8725DCE0)
[Address] SSDT[194] : NtOpenProcess @ 0x8243D12F -> HOOKED (Unknown @ 0x87236E78)
[Address] SSDT[195] : NtOpenProcessToken @ 0x8241DA58 -> HOOKED (Unknown @ 0x87300AB0)
[Address] SSDT[197] : NtOpenSection @ 0x8242D78C -> HOOKED (Unknown @ 0x8725DB20)
[Address] SSDT[201] : NtOpenThread @ 0x8243862B -> HOOKED (Unknown @ 0x87300DF0)
[Address] SSDT[210] : NtProtectVirtualMemory @ 0x824363E2 -> HOOKED (Unknown @ 0x87473D20)
[Address] SSDT[282] : NtResumeThread @ 0x82437C4A -> HOOKED (Unknown @ 0x877B2DD0)
[Address] SSDT[289] : NtSetContextThread @ 0x824AF2CF -> HOOKED (Unknown @ 0x87459420)
[Address] SSDT[305] : NtSetInformationProcess @ 0x824309E6 -> HOOKED (Unknown @ 0x87459500)
[Address] SSDT[317] : NtSetSystemInformation @ 0x82402F1E -> HOOKED (Unknown @ 0x87473FD0)
[Address] SSDT[330] : NtSuspendProcess @ 0x824AF75F -> HOOKED (Unknown @ 0x8725DC00)
[Address] SSDT[331] : NtSuspendThread @ 0x823B6945 -> HOOKED (Unknown @ 0x877B2EB0)
[Address] SSDT[334] : NtTerminateProcess @ 0x8240D16B -> HOOKED (Unknown @ 0x873A1F28)
[Address] SSDT[335] : unknown @ 0x82438660 -> HOOKED (Unknown @ 0x877B2F90)
[Address] SSDT[348] : NtUnmapViewOfSection @ 0x8242CC57 -> HOOKED (Unknown @ 0x874595D0)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82429A27 -> HOOKED (Unknown @ 0x873A44A8)
[Address] SSDT[382] : NtCreateThreadEx @ 0x82438115 -> HOOKED (Unknown @ 0x87459CE0)
[Address] Shadow SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87C9E578)
[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x888137F0)
[Address] Shadow SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x88813730)
[Address] Shadow SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x888138B0)
[Address] Shadow SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x897B1480)
[Address] Shadow SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x897F7008)
[Address] Shadow SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x88813660)
[Address] Shadow SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x88813590)
[Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x88813C90)
[Address] Shadow SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86D40428)

¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] b0fc266a4c01e3685d55e3de3b870c76
[bSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 466644 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08242013_132426.txt >>

 

 

Link to post
Share on other sites

Please read the following information first.
 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


-----------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (32bit version)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

Link to post
Share on other sites

I will attempt the cleanup at least so I can get the necessary data files copied from the computer before doing a complete reformat/re-install (or just replace, computer is 6 years old).  I haven't used any online banking, etc. since I noticed signs of infection but will change all passwords immediately anyway.  I'm now using the clean computer for internet access so will copy the next log over to this computer via USB stick and will then post once it is done.

Link to post
Share on other sites

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-08-2013 01
Ran by yusishen (administrator) on 24-08-2013 13:56:26
Running from C:\Users\yusishen\Desktop
Windows Vista Home Premium Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NPSStartup] -  [x]
HKLM\...\Run: [samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe [520192 2007-01-14] ()
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4452352 2007-05-11] (Realtek Semiconductor)
HKLM\...\Run: [OEM05Mon.exe] - C:\Windows\OEM05Mon.exe [36864 2007-08-22] (Creative Technology Ltd.)
HKLM\...\Run: [nmctxth] - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [648488 2008-09-14] (Cisco Systems, Inc.)
HKLM\...\Run: [LXCTCATS] - C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll [106496 2006-11-21] (Lexmark International Inc.)
HKLM\...\Run: [EzPrint] - C:\Program Files\Lexmark 5400 Series\ezprint.exe [82864 2007-03-19] (Lexmark International Inc.)
HKLM\...\Run: [dellsupportcenter] - C:\Program Files\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM\...\Run: [lxctmon.exe] - C:\Program Files\Lexmark 5400 Series\lxctmon.exe [291760 2007-03-19] ()
HKLM\...\Run: [ECenter] - C:\Dell\E-Center\EULALauncher.exe [17920 2008-02-28] ( )
HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2643320 2012-11-28] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKCU\...\Run: [AutoStartNPSAgent] - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [98304 2009-01-02] (Samsung Electronics Co., Ltd.)
HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [GarminExpressTrayApp] - C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1100120 2013-03-20] (Garmin Ltd or its subsidiaries)
HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION
MountPoints2: {f43be747-edb1-11df-9bdd-00219b062144} - L:\LaunchU3.exe -a
HKU\Network User\...\RunOnce: [] -  [x]
HKU\Network User\...\Winlogon: [shell] Explorer.exe <==== ATTENTION
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada ULC.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Canada ULC.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Network User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\yusishen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080909
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKLM - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709
SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709
SearchScopes: HKCU - {5D2B041B-175F-44AC-9942-DF607B94AEF3} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =
BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)
Toolbar: HKLM - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -&Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)
Toolbar: HKCU -Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

========================== Services (Whitelisted) =================

R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [554352 2007-09-12] (Symantec Corporation)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [161048 2008-04-28] (Stardock Corporation)
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [186200 2013-03-20] (Garmin Ltd or its subsidiaries)
R3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2999664 2007-09-12] (Symantec Corporation)
R2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll [537992 2008-04-10] (Symantec Corporation)
R2 lxct_device; C:\Windows\system32\lxctcoms.exe [537520 2007-03-19] ( )
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
R2 NIS; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
R2 NMSAccess; C:\Windows\system32\NMSAccess32.exe [71096 2010-01-19] ()
R2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [648488 2008-09-14] (Cisco Systems, Inc.)
R2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [3236224 2013-04-29] (Symantec Corporation)
R2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-14] (SupportSoft, Inc.)
S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)
S2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\   \...\???\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-20] (Microsoft Corporation)
R1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [41984 2007-01-04] (Samsung Electronics Co., Ltd.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-20] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
R3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2009-01-02] ()
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57536 2008-03-13] (FTDI Ltd.)
R1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20130823.001\IDSvix86.sys [392792 2013-08-19] (Symantec Corporation)
S4 mrtRate; C:\Windows\System32\Drivers\mrtRate.sys [34712 2000-05-31] (Marimba, Inc.)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130823.019\NAVENG.SYS [93272 2013-08-20] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130823.019\NAVEX15.SYS [1611992 2013-08-20] (Symantec Corporation)
R3 OEM05Afx; C:\Windows\system32\Drivers\OEM05Afx.sys [141376 2007-08-22] (Creative Technology Ltd.)
R3 OEM05Vfx; C:\Windows\System32\DRIVERS\OEM05Vfx.sys [7424 2007-08-22] (EyePower Games Pte. Ltd.)
R3 OEM05Vid; C:\Windows\System32\DRIVERS\OEM05Vid.sys [235616 2007-08-22] (Creative Technology Ltd.)
R2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-09-14] (Pure Networks, Inc.)
R2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-09-14] (Pure Networks, Inc.)
R3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [31616 2007-01-15] ()
R0 SMR322; C:\Windows\System32\drivers\SMR322.SYS [98392 2013-08-24] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2007-01-04] (Samsung Electronics)
R0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-10] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [36512 2013-03-04] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U2 SharedAccess;
S3 SYMDNS; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMDNS.SYS [x]
S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMFW.SYS [x]
S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x]
S3 SYMREDRV; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMREDRV.SYS [x]
U3 mbr; \??\C:\Users\yusishen\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-24 13:55 - 2013-08-24 13:38 - 01070693 _____ (Farbar) C:\Users\yusishen\Desktop\FRST.exe
2013-08-24 13:24 - 2013-08-24 13:25 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt
2013-08-24 13:12 - 2013-08-24 13:25 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine
2013-08-24 13:12 - 2013-08-24 13:10 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe
2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt
2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt
2013-08-24 12:22 - 2013-08-24 12:19 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr
2013-08-24 10:14 - 2013-08-24 10:14 - 00098392 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SMR322.SYS
2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess
2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765}
2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-23 12:02 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-08-23 11:34 - 2013-08-24 10:20 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE
2013-08-15 03:02 - 2013-07-24 21:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-15 03:02 - 2013-07-24 21:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-15 03:02 - 2013-07-24 21:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-15 03:02 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-15 03:02 - 2013-07-24 21:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-15 03:02 - 2013-07-24 21:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-08-15 03:02 - 2013-07-24 21:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-08-15 03:02 - 2013-07-24 21:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-15 03:02 - 2013-07-24 21:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-15 03:02 - 2013-07-24 21:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-15 03:02 - 2013-07-24 21:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-15 03:02 - 2013-07-24 21:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-08-15 03:02 - 2013-07-24 21:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-08-15 03:02 - 2013-07-24 21:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-15 03:02 - 2013-07-24 21:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-15 03:02 - 2013-07-24 21:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-08-14 12:58 - 2013-07-17 14:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-14 12:58 - 2013-07-10 04:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 12:58 - 2013-07-09 07:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 12:58 - 2013-07-07 23:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2013-08-14 12:58 - 2013-07-07 23:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 12:58 - 2013-07-07 23:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 12:58 - 2013-07-07 23:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 12:58 - 2013-07-07 23:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 12:58 - 2013-07-07 23:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 12:58 - 2013-07-04 23:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 12:58 - 2013-06-15 08:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2013-08-14 12:58 - 2013-06-15 06:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-07-27 03:00 - 2013-08-15 03:27 - 00000000 ____D C:\Windows\system32\MRT

==================== One Month Modified Files and Folders =======

2013-08-24 13:48 - 2009-12-29 20:06 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-24 13:38 - 2013-08-24 13:55 - 01070693 _____ (Farbar) C:\Users\yusishen\Desktop\FRST.exe
2013-08-24 13:25 - 2013-08-24 13:24 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt
2013-08-24 13:25 - 2013-08-24 13:12 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine
2013-08-24 13:20 - 2013-02-16 18:36 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-24 13:11 - 2012-08-21 18:24 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\Skype
2013-08-24 13:10 - 2013-08-24 13:12 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe
2013-08-24 13:10 - 2009-12-29 20:06 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-24 13:09 - 2008-10-03 16:51 - 00000000 ____D C:\Program Files\Lx_cats
2013-08-24 13:08 - 2012-05-23 21:52 - 00000940 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003UA.job
2013-08-24 12:39 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-24 12:39 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt
2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt
2013-08-24 12:19 - 2013-08-24 12:22 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr
2013-08-24 10:21 - 2008-09-09 03:09 - 02002692 _____ C:\Windows\WindowsUpdate.log
2013-08-24 10:20 - 2013-08-23 11:34 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE
2013-08-24 10:17 - 2011-11-02 17:09 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-08-24 10:16 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-24 10:14 - 2013-08-24 10:14 - 00098392 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SMR322.SYS
2013-08-24 10:14 - 2006-11-02 08:01 - 00032600 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess
2013-08-24 07:55 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Branding
2013-08-24 07:09 - 2012-05-23 21:52 - 00000918 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003Core.job
2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765}
2013-08-23 19:09 - 2008-01-20 21:47 - 00290144 _____ C:\Windows\PFRO.log
2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-23 11:55 - 2009-10-09 11:51 - 00000472 _____ C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2013-08-23 11:34 - 2008-10-17 19:06 - 00000000 ____D C:\ProgramData\Norton
2013-08-23 08:28 - 2011-05-06 03:13 - 00000000 ____D C:\Users\yusishen\AppData\Local\CrashDumps
2013-08-23 07:32 - 2008-09-09 08:33 - 00000000 ____D C:\Program Files\Google
2013-08-21 15:58 - 2012-11-13 16:07 - 00000000 ____D C:\Users\yusishen\Documents\My Digital Editions
2013-08-21 13:21 - 2013-02-09 16:20 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-08-21 13:21 - 2013-02-09 16:20 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-08-20 09:26 - 2013-06-21 08:53 - 00002399 _____ C:\Users\yusishen\Desktop\Field Manager PRO Desktop 2013-02.lnk
2013-08-19 12:41 - 2009-10-09 10:50 - 00000334 _____ C:\Windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
2013-08-19 11:29 - 2009-10-09 10:49 - 00000320 _____ C:\Windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job
2013-08-16 20:24 - 2006-11-02 05:33 - 00862256 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-15 04:27 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\rescache
2013-08-15 04:09 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-15 03:27 - 2013-07-27 03:00 - 00000000 ____D C:\Windows\system32\MRT
2013-08-15 03:16 - 2006-11-02 05:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-08-15 03:13 - 2008-09-09 08:27 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-30 16:28 - 2010-07-06 20:23 - 00000680 _____ C:\Users\yusishen\AppData\Local\d3d9caps.dat
2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-07-25 15:13 - 2012-07-04 22:11 - 00002293 _____ C:\Users\yusishen\Desktop\AgExpert Analyst.lnk

Files to move or delete:
====================
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}
C:\Users\yusishen\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\yusishen\AppData\Local\Temp\_is782D.exe
C:\Users\yusishen\AppData\Local\Temp\_isFFE8.exe
C:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\ISSetup.dll
C:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\_Setup.dll
C:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\ISSetup.dll
C:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\_Setup.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcp71.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcr71.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymHTML.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymTheme.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\Reporter\Reporter.exe
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\NOLU\Lsetup.exe
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\MSI\wiupdate.exe
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\HTMLHelp\External\symhelp.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\CLTWrap.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\VTCache.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\asLstCtl.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\ASOpts.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\EmlOpts.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\LUOpts.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\Options.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\symDynLd.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\UIHelper.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAddrBk.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAdITsk.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAuAdIm.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asBAList.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEClMnt.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngAB.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngBay.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\ASEngBWL.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngUR.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFilter.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFtPxy.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asLogHlp.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOEHook.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOELnch.exe
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSetHlp.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmEvt.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmLog.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asUniPlg.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\bteuclid.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\btutils.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\FRESpam.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\MsouPlug.dll
C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\NASPlug.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2013-08-24 11:18

==================== End Of Log ============================

 

I have the addition.txt file but can't figure out how to attach the file to the reply.  I'm missing something obvioius, I know.

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

One question before I follow those steps...does the computer need to be connected to the internet to run the anti-rootkit program (you mention updates)?  I've been using a clean computer to download files to a USB stick then copying them from the stick to the infected computer as I currently have it disconnected from the internet (as per your instructions above).

 

The addition.txt file from FBRTis attached to this reply.

Addition.txt

Link to post
Share on other sites

Followed your instructions.  While running FRST, I got the following error message:

 

line 15370 file C:\users\yusishen\desktop\FRST\FRST.exe  error:  subscript used with non-array variable.

 

Log file is attached to reply.

 

I also run and updated MBAR.  It said no cleanup required after the first scan was completed.  Logs also attached.

 

I have rebooted the computer and am now going to check and see if things are working properly (internet access is okay).

 

I will also re-run a Malwarebytes full scan later and post the results from that.

Fixlog.txt

mbar-log-2013-08-24 (15-18-28).txt

system-log.txt

Link to post
Share on other sites

Definitely not fixed yet.  Still cannot download files.  At the end of download, it says "file is infected so deleted" but at the same time, a popup from Norton on the bottom right corner says file is fine.  I tried Windows Update and it says I can't check for updates because service is not running.

 

Will disconnect internet now and try Malwarebytes scan to see what that says. 

Link to post
Share on other sites

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy

 

mail : tigzyRK<at>gmail<dot>com

 

Feedback : http://www.adlice.com/forum/

 

Website : http://www.adlice.com/softwares/roguekiller/

 

Blog : http://tigzyrk.blogspot.com/

 

 

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

 

Started in : Normal mode

 

User : yusishen [Admin rights]

 

Mode : Scan -- Date : 08/25/2013 08:03:41

 

| ARK || FAK || MBR |

 

 

¤¤¤ Bad processes : 0 ¤¤¤

 

 

¤¤¤ Registry Entries : 7 ¤¤¤

 

[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

 

[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

 

[HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

 

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

 

[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

 

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

 

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

 

¤¤¤ Web browsers : 0 ¤¤¤

 

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpRtMon.dll : C:\Program Files\Windows Defender\MpRtMon.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpRtPlug.dll : C:\Program Files\Windows Defender\MpRtPlug.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpSigDwn.dll : C:\Program Files\Windows Defender\MpSigDwn.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpSoftEx.dll : C:\Program Files\Windows Defender\MpSoftEx.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND

 

[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

 

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

[Address] SSDT[13] : NtAlertResumeThread @ 0x824AC823 -> HOOKED (Unknown @ 0x873F2D68)

 

[Address] SSDT[14] : NtAlertThread @ 0x8242534F -> HOOKED (Unknown @ 0x873F2E48)

 

[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x8246169D -> HOOKED (Unknown @ 0x8744EA30)

 

[Address] SSDT[21] : NtAlpcConnectPort @ 0x824038A7 -> HOOKED (Unknown @ 0x872FF008)

 

[Address] SSDT[42] : NtAssignProcessToJobObject @ 0x823D6B32 -> HOOKED (Unknown @ 0x87452C20)

 

[Address] SSDT[67] : NtCreateMutant @ 0x82439993 -> HOOKED (Unknown @ 0x873F2AB8)

 

[Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x823D9349 -> HOOKED (Unknown @ 0x87452940)

 

[Address] SSDT[78] : NtCreateThread @ 0x824AAE40 -> HOOKED (Unknown @ 0x8744EE78)

 

[Address] SSDT[116] : NtDebugActiveProcess @ 0x8247DED4 -> HOOKED (Unknown @ 0x87452D00)

 

[Address] SSDT[129] : NtDuplicateObject @ 0x82411579 -> HOOKED (Unknown @ 0x8744EBC0)

 

[Address] SSDT[147] : NtFreeVirtualMemory @ 0x8229DE75 -> HOOKED (Unknown @ 0x873F0ED0)

 

[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x823D3F3F -> HOOKED (Unknown @ 0x873F2BA8)

 

[Address] SSDT[158] : NtImpersonateThread @ 0x823E9589 -> HOOKED (Unknown @ 0x873F2C88)

 

[Address] SSDT[165] : NtLoadDriver @ 0x82384E12 -> HOOKED (Unknown @ 0x872FFFD0)

 

[Address] SSDT[177] : NtMapViewOfSection @ 0x82429994 -> HOOKED (Unknown @ 0x873F0DD0)

 

[Address] SSDT[184] : NtOpenEvent @ 0x82412DF7 -> HOOKED (Unknown @ 0x873F29D8)

 

[Address] SSDT[194] : NtOpenProcess @ 0x8243A12F -> HOOKED (Unknown @ 0x8744ED60)

 

[Address] SSDT[195] : NtOpenProcessToken @ 0x8241AA58 -> HOOKED (Unknown @ 0x8744EB00)

 

[Address] SSDT[197] : NtOpenSection @ 0x8242A78C -> HOOKED (Unknown @ 0x87452F28)

 

[Address] SSDT[201] : NtOpenThread @ 0x8243562B -> HOOKED (Unknown @ 0x8744EC90)

 

[Address] SSDT[210] : NtProtectVirtualMemory @ 0x824333E2 -> HOOKED (Unknown @ 0x87452B30)

 

[Address] SSDT[282] : NtResumeThread @ 0x82434C4A -> HOOKED (Unknown @ 0x873F2F28)

 

[Address] SSDT[289] : NtSetContextThread @ 0x824AC2CF -> HOOKED (Unknown @ 0x873F0B20)

 

[Address] SSDT[305] : NtSetInformationProcess @ 0x8242D9E6 -> HOOKED (Unknown @ 0x873F0C00)

 

[Address] SSDT[317] : NtSetSystemInformation @ 0x823FFF1E -> HOOKED (Unknown @ 0x87452DE0)

 

[Address] SSDT[330] : NtSuspendProcess @ 0x824AC75F -> HOOKED (Unknown @ 0x873F28F8)

 

[Address] SSDT[331] : NtSuspendThread @ 0x823B3945 -> HOOKED (Unknown @ 0x873F0960)

 

[Address] SSDT[334] : NtTerminateProcess @ 0x8240A16B -> HOOKED (Unknown @ 0x8744EF58)

 

[Address] SSDT[335] : unknown @ 0x82435660 -> HOOKED (Unknown @ 0x873F0A40)

 

[Address] SSDT[348] : NtUnmapViewOfSection @ 0x82429C57 -> HOOKED (Unknown @ 0x873F0CF0)

 

[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82426A27 -> HOOKED (Unknown @ 0x873F0FC0)

 

[Address] SSDT[382] : NtCreateThreadEx @ 0x82435115 -> HOOKED (Unknown @ 0x87452A30)

 

[Address] Shadow SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87B7DB38)

 

[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87B7D378)

 

[Address] Shadow SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x87B7D298)

 

[Address] Shadow SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x87B7D458)

 

[Address] Shadow SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x87B7D538)

 

[Address] Shadow SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AAD7F60)

 

[Address] Shadow SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x87B7D1A8)

 

[Address] Shadow SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x87B7D0B8)

 

[Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87B7D6B0)

 

[Address] Shadow SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87B7D008)

 

 

¤¤¤ External Hives: ¤¤¤

 

-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

 

-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

 

-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

 

-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

 

-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

 

-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

 

 

¤¤¤ Infection : ZeroAccess ¤¤¤

 

 

¤¤¤ HOSTS File: ¤¤¤

 

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

 

127.0.0.1       localhost

 

::1             localhost

 

127.0.0.1 www.007guard.com

 

127.0.0.1 007guard.com

 

127.0.0.1 008i.com

 

127.0.0.1 www.008k.com

 

127.0.0.1 008k.com

 

127.0.0.1 www.00hq.com

 

127.0.0.1 00hq.com

 

127.0.0.1 010402.com

 

127.0.0.1 www.032439.com

 

127.0.0.1 032439.com

 

127.0.0.1 www.0scan.com

 

127.0.0.1 0scan.com

 

127.0.0.1 www.100888290cs.com

 

127.0.0.1 100888290cs.com

 

127.0.0.1 www.100sexlinks.com

 

127.0.0.1 100sexlinks.com

 

127.0.0.1 www.10sek.com

 

127.0.0.1 10sek.com

 

[...]

 

 

 

¤¤¤ MBR Check: ¤¤¤

 

 

+++++ PhysicalDrive0:  +++++

 

--- User ---

 

[MBR] b0fc266a4c01e3685d55e3de3b870c76

 

[bSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code

 

Partition table:

 

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

 

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo

 

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 466644 Mo

 

User = LL1 ... OK!

 

User = LL2 ... OK!

 

 

Finished : << RKreport[0]_S_08252013_080341.txt >>

 

RKreport[0]_S_08242013_132426.txt

Link to post
Share on other sites

I forgot to rename the fixlist.txt file before running FRST.  Log from first run is attached to this message.  I then renamed the file so it would only scan.  Log from scan is below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-08-2013 01

 

Ran by yusishen (administrator) on 25-08-2013 08:53:28

 

Running from C:\Users\yusishen\Desktop\FRST

 

Windows Vista Home Premium Service Pack 2 (X86) OS Language: English(US)

 

Internet Explorer Version 9

 

Boot Mode: Normal

 

 

==================== Could not list processes ===============

 

 

==================== Registry (Whitelisted) ==================

 

 

HKLM\...\Run: [NPSStartup] -  [x]

 

HKLM\...\Run: [samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe [520192 2007-01-14] ()

 

HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4452352 2007-05-11] (Realtek Semiconductor)

 

HKLM\...\Run: [OEM05Mon.exe] - C:\Windows\OEM05Mon.exe [36864 2007-08-22] (Creative Technology Ltd.)

 

HKLM\...\Run: [nmctxth] - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [648488 2008-09-14] (Cisco Systems, Inc.)

 

HKLM\...\Run: [LXCTCATS] - C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll [106496 2006-11-21] (Lexmark International Inc.)

 

HKLM\...\Run: [EzPrint] - C:\Program Files\Lexmark 5400 Series\ezprint.exe [82864 2007-03-19] (Lexmark International Inc.)

 

HKLM\...\Run: [dellsupportcenter] - C:\Program Files\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)

 

HKLM\...\Run: [lxctmon.exe] - C:\Program Files\Lexmark 5400 Series\lxctmon.exe [291760 2007-03-19] ()

 

HKLM\...\Run: [ECenter] - C:\Dell\E-Center\EULALauncher.exe [17920 2008-02-28] ( )

 

HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )

 

HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)

 

HKLM\...\Run: [intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2643320 2012-11-28] (Intuit Inc. All rights reserved.)

 

HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)

 

HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)

 

HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

 

HKCU\...\Run: [AutoStartNPSAgent] - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [98304 2009-01-02] (Samsung Electronics Co., Ltd.)

 

HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

 

HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)

 

HKCU\...\Run: [GarminExpressTrayApp] - C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1100120 2013-03-20] (Garmin Ltd or its subsidiaries)

 

HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)

 

HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION

 

MountPoints2: {f43be747-edb1-11df-9bdd-00219b062144} - L:\LaunchU3.exe -a

 

HKU\Network User\...\RunOnce: [] -  [x]

 

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk

 

ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )

 

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

 

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada ULC.)

 

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk

 

ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Canada ULC.)

 

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

 

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

 

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

 

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

 

Startup: C:\Users\Network User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk

 

ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

 

Startup: C:\Users\yusishen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk

 

ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

 

 

==================== Internet (Whitelisted) ====================

 

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

 

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080909

 

HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

 

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

 

SearchScopes: HKLM - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709

 

SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}

 

SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709

 

SearchScopes: HKCU - {5D2B041B-175F-44AC-9942-DF607B94AEF3} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}

 

SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}

 

SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =

 

BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

 

BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

 

BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)

 

BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)

 

BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)

 

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

 

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (Google Inc.)

 

BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)

 

BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)

 

Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)

 

Toolbar: HKLM - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

 

Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)

 

Toolbar: HKCU -&Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)

 

Toolbar: HKCU -Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

 

Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)

 

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab

 

DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

 

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

 

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

 

Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

 

Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)

 

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)

 

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

 

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

 

Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)

 

Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)

 

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

 

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

 

 

========================== Services (Whitelisted) =================

 

 

R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [554352 2007-09-12] (Symantec Corporation)

 

R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [161048 2008-04-28] (Stardock Corporation)

 

R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [186200 2013-03-20] (Garmin Ltd or its subsidiaries)

 

S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2999664 2007-09-12] (Symantec Corporation)

 

R2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll [537992 2008-04-10] (Symantec Corporation)

 

R2 lxct_device; C:\Windows\system32\lxctcoms.exe [537520 2007-03-19] ( )

 

S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)

 

R2 NIS; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)

 

R2 NMSAccess; C:\Windows\system32\NMSAccess32.exe [71096 2010-01-19] ()

 

R2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [648488 2008-09-14] (Cisco Systems, Inc.)

 

R2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [3236224 2013-04-29] (Symantec Corporation)

 

R2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-14] (SupportSoft, Inc.)

 

S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)

 

S2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

 

 

==================== Drivers (Whitelisted) ====================

 

 

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-20] (Microsoft Corporation)

 

R1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)

 

R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)

 

R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)

 

S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [41984 2007-01-04] (Samsung Electronics Co., Ltd.)

 

R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-20] (Symantec Corporation)

 

R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)

 

R3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2009-01-02] ()

 

S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57536 2008-03-13] (FTDI Ltd.)

 

R1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20130823.001\IDSvix86.sys [392792 2013-08-19] (Symantec Corporation)

 

S4 mrtRate; C:\Windows\System32\Drivers\mrtRate.sys [34712 2000-05-31] (Marimba, Inc.)

 

R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130824.007\NAVENG.SYS [93272 2013-08-20] (Symantec Corporation)

 

R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130824.007\NAVEX15.SYS [1611992 2013-08-20] (Symantec Corporation)

 

R3 OEM05Afx; C:\Windows\system32\Drivers\OEM05Afx.sys [141376 2007-08-22] (Creative Technology Ltd.)

 

R3 OEM05Vfx; C:\Windows\System32\DRIVERS\OEM05Vfx.sys [7424 2007-08-22] (EyePower Games Pte. Ltd.)

 

R3 OEM05Vid; C:\Windows\System32\DRIVERS\OEM05Vid.sys [235616 2007-08-22] (Creative Technology Ltd.)

 

R2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-09-14] (Pure Networks, Inc.)

 

R2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-09-14] (Pure Networks, Inc.)

 

R3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [31616 2007-01-15] ()

 

R3 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)

 

R1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)

 

R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2007-01-04] (Samsung Electronics)

 

R0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)

 

R0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)

 

R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-10] (Symantec Corporation)

 

R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [36512 2013-03-04] (Symantec Corporation)

 

R1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)

 

R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation)

 

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]

 

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]

 

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

 

U2 SharedAccess;

 

S3 SYMDNS; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMDNS.SYS [x]

 

S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMFW.SYS [x]

 

S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x]

 

S3 SYMREDRV; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMREDRV.SYS [x]

 

 

==================== NetSvcs (Whitelisted) ===================

 

 

 

==================== One Month Created Files and Folders ========

 

 

2013-08-24 15:18 - 2013-08-24 15:34 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

 

2013-08-24 15:15 - 2013-08-24 15:34 - 00000000 ____D C:\Users\yusishen\Desktop\mbar

 

2013-08-24 15:14 - 2013-08-24 15:14 - 00000000 ____D C:\Users\yusishen\Desktop\MBAR Download

 

2013-08-24 15:11 - 2013-08-25 08:53 - 00000000 ____D C:\Users\yusishen\Desktop\FRST

 

2013-08-24 13:56 - 2013-08-25 08:52 - 00000000 ____D C:\FRST

 

2013-08-24 13:24 - 2013-08-24 13:25 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt

 

2013-08-24 13:12 - 2013-08-24 13:25 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine

 

2013-08-24 13:12 - 2013-08-24 13:10 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe

 

2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt

 

2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt

 

2013-08-24 12:22 - 2013-08-24 12:19 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr

 

2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess

 

2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765}

 

2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

 

2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

 

2013-08-23 12:02 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

 

2013-08-23 11:34 - 2013-08-24 10:20 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE

 

2013-08-15 03:02 - 2013-07-24 21:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

 

2013-08-15 03:02 - 2013-07-24 21:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

 

2013-08-15 03:02 - 2013-07-24 21:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

 

2013-08-15 03:02 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

 

2013-08-15 03:02 - 2013-07-24 21:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

 

2013-08-15 03:02 - 2013-07-24 21:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

 

2013-08-15 03:02 - 2013-07-24 21:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll

 

2013-08-15 03:02 - 2013-07-24 21:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

 

2013-08-15 03:02 - 2013-07-24 21:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

 

2013-08-15 03:02 - 2013-07-24 21:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

 

2013-08-15 03:02 - 2013-07-24 21:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

 

2013-08-15 03:02 - 2013-07-24 21:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

 

2013-08-15 03:02 - 2013-07-24 21:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

 

2013-08-15 03:02 - 2013-07-24 21:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

 

2013-08-15 03:02 - 2013-07-24 21:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

 

2013-08-15 03:02 - 2013-07-24 21:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

 

2013-08-14 12:58 - 2013-07-17 14:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll

 

2013-08-14 12:58 - 2013-07-10 04:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll

 

2013-08-14 12:58 - 2013-07-09 07:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll

 

2013-08-14 12:58 - 2013-07-07 23:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe

 

2013-08-14 12:58 - 2013-07-07 23:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe

 

2013-08-14 12:58 - 2013-07-07 23:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll

 

2013-08-14 12:58 - 2013-07-07 23:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll

 

2013-08-14 12:58 - 2013-07-07 23:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll

 

2013-08-14 12:58 - 2013-07-07 23:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll

 

2013-08-14 12:58 - 2013-07-04 23:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys

 

2013-08-14 12:58 - 2013-06-15 08:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll

 

2013-08-14 12:58 - 2013-06-15 06:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys

 

2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk

 

2013-07-27 03:00 - 2013-08-15 03:27 - 00000000 ____D C:\Windows\system32\MRT

 

 

==================== One Month Modified Files and Folders =======

 

 

2013-08-25 08:52 - 2013-08-24 13:56 - 00000000 ____D C:\FRST

 

2013-08-25 08:48 - 2009-12-29 20:06 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

 

2013-08-25 08:20 - 2013-02-16 18:36 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

 

2013-08-25 08:03 - 2013-08-25 08:03 - 00008880 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08252013_080341.txt

 

2013-08-25 07:37 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

 

2013-08-25 07:37 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

 

2013-08-25 07:09 - 2012-05-23 21:52 - 00000940 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003UA.job

 

2013-08-25 07:09 - 2012-05-23 21:52 - 00000918 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003Core.job

 

2013-08-24 15:56 - 2008-09-17 20:50 - 00000049 __RSH C:\Users\Public\Documents\HBEPGUID.TXT

 

2013-08-24 15:41 - 2008-09-09 03:09 - 02003787 _____ C:\Windows\WindowsUpdate.log

 

2013-08-24 15:38 - 2011-11-02 17:09 - 00000000 ____D C:\ProgramData\boost_interprocess

 

2013-08-24 15:37 - 2012-08-21 18:24 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\Skype

 

2013-08-24 15:37 - 2008-10-03 16:51 - 00000000 ____D C:\Program Files\Lx_cats

 

2013-08-24 15:36 - 2009-12-29 20:06 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

 

2013-08-24 15:36 - 2008-01-20 21:47 - 00290556 _____ C:\Windows\PFRO.log

 

2013-08-24 15:36 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT

 

2013-08-24 15:35 - 2006-11-02 08:01 - 00032600 _____ C:\Windows\Tasks\SCHEDLGU.TXT

 

2013-08-24 15:34 - 2013-08-24 15:18 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

 

2013-08-24 15:34 - 2013-08-24 15:15 - 00000000 ____D C:\Users\yusishen\Desktop\mbar

 

2013-08-24 15:14 - 2013-08-24 15:14 - 00000000 ____D C:\Users\yusishen\Desktop\MBAR Download

 

2013-08-24 13:25 - 2013-08-24 13:24 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt

 

2013-08-24 13:25 - 2013-08-24 13:12 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine

 

2013-08-24 13:10 - 2013-08-24 13:12 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe

 

2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt

 

2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt

 

2013-08-24 12:19 - 2013-08-24 12:22 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr

 

2013-08-24 10:20 - 2013-08-23 11:34 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE

 

2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess

 

2013-08-24 07:55 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Branding

 

2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765}

 

2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

 

2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

 

2013-08-23 11:55 - 2009-10-09 11:51 - 00000472 _____ C:\Windows\Tasks\Ad-Aware Update (Weekly).job

 

2013-08-23 11:34 - 2008-10-17 19:06 - 00000000 ____D C:\ProgramData\Norton

 

2013-08-23 08:28 - 2011-05-06 03:13 - 00000000 ____D C:\Users\yusishen\AppData\Local\CrashDumps

 

2013-08-23 07:32 - 2008-09-09 08:33 - 00000000 ____D C:\Program Files\Google

 

2013-08-21 15:58 - 2012-11-13 16:07 - 00000000 ____D C:\Users\yusishen\Documents\My Digital Editions

 

2013-08-21 13:21 - 2013-02-09 16:20 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

 

2013-08-21 13:21 - 2013-02-09 16:20 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

 

2013-08-20 09:26 - 2013-06-21 08:53 - 00002399 _____ C:\Users\yusishen\Desktop\Field Manager PRO Desktop 2013-02.lnk

 

2013-08-19 12:41 - 2009-10-09 10:50 - 00000334 _____ C:\Windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job

 

2013-08-19 11:29 - 2009-10-09 10:49 - 00000320 _____ C:\Windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job

 

2013-08-16 20:24 - 2006-11-02 05:33 - 00862256 _____ C:\Windows\system32\PerfStringBackup.INI

 

2013-08-15 04:27 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\rescache

 

2013-08-15 04:09 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET

 

2013-08-15 03:27 - 2013-07-27 03:00 - 00000000 ____D C:\Windows\system32\MRT

 

2013-08-15 03:16 - 2006-11-02 05:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

 

2013-08-15 03:13 - 2008-09-09 08:27 - 00000000 ____D C:\ProgramData\Microsoft Help

 

2013-07-30 16:28 - 2010-07-06 20:23 - 00000680 _____ C:\Users\yusishen\AppData\Local\d3d9caps.dat

 

2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk

 

 

Files to move or delete:

 

====================

 

C:\Users\yusishen\AppData\Local\Temp\_is782D.exe

 

C:\Users\yusishen\AppData\Local\Temp\_isFFE8.exe

 

C:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\ISSetup.dll

 

C:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\_Setup.dll

 

C:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\ISSetup.dll

 

C:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\_Setup.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcp71.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcr71.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymHTML.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymTheme.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\Reporter\Reporter.exe

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\NOLU\Lsetup.exe

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\MSI\wiupdate.exe

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\HTMLHelp\External\symhelp.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\CLTWrap.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\VTCache.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\asLstCtl.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\ASOpts.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\EmlOpts.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\LUOpts.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\Options.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\symDynLd.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\UIHelper.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAddrBk.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAdITsk.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAuAdIm.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asBAList.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEClMnt.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngAB.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngBay.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\ASEngBWL.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngUR.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFilter.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFtPxy.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asLogHlp.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOEHook.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOELnch.exe

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSetHlp.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmEvt.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmLog.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asUniPlg.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\bteuclid.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\btutils.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\FRESpam.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\MsouPlug.dll

 

C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\NASPlug.dll

 

 

==================== Bamital & volsnap Check =================

 

 

C:\Windows\explorer.exe => MD5 is legit

 

C:\Windows\System32\winlogon.exe => MD5 is legit

 

C:\Windows\System32\wininit.exe => MD5 is legit

 

C:\Windows\System32\svchost.exe => MD5 is legit

 

C:\Windows\System32\services.exe => MD5 is legit

 

C:\Windows\System32\User32.dll => MD5 is legit

 

C:\Windows\System32\userinit.exe => MD5 is legit

 

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

 

 

 

LastRegBack: 2013-08-25 03:48

 

 

==================== End Of Log ============================

Fixlog.txt

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then run MBAR:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

If you would like to check for any adware on the system.....

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
If you agree with everything listed to be removed...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

It actually ran very quickly.  Here's the log.  I don't recognize any of this so I assume I can probably go ahead and remove it all?  Will wait for your confirmation.

 

 

# AdwCleaner v3.001 - Report created 25/08/2013 at 13:34:38

 

# Updated 24/08/2013 by Xplode

 

# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)

 

# Username : yusishen - OFFICE-PC

 

# Running from : C:\Users\yusishen\Desktop\AdwCleaner.exe

 

# Option : Scan

 

 

***** [ Services ] *****

 

 

 

***** [ Files / Folders ] *****

 

 

Folder Found C:\Program Files\Conduit

 

Folder Found C:\ProgramData\boost_interprocess

 

Folder Found C:\Users\yusishen\AppData\LocalLow\PriceGong

 

 

***** [ Shortcuts ] *****

 

 

 

***** [ Registry ] *****

 

 

Key Found : HKCU\Software\AppDataLow\Software\Conduit

 

Key Found : HKCU\Software\AppDataLow\Software\PriceGong

 

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

 

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

 

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com

 

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com

 

Key Found : HKCU\Software\YahooPartnerToolbar

 

Key Found : HKLM\Software\Description

 

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

 

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

 

 

***** [ Browsers ] *****

 

 

-\\ Internet Explorer v9.0.8112.16502

 

 

 

*************************

 

 

AdwCleaner[R0].txt - [1520 octets] - [25/08/2013 13:34:38]

 

 

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1580 octets] ##########

 

Link to post
Share on other sites

AdwCleaner log after removal:

 

# AdwCleaner v3.001 - Report created 25/08/2013 at 14:22:54

 

# Updated 24/08/2013 by Xplode

 

# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)

 

# Username : yusishen - OFFICE-PC

 

# Running from : C:\Users\yusishen\Desktop\AdwCleaner.exe

 

# Option : Clean

 

 

***** [ Services ] *****

 

 

 

***** [ Files / Folders ] *****

 

 

Folder Deleted : C:\ProgramData\boost_interprocess

 

Folder Deleted : C:\Program Files\Conduit

 

Folder Deleted : C:\Users\yusishen\AppData\LocalLow\PriceGong

 

 

***** [ Shortcuts ] *****

 

 

 

***** [ Registry ] *****

 

 

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com

 

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com

 

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

 

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

 

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

 

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

 

Key Deleted : HKCU\Software\YahooPartnerToolbar

 

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

 

Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong

 

Key Deleted : HKLM\Software\Description

 

 

***** [ Browsers ] *****

 

 

-\\ Internet Explorer v9.0.8112.16502

 

 

 

*************************

 

 

AdwCleaner[R0].txt - [1660 octets] - [25/08/2013 13:34:38]

 

AdwCleaner[s0].txt - [1613 octets] - [25/08/2013 14:22:54]

 

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1673 octets] ##########

 

Malwarebytes scan running now.  Will update when finished.

Link to post
Share on other sites

Here's the Malwarebytes log.  Looks clean.  Now I guess I need to cleanup the various tools I installed.

 

Malwarebytes Anti-Malware 1.75.0.1300

 

www.malwarebytes.org

 

 

Database version: v2013.08.25.05

 

 

Windows Vista Service Pack 2 x86 NTFS

 

Internet Explorer 9.0.8112.16421

 

yusishen :: OFFICE-PC [administrator]

 

 

25/08/2013 2:28:44 PM

 

mbam-log-2013-08-25 (14-28-44).txt

 

 

Scan type: Quick scan

 

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

 

Scan options disabled: P2P

 

Objects scanned: 247282

 

Time elapsed: 11 minute(s), 52 second(s)

 

 

Memory Processes Detected: 0

 

(No malicious items detected)

 

 

Memory Modules Detected: 0

 

(No malicious items detected)

 

 

Registry Keys Detected: 0

 

(No malicious items detected)

 

 

Registry Values Detected: 0

 

(No malicious items detected)

 

 

Registry Data Items Detected: 0

 

(No malicious items detected)

 

 

Folders Detected: 0

 

(No malicious items detected)

 

 

Files Detected: 0

 

(No malicious items detected)

 

 

(end)

Link to post
Share on other sites

OK......

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:

Download the fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

That will delete the quarantine folder created by FRST.

-----------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.