yusfarm Posted August 24, 2013 ID:719978 Share Posted August 24, 2013 Malwarebytes is identifying trojan.zaccess but is unable to remove it. I also cannot download any files on this computer as it says they have a virus and deletes them. I do have access to a clean computer though so I can download there and use a USB stick to copy to this computer. Malwarebytes log:Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.23.04Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421yusishen :: OFFICE-PC [administrator]24/08/2013 10:21:21 AMMBAM-log-2013-08-24 (12-14-48).txtScan type: Full scan (C:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 425230Time elapsed: 1 hour(s), 36 minute(s), 52 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 1HKLM\SYSTEM\CurrentControlSet\Services\etadpug (Trojan.Zaccess) -> No action taken.Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) DDR logs:DDS (Ver_2012-11-20.01) - NTFS_x86Internet Explorer: 9.0.8112.16502Run by yusishen at 12:22:45 on 2013-08-24.============== Running Processes ================.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\SLsvc.exeC:\Program Files\Dell\DellDock\DockLogin.exeC:\Windows\System32\spoolsv.exeC:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Windows\system32\FsUsbExService.ExeC:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exeC:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeC:\Windows\system32\lxctcoms.exeC:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exeC:\Windows\system32\NMSAccess32.exeC:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeC:\Program Files\Dell Support Center\bin\sprtsvc.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\DRIVERS\xaudio.exeC:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exeC:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\System32\WUDFHost.exeC:\Program Files\Dell\DellDock\DellDock.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\conime.exeC:\Windows\Samsung\PanelMgr\SSMMgr.exeC:\Windows\RtHDVCpl.exeC:\Windows\System32\igfxpers.exeC:\Windows\OEM05Mon.exeC:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Program Files\Lexmark 5400 Series\ezprint.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Dell Support Center\bin\sprtcmd.exeC:\Program Files\Lexmark 5400 Series\lxctmon.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Garmin\Express Tray\ExpressTray.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\iPod\bin\iPodService.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exeC:\Windows\system32\DllHost.exeC:\Program Files\Symantec\Norton Online Backup\NOBuClient.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation.============== Pseudo HJT Report ===============.uWindow Title = Internet Explorer provided by DellBHO: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dllBHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dllBHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\coieplg.dllBHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\ips\ipsbho.dllBHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dllBHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllBHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dllBHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dllTB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllTB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dllTB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\coieplg.dllTB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllTB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dllTB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\norton internet security\engine\20.4.0.40\coieplg.dlluRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exeuRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exeuRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exeuRun: [GarminExpressTrayApp] "c:\program files\garmin\express tray\ExpressTray.exe"uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrunmRun: [NPSStartup] <no file>dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthlyStartupFolder: c:\users\yusishen\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXEuPolicies-Explorer: NoDriveTypeAutoRun = dword:149mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0mPolicies-System: EnableUIADesktopToggle = dword:0IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dllLSP: mswsock.dll.INFO: HKCU has more than 50 listed domains.If you wish to scan all of them, select the 'Force scan all domains' option...INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option..TCP: NameServer = 192.168.0.1TCP: Interfaces\{E7940A85-A7CC-4471-9E05-D3496C9CBA0A} : DHCPNameServer = 192.168.0.1Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dllHandler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax 2012\ic2012pp.dllHandler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dllNotify: igfxcui - igfxdev.dllLSA: Security Packages = kerberos msv1_0 schannel wdigest tspkgHosts: 127.0.0.1 www.spywareinfo.com.============= SERVICES / DRIVERS ===============..=============== File Associations ===============.FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1".=============== Created Last 30 ================.2013-08-24 15:14:15 98392 ----a-w- c:\windows\system32\drivers\SMR322.SYS2013-08-24 15:07:36 -------- d-----w- c:\users\yusishen\appdata\roaming\FixZeroAccess2013-08-23 17:02:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-08-23 17:02:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-08-23 16:34:16 -------- d-----w- c:\users\yusishen\appdata\local\NPE2013-08-14 17:58:50 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys2013-08-14 17:58:50 15872 ----a-w- c:\windows\system32\icaapi.dll2013-08-14 17:58:46 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys2013-08-14 17:58:36 2048 ----a-w- c:\windows\system32\tzres.dll2013-08-14 17:58:33 783360 ----a-w- c:\windows\system32\rpcrt4.dll2013-08-14 17:58:31 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe2013-08-14 17:58:31 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe2013-08-14 17:58:31 1205168 ----a-w- c:\windows\system32\ntdll.dll2013-08-14 17:58:28 992768 ----a-w- c:\windows\system32\crypt32.dll2013-08-14 17:58:28 133120 ----a-w- c:\windows\system32\cryptsvc.dll2013-08-14 17:58:27 98304 ----a-w- c:\windows\system32\cryptnet.dll2013-08-14 17:58:27 172544 ----a-w- c:\windows\system32\wintrust.dll2013-07-27 08:00:36 -------- d-----w- c:\windows\system32\MRT.==================== Find3M ====================.2013-08-21 18:21:37 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-08-21 18:21:37 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-07-25 02:32:35 1800704 ----a-w- c:\windows\system32\jscript9.dll2013-07-25 02:26:10 1129472 ----a-w- c:\windows\system32\wininet.dll2013-07-25 02:25:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl2013-07-25 02:23:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe2013-07-25 02:23:58 420864 ----a-w- c:\windows\system32\vbscript.dll2013-07-25 02:22:35 2382848 ----a-w- c:\windows\system32\mshtml.tlb2013-06-10 23:36:03 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS2013-06-04 01:50:43 2049024 ----a-w- c:\windows\system32\win32k.sys2013-06-01 04:06:08 505344 ----a-w- c:\windows\system32\qedit.dll.============= FINISH: 12:32:32.75 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01)..==== Disk Partitions =========================..==== Disabled Device Manager Items =============.==== System Restore Points ===================.No restore point in system..==== Installed Programs ======================. Update for Microsoft Office 2007 (KB2508958)ABBYY FineReader 6.0 SprintAdobe Digital Editions 2.0Adobe Flash Player 11 ActiveXAdobe Reader X (10.1.7)Adobe Shockwave Player 12.0Adobe SVG Viewer 3.0Advanced Audio FX EngineAdvanced Video FX EngineAGEIA PhysX v7.03.21AgExpert Analyst 2012-05AgExpert Analyst 2013-04Apple Application SupportApple Mobile Device SupportApple Software UpdateAvery Wizard 3.1AviSynth 2.5BonjourBrowser Address Error RedirectorBullzip PDF Printer 6.0.0.744Business Contact Manager for Outlook 2007 SP2Canon PowerShot A3300 IS and A3200 IS and A2200 Camera User GuideCisco Network MagicConexant D850 PCI V.92 ModemContent ManagerD3DX10Dell DockDell Getting Started GuideDell Support Center (Support Software)Dell Webcam CenterDell Webcam ManagerDigital Line DetectEasy DVD CloneEDocsElevated InstallerEmpire Earth IIIEZ-Toolbox Version 2.1.0.3Facebook Plug-InFacebook Video Calling 1.2.0.159Fast MP4 3GP AVI MPG WMV RM MOV FLV Converter 6.3Field Manager PRO Desktop 2013-02Free YouTube Downloader 3.5.136Garmin Communicator PluginGarmin ExpressGarmin Express TrayGarmin Update ServiceGoogle EarthGoogle Toolbar for Internet ExplorerGoogle Update HelperGPL Ghostscript Lite 8.63Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)Intel® PRO Network Connections 12.1.11.0iSEEK AnswerWorks English RuntimeiTunesJava 6 Update 5K-Lite Codec Pack 7.1.0 (Basic)KoboLexmark 5400 SeriesLexmark ToolbarLive! Cam Avatar CreatorLive! Cam Avatar v1.0LiveUpdate 3.2 (Symantec Corporation)LiveUpdate Notice (Symantec Corporation)Malwarebytes Anti-Malware version 1.75.0.1300MediaInfo 0.7.58Microsoft .NET Framework 1.1Microsoft .NET Framework 1.1 Security Update (KB2698023)Microsoft .NET Framework 1.1 Security Update (KB2833941)Microsoft .NET Framework 1.1 Security Update (KB979906)Microsoft .NET Framework 3.5 SP1Microsoft .NET Framework 4 Client ProfileMicrosoft .NET Framework 4 ExtendedMicrosoft Application Error ReportingMicrosoft Office 2003 Web ComponentsMicrosoft Office 2007 Primary Interop AssembliesMicrosoft Office 2007 Service Pack 3 (SP3)Microsoft Office Excel MUI (English) 2007Microsoft Office Outlook MUI (English) 2007Microsoft Office PowerPoint MUI (English) 2007Microsoft Office Proof (English) 2007Microsoft Office Proof (French) 2007Microsoft Office Proof (Spanish) 2007Microsoft Office Proofing (English) 2007Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)Microsoft Office Publisher MUI (English) 2007Microsoft Office Shared MUI (English) 2007Microsoft Office Shared Setup Metadata MUI (English) 2007Microsoft Office Small Business 2007Microsoft Office Small Business Connectivity ComponentsMicrosoft Office Word MUI (English) 2007Microsoft SilverlightMicrosoft SQL Server 2005Microsoft SQL Server 2005 Compact Edition [ENU]Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)Microsoft SQL Server Compact 3.5 SP1 EnglishMicrosoft SQL Server Native ClientMicrosoft SQL Server Setup Support Files (English)Microsoft SQL Server VSS WriterMicrosoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 Redistributable - x86 9.0.21022Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Microsoft Visual Studio 2005 Tools for Office RuntimeMicrosoft Works 6-9 ConverterModem Diagnostic ToolMonitor Webcam (SP2208WFP) Driver (1.00.08.0720) MSVCRTMSXML 4.0 SP2 (KB936181)MSXML 4.0 SP2 (KB941833)MSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)MSXML 4.0 SP2 Parser and SDKMuseScore 1.3NetWaitingNetwork MagicNorton Internet SecurityNorton Online BackupPicasa 3Pure Networks PlatformQuickBooksQuickBooks EasyStart 2012QuickBooks EasyStart EditionQuicken 2013QuickTimeRealtek High Definition Audio DriverRoxio Creator AudioRoxio Creator CopyRoxio Creator DataRoxio Creator DERoxio Creator ToolsRoxio Express Labeler 3Roxio Update ManagerSamsung ML-2510 SeriesSAMSUNG Mobile Modem Driver SetSamsung Mobile phone USB driver SoftwareSAMSUNG Mobile USB Modem 1.0 SoftwareSAMSUNG Mobile USB Modem SoftwareSamsung New PC StudioSecurity Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)Security Update for Microsoft .NET Framework 4 Extended (KB2487367)Security Update for Microsoft .NET Framework 4 Extended (KB2656351)Security Update for Microsoft .NET Framework 4 Extended (KB2736428)Security Update for Microsoft .NET Framework 4 Extended (KB2742595)Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596744) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596754) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596785) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596792) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596871) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2597969) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2687309) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2687311) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2760416) 32-Bit EditionSecurity Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit EditionSecurity Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit EditionSecurity Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit EditionSecurity Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit EditionSecurity Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit EditionSecurity Update for Microsoft Office Word 2007 (KB2760421) 32-Bit EditionSegoe UISkype™ 6.3Spelling Dictionaries Support For Adobe Reader 8Spybot - Search & DestroyswMSMSymantec Technical Support Web ControlsSystem Requirements Lab CYRIT4 Internet - T4 par Internet 9.0TurboTax 2012Update for 2007 Microsoft Office System (KB967642)Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)Update for Microsoft .NET Framework 3.5 SP1 (KB963707)Update for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft .NET Framework 4 Client Profile (KB2836939)Update for Microsoft .NET Framework 4 Extended (KB2468871)Update for Microsoft .NET Framework 4 Extended (KB2533523)Update for Microsoft .NET Framework 4 Extended (KB2600217)Update for Microsoft .NET Framework 4 Extended (KB2836939)Update for Microsoft Office 2007 Help for Common Features (KB963673)Update for Microsoft Office 2007 suites (KB2596620) 32-Bit EditionUpdate for Microsoft Office 2007 suites (KB2596660) 32-Bit EditionUpdate for Microsoft Office 2007 suites (KB2596848) 32-Bit EditionUpdate for Microsoft Office 2007 suites (KB2687493) 32-Bit EditionUpdate for Microsoft Office 2007 suites (KB2767849) 32-Bit EditionUpdate for Microsoft Office 2007 suites (KB2767916) 32-Bit EditionUpdate for Microsoft Office Excel 2007 Help (KB963678)Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit EditionUpdate for Microsoft Office Outlook 2007 (KB2768023) 32-Bit EditionUpdate for Microsoft Office Outlook 2007 Help (KB963677)Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817642) 32-Bit EditionUpdate for Microsoft Office Powerpoint 2007 Help (KB963669)Update for Microsoft Office Publisher 2007 Help (KB963667)Update for Microsoft Office Script Editor Help (KB963671)Update for Microsoft Office Word 2007 Help (KB963665)Visual C++ 2008 x86 Runtime - (v9.0.30729)Visual C++ 2008 x86 Runtime - v9.0.30729.01Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)Windows Live Communications PlatformWindows Live EssentialsWindows Live ID Sign-in AssistantWindows Live InstallerWindows Live Movie MakerWindows Live Photo CommonWindows Live Photo GalleryWindows Live PIMT PlatformWindows Live SOXEWindows Live SOXE DefinitionsWindows Live UX PlatformWindows Live UX Platform Language PackWinPatrol 2008.==== End Of File =========================== Link to post Share on other sites More sharing options...
MrCharlie Posted August 24, 2013 ID:719981 Share Posted August 24, 2013 Welcome to the forum. Please download and run RogueKiller 32 Bit to your desktop. RogueKiller 64 Bit <---use this one for 64 bit systems Quit all running programs. For Windows XP, double-click to start. For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run. Click Scan to scan the system. When the scan completes > Close out the program > Don't Fix anything! Don't run any other options, they're not all bad!!!!!!! Post back the report which should be located on your desktop. (please don't put logs in code or quotes) P2P/Piracy Warning: 1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. 2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy. Failure to remove such software will result in your topic being closed and no further assistance being provided. MrC Note: Please read all of my instructions completely including these. Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive <+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you. <+>The removal of malware isn't instantaneous, please be patient. <+>When we are done, I'll give to instructions on how to cleanup all the tools and logs <+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. ------->Your topic will be closed if you haven't replied within 3 days!<-------- (If I don't respond within 24 hours, please send me a PM) Link to post Share on other sites More sharing options...
yusfarm Posted August 24, 2013 Author ID:720010 Share Posted August 24, 2013 RogueKiller V8.6.6 [Aug 19 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits versionStarted in : Normal modeUser : yusishen [Admin rights]Mode : Scan -- Date : 08/24/2013 13:24:26| ARK || FAK || MBR |¤¤¤ Bad processes : 1 ¤¤¤[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\ \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x] -> STOPPED¤¤¤ Registry Entries : 13 ¤¤¤[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\ \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x]) -> FOUND[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\ \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x]) -> FOUND[sERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\ \...\???ﯹ๛\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < [x]) -> FOUND[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND[HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpRtMon.dll : C:\Program Files\Windows Defender\MpRtMon.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpRtPlug.dll : C:\Program Files\Windows Defender\MpRtPlug.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpSigDwn.dll : C:\Program Files\Windows Defender\MpSigDwn.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpSoftEx.dll : C:\Program Files\Windows Defender\MpSoftEx.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND¤¤¤ Driver : [LOADED] ¤¤¤[Address] SSDT[13] : NtAlertResumeThread @ 0x824AF823 -> HOOKED (Unknown @ 0x8760AE68)[Address] SSDT[14] : NtAlertThread @ 0x8242834F -> HOOKED (Unknown @ 0x8760AF48)[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x8246469D -> HOOKED (Unknown @ 0x87239890)[Address] SSDT[21] : NtAlpcConnectPort @ 0x824068A7 -> HOOKED (Unknown @ 0x8723A8A8)[Address] SSDT[42] : NtAssignProcessToJobObject @ 0x823D9B32 -> HOOKED (Unknown @ 0x87473E10)[Address] SSDT[67] : NtCreateMutant @ 0x8243C993 -> HOOKED (Unknown @ 0x87473710)[Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x823DC349 -> HOOKED (Unknown @ 0x87459BF0)[Address] SSDT[78] : NtCreateThread @ 0x824ADE40 -> HOOKED (Unknown @ 0x873A1E48)[Address] SSDT[116] : NtDebugActiveProcess @ 0x82480ED4 -> HOOKED (Unknown @ 0x87473EF0)[Address] SSDT[129] : NtDuplicateObject @ 0x82414579 -> HOOKED (Unknown @ 0x87300B70)[Address] SSDT[147] : NtFreeVirtualMemory @ 0x822A0E75 -> HOOKED (Unknown @ 0x875B8F38)[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x823D6F3F -> HOOKED (Unknown @ 0x87473800)[Address] SSDT[158] : NtImpersonateThread @ 0x823EC589 -> HOOKED (Unknown @ 0x874738C0)[Address] SSDT[165] : NtLoadDriver @ 0x82387E12 -> HOOKED (Unknown @ 0x8723A830)[Address] SSDT[177] : NtMapViewOfSection @ 0x8242C994 -> HOOKED (Unknown @ 0x875B8E58)[Address] SSDT[184] : NtOpenEvent @ 0x82415DF7 -> HOOKED (Unknown @ 0x8725DCE0)[Address] SSDT[194] : NtOpenProcess @ 0x8243D12F -> HOOKED (Unknown @ 0x87236E78)[Address] SSDT[195] : NtOpenProcessToken @ 0x8241DA58 -> HOOKED (Unknown @ 0x87300AB0)[Address] SSDT[197] : NtOpenSection @ 0x8242D78C -> HOOKED (Unknown @ 0x8725DB20)[Address] SSDT[201] : NtOpenThread @ 0x8243862B -> HOOKED (Unknown @ 0x87300DF0)[Address] SSDT[210] : NtProtectVirtualMemory @ 0x824363E2 -> HOOKED (Unknown @ 0x87473D20)[Address] SSDT[282] : NtResumeThread @ 0x82437C4A -> HOOKED (Unknown @ 0x877B2DD0)[Address] SSDT[289] : NtSetContextThread @ 0x824AF2CF -> HOOKED (Unknown @ 0x87459420)[Address] SSDT[305] : NtSetInformationProcess @ 0x824309E6 -> HOOKED (Unknown @ 0x87459500)[Address] SSDT[317] : NtSetSystemInformation @ 0x82402F1E -> HOOKED (Unknown @ 0x87473FD0)[Address] SSDT[330] : NtSuspendProcess @ 0x824AF75F -> HOOKED (Unknown @ 0x8725DC00)[Address] SSDT[331] : NtSuspendThread @ 0x823B6945 -> HOOKED (Unknown @ 0x877B2EB0)[Address] SSDT[334] : NtTerminateProcess @ 0x8240D16B -> HOOKED (Unknown @ 0x873A1F28)[Address] SSDT[335] : unknown @ 0x82438660 -> HOOKED (Unknown @ 0x877B2F90)[Address] SSDT[348] : NtUnmapViewOfSection @ 0x8242CC57 -> HOOKED (Unknown @ 0x874595D0)[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82429A27 -> HOOKED (Unknown @ 0x873A44A8)[Address] SSDT[382] : NtCreateThreadEx @ 0x82438115 -> HOOKED (Unknown @ 0x87459CE0)[Address] Shadow SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87C9E578)[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x888137F0)[Address] Shadow SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x88813730)[Address] Shadow SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x888138B0)[Address] Shadow SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x897B1480)[Address] Shadow SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x897F7008)[Address] Shadow SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x88813660)[Address] Shadow SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x88813590)[Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x88813C90)[Address] Shadow SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86D40428)¤¤¤ External Hives: ¤¤¤-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]¤¤¤ Infection : ZeroAccess ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts127.0.0.1 localhost::1 localhost127.0.0.1 www.007guard.com127.0.0.1 007guard.com127.0.0.1 008i.com127.0.0.1 www.008k.com127.0.0.1 008k.com127.0.0.1 www.00hq.com127.0.0.1 00hq.com127.0.0.1 010402.com127.0.0.1 www.032439.com127.0.0.1 032439.com127.0.0.1 www.0scan.com127.0.0.1 0scan.com127.0.0.1 www.100888290cs.com127.0.0.1 100888290cs.com127.0.0.1 www.100sexlinks.com127.0.0.1 100sexlinks.com127.0.0.1 www.10sek.com127.0.0.1 10sek.com[...]¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: +++++--- User ---[MBR] b0fc266a4c01e3685d55e3de3b870c76[bSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR CodePartition table:0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 466644 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_08242013_132426.txt >> Link to post Share on other sites More sharing options...
MrCharlie Posted August 24, 2013 ID:720012 Share Posted August 24, 2013 Please read the following information first. You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.BACKDOOR WARNING------------------------------One or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?http://www.dslreports.com/faq/10451When Should I Format, How Should I Reinstallhttp://www.dslreports.com/faq/10063I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.-----------------------------------------Please download Farbar Recovery Scan Tool and save it to a folder. (32bit version)Double-click to run it. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 24, 2013 Author ID:720015 Share Posted August 24, 2013 I will attempt the cleanup at least so I can get the necessary data files copied from the computer before doing a complete reformat/re-install (or just replace, computer is 6 years old). I haven't used any online banking, etc. since I noticed signs of infection but will change all passwords immediately anyway. I'm now using the clean computer for internet access so will copy the next log over to this computer via USB stick and will then post once it is done. Link to post Share on other sites More sharing options...
MrCharlie Posted August 24, 2013 ID:720019 Share Posted August 24, 2013 OK...MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 24, 2013 Author ID:720023 Share Posted August 24, 2013 Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-08-2013 01Ran by yusishen (administrator) on 24-08-2013 13:56:26Running from C:\Users\yusishen\DesktopWindows Vista Home Premium Service Pack 2 (X86) OS Language: English(US)Internet Explorer Version 9Boot Mode: Normal==================== Could not list processes =================================== Registry (Whitelisted) ==================HKLM\...\Run: [NPSStartup] - [x]HKLM\...\Run: [samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe [520192 2007-01-14] ()HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4452352 2007-05-11] (Realtek Semiconductor)HKLM\...\Run: [OEM05Mon.exe] - C:\Windows\OEM05Mon.exe [36864 2007-08-22] (Creative Technology Ltd.)HKLM\...\Run: [nmctxth] - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [648488 2008-09-14] (Cisco Systems, Inc.)HKLM\...\Run: [LXCTCATS] - C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll [106496 2006-11-21] (Lexmark International Inc.)HKLM\...\Run: [EzPrint] - C:\Program Files\Lexmark 5400 Series\ezprint.exe [82864 2007-03-19] (Lexmark International Inc.)HKLM\...\Run: [dellsupportcenter] - C:\Program Files\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)HKLM\...\Run: [lxctmon.exe] - C:\Program Files\Lexmark 5400 Series\lxctmon.exe [291760 2007-03-19] ()HKLM\...\Run: [ECenter] - C:\Dell\E-Center\EULALauncher.exe [17920 2008-02-28] ( )HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)HKLM\...\Run: [intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2643320 2012-11-28] (Intuit Inc. All rights reserved.)HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)HKCU\...\Run: [AutoStartNPSAgent] - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [98304 2009-01-02] (Samsung Electronics Co., Ltd.)HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)HKCU\...\Run: [GarminExpressTrayApp] - C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1100120 2013-03-20] (Garmin Ltd or its subsidiaries)HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTIONMountPoints2: {f43be747-edb1-11df-9bdd-00219b062144} - L:\LaunchU3.exe -aHKU\Network User\...\RunOnce: [] - [x]HKU\Network User\...\Winlogon: [shell] Explorer.exe <==== ATTENTIONStartup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnkShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnkShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada ULC.)Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnkShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Canada ULC.)Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnkShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnkShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)Startup: C:\Users\Network User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnkShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)Startup: C:\Users\yusishen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnkShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)==================== Internet (Whitelisted) ====================HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080909HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ieHKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ieSearchScopes: HKLM - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709SearchScopes: HKCU - {5D2B041B-175F-44AC-9942-DF607B94AEF3} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (Google Inc.)BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)Toolbar: HKLM - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)Toolbar: HKCU -&Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)Toolbar: HKCU -Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cabDPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabHandler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txtTcpip\Parameters: [DhcpNameServer] 192.168.0.1========================== Services (Whitelisted) =================R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [554352 2007-09-12] (Symantec Corporation)R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [161048 2008-04-28] (Stardock Corporation)R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [186200 2013-03-20] (Garmin Ltd or its subsidiaries)R3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2999664 2007-09-12] (Symantec Corporation)R2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll [537992 2008-04-10] (Symantec Corporation)R2 lxct_device; C:\Windows\system32\lxctcoms.exe [537520 2007-03-19] ( )S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)R2 NIS; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)R2 NMSAccess; C:\Windows\system32\NMSAccess32.exe [71096 2010-01-19] ()R2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [648488 2008-09-14] (Cisco Systems, Inc.)R2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [3236224 2013-04-29] (Symantec Corporation)R2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-14] (SupportSoft, Inc.)S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)S2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\ \...\???\{2e481a45-5c7f-3d39-6438-40aebf8d981c}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)==================== Drivers (Whitelisted) ====================S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-20] (Microsoft Corporation)R1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [41984 2007-01-04] (Samsung Electronics Co., Ltd.)R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-20] (Symantec Corporation)R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)R3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2009-01-02] ()S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57536 2008-03-13] (FTDI Ltd.)R1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20130823.001\IDSvix86.sys [392792 2013-08-19] (Symantec Corporation)S4 mrtRate; C:\Windows\System32\Drivers\mrtRate.sys [34712 2000-05-31] (Marimba, Inc.)R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130823.019\NAVENG.SYS [93272 2013-08-20] (Symantec Corporation)R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130823.019\NAVEX15.SYS [1611992 2013-08-20] (Symantec Corporation)R3 OEM05Afx; C:\Windows\system32\Drivers\OEM05Afx.sys [141376 2007-08-22] (Creative Technology Ltd.)R3 OEM05Vfx; C:\Windows\System32\DRIVERS\OEM05Vfx.sys [7424 2007-08-22] (EyePower Games Pte. Ltd.)R3 OEM05Vid; C:\Windows\System32\DRIVERS\OEM05Vid.sys [235616 2007-08-22] (Creative Technology Ltd.)R2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-09-14] (Pure Networks, Inc.)R2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-09-14] (Pure Networks, Inc.)R3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [31616 2007-01-15] ()R0 SMR322; C:\Windows\System32\drivers\SMR322.SYS [98392 2013-08-24] (Symantec Corporation)R3 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)R1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2007-01-04] (Samsung Electronics)R0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)R0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-10] (Symantec Corporation)R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [36512 2013-03-04] (Symantec Corporation)R1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation)S3 IpInIp; system32\DRIVERS\ipinip.sys [x]S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]U2 SharedAccess;S3 SYMDNS; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMDNS.SYS [x]S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMFW.SYS [x]S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x]S3 SYMREDRV; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMREDRV.SYS [x]U3 mbr; \??\C:\Users\yusishen\AppData\Local\Temp\mbr.sys [x]==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2013-08-24 13:55 - 2013-08-24 13:38 - 01070693 _____ (Farbar) C:\Users\yusishen\Desktop\FRST.exe2013-08-24 13:24 - 2013-08-24 13:25 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt2013-08-24 13:12 - 2013-08-24 13:25 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine2013-08-24 13:12 - 2013-08-24 13:10 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt2013-08-24 12:22 - 2013-08-24 12:19 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr2013-08-24 10:14 - 2013-08-24 10:14 - 00098392 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SMR322.SYS2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765}2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware2013-08-23 12:02 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys2013-08-23 11:34 - 2013-08-24 10:20 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE2013-08-15 03:02 - 2013-07-24 21:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll2013-08-15 03:02 - 2013-07-24 21:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll2013-08-15 03:02 - 2013-07-24 21:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll2013-08-15 03:02 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll2013-08-15 03:02 - 2013-07-24 21:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll2013-08-15 03:02 - 2013-07-24 21:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl2013-08-15 03:02 - 2013-07-24 21:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll2013-08-15 03:02 - 2013-07-24 21:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll2013-08-15 03:02 - 2013-07-24 21:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll2013-08-15 03:02 - 2013-07-24 21:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll2013-08-15 03:02 - 2013-07-24 21:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll2013-08-15 03:02 - 2013-07-24 21:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll2013-08-15 03:02 - 2013-07-24 21:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe2013-08-15 03:02 - 2013-07-24 21:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb2013-08-15 03:02 - 2013-07-24 21:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll2013-08-15 03:02 - 2013-07-24 21:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll2013-08-14 12:58 - 2013-07-17 14:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll2013-08-14 12:58 - 2013-07-10 04:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll2013-08-14 12:58 - 2013-07-09 07:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll2013-08-14 12:58 - 2013-07-07 23:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe2013-08-14 12:58 - 2013-07-07 23:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe2013-08-14 12:58 - 2013-07-07 23:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll2013-08-14 12:58 - 2013-07-07 23:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll2013-08-14 12:58 - 2013-07-07 23:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll2013-08-14 12:58 - 2013-07-07 23:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll2013-08-14 12:58 - 2013-07-04 23:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys2013-08-14 12:58 - 2013-06-15 08:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll2013-08-14 12:58 - 2013-06-15 06:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk2013-07-27 03:00 - 2013-08-15 03:27 - 00000000 ____D C:\Windows\system32\MRT==================== One Month Modified Files and Folders =======2013-08-24 13:48 - 2009-12-29 20:06 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job2013-08-24 13:38 - 2013-08-24 13:55 - 01070693 _____ (Farbar) C:\Users\yusishen\Desktop\FRST.exe2013-08-24 13:25 - 2013-08-24 13:24 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt2013-08-24 13:25 - 2013-08-24 13:12 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine2013-08-24 13:20 - 2013-02-16 18:36 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job2013-08-24 13:11 - 2012-08-21 18:24 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\Skype2013-08-24 13:10 - 2013-08-24 13:12 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe2013-08-24 13:10 - 2009-12-29 20:06 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job2013-08-24 13:09 - 2008-10-03 16:51 - 00000000 ____D C:\Program Files\Lx_cats2013-08-24 13:08 - 2012-05-23 21:52 - 00000940 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003UA.job2013-08-24 12:39 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A02013-08-24 12:39 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A02013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt2013-08-24 12:19 - 2013-08-24 12:22 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr2013-08-24 10:21 - 2008-09-09 03:09 - 02002692 _____ C:\Windows\WindowsUpdate.log2013-08-24 10:20 - 2013-08-23 11:34 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE2013-08-24 10:17 - 2011-11-02 17:09 - 00000000 ____D C:\ProgramData\boost_interprocess2013-08-24 10:16 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT2013-08-24 10:14 - 2013-08-24 10:14 - 00098392 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SMR322.SYS2013-08-24 10:14 - 2006-11-02 08:01 - 00032600 _____ C:\Windows\Tasks\SCHEDLGU.TXT2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess2013-08-24 07:55 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Branding2013-08-24 07:09 - 2012-05-23 21:52 - 00000918 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003Core.job2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765}2013-08-23 19:09 - 2008-01-20 21:47 - 00290144 _____ C:\Windows\PFRO.log2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware2013-08-23 11:55 - 2009-10-09 11:51 - 00000472 _____ C:\Windows\Tasks\Ad-Aware Update (Weekly).job2013-08-23 11:34 - 2008-10-17 19:06 - 00000000 ____D C:\ProgramData\Norton2013-08-23 08:28 - 2011-05-06 03:13 - 00000000 ____D C:\Users\yusishen\AppData\Local\CrashDumps2013-08-23 07:32 - 2008-09-09 08:33 - 00000000 ____D C:\Program Files\Google2013-08-21 15:58 - 2012-11-13 16:07 - 00000000 ____D C:\Users\yusishen\Documents\My Digital Editions2013-08-21 13:21 - 2013-02-09 16:20 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe2013-08-21 13:21 - 2013-02-09 16:20 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl2013-08-20 09:26 - 2013-06-21 08:53 - 00002399 _____ C:\Users\yusishen\Desktop\Field Manager PRO Desktop 2013-02.lnk2013-08-19 12:41 - 2009-10-09 10:50 - 00000334 _____ C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job2013-08-19 11:29 - 2009-10-09 10:49 - 00000320 _____ C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job2013-08-16 20:24 - 2006-11-02 05:33 - 00862256 _____ C:\Windows\system32\PerfStringBackup.INI2013-08-15 04:27 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\rescache2013-08-15 04:09 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET2013-08-15 03:27 - 2013-07-27 03:00 - 00000000 ____D C:\Windows\system32\MRT2013-08-15 03:16 - 2006-11-02 05:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe2013-08-15 03:13 - 2008-09-09 08:27 - 00000000 ____D C:\ProgramData\Microsoft Help2013-07-30 16:28 - 2010-07-06 20:23 - 00000680 _____ C:\Users\yusishen\AppData\Local\d3d9caps.dat2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk2013-07-25 15:13 - 2012-07-04 22:11 - 00002293 _____ C:\Users\yusishen\Desktop\AgExpert Analyst.lnkFiles to move or delete:====================ZeroAccess:C:\Program Files\Google\Desktop\Install\{2e481a45-5c7f-3d39-6438-40aebf8d981c}C:\Users\yusishen\AppData\Local\Temp\AdobeUpdater12345.exeC:\Users\yusishen\AppData\Local\Temp\_is782D.exeC:\Users\yusishen\AppData\Local\Temp\_isFFE8.exeC:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\ISSetup.dllC:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\_Setup.dllC:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\ISSetup.dllC:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\_Setup.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcp71.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcr71.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymHTML.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymTheme.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\Reporter\Reporter.exeC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\NOLU\Lsetup.exeC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\MSI\wiupdate.exeC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\HTMLHelp\External\symhelp.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\CLTWrap.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\VTCache.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\asLstCtl.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\ASOpts.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\EmlOpts.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\LUOpts.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\Options.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\symDynLd.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\UIHelper.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAddrBk.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAdITsk.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAuAdIm.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asBAList.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEClMnt.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngAB.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngBay.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\ASEngBWL.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngUR.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFilter.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFtPxy.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asLogHlp.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOEHook.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOELnch.exeC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSetHlp.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmEvt.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmLog.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asUniPlg.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\bteuclid.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\btutils.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\FRESpam.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\MsouPlug.dllC:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\NASPlug.dll==================== Bamital & volsnap Check =================C:\Windows\explorer.exe => MD5 is legitC:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legitC:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows DefenderLastRegBack: 2013-08-24 11:18==================== End Of Log ============================ I have the addition.txt file but can't figure out how to attach the file to the reply. I'm missing something obvioius, I know. Link to post Share on other sites More sharing options...
MrCharlie Posted August 24, 2013 ID:720028 Share Posted August 24, 2013 Download the attached fixlist.txt to the same folder as FRST. Run FRST and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. Then........ Download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txtTo attach a log if needed: Bottom right corner of this page. New window that comes up. ~~~~~~~~~~~~~~~~~~~~~~~ Note: If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional: Internet access Windows Update Windows Firewall If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder. Just run fixdamage.exe. Verify that they are now functioning normally. MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 24, 2013 Author ID:720034 Share Posted August 24, 2013 One question before I follow those steps...does the computer need to be connected to the internet to run the anti-rootkit program (you mention updates)? I've been using a clean computer to download files to a USB stick then copying them from the stick to the infected computer as I currently have it disconnected from the internet (as per your instructions above). The addition.txt file from FBRTis attached to this reply.Addition.txt Link to post Share on other sites More sharing options...
yusfarm Posted August 24, 2013 Author ID:720059 Share Posted August 24, 2013 Followed your instructions. While running FRST, I got the following error message: line 15370 file C:\users\yusishen\desktop\FRST\FRST.exe error: subscript used with non-array variable. Log file is attached to reply. I also run and updated MBAR. It said no cleanup required after the first scan was completed. Logs also attached. I have rebooted the computer and am now going to check and see if things are working properly (internet access is okay). I will also re-run a Malwarebytes full scan later and post the results from that.Fixlog.txtmbar-log-2013-08-24 (15-18-28).txtsystem-log.txt Link to post Share on other sites More sharing options...
yusfarm Posted August 24, 2013 Author ID:720061 Share Posted August 24, 2013 Definitely not fixed yet. Still cannot download files. At the end of download, it says "file is infected so deleted" but at the same time, a popup from Norton on the bottom right corner says file is fine. I tried Windows Update and it says I can't check for updates because service is not running. Will disconnect internet now and try Malwarebytes scan to see what that says. Link to post Share on other sites More sharing options...
MrCharlie Posted August 24, 2013 ID:720095 Share Posted August 24, 2013 Please run another scan with RogueKiller and post the new log. MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720245 Share Posted August 25, 2013 RogueKiller V8.6.6 [Aug 19 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.adlice.com/forum/ Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://tigzyrk.blogspot.com/ Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version Started in : Normal mode User : yusishen [Admin rights] Mode : Scan -- Date : 08/25/2013 08:03:41 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 7 ¤¤¤ [HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND [HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpRtMon.dll : C:\Program Files\Windows Defender\MpRtMon.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpRtPlug.dll : C:\Program Files\Windows Defender\MpRtPlug.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpSigDwn.dll : C:\Program Files\Windows Defender\MpSigDwn.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpSoftEx.dll : C:\Program Files\Windows Defender\MpSoftEx.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND [ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND ¤¤¤ Driver : [LOADED] ¤¤¤ [Address] SSDT[13] : NtAlertResumeThread @ 0x824AC823 -> HOOKED (Unknown @ 0x873F2D68) [Address] SSDT[14] : NtAlertThread @ 0x8242534F -> HOOKED (Unknown @ 0x873F2E48) [Address] SSDT[18] : NtAllocateVirtualMemory @ 0x8246169D -> HOOKED (Unknown @ 0x8744EA30) [Address] SSDT[21] : NtAlpcConnectPort @ 0x824038A7 -> HOOKED (Unknown @ 0x872FF008) [Address] SSDT[42] : NtAssignProcessToJobObject @ 0x823D6B32 -> HOOKED (Unknown @ 0x87452C20) [Address] SSDT[67] : NtCreateMutant @ 0x82439993 -> HOOKED (Unknown @ 0x873F2AB8) [Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x823D9349 -> HOOKED (Unknown @ 0x87452940) [Address] SSDT[78] : NtCreateThread @ 0x824AAE40 -> HOOKED (Unknown @ 0x8744EE78) [Address] SSDT[116] : NtDebugActiveProcess @ 0x8247DED4 -> HOOKED (Unknown @ 0x87452D00) [Address] SSDT[129] : NtDuplicateObject @ 0x82411579 -> HOOKED (Unknown @ 0x8744EBC0) [Address] SSDT[147] : NtFreeVirtualMemory @ 0x8229DE75 -> HOOKED (Unknown @ 0x873F0ED0) [Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x823D3F3F -> HOOKED (Unknown @ 0x873F2BA8) [Address] SSDT[158] : NtImpersonateThread @ 0x823E9589 -> HOOKED (Unknown @ 0x873F2C88) [Address] SSDT[165] : NtLoadDriver @ 0x82384E12 -> HOOKED (Unknown @ 0x872FFFD0) [Address] SSDT[177] : NtMapViewOfSection @ 0x82429994 -> HOOKED (Unknown @ 0x873F0DD0) [Address] SSDT[184] : NtOpenEvent @ 0x82412DF7 -> HOOKED (Unknown @ 0x873F29D8) [Address] SSDT[194] : NtOpenProcess @ 0x8243A12F -> HOOKED (Unknown @ 0x8744ED60) [Address] SSDT[195] : NtOpenProcessToken @ 0x8241AA58 -> HOOKED (Unknown @ 0x8744EB00) [Address] SSDT[197] : NtOpenSection @ 0x8242A78C -> HOOKED (Unknown @ 0x87452F28) [Address] SSDT[201] : NtOpenThread @ 0x8243562B -> HOOKED (Unknown @ 0x8744EC90) [Address] SSDT[210] : NtProtectVirtualMemory @ 0x824333E2 -> HOOKED (Unknown @ 0x87452B30) [Address] SSDT[282] : NtResumeThread @ 0x82434C4A -> HOOKED (Unknown @ 0x873F2F28) [Address] SSDT[289] : NtSetContextThread @ 0x824AC2CF -> HOOKED (Unknown @ 0x873F0B20) [Address] SSDT[305] : NtSetInformationProcess @ 0x8242D9E6 -> HOOKED (Unknown @ 0x873F0C00) [Address] SSDT[317] : NtSetSystemInformation @ 0x823FFF1E -> HOOKED (Unknown @ 0x87452DE0) [Address] SSDT[330] : NtSuspendProcess @ 0x824AC75F -> HOOKED (Unknown @ 0x873F28F8) [Address] SSDT[331] : NtSuspendThread @ 0x823B3945 -> HOOKED (Unknown @ 0x873F0960) [Address] SSDT[334] : NtTerminateProcess @ 0x8240A16B -> HOOKED (Unknown @ 0x8744EF58) [Address] SSDT[335] : unknown @ 0x82435660 -> HOOKED (Unknown @ 0x873F0A40) [Address] SSDT[348] : NtUnmapViewOfSection @ 0x82429C57 -> HOOKED (Unknown @ 0x873F0CF0) [Address] SSDT[358] : NtWriteVirtualMemory @ 0x82426A27 -> HOOKED (Unknown @ 0x873F0FC0) [Address] SSDT[382] : NtCreateThreadEx @ 0x82435115 -> HOOKED (Unknown @ 0x87452A30) [Address] Shadow SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87B7DB38) [Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87B7D378) [Address] Shadow SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x87B7D298) [Address] Shadow SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x87B7D458) [Address] Shadow SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x87B7D538) [Address] Shadow SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AAD7F60) [Address] Shadow SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x87B7D1A8) [Address] Shadow SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x87B7D0B8) [Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87B7D6B0) [Address] Shadow SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87B7D008) ¤¤¤ External Hives: ¤¤¤ -> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] -> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] -> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] -> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] -> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] -> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts 127.0.0.1 localhost ::1 localhost 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 127.0.0.1 www.0scan.com 127.0.0.1 0scan.com 127.0.0.1 www.100888290cs.com 127.0.0.1 100888290cs.com 127.0.0.1 www.100sexlinks.com 127.0.0.1 100sexlinks.com 127.0.0.1 www.10sek.com 127.0.0.1 10sek.com [...] ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: +++++ --- User --- [MBR] b0fc266a4c01e3685d55e3de3b870c76 [bSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo 2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 466644 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[0]_S_08252013_080341.txt >> RKreport[0]_S_08242013_132426.txt Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2013 ID:720246 Share Posted August 25, 2013 Run another scan with FRST and post the new log....MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720277 Share Posted August 25, 2013 I forgot to rename the fixlist.txt file before running FRST. Log from first run is attached to this message. I then renamed the file so it would only scan. Log from scan is below: Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-08-2013 01 Ran by yusishen (administrator) on 25-08-2013 08:53:28 Running from C:\Users\yusishen\Desktop\FRST Windows Vista Home Premium Service Pack 2 (X86) OS Language: English(US) Internet Explorer Version 9 Boot Mode: Normal ==================== Could not list processes =============== ==================== Registry (Whitelisted) ================== HKLM\...\Run: [NPSStartup] - [x] HKLM\...\Run: [samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe [520192 2007-01-14] () HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4452352 2007-05-11] (Realtek Semiconductor) HKLM\...\Run: [OEM05Mon.exe] - C:\Windows\OEM05Mon.exe [36864 2007-08-22] (Creative Technology Ltd.) HKLM\...\Run: [nmctxth] - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [648488 2008-09-14] (Cisco Systems, Inc.) HKLM\...\Run: [LXCTCATS] - C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll [106496 2006-11-21] (Lexmark International Inc.) HKLM\...\Run: [EzPrint] - C:\Program Files\Lexmark 5400 Series\ezprint.exe [82864 2007-03-19] (Lexmark International Inc.) HKLM\...\Run: [dellsupportcenter] - C:\Program Files\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.) HKLM\...\Run: [lxctmon.exe] - C:\Program Files\Lexmark 5400 Series\lxctmon.exe [291760 2007-03-19] () HKLM\...\Run: [ECenter] - C:\Dell\E-Center\EULALauncher.exe [17920 2008-02-28] ( ) HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( ) HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.) HKLM\...\Run: [intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2643320 2012-11-28] (Intuit Inc. All rights reserved.) HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.) HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.) HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated) HKCU\...\Run: [AutoStartNPSAgent] - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [98304 2009-01-02] (Samsung Electronics Co., Ltd.) HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.) HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation) HKCU\...\Run: [GarminExpressTrayApp] - C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1100120 2013-03-20] (Garmin Ltd or its subsidiaries) HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.) HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION MountPoints2: {f43be747-edb1-11df-9bdd-00219b062144} - L:\LaunchU3.exe -a HKU\Network User\...\RunOnce: [] - [x] Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software ) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada ULC.) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Canada ULC.) Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation) Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation) Startup: C:\Users\Network User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation) Startup: C:\Users\yusishen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080909 HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie SearchScopes: HKLM - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709 SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS} SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2642709 SearchScopes: HKCU - {5D2B041B-175F-44AC-9942-DF607B94AEF3} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms} SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS} SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll () BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited) BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation) BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation) BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.) BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (Google Inc.) BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.) Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.) Toolbar: HKLM - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll () Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation) Toolbar: HKCU -&Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.) Toolbar: HKCU -Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll () Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation) DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.) Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.) Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.) Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.) Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation) Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation) Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 ========================== Services (Whitelisted) ================= R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [554352 2007-09-12] (Symantec Corporation) R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [161048 2008-04-28] (Stardock Corporation) R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [186200 2013-03-20] (Garmin Ltd or its subsidiaries) S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2999664 2007-09-12] (Symantec Corporation) R2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll [537992 2008-04-10] (Symantec Corporation) R2 lxct_device; C:\Windows\system32\lxctcoms.exe [537520 2007-03-19] ( ) S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation) R2 NIS; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation) R2 NMSAccess; C:\Windows\system32\NMSAccess32.exe [71096 2010-01-19] () R2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [648488 2008-09-14] (Cisco Systems, Inc.) R2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [3236224 2013-04-29] (Symantec Corporation) R2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-14] (SupportSoft, Inc.) S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.) S2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x] ==================== Drivers (Whitelisted) ==================== S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-20] (Microsoft Corporation) R1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation) R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation) R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation) S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [41984 2007-01-04] (Samsung Electronics Co., Ltd.) R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-20] (Symantec Corporation) R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation) R3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2009-01-02] () S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57536 2008-03-13] (FTDI Ltd.) R1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20130823.001\IDSvix86.sys [392792 2013-08-19] (Symantec Corporation) S4 mrtRate; C:\Windows\System32\Drivers\mrtRate.sys [34712 2000-05-31] (Marimba, Inc.) R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130824.007\NAVENG.SYS [93272 2013-08-20] (Symantec Corporation) R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130824.007\NAVEX15.SYS [1611992 2013-08-20] (Symantec Corporation) R3 OEM05Afx; C:\Windows\system32\Drivers\OEM05Afx.sys [141376 2007-08-22] (Creative Technology Ltd.) R3 OEM05Vfx; C:\Windows\System32\DRIVERS\OEM05Vfx.sys [7424 2007-08-22] (EyePower Games Pte. Ltd.) R3 OEM05Vid; C:\Windows\System32\DRIVERS\OEM05Vid.sys [235616 2007-08-22] (Creative Technology Ltd.) R2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-09-14] (Pure Networks, Inc.) R2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-09-14] (Pure Networks, Inc.) R3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [31616 2007-01-15] () R3 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation) R1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation) R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2007-01-04] (Samsung Electronics) R0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation) R0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation) R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-10] (Symantec Corporation) R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [36512 2013-03-04] (Symantec Corporation) R1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation) R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation) S3 IpInIp; system32\DRIVERS\ipinip.sys [x] S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x] S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x] U2 SharedAccess; S3 SYMDNS; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMDNS.SYS [x] S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMFW.SYS [x] S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x] S3 SYMREDRV; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMREDRV.SYS [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-08-24 15:18 - 2013-08-24 15:34 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable) 2013-08-24 15:15 - 2013-08-24 15:34 - 00000000 ____D C:\Users\yusishen\Desktop\mbar 2013-08-24 15:14 - 2013-08-24 15:14 - 00000000 ____D C:\Users\yusishen\Desktop\MBAR Download 2013-08-24 15:11 - 2013-08-25 08:53 - 00000000 ____D C:\Users\yusishen\Desktop\FRST 2013-08-24 13:56 - 2013-08-25 08:52 - 00000000 ____D C:\FRST 2013-08-24 13:24 - 2013-08-24 13:25 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt 2013-08-24 13:12 - 2013-08-24 13:25 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine 2013-08-24 13:12 - 2013-08-24 13:10 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe 2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt 2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt 2013-08-24 12:22 - 2013-08-24 12:19 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr 2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess 2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765} 2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-08-23 12:02 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2013-08-23 11:34 - 2013-08-24 10:20 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE 2013-08-15 03:02 - 2013-07-24 21:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2013-08-15 03:02 - 2013-07-24 21:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2013-08-15 03:02 - 2013-07-24 21:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2013-08-15 03:02 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2013-08-15 03:02 - 2013-07-24 21:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2013-08-15 03:02 - 2013-07-24 21:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2013-08-15 03:02 - 2013-07-24 21:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll 2013-08-15 03:02 - 2013-07-24 21:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2013-08-15 03:02 - 2013-07-24 21:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2013-08-15 03:02 - 2013-07-24 21:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll 2013-08-15 03:02 - 2013-07-24 21:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2013-08-15 03:02 - 2013-07-24 21:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2013-08-15 03:02 - 2013-07-24 21:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2013-08-15 03:02 - 2013-07-24 21:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2013-08-15 03:02 - 2013-07-24 21:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2013-08-15 03:02 - 2013-07-24 21:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2013-08-14 12:58 - 2013-07-17 14:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll 2013-08-14 12:58 - 2013-07-10 04:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll 2013-08-14 12:58 - 2013-07-09 07:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll 2013-08-14 12:58 - 2013-07-07 23:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe 2013-08-14 12:58 - 2013-07-07 23:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe 2013-08-14 12:58 - 2013-07-07 23:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll 2013-08-14 12:58 - 2013-07-07 23:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll 2013-08-14 12:58 - 2013-07-07 23:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll 2013-08-14 12:58 - 2013-07-07 23:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll 2013-08-14 12:58 - 2013-07-04 23:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys 2013-08-14 12:58 - 2013-06-15 08:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll 2013-08-14 12:58 - 2013-06-15 06:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys 2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk 2013-07-27 03:00 - 2013-08-15 03:27 - 00000000 ____D C:\Windows\system32\MRT ==================== One Month Modified Files and Folders ======= 2013-08-25 08:52 - 2013-08-24 13:56 - 00000000 ____D C:\FRST 2013-08-25 08:48 - 2009-12-29 20:06 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-08-25 08:20 - 2013-02-16 18:36 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job 2013-08-25 08:03 - 2013-08-25 08:03 - 00008880 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08252013_080341.txt 2013-08-25 07:37 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 2013-08-25 07:37 - 2006-11-02 07:47 - 00003744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 2013-08-25 07:09 - 2012-05-23 21:52 - 00000940 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003UA.job 2013-08-25 07:09 - 2012-05-23 21:52 - 00000918 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3613409154-809846524-3207628668-1003Core.job 2013-08-24 15:56 - 2008-09-17 20:50 - 00000049 __RSH C:\Users\Public\Documents\HBEPGUID.TXT 2013-08-24 15:41 - 2008-09-09 03:09 - 02003787 _____ C:\Windows\WindowsUpdate.log 2013-08-24 15:38 - 2011-11-02 17:09 - 00000000 ____D C:\ProgramData\boost_interprocess 2013-08-24 15:37 - 2012-08-21 18:24 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\Skype 2013-08-24 15:37 - 2008-10-03 16:51 - 00000000 ____D C:\Program Files\Lx_cats 2013-08-24 15:36 - 2009-12-29 20:06 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-08-24 15:36 - 2008-01-20 21:47 - 00290556 _____ C:\Windows\PFRO.log 2013-08-24 15:36 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2013-08-24 15:35 - 2006-11-02 08:01 - 00032600 _____ C:\Windows\Tasks\SCHEDLGU.TXT 2013-08-24 15:34 - 2013-08-24 15:18 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable) 2013-08-24 15:34 - 2013-08-24 15:15 - 00000000 ____D C:\Users\yusishen\Desktop\mbar 2013-08-24 15:14 - 2013-08-24 15:14 - 00000000 ____D C:\Users\yusishen\Desktop\MBAR Download 2013-08-24 13:25 - 2013-08-24 13:24 - 00010011 _____ C:\Users\yusishen\Desktop\RKreport[0]_S_08242013_132426.txt 2013-08-24 13:25 - 2013-08-24 13:12 - 00000000 ____D C:\Users\yusishen\Desktop\RK_Quarantine 2013-08-24 13:10 - 2013-08-24 13:12 - 00923136 _____ C:\Users\yusishen\Desktop\RogueKiller.exe 2013-08-24 12:32 - 2013-08-24 12:32 - 00012137 _____ C:\Users\yusishen\Desktop\dds.txt 2013-08-24 12:32 - 2013-08-24 12:32 - 00010810 _____ C:\Users\yusishen\Desktop\attach.txt 2013-08-24 12:19 - 2013-08-24 12:22 - 00688992 ____R (Swearware) C:\Users\yusishen\Desktop\dds.scr 2013-08-24 10:20 - 2013-08-23 11:34 - 00000000 ____D C:\Users\yusishen\AppData\Local\NPE 2013-08-24 10:07 - 2013-08-24 10:07 - 00000000 ____D C:\Users\yusishen\AppData\Roaming\FixZeroAccess 2013-08-24 07:55 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Branding 2013-08-24 01:34 - 2013-08-24 01:34 - 00002072 _____ C:\{30B3FEB5-AD37-47C5-974D-25BFB5CFC765} 2013-08-23 12:02 - 2013-08-23 12:02 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2013-08-23 12:02 - 2013-08-23 12:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-08-23 11:55 - 2009-10-09 11:51 - 00000472 _____ C:\Windows\Tasks\Ad-Aware Update (Weekly).job 2013-08-23 11:34 - 2008-10-17 19:06 - 00000000 ____D C:\ProgramData\Norton 2013-08-23 08:28 - 2011-05-06 03:13 - 00000000 ____D C:\Users\yusishen\AppData\Local\CrashDumps 2013-08-23 07:32 - 2008-09-09 08:33 - 00000000 ____D C:\Program Files\Google 2013-08-21 15:58 - 2012-11-13 16:07 - 00000000 ____D C:\Users\yusishen\Documents\My Digital Editions 2013-08-21 13:21 - 2013-02-09 16:20 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe 2013-08-21 13:21 - 2013-02-09 16:20 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl 2013-08-20 09:26 - 2013-06-21 08:53 - 00002399 _____ C:\Users\yusishen\Desktop\Field Manager PRO Desktop 2013-02.lnk 2013-08-19 12:41 - 2009-10-09 10:50 - 00000334 _____ C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job 2013-08-19 11:29 - 2009-10-09 10:49 - 00000320 _____ C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job 2013-08-16 20:24 - 2006-11-02 05:33 - 00862256 _____ C:\Windows\system32\PerfStringBackup.INI 2013-08-15 04:27 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\rescache 2013-08-15 04:09 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET 2013-08-15 03:27 - 2013-07-27 03:00 - 00000000 ____D C:\Windows\system32\MRT 2013-08-15 03:16 - 2006-11-02 05:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe 2013-08-15 03:13 - 2008-09-09 08:27 - 00000000 ____D C:\ProgramData\Microsoft Help 2013-07-30 16:28 - 2010-07-06 20:23 - 00000680 _____ C:\Users\yusishen\AppData\Local\d3d9caps.dat 2013-07-30 07:55 - 2013-07-30 07:55 - 00002075 _____ C:\Users\Public\Desktop\Google Earth.lnk Files to move or delete: ==================== C:\Users\yusishen\AppData\Local\Temp\_is782D.exe C:\Users\yusishen\AppData\Local\Temp\_isFFE8.exe C:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\ISSetup.dll C:\Users\yusishen\AppData\Local\Temp\{A5FF7511-2B35-4CF5-99C5-D6E687117052}\_Setup.dll C:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\ISSetup.dll C:\Users\yusishen\AppData\Local\Temp\{6307B251-DC38-445C-91A1-E1A9BE07C3F5}\_Setup.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcp71.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\msvcr71.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymHTML.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\SymTheme.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\Reporter\Reporter.exe C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\NOLU\Lsetup.exe C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\MSI\wiupdate.exe C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\HTMLHelp\External\symhelp.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\CLTWrap.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\SYMSHARE\Options\VTCache.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\asLstCtl.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\ASOpts.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\EmlOpts.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\LUOpts.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\Options.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\symDynLd.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\Options\UIHelper.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAddrBk.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAdITsk.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asAuAdIm.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asBAList.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEClMnt.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngAB.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngBay.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\ASEngBWL.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asEngUR.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFilter.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asFtPxy.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asLogHlp.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOEHook.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asOELnch.exe C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSetHlp.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmEvt.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asSpmLog.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\asUniPlg.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\bteuclid.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\btutils.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\FRESpam.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\MsouPlug.dll C:\Users\yusishen\AppData\Local\Temp\BP1.1.0.38\Support\AntiSpam\asCore\AntiSpam\NASPlug.dll ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender LastRegBack: 2013-08-25 03:48 ==================== End Of Log ============================Fixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2013 ID:720290 Share Posted August 25, 2013 Download the attached fixlist.txt to the same folder as FRST. Run FRST and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. Then run MBAR: Download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txtTo attach a log if needed: Bottom right corner of this page. New window that comes up. ~~~~~~~~~~~~~~~~~~~~~~~ Note: If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional: Internet access Windows Update Windows Firewall If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder. Just run fixdamage.exe. Verify that they are now functioning normally. MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720406 Share Posted August 25, 2013 FRST and MBAR run. MBAR did not find anything needing cleanup. Logs are attached. I am now going to verify if system is working and if not, will run fixdamage.exe (realized I forgot that step last time). Fixlog.txtmbar-log-2013-08-25 (12-45-30).txtsystem-log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2013 ID:720411 Share Posted August 25, 2013 OK...Let me know.....MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720420 Share Posted August 25, 2013 Downloads are now working correctly. Windows Update/Firewall were not functioning so I ran fixdamage.exe and re-booted computer. They now seem to be running fine. Anything else I should check? Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2013 ID:720422 Share Posted August 25, 2013 If you would like to check for any adware on the system..... Please download AdwCleaner by Xplode and save to your Desktop.Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As AdministratorClick on the Scan button.AdwCleaner will begin...be patient as the scan may take some time to complete.After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.Copy and paste the contents of that logfile in your next reply.A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.If you agree with everything listed to be removed........... Double click on AdwCleaner.exe to run the tool again.Click on the Scan button.AdwCleaner will begin to scan your computer like it did before.After the scan has finished...This time click on the Clean button.Press OK when asked to close all programs and follow the onscreen prompts.Press OK again to allow AdwCleaner to restart the computer and complete the removal process.After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.Copy and paste the contents of that logfile in your next reply.A copy of that logfile will also be saved in the C:\AdwCleaner folder.Then.................. Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal. Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report. Make sure that everything is checked, and click Remove Selected. Please let me know how computer is running now, MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720425 Share Posted August 25, 2013 It actually ran very quickly. Here's the log. I don't recognize any of this so I assume I can probably go ahead and remove it all? Will wait for your confirmation. # AdwCleaner v3.001 - Report created 25/08/2013 at 13:34:38 # Updated 24/08/2013 by Xplode # Operating System : Windows Vista Home Premium Service Pack 2 (32 bits) # Username : yusishen - OFFICE-PC # Running from : C:\Users\yusishen\Desktop\AdwCleaner.exe # Option : Scan ***** [ Services ] ***** ***** [ Files / Folders ] ***** Folder Found C:\Program Files\Conduit Folder Found C:\ProgramData\boost_interprocess Folder Found C:\Users\yusishen\AppData\LocalLow\PriceGong ***** [ Shortcuts ] ***** ***** [ Registry ] ***** Key Found : HKCU\Software\AppDataLow\Software\Conduit Key Found : HKCU\Software\AppDataLow\Software\PriceGong Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com Key Found : HKCU\Software\YahooPartnerToolbar Key Found : HKLM\Software\Description Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} ***** [ Browsers ] ***** -\\ Internet Explorer v9.0.8112.16502 ************************* AdwCleaner[R0].txt - [1520 octets] - [25/08/2013 13:34:38] ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1580 octets] ########## Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720451 Share Posted August 25, 2013 AdwCleaner log after removal: # AdwCleaner v3.001 - Report created 25/08/2013 at 14:22:54 # Updated 24/08/2013 by Xplode # Operating System : Windows Vista Home Premium Service Pack 2 (32 bits) # Username : yusishen - OFFICE-PC # Running from : C:\Users\yusishen\Desktop\AdwCleaner.exe # Option : Clean ***** [ Services ] ***** ***** [ Files / Folders ] ***** Folder Deleted : C:\ProgramData\boost_interprocess Folder Deleted : C:\Program Files\Conduit Folder Deleted : C:\Users\yusishen\AppData\LocalLow\PriceGong ***** [ Shortcuts ] ***** ***** [ Registry ] ***** Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} Key Deleted : HKCU\Software\YahooPartnerToolbar Key Deleted : HKCU\Software\AppDataLow\Software\Conduit Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong Key Deleted : HKLM\Software\Description ***** [ Browsers ] ***** -\\ Internet Explorer v9.0.8112.16502 ************************* AdwCleaner[R0].txt - [1660 octets] - [25/08/2013 13:34:38] AdwCleaner[s0].txt - [1613 octets] - [25/08/2013 14:22:54] ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1673 octets] ########## Malwarebytes scan running now. Will update when finished. Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2013 ID:720454 Share Posted August 25, 2013 OK....MrC Link to post Share on other sites More sharing options...
yusfarm Posted August 25, 2013 Author ID:720465 Share Posted August 25, 2013 Here's the Malwarebytes log. Looks clean. Now I guess I need to cleanup the various tools I installed. Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Database version: v2013.08.25.05 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 yusishen :: OFFICE-PC [administrator] 25/08/2013 2:28:44 PM mbam-log-2013-08-25 (14-28-44).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 247282 Time elapsed: 11 minute(s), 52 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2013 ID:720469 Share Posted August 25, 2013 OK...... A little clean up to do.... Please Uninstall ComboFix: (if you used it) Press the Windows logo key + R to bring up the "run box" Copy and paste next command in the field: ComboFix /uninstall Make sure there's a space between Combofix and / Then hit enter. This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point (If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller) --------------------------------- If you used FRST: Download the fixlist.txt to the same folder as FRST. Run FRST and click Fix only once and wait That will delete the quarantine folder created by FRST. ----------------------------- If you used DeFogger to disable your CD Emulation drivers, please re-enable them. ------------------------------- Please download OTC to your desktop. http://oldtimer.geekstogo.com/OTC.exe Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator") Click on the CleanUp! button and follow the prompts. (If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.) You will be asked to reboot the machine to finish the Cleanup process, choose Yes. After the reboot all the tools we used should be gone. Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind. Any other programs or logs you can manually delete. IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall. ------------------------------- Any questions...please post back. If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed. Take a look at My Preventive Maintenance to avoid being infected again. Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
Recommended Posts