Trojan zaccess

I've run Malwarebytes and it cleaned up XP AntiVirus Pro 2013, but I am still left with the Trojan.zaccess virus. I tried the Kaspersky rootkit fix with no luck! Here are my scans.

Thanks for your help!

DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by acitron at 12:23:52 on 2013-08-27
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1638 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.


uProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe CSS5.1 Manager] c:\documents and settings\acitron\local settings\application data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
uRunOnce: [Adobe CSS5.1 Manager] c:\documents and settings\acitron\local settings\application data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [Client Access PC5250 Sound] "c:\program files\ibm\client access\emulator\pcssnd.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ScrewDrivers RDP Plugin] c:\program files\tricerat\simplify printing\screwdrivers client v4\install_rdp.exe
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [ygaho] c:\docume~1\networ~1\locals~1\applic~1\ygaho.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
uExplorerRun: [cbaeecbfddaad] c:\documents and settings\acitron\local settings\application data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableVirtualization = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: Interfaces\{24327642-445D-44CA-8AC9-1E21742947A4} : DHCPNameServer = 192.168.20.21 8.8.8.8 4.2.2.2
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\acitron\application data\mozilla\firefox\profiles\ld09q662.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59030
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-10 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-11 701512]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2012-1-2 22136]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-11 22856]
S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\tsusb2.sys --> c:\windows\system32\drivers\TSUSB2.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2013-08-27 15:52:41 -------- d-----w- C:\TDSSKiller_Quarantine
2013-08-27 14:21:44 -------- d-----w- C:\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-26 17:22:27 -------- d-----w- c:\documents and settings\all users\Kaspersky Lab Setup Files
2013-08-26 15:31:52 -------- d-----w- c:\program files\Trend Micro
2013-08-23 17:32:16 -------- d-sh--w- C:\found.000
2013-08-23 15:28:03 60928 ----a-w- c:\windows\drivfunc.dll
2013-08-23 15:11:12 60928 ----a-w- c:\windows\system32\drivfunc.dll
2013-08-23 14:57:56 -------- d-----w- c:\documents and settings\acitron\local settings\application data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-19 18:59:00 8592 ----a-w- c:\windows\system32\ractrlkeyhook.dll
.
==================== Find3M  ====================
.
.
============= FINISH: 12:29:12.85 ===============

Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/27/2008 11:43:09 PM
System Uptime: 8/27/2013 12:05:32 PM (0 hours ago)
.
Motherboard: Dell Inc. |  |      
Processor: Intel® Core2 Duo CPU     T7250  @ 2.00GHz | Microprocessor | 1995/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 38.75 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CSVirtA
.
==== System Restore Points ===================
.
RP1155: 5/27/2013 2:00:59 PM - System Checkpoint
RP1156: 5/28/2013 2:06:27 PM - System Checkpoint
RP1157: 5/29/2013 2:35:50 PM - System Checkpoint
RP1158: 5/30/2013 5:07:10 PM - System Checkpoint
RP1159: 5/31/2013 5:33:37 PM - System Checkpoint
RP1160: 6/3/2013 11:56:12 AM - System Checkpoint
RP1161: 6/4/2013 12:19:56 PM - System Checkpoint
RP1162: 6/5/2013 2:03:19 PM - System Checkpoint
RP1163: 6/6/2013 2:08:31 PM - System Checkpoint
RP1164: 6/7/2013 2:14:14 PM - System Checkpoint
RP1165: 6/8/2013 2:31:56 PM - System Checkpoint
RP1166: 6/10/2013 10:05:53 AM - System Checkpoint
RP1167: 6/11/2013 10:15:09 AM - System Checkpoint
RP1168: 6/12/2013 11:22:52 AM - System Checkpoint
RP1169: 6/13/2013 2:02:06 PM - System Checkpoint
RP1170: 6/14/2013 2:40:06 PM - System Checkpoint
RP1171: 6/15/2013 2:40:38 PM - System Checkpoint
RP1172: 6/17/2013 11:52:29 AM - System Checkpoint
RP1173: 6/18/2013 2:01:12 PM - System Checkpoint
RP1174: 6/19/2013 3:11:36 PM - System Checkpoint
RP1175: 6/20/2013 5:19:51 PM - System Checkpoint
RP1176: 6/24/2013 1:54:55 PM - System Checkpoint
RP1177: 6/25/2013 2:20:54 PM - System Checkpoint
RP1178: 7/1/2013 1:48:51 PM - System Checkpoint
RP1179: 7/2/2013 1:52:32 PM - System Checkpoint
RP1180: 7/3/2013 3:04:21 PM - System Checkpoint
RP1181: 7/4/2013 3:34:01 PM - System Checkpoint
RP1182: 7/5/2013 4:34:01 PM - System Checkpoint
RP1183: 7/6/2013 5:34:00 PM - System Checkpoint
RP1184: 7/8/2013 10:25:35 AM - System Checkpoint
RP1185: 7/9/2013 1:53:37 PM - System Checkpoint
RP1186: 7/10/2013 3:06:59 PM - System Checkpoint
RP1187: 7/11/2013 3:34:56 PM - System Checkpoint
RP1188: 7/12/2013 4:17:42 PM - System Checkpoint
RP1189: 7/13/2013 5:17:42 PM - System Checkpoint
RP1190: 7/15/2013 1:49:55 PM - System Checkpoint
RP1191: 7/17/2013 10:02:23 AM - System Checkpoint
RP1192: 7/18/2013 1:54:07 PM - System Checkpoint
RP1193: 7/19/2013 2:35:09 PM - System Checkpoint
RP1194: 7/22/2013 1:53:49 PM - System Checkpoint
RP1195: 7/23/2013 1:54:47 PM - System Checkpoint
RP1196: 7/24/2013 2:51:46 PM - System Checkpoint
RP1197: 7/25/2013 6:01:39 PM - System Checkpoint
RP1198: 7/29/2013 1:55:11 PM - System Checkpoint
RP1199: 7/30/2013 3:00:52 PM - System Checkpoint
RP1200: 7/31/2013 3:06:34 PM - System Checkpoint
RP1201: 8/1/2013 5:11:03 PM - System Checkpoint
RP1202: 8/5/2013 1:55:15 PM - System Checkpoint
RP1203: 8/6/2013 3:07:08 PM - System Checkpoint
RP1204: 8/7/2013 3:10:47 PM - System Checkpoint
RP1205: 8/8/2013 5:35:29 PM - System Checkpoint
RP1206: 8/9/2013 5:36:19 PM - System Checkpoint
RP1207: 8/12/2013 1:51:25 PM - System Checkpoint
RP1208: 8/13/2013 1:54:39 PM - System Checkpoint
RP1209: 8/14/2013 1:56:54 PM - System Checkpoint
RP1210: 8/15/2013 2:40:56 PM - System Checkpoint
RP1211: 8/16/2013 2:45:51 PM - System Checkpoint
RP1212: 8/17/2013 3:45:50 PM - System Checkpoint
RP1213: 8/19/2013 12:38:42 PM - System Checkpoint
RP1214: 8/20/2013 12:47:04 PM - System Checkpoint
RP1215: 8/21/2013 1:55:48 PM - System Checkpoint
RP1216: 8/22/2013 5:26:13 PM - System Checkpoint
.
==== Installed Programs ======================
.
A-PDF Content Splitter 3.3
Adobe Acrobat  8 Standard
Adobe Acrobat 8.1.5 - CPSID_49013
Adobe Acrobat 8.1.5 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11
AvidInvoice Client
BardecodeFiler Evaluation 1.5.9
BatchCreator
Brother MFC-8480DN
Bullzip PDF Printer 7.2.0.1304
Cisco SSL VPN Client
Citrix XenApp Plugin for Hosted Apps
Communications Utility
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Crystal Reports 9
Device Explorer
Elon Management VPN Connection
ELONUMM
EPMSearch
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
Google Talk Plugin
GoToAssist 8.0.0.514
GoToMeeting 5.5.0.1132
GPL Ghostscript Lite 8.70
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
IBM iSeries Access for Windows
Java Auto Updater
Java 6 Update 20
Java 6 Update 7
join.me
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
LuraDocument PDF Compressor Desktop
LuraDocument PDF Compressor Desktop 4.2.0441
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Standard 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Security Client
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Millennium 3
Mozilla Firefox (3.6.3)
mp
mpmri
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Network Configuration and Address Book Editor Common
NVIDIA Drivers
Panasonic Communications Utility
Panasonic Device Explorer
Panasonic Network Configuration and Address Book Editor Common
Panasonic Network Configuration and Address Book Editor Model
Panasonic Quick Image Navigator
Panasonic Windows Firewall Setting Tool
Quick Image Navigator
Screencaster Plug-in for IE
ScrewDrivers Client v4
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype Toolbars
Skype™ 4.2
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Symantec pcAnywhere
UMM
UMM - 1
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Vim 7.2 (self-installing)
VisionX
VLC media player 1.1.5
VPN Client
Warning
WebEx
WebFldrs XP
Windows Firewall Setting Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell 1.0 MUI pack
Windows Presentation Foundation
WinDriver6 USB Driver
WinZip 17.5
XML Notepad 2007
XML Paper Specification Shared Components Pack 1.0
Yardi Systems CheckScan Client Tool
yCheck
.
==== Event Viewer Messages From Past Week ========
.
8/26/2013 11:45:39 AM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
8/26/2013 11:44:40 AM, error: NETLOGON [5719]  - No Domain Controller is available for domain EPMAPTS due to the following:  There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
8/26/2013 11:43:09 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/26/2013 11:42:49 AM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
8/26/2013 11:42:49 AM, error: SideBySide [59]  - Generate Activation Context failed for C:\Program Files\Trend Micro\TTi_HE_Download_32bit\Vizor32\VizorUniclientLibrary.dll. Reference error message: The operation completed successfully. .
8/26/2013 11:42:49 AM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
8/26/2013 11:42:34 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
8/26/2013 11:29:26 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  awlegacy AW_HOST Fips intelppm MpFilter
8/24/2013 9:47:08 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  awlegacy AW_HOST Fips intelppm MpFilter ohci1394
8/24/2013 10:32:15 PM, error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/24/2013 10:30:47 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
8/23/2013 11:56:21 AM, error: Ntfs [55]  - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
.
==== End Of File ===========================

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Thanks - Here is the RogueKiller report:

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : acitron [Admin rights]
Mode : Scan -- Date : 08/27/2013 14:23:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\WINDOWS\drivfunc.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 21 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\???\???\???ﯹ๛\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-3774402678-1038661908-2601123593-3176\[...]\Run : Google Update ("C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\???\???\???ﯹ๛\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3774402678-1038661908-2601123593-3176\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[RUN][SUSP PATH] HKUS\.DEFAULT\[...]\RunOnce : ygaho (C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1\ygaho.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3774402678-1038661908-2601123593-3176\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18\[...]\RunOnce : ygaho (C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1\ygaho.exe [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : cbaeecbfddaad (C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3774402678-1038661908-2601123593-3176\[...]\Run : cbaeecbfddaad (C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 10173 (C:\Documents and Settings\acitron\Local Settings\Temp\10173.sys [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\   \   \???ﯹ๛\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] {6864CB23-21C8-4EDB-B557-C27578EAE6BA}.job : C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-] -> FOUND
[V1][SUSP PATH] {35AAC2CA-73B7-42E4-9E12-5090F0B5A9DF}.job : C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176UA.job : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [x][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176Core.job : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /c [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp", "127.0.0.1"); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp_port", 59030); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.type", 1); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\WINDOWS\Installer\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\Documents and Settings\acitron\Local Settings\Application Data\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\WINDOWS\Installer\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\Documents and Settings\acitron\Local Settings\Application Data\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\WINDOWS\Installer\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\Documents and Settings\acitron\Local Settings\Application Data\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\L [-] --> FOUND
[ZeroAccess][Junction] Antimalware : C:\Program Files\Microsoft Security Client\Antimalware >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Backup : C:\Program Files\Microsoft Security Client\Backup >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] en-us : C:\Program Files\Microsoft Security Client\en-us >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x2] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST980813ASG +++++
--- User ---
[MBR] 45b865fdce2713d4dc2d3c2e7cc3f5d6
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08272013_142346.txt >>

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC

Here is the frst.txt file. I don't see a way to attach a file (I'm sure it's here somewhere, but in Safe Mode my screen resolution is so large I'm having trouble navigating!), so I'm also including the addition.txt.

Frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-08-2013 03
Ran by acitron (administrator) on 27-08-2013 14:57:59
Running from C:\Documents and Settings\acitron\Desktop\Farbar
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [13594624 2009-03-11] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] - nwiz.exe /installquiet [x]
HKLM\...\Run: [NVHotkey] - C:\Windows\System32\nvHotkey.dll [90112 2009-03-11] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - C:\WINDOWS\system32\NvMcTray.dll [86016 2009-03-11] (NVIDIA Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248040 2010-02-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Client Access Service] - C:\Program Files\IBM\Client Access\cwbsvstr.exe [20480 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access Help Update] - C:\Program Files\IBM\Client Access\cwbinhlp.exe [24576 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access Check Version] - C:\Program Files\IBM\Client Access\cwbckver.exe [45106 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access Express Welcome] - C:\Program Files\IBM\Client Access\cwbwlwiz.exe [20480 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access PC5250 Sound] - C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe [40960 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Acrobat Assistant 8.0] - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [623992 2008-10-14] (Adobe Systems Inc.)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ScrewDrivers RDP Plugin] - C:\Program Files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe [45384 2011-08-26] ()
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] - rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [X]
Winlogon\Notify\PCANotify: PCANotify.dll (Symantec Corporation)
HKLM\...\InprocServer32: [Default-wbemess] wbemess.dll ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Adobe CSS5.1 Manager] - C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [282624 2013-08-23] () <===== ATTENTION
HKCU\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [282624 2013-08-23] () <===== ATTENTION
HKCU\...\Policies\Explorer\Run: [cbaeecbfddaad] - C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [282624 2013-08-23] ( ())
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
ShortcutTarget: Cisco Systems VPN Client.lnk -> C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - DefaultScope {910D7C6E-6236-44B6-B06C-405F09CCF9CB} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
SearchScopes: HKCU - {645701DB-0A59-AE3F-8D62-BAA040AFB663} URL = http://www.bing.com/search?q={searchTerms}&pc=Z007&form=ZGAIDF
SearchScopes: HKCU - {910D7C6E-6236-44B6-B06C-405F09CCF9CB} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU -Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU -No Name - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} https://vpn.empirecorporate.com/CACHE/stc/1/binaries/stcweb.cab
DPF: {2CCFEB42-1C81-4191-807C-708F4043D179} https://rdc-commercial3.wachovia.com/merchantcapturewebclient/CaptureControlUtility.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} https://www.yardiasptx11.com/58924empire/activexviewer9.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} https://rdc-commercial3.wachovia.com/MerchantCaptureWebClient/Reserved.ReportViewerWebControl.axd?ReportSession=kx4jq1451h1gypmz3iysbw45&ControlID=b00231b5dbd44fdf87e3924c093b854d&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} https://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C53EE992-020F-40B8-A1B4-16518D8C7948} https://www.yardiasp14.com/40435elon/ysiNetClientInstaller.CAB
DPF: {C5E4DA8E-FB29-4961-A64A-11EF015CC903} https://rdc-commercial3.wachovia.com/merchantcapturewebclient/AfsDevice_TellerScan.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CED616F0-2859-4BF8-8538-9DAF544AF2CB} https://www.yardiasptx11.com/58924empire/ysiComm.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://protus.webex.com/client/T27L10NSP11/webex/ieatgpc.cab
DPF: {F48DE781-C525-44C9-9529-C5ADE3EF5F70} https://www.yardiasp14.com/40435elon/gdpicturepro5.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://beta.logmein.com//activex/ractrl.cab?lmi=1007
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default

FF SelectedSearchEngine: Bing

FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 59030
FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Documents and Settings\acitron\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Documents and Settings\acitron\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll No File
FF SearchPlugin: C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: No Name - C:\Documents and Settings\acitron\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: Yontoo Layers - C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\Extensions\plugin@yontoo.com
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff

========================== Services (Whitelisted) =================

S3 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2004-11-01] (Symantec Corporation)
S2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1445912 2004-08-04] (Cisco Systems, Inc.)
S3 Cwbrxd; C:\WINDOWS\CWBRXD.EXE [57344 2005-06-05] (IBM Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation)
S2 STacSV; C:\WINDOWS\system32\StacSV.exe [94208 2007-05-10] (SigmaTel, Inc.)
S2 STCAgent; C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe [267320 2012-01-02] (Cisco Systems, Inc.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S1 awecho; C:\Windows\System32\drivers\awechomd.sys [8368 2004-03-05] (Symantec Corporation)
S1 awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [11165 2003-11-17] (Symantec Corporation)
S1 AW_HOST; C:\Windows\System32\drivers\aw_host5.sys [16984 2003-10-23] (Symantec Corporation)
R3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [161792 2007-10-22] (Broadcom Corporation)
S3 CSVirtA; C:\Windows\System32\DRIVERS\CSVirtA.sys [22136 2012-01-02] (Cisco Systems, Inc.)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5220 2003-05-01] (Cisco Systems, Inc.)
S2 CVPNDRVA; C:\WINDOWS\system32\Drivers\CVPNDRVA.sys [269387 2004-08-04] (Cisco Systems, Inc.)
S3 dfmirage; C:\Windows\System32\DRIVERS\dfmirage.sys [31896 2009-03-28] (DemoForge, LLC)
R3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [139604 2003-07-24] (Deterministic Networks, Inc.)
R0 Gernuwa; C:\Windows\System32\Drivers\Gernuwa.sys [13898 2003-04-21] (Symantec Corporation)
S3 guardian2; C:\Windows\System32\Drivers\oz776.sys [62208 2007-03-26] (O2Micro)
S3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [209152 2006-11-02] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [989696 2006-11-02] (Conexant Systems, Inc.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R3 NETw4x32; C:\Windows\System32\DRIVERS\NETw4x32.sys [2210816 2007-08-28] (Intel Corporation)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [104144 2009-12-29] (Symantec Corporation)
S3 WinDriver6; C:\Windows\System32\DRIVERS\Windrvr6.sys [197416 2009-02-03] (Jungo)
S3 catchme; \??\C:\DOCUME~1\acitron\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
U2 TMAgent;
U3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [x]
S3 TSUSB2; system32\DRIVERS\TSUSB2.sys [x]
S4 vsdatant; a [x]
U1 WS2IFSL;
U3 mbr; \??\C:\DOCUME~1\acitron\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: SSHNAS -> No Registry Path.

==================== One Month Created Files and Folders ========

2013-08-27 14:56 - 2013-08-27 14:57 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\Farbar
2013-08-27 14:23 - 2013-08-27 14:23 - 00007700 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_142346.txt
2013-08-27 14:22 - 2013-08-27 14:57 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\RK_Quarantine
2013-08-27 14:21 - 2013-08-27 14:21 - 00923136 _____ C:\Documents and Settings\acitron\Desktop\RogueKiller.exe
2013-08-27 12:29 - 2013-08-27 12:29 - 00017363 _____ C:\Documents and Settings\acitron\Desktop\attach.txt
2013-08-27 12:29 - 2013-08-27 12:29 - 00012635 _____ C:\Documents and Settings\acitron\Desktop\dds.txt
2013-08-27 12:23 - 2013-08-27 12:23 - 00688992 ____R (Swearware) C:\Documents and Settings\acitron\Desktop\dds.scr
2013-08-27 11:52 - 2013-08-27 11:52 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-08-27 11:13 - 2013-08-27 11:13 - 00001324 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-08-27 10:21 - 2013-08-27 10:21 - 00000000 ____D C:\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-26 13:22 - 2013-08-26 13:22 - 00000000 ____D C:\Documents and Settings\All Users\Kaspersky Lab Setup Files
2013-08-26 11:39 - 2013-08-26 11:40 - 74455064 _____ (Trend Micro Inc.) C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit.exe
2013-08-26 11:33 - 2013-08-26 21:59 - 00000908 _____ C:\Documents and Settings\All Users\Desktop\Trend Micro Titanium Maximum Security Installer.lnk
2013-08-26 11:31 - 2013-08-26 21:58 - 00000000 ____D C:\Program Files\Trend Micro
2013-08-26 10:33 - 2013-08-26 10:52 - 00000664 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2013-08-23 13:36 - 2013-08-23 13:37 - 00010476 _____ C:\Documents and Settings\acitron\Desktop\Rkill.txt
2013-08-23 13:32 - 2013-08-23 13:32 - 00000000 __SHD C:\found.000
2013-08-23 12:00 - 2013-08-27 11:00 - 00000426 ____H C:\WINDOWS\Tasks\{35AAC2CA-73B7-42E4-9E12-5090F0B5A9DF}.job
2013-08-23 12:00 - 2013-08-23 12:00 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 11:28 - 2013-08-23 11:57 - 00060928 _____ C:\WINDOWS\drivfunc.dll
2013-08-23 11:11 - 2013-08-23 11:51 - 00060928 _____ C:\WINDOWS\system32\drivfunc.dll
2013-08-23 11:09 - 2013-08-23 11:09 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 10:59 - 2013-08-23 10:59 - 00182276 _____ C:\WINDOWS\system32\c_7265174.nls
2013-08-23 10:57 - 2013-08-27 11:00 - 00000404 ____H C:\WINDOWS\Tasks\{6864CB23-21C8-4EDB-B557-C27578EAE6BA}.job
2013-08-23 10:57 - 2013-08-23 10:57 - 00000000 ____D C:\Program Files\Google
2013-08-23 10:57 - 2013-08-23 10:57 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-19 14:59 - 2011-05-16 12:31 - 00008592 _____ C:\WINDOWS\system32\ractrlkeyhook.dll

==================== One Month Modified Files and Folders =======

2013-08-27 14:57 - 2013-08-27 14:57 - 00000000 ____D C:\FRST
2013-08-27 14:57 - 2013-08-27 14:56 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\Farbar
2013-08-27 14:57 - 2013-08-27 14:22 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\RK_Quarantine
2013-08-27 14:23 - 2013-08-27 14:23 - 00007700 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_142346.txt
2013-08-27 14:21 - 2013-08-27 14:21 - 00923136 _____ C:\Documents and Settings\acitron\Desktop\RogueKiller.exe
2013-08-27 12:29 - 2013-08-27 12:29 - 00017363 _____ C:\Documents and Settings\acitron\Desktop\attach.txt
2013-08-27 12:29 - 2013-08-27 12:29 - 00012635 _____ C:\Documents and Settings\acitron\Desktop\dds.txt
2013-08-27 12:23 - 2013-08-27 12:23 - 00688992 ____R (Swearware) C:\Documents and Settings\acitron\Desktop\dds.scr
2013-08-27 12:05 - 2008-09-28 17:11 - 00000368 ___SH C:\Documents and Settings\acitron\ntuser.ini
2013-08-27 12:05 - 2008-09-27 23:44 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-27 12:05 - 2008-09-27 23:44 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-27 12:05 - 2008-09-27 23:38 - 01130266 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-27 12:01 - 2008-09-27 23:48 - 00539955 _____ C:\WINDOWS\system32\nvModes.001
2013-08-27 12:01 - 2008-09-27 19:18 - 00194745 _____ C:\WINDOWS\system32\nvapps.xml
2013-08-27 11:52 - 2013-08-27 11:52 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-08-27 11:52 - 2010-04-22 09:27 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-08-27 11:47 - 2008-09-27 23:45 - 00000000 __SHD C:\WINDOWS\CSC
2013-08-27 11:13 - 2013-08-27 11:13 - 00001324 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-08-27 11:13 - 2010-06-01 13:27 - 00000426 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{EF0C38ED-00ED-4766-9EFA-D9FF4BC6659E}.job
2013-08-27 11:00 - 2013-08-23 12:00 - 00000426 ____H C:\WINDOWS\Tasks\{35AAC2CA-73B7-42E4-9E12-5090F0B5A9DF}.job
2013-08-27 11:00 - 2013-08-23 10:57 - 00000404 ____H C:\WINDOWS\Tasks\{6864CB23-21C8-4EDB-B557-C27578EAE6BA}.job
2013-08-27 10:25 - 2010-08-27 11:55 - 00000986 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176UA.job
2013-08-27 10:21 - 2013-08-27 10:21 - 00000000 ____D C:\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-27 10:21 - 2011-12-14 13:23 - 00000000 ____D C:\YardiASP
2013-08-27 09:25 - 2010-08-27 11:55 - 00000934 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176Core.job
2013-08-27 00:20 - 2009-10-14 09:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB974112$
2013-08-26 22:25 - 2008-09-27 19:14 - 00000361 __RSH C:\boot.ini
2013-08-26 21:59 - 2013-08-26 11:33 - 00000908 _____ C:\Documents and Settings\All Users\Desktop\Trend Micro Titanium Maximum Security Installer.lnk
2013-08-26 21:58 - 2013-08-26 11:31 - 00000000 ____D C:\Program Files\Trend Micro
2013-08-26 13:22 - 2013-08-26 13:22 - 00000000 ____D C:\Documents and Settings\All Users\Kaspersky Lab Setup Files
2013-08-26 13:02 - 2009-06-08 10:04 - 00000000 ____D C:\Utilities
2013-08-26 12:30 - 2011-01-11 17:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-26 12:23 - 2008-09-27 19:19 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-08-26 12:07 - 2008-09-27 19:19 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-08-26 11:40 - 2013-08-26 11:39 - 74455064 _____ (Trend Micro Inc.) C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit.exe
2013-08-26 10:52 - 2013-08-26 10:33 - 00000664 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2013-08-26 09:45 - 2004-08-04 08:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-08-24 22:30 - 2008-09-28 03:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB951066$
2013-08-23 13:37 - 2013-08-23 13:36 - 00010476 _____ C:\Documents and Settings\acitron\Desktop\Rkill.txt
2013-08-23 13:32 - 2013-08-23 13:32 - 00000000 __SHD C:\found.000
2013-08-23 12:00 - 2013-08-23 12:00 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 11:57 - 2013-08-23 11:28 - 00060928 _____ C:\WINDOWS\drivfunc.dll
2013-08-23 11:51 - 2013-08-23 11:11 - 00060928 _____ C:\WINDOWS\system32\drivfunc.dll
2013-08-23 11:31 - 2011-01-11 15:29 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-23 11:09 - 2013-08-23 11:09 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 10:59 - 2013-08-23 10:59 - 00182276 _____ C:\WINDOWS\system32\c_7265174.nls
2013-08-23 10:57 - 2013-08-23 10:57 - 00000000 ____D C:\Program Files\Google
2013-08-23 10:57 - 2013-08-23 10:57 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 10:57 - 2010-08-27 11:55 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\Google
2013-08-19 14:59 - 2008-09-27 19:15 - 00808461 _____ C:\WINDOWS\setupapi.log
2013-08-14 13:32 - 2004-08-04 08:00 - 00000664 _____ C:\WINDOWS\win.ini
2013-08-12 11:30 - 2011-12-22 14:34 - 00000000 ____D C:\Documents and Settings\acitron\My Documents\Elon
2013-08-12 10:21 - 2013-07-02 12:52 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\YSI.NetClient
2013-08-07 13:01 - 2008-10-13 13:11 - 00000000 ____D C:\alan
2013-07-30 10:20 - 2008-09-27 19:16 - 00591256 _____ C:\WINDOWS\system32\PerfStringBackup.INI

ZeroAccess:
C:\Windows\Installer\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}
C:\Windows\Installer\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\@
C:\Windows\Installer\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\U\00000001.@

ZeroAccess:
C:\Documents and Settings\acitron\Local Settings\Application Data\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}
C:\Documents and Settings\acitron\Local Settings\Application Data\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\@

Files to move or delete:
====================
C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
ZeroAccess:
C:\DOCUME~1\acitron\LOCALS~1\Application Data\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}
ZeroAccess:
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}
C:\Documents and Settings\acitron\DimdimSetup.exe
C:\Documents and Settings\acitron\GoToAssistDownloadHelper.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\G2MInstallerExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\install_reader10_en_air_gtbd_aih[1].exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-6u33-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-6u37-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-7u10-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-7u15-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-7u21-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\{E47EC140-EC18-4979-B421-F4CEE87D4B83}\_Setup.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\{475E6FBB-9803-4EDA-B342-A9A0A07994A1}\_Setup.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_2\npCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_2\npMozCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_1\npCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_1\npMozCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_0\npCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_0\npMozCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\VSD1B.tmp\DotNetFX\dotnetchk.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temporary Directory 1 for setup.zip\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temporary Directory 1 for Paint.NET.3.5.8.Install[1].zip\Paint.NET.3.5.8.Install.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temporary Directory 1 for MyVisionX.zip\Dev\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temp8-Fg2e8\Common.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temp8-Fg2e8\STCExe.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temp8-Fg2e8\STCResource.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\nst5.tmp\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\nsnC.tmp\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\g2mA.tmp\G2MCoreInstExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\g2m8B.tmp\G2MCoreInstExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\g2m1.tmp\G2MCoreInstExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_V6EH\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_V6EH\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_V6EH\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_U54V\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_U54V\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_U54V\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_SOQ7\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_SOQ7\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_SOQ7\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MTXH\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MTXH\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MTXH\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MFT5\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MFT5\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MFT5\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_811Q\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_811Q\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_811Q\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_7U70\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_7U70\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_7U70\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_5JCB\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_5JCB\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_5JCB\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_50QU\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_50QU\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_50QU\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_1ZFA\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_1ZFA\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_1ZFA\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\95.dir\InstallFlashPlayer.exe
C:\Windows\Tasks\{35AAC2CA-73B7-42E4-9E12-5090F0B5A9DF}.job
C:\Windows\Tasks\{6864CB23-21C8-4EDB-B557-C27578EAE6BA}.job

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Microsoft Security Client\Antimalware => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-08-2013 03
Ran by acitron at 2013-08-27 15:00:51
Running from C:\Documents and Settings\acitron\Desktop\Farbar
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Installed Programs =======================

Adobe Acrobat  8 Standard (Version: 8.1.5)
Adobe Acrobat 8.1.5 - CPSID_49013
Adobe Acrobat 8.1.5 Standard (Version: 8.1.5)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.26)
Adobe Reader X (10.1.3) (Version: 10.1.3)
Adobe Shockwave Player 11 (Version: 11)
A-PDF Content Splitter 3.3
AvidInvoice Client (HKCU Version: 3.1.4.1922)
BardecodeFiler Evaluation 1.5.9 (Version: 1.5.9)
BatchCreator (HKCU Version: 1.0.0.11)
Brother MFC-8480DN (Version: 1.00)
Bullzip PDF Printer 7.2.0.1304 (Version: 7.2.0.1304)
Cisco SSL VPN Client (Version: 1.1.3.173)
Citrix XenApp Plugin for Hosted Apps (Version: 11.0.150.5357)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Conexant HDA D330 MDC V.92 Modem
Coupon Printer for Windows (Version: 5.0.0.1)
Critical Update for Windows Media Player 11 (KB959772)
Crystal Reports 9 (Version: 9.2.0.439)
Elon Management VPN Connection (Version: 1.0)
ELONUMM (HKCU Version: 1.1.1.139)
EPMSearch (HKCU Version: 1.0.0.2)
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892) (Version: 9.3.4053)
Google Talk Plugin (Version: 2.3.2.0)
GoToAssist 8.0.0.514
GoToMeeting 5.5.0.1132 (HKCU Version: 5.5.0.1132)
GPL Ghostscript Lite 8.70
IBM iSeries Access for Windows
Java Auto Updater (Version: 2.0.2.1)
Java 6 Update 20 (Version: 6.0.200)
Java 6 Update 7 (Version: 1.6.0.70)
join.me (HKCU Version: 1.9.1.204)
LiveReg (Symantec Corporation) (Version: 2.4.2.2295)
LiveUpdate 2.5 (Symantec Corporation) (Version: 2.5.56.0)
LuraDocument PDF Compressor Desktop (Version: 4.2.0441)
LuraDocument PDF Compressor Desktop 4.2.0441 (Version: 4.2.0441)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Antimalware (Version: 3.0.8107.0)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Live Meeting 2007 (Version: 8.0.6362.187)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Project Standard 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 (KB971119) (Version: 9.0.30731)
Microsoft Security Client (Version: 2.0.0657.0)
Microsoft Silverlight (Version: 3.0.50106.0)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.6425.1000)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) (Version: 9.3.4035.00)
Microsoft SQL Server Management Studio Express (Version: 9.00.3042.00)
Microsoft SQL Server Native Client (Version: 9.00.4035.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.4035.00)
Microsoft SQL Server VSS Writer (Version: 9.00.4035.00)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Millennium 3 (Version: 3.18)
Mozilla Firefox (3.6.3) (Version: 3.6.3 (en-US))
mp (Version: 05.03.0000)
mpmri (Version: 05.03.0000)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (Version: 6.10.1129.0)
NVIDIA Drivers (Version: 1.3)
Panasonic Communications Utility (Version: 1.000)
Panasonic Device Explorer (Version: 1.000)
Panasonic Network Configuration and Address Book Editor Common (Version: 1.000)
Panasonic Network Configuration and Address Book Editor Model (Version: 1.00.000)
Panasonic Quick Image Navigator (Version: 1.000)
Panasonic Windows Firewall Setting Tool (Version: 1.00.0004)
Screencaster Plug-in for IE (Version: 5.1.0.0)
ScrewDrivers Client v4 (Version: 4.6.01.09)
Skype Toolbars (Version: 1.0.4051)
Skype™ 4.2 (Version: 4.2.163)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Spybot - Search & Destroy (Version: 1.6.2)
Symantec pcAnywhere (Version: 11.5.0)
UMM - 1  (HKCU Version: 1.1.1.118)
UMM (HKCU Version: 1.1.1.60)
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB973874) (Version: 1)
Update for Windows Internet Explorer 8 (KB975364) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB978506) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB980302) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Vim 7.2 (self-installing)
VisionX (Version: 3.3.2)
VLC media player 1.1.5 (Version: 1.1.5)
Warning
WebEx
WebFldrs XP (Version: 9.50.7523)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows PowerShell 1.0 MUI pack (Version: 2)
Windows Presentation Foundation (Version: 3.0.6920.0)
WinDriver6 USB Driver
WinZip 17.5 (Version: 17.5.10480)
XML Notepad 2007 (Version: 2.3.0.0)
XML Paper Specification Shared Components Pack 1.0
Yardi Systems CheckScan Client Tool (Version: 3.0.0)
Yardi Systems CheckScan Client Tool (Version: 4.0.0)
yCheck
==================== Restore Points  =========================

27-05-2013 18:00:59 System Checkpoint
28-05-2013 18:06:27 System Checkpoint
29-05-2013 18:35:50 System Checkpoint
30-05-2013 21:07:10 System Checkpoint
31-05-2013 21:33:37 System Checkpoint
03-06-2013 15:56:12 System Checkpoint
04-06-2013 16:19:56 System Checkpoint
05-06-2013 18:03:19 System Checkpoint
06-06-2013 18:08:31 System Checkpoint
07-06-2013 18:14:14 System Checkpoint
08-06-2013 18:31:56 System Checkpoint
10-06-2013 14:05:53 System Checkpoint
11-06-2013 14:15:09 System Checkpoint
12-06-2013 15:22:52 System Checkpoint
13-06-2013 18:02:06 System Checkpoint
14-06-2013 18:40:06 System Checkpoint
15-06-2013 18:40:38 System Checkpoint
17-06-2013 15:52:29 System Checkpoint
18-06-2013 18:01:12 System Checkpoint
19-06-2013 19:11:36 System Checkpoint
20-06-2013 21:19:51 System Checkpoint
24-06-2013 17:54:55 System Checkpoint
25-06-2013 18:20:54 System Checkpoint
01-07-2013 17:48:51 System Checkpoint
02-07-2013 17:52:32 System Checkpoint
03-07-2013 19:04:21 System Checkpoint
04-07-2013 19:34:01 System Checkpoint
05-07-2013 20:34:01 System Checkpoint
06-07-2013 21:34:00 System Checkpoint
08-07-2013 14:25:35 System Checkpoint
09-07-2013 17:53:37 System Checkpoint
10-07-2013 19:06:59 System Checkpoint
11-07-2013 19:34:56 System Checkpoint
12-07-2013 20:17:42 System Checkpoint
13-07-2013 21:17:42 System Checkpoint
15-07-2013 17:49:55 System Checkpoint
17-07-2013 14:02:23 System Checkpoint
18-07-2013 17:54:07 System Checkpoint
19-07-2013 18:35:09 System Checkpoint
22-07-2013 17:53:49 System Checkpoint
23-07-2013 17:54:47 System Checkpoint
24-07-2013 18:51:46 System Checkpoint
25-07-2013 22:01:39 System Checkpoint
29-07-2013 17:55:11 System Checkpoint
30-07-2013 19:00:52 System Checkpoint
31-07-2013 19:06:34 System Checkpoint
01-08-2013 21:11:03 System Checkpoint
05-08-2013 17:55:15 System Checkpoint
06-08-2013 19:07:08 System Checkpoint
07-08-2013 19:10:47 System Checkpoint
08-08-2013 21:35:29 System Checkpoint
09-08-2013 21:36:19 System Checkpoint
12-08-2013 17:51:25 System Checkpoint
13-08-2013 17:54:39 System Checkpoint
14-08-2013 17:56:54 System Checkpoint
15-08-2013 18:40:56 System Checkpoint
16-08-2013 18:45:51 System Checkpoint
17-08-2013 19:45:50 System Checkpoint
19-08-2013 16:38:42 System Checkpoint
20-08-2013 16:47:04 System Checkpoint
21-08-2013 17:55:48 System Checkpoint
22-08-2013 21:26:13 System Checkpoint

==================== Hosts content: ==========================

2004-08-04 08:00 - 2013-08-23 10:59 - 00000761 _RASH C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176Core.job => C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176UA.job => C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{EF0C38ED-00ED-4766-9EFA-D9FF4BC6659E}.job => C:\WINDOWS\system32\msfeedssync.exe
Task: C:\WINDOWS\Tasks\{35AAC2CA-73B7-42E4-9E12-5090F0B5A9DF}.job => C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
Task: C:\WINDOWS\Tasks\{6864CB23-21C8-4EDB-B557-C27578EAE6BA}.job => C:\Documents and Settings\acitron\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe

==================== Alternate Data Streams (whitelisted) ==========

==================== Faulty Device Manager Devices =============

Name: Cisco Systems VPN Adapter
Description: Cisco Systems VPN Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Cisco Systems SSL VPN Adapter
Description: Cisco Systems SSL VPN Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Cisco Systems
Service: CSVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (08/27/2013 00:09:16 PM) (Source: UserInit) (User: )
Description: Could not execute the following script login.bat. The system cannot find the file specified.
.

Error: (08/27/2013 00:09:09 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (08/27/2013 00:09:06 PM) (Source: Userenv) (User: EPMAPTS)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.  

DETAIL - The network path was not found.

Error: (08/27/2013 00:06:25 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (08/27/2013 00:02:33 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for EPMAPTS\acitron failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

Error: (08/27/2013 00:01:31 PM) (Source: STCAgent) (User: )
Description: Termination reason code 10 [FAST_USER_SWITCH]

Error: (08/27/2013 00:01:29 PM) (Source: UserInit) (User: )
Description: Could not execute the following script login.bat. The system cannot find the file specified.
.

Error: (08/27/2013 00:01:22 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (08/27/2013 00:01:19 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.  

DETAIL - The network path was not found.

Error: (08/27/2013 00:01:08 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

System errors:
=============
Error: (08/27/2013 00:09:30 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/27/2013 00:07:32 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/27/2013 00:07:32 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
awlegacy
AW_HOST
Fips
intelppm
MpFilter

Error: (08/27/2013 00:06:24 PM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain EPMAPTS due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (08/27/2013 00:02:07 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/27/2013 00:01:12 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (08/27/2013 00:01:12 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (08/27/2013 00:01:07 PM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain EPMAPTS due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (08/27/2013 11:55:25 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/27/2013 11:54:35 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 2045.89 MB
Available physical RAM: 1542.91 MB
Total Pagefile: 3942.45 MB
Available Pagefile: 3664.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1939.65 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.53 GB) (Free:38.68 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder; please post it in your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder, which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Thanks MrCharlie!!

Looks like it worked. It still seems a bit sluggish, but that just might be my imagination. I don't see the fix damage tool that you mentioned.

Original mbar.txt:

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.08.27.07

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
acitron :: ACITRON-LAPTOP [administrator]

8/27/2013 3:38:40 PM
mbar-log-2013-08-27 (15-38-40).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 426851
Time elapsed: 17 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\SYSTEM32\drivers\acpi.sys (Rootkit.RLoader) -> Replace on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

mbar text after clean-up

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.08.27.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
acitron :: ACITRON-LAPTOP [administrator]

8/27/2013 4:00:48 PM
mbar-log-2013-08-27 (16-00-48).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 427430
Time elapsed: 23 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

system-log.txt

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_20

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 2145275904, free: 1582182400

Downloaded database version: v2013.08.27.07
Downloaded database version: v2013.08.06.01
Initializing...
======================
------------ Kernel report ------------
     08/27/2013 15:38:27
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
pcmcia.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Gernuwa.sys
Mup.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw4x32.sys
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\dne2000.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\DOCUME~1\acitron\LOCALS~1\Temp\mbr.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8aa5fab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff8a994030
Lower Device Driver Name: \Driver\atapi\
IRP handler 15 of \Driver\atapi is hooked
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8aa5fab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff8a994030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8aa5fab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8aa5c930, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8aa5fab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a994030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe294d4d0, 0xffffffff8aa5fab8, 0xffffffff878b5040
Lower DeviceData: 0xffffffffe13fb8e0, 0xffffffff8a994030, 0xffffffff876c1798
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Replacement file found for a file C:\WINDOWS\SYSTEM32\drivers\acpi.sys
Infected: C:\WINDOWS\SYSTEM32\drivers\acpi.sys --> [Rootkit.RLoader]
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 156296322
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_20

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 2145275904, free: 1597931520

=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_20

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 2145275904, free: 1547345920

=======================================
Initializing...
------------ Kernel report ------------
     08/27/2013 16:00:34
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
pcmcia.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Gernuwa.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\drivers\aw_host5.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw4x32.sys
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\dfmirage.sys
\SystemRoot\system32\DRIVERS\dne2000.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\Windrvr6.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSFHWAZL.sys
\SystemRoot\system32\DRIVERS\HSF_DPV.sys
\SystemRoot\system32\DRIVERS\HSF_CNXT.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\tcusb.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\system32\drivers\awechomd.sys
\SystemRoot\System32\Drivers\awlegacy.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\Drivers\oz776.sys
\SystemRoot\System32\Drivers\SMCLIB.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\??\C:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\drivers\kmixer.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ab1bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff8aabe520
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ab1bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a9d9e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ab1bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8aabe520, DeviceName: \Device\Ide\IdeDeviceP1T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 156296322
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_20

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 2145275904, free: 1589272576

=======================================


Run another scan with RogueKiller and post the new log....MrC

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Here is the latest RogueKiller file. As I said, it could very well be that I'm back to where I was; it just "seems" as if Windows takes an extra couple of seconds to draw the initial desktop and taskbar on startup. It is certainly very functional, just want to make sure nothing is still lurking.

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : acitron [Admin rights]
Mode : Scan -- Date : 08/27/2013 16:57:29
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\WINDOWS\drivfunc.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\.DEFAULT\[...]\RunOnce : ygaho (C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1\ygaho.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18\[...]\RunOnce : ygaho (C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1\ygaho.exe [x]) -> FOUND
[SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 10173 (C:\Documents and Settings\acitron\Local Settings\Temp\10173.sys [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\   \   \???ﯹ๛\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][sUSP PATH] GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176UA.job : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [x][x] -> FOUND
[V1][sUSP PATH] GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176Core.job : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /c [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp", "127.0.0.1"); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp_port", 59030); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.type", 1); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST980813ASG +++++
--- User ---
[MBR] 45b865fdce2713d4dc2d3c2e7cc3f5d6
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08272013_165729.txt >>
RKreport[0]_S_08272013_142346.txt
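
RogueKiller's MBR Check above and the MBAR log posted earlier read the same partition table: boot signature 55AA, disk signature 41AB2316, one active NTFS (0x07) partition starting at LBA 63 with 156296322 sectors on an 80026361856-byte disk, after which MBAR walks the unpartitioned sectors, since sectors outside any partition are a place a bootkit can keep code that no file system scan will see. As an added example that is not part of this thread and is neither Malwarebytes' nor RogueKiller's code, the Python below builds a constructed 512-byte MBR image carrying those values (the CHS fields are filler) and applies the sanity checks a defender would run on a dumped sector 0: signature present, exactly one active partition, no entry reaching past the end of the disk, no overlapping entries, and a list of the unpartitioned ranges left over. The `build_sample_mbr` and `parse_mbr` names are my own.

```python
import struct

SECTOR_SIZE = 512
# Values taken from the MBAR log in this thread: disk size, disk signature, partition 0 extent
DISK_SIZE_BYTES = 80026361856
DISK_SIGNATURE = 0x41AB2316
PART0_LBA, PART0_COUNT = 63, 156296322


def build_sample_mbr(count=PART0_COUNT, signature=b"\x55\xAA"):
    """Constructed 512-byte MBR image mirroring the thread's partition table
    (one active NTFS partition, type 0x07). The parameters let a caller build a
    deliberately inconsistent image to exercise the checks in parse_mbr()."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 0x1B8, DISK_SIGNATURE)  # disk signature (little-endian DWORD)
    # Entry 0 at 0x1BE: boot flag, CHS start (3 bytes, filler), type, CHS end (filler), start LBA, sector count
    struct.pack_into("<B3sB3sII", mbr, 0x1BE,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", PART0_LBA, count)
    mbr[0x1FE:0x200] = signature  # boot signature, normally 55 AA
    return bytes(mbr)


def parse_mbr(mbr, disk_size_bytes, sector_size=SECTOR_SIZE):
    """Parse the four partition entries and return a report holding the parsed
    entries, sanity findings, and the unpartitioned sector ranges a rootkit
    scanner would want to inspect."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    total_sectors = disk_size_bytes // sector_size
    findings = []
    report = {
        "signature_ok": mbr[0x1FE:0x200] == b"\x55\xAA",
        "disk_signature": "%08X" % struct.unpack_from("<I", mbr, 0x1B8)[0],
        "partitions": [],
        "unpartitioned": [],
        "findings": findings,
    }
    if not report["signature_ok"]:
        findings.append("boot signature is not 55AA")

    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 0x1BE + 16 * i)
        part = {"index": i, "active": flag == 0x80, "type": ptype, "lba": lba, "count": count}
        report["partitions"].append(part)
        if flag not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid boot flag 0x{flag:02X}")
        if ptype == 0x00:
            if lba or count:
                findings.append(f"partition {i}: empty type but non-zero extent")
            continue
        if count == 0:
            findings.append(f"partition {i}: zero-length partition")
        elif lba + count > total_sectors:
            findings.append(f"partition {i}: extends past end of disk ({lba + count} > {total_sectors})")

    # Occupied extents as (start, end-exclusive, index), sorted by start LBA
    used = sorted((p["lba"], p["lba"] + p["count"], p["index"])
                  for p in report["partitions"] if p["type"] and p["count"])
    for (s1, e1, i1), (s2, e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    if sum(p["active"] for p in report["partitions"]) != 1:
        findings.append("expected exactly one active partition")

    # Sector 0 is the MBR itself; gaps before, between and after partitions are unpartitioned
    cursor = 1
    for start, end, _ in used:
        if start > cursor:
            report["unpartitioned"].append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        report["unpartitioned"].append((cursor, total_sectors - 1))
    return report


if __name__ == "__main__":
    rep = parse_mbr(build_sample_mbr(), DISK_SIZE_BYTES)
    print("signature ok:", rep["signature_ok"], "disk signature:", rep["disk_signature"])
    for p in rep["partitions"]:
        print(p)
    print("unpartitioned ranges:", rep["unpartitioned"])
    print("findings:", rep["findings"] or "none")
```

To run this against a real machine, read the first 512 bytes of the physical disk with an administrative tool of your choice and pass the disk size the OS reports; for the constructed image the findings list is empty and the unpartitioned ranges are sectors 1 to 62 and 156296385 to 156301487, the gap before the first partition and the tail after it, which are exactly the regions a scanner such as MBAR walks after reading the table.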
Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-20\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND

[RUN][SUSP PATH] HKUS\.DEFAULT\[...]\RunOnce : ygaho (C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1\ygaho.exe [x]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-20\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe [-]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-18\[...]\RunOnce : ygaho (C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1\ygaho.exe [x]) -> FOUND

[SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 10173 (C:\Documents and Settings\acitron\Local Settings\Temp\10173.sys [x]) -> FOUND

[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\ \ \???ﯹ๛\{90fb1b1b-ebd2-da34-5e2f-73ed7a935269}\GoogleUpdate.exe" < [x]) -> FOUND

[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][Folder] Install : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND

[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

[SUSP PATH][DLL] explorer.exe -- C:\WINDOWS\drivfunc.dll [x] -> UNLOADED

Now click Delete on the right hand column under Options

-------------

Reboot and run another scan to ensure they're gone.

-------------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
If you agree with everything listed to be removed in the folders section...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC

Computer is running great - might be a slight hesitation when starting IE, but if it is clean I am very happy!! Thanks!

Original adwcleaner log:

# AdwCleaner v3.001 - Report created 27/08/2013 at 17:47:14
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : acitron - ACITRON-LAPTOP
# Running from : C:\Documents and Settings\acitron\Desktop\Farbar\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\Extensions\plugin@yontoo.com
Folder Found C:\Documents and Settings\acitron\IECompatCache
Folder Found C:\Program Files\Yontoo Layers Client

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\Software\Tarma Installer
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v3.6.3 (en-US)

[ File : C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [4248 octets] - [27/08/2013 17:47:14]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4308 octets] ##########

Log after clean

# AdwCleaner v3.001 - Report created 27/08/2013 at 18:52:31
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : acitron - ACITRON-LAPTOP
# Running from : C:\Documents and Settings\acitron\Desktop\Farbar\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Yontoo Layers Client
Folder Deleted : C:\Documents and Settings\acitron\IECompatCache
Folder Deleted : C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\Extensions\plugin@yontoo.com

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v3.6.3 (en-US)

[ File : C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [4388 octets] - [27/08/2013 17:47:14]
AdwCleaner[R1].txt - [4448 octets] - [27/08/2013 18:51:52]
AdwCleaner[S0].txt - [4451 octets] - [27/08/2013 18:52:31]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4511 octets] ##########

Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.27.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
acitron :: ACITRON-LAPTOP [administrator]

8/27/2013 7:00:38 PM
mbam-log-2013-08-27 (19-00-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: File System | P2P
Objects scanned: 414437
Time elapsed: 1 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Good...IE sucks..use Google Chrome!!!

------------------------

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

One of my on-line apps only runs on IE :(

The other time it seems slow is when Windows first starts - it takes about 10 seconds for the desktop icons and task bar to appear after the background picture displays. Again not an issue as far as usability - just as long as I am clean!

 Results of screen317's Security Check version 0.99.73 
 Windows XP Service Pack 3 x86 (UAC is disabled!) 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials  
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 6 Update 20 
 Java 6 Update 7 
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 8 Adobe Reader out of Date!
 Adobe Reader 10.1.3 Adobe Reader out of Date! 
 Mozilla Firefox (3.6.3) Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Outdated programs on the system are vulnerable to malware.

Please update or uninstall them:

~~~~~~~~~~~~~~~~~~~~~~~

Please uninstall these and all other Java versions listed in your add/remove programs:

Java™ 6 Update 20

Java™ 6 Update 7

Java version out of Date! <-------Download and install the latest version (Java™ 7 Update 25) from Here.

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

----------------------------------

Adobe Flash Player 10 Flash Player out of Date! <--------please check for an update if available

---------------------------------------

Adobe Reader 8 Adobe Reader out of Date! <----please uninstall from your add/remove programs

Adobe Reader 10.1.3 Adobe Reader out of Date! <---please check for an update if available, or uninstall it and download and install Foxit Reader, which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

---------------------------------------

Mozilla Firefox (3.6.3) Firefox out of Date! <----please check for an update if available

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little cleanup to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:

Download the fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

That will delete the quarantine folder created by FRST.

-----------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


OK......

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC


Thanks for continuing!

 

Here is the log file

 

RogueKiller V8.6.7 [Aug 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : acitron [Admin rights]
Mode : Scan -- Date : 08/28/2013 13:55:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH][DLL] explorer.exe -- C:\WINDOWS\drivfunc.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce :  (A0) (cmd /c "C:\Documents and Settings\acitron\Desktop\Farbar\New Folder\mbar\mbar.exe" /rdv /s [7]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][sUSP PATH] GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176UA.job : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [x][x] -> FOUND
[V1][sUSP PATH] GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176Core.job : C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /c [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp", "127.0.0.1"); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp_port", 59030); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.type", 1); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[122] : NtOpenProcess @ 0x805CB3FA -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB1C99A24)
[Address] SSDT[128] : NtOpenThread @ 0x805CB686 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB1C99B70)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST980813ASG +++++
--- User ---
[MBR] 45b865fdce2713d4dc2d3c2e7cc3f5d6
[bSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08282013_135524.txt >>
RKreport[0]_D_08272013_171931.txt;RKreport[0]_D_08272013_174346.txt;RKreport[0]_S_08272013_142346.txt
RKreport[0]_S_08272013_165729.txt;RKreport[0]_S_08272013_171644.txt;RKreport[0]_S_08272013_172624.txt
RKreport[0]_S_08272013_174310.txt;RKreport[0]_S_08272013_182518.txt;RKreport[0]_S_08282013_105041.txt

 

 


What browser is redirected?

You have some proxy set up in Firefox:
 

[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp", "127.0.0.1"); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.hxxp_port", 59030); -> FOUND
[FF][PROXY] ld09q662.default : user_pref("network.proxy.type", 1); -> FOUND

 


MrC
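As an added defender-side check (not part of this thread, RogueKiller or Malwarebytes), the following Python snippet parses a Firefox prefs.js and flags the pattern MrC points at above: a manual proxy (network.proxy.type 1) whose endpoint is the local machine, meaning a process on the box is sitting between the browser and the network. The sample prefs are constructed to mirror the log; the real pref name is assumed to be network.proxy.http, with the log's "hxxp" taken to be the forum's defanging of "http".

```python
import re
from ipaddress import ip_address

# Constructed sample mirroring the RogueKiller findings (not the poster's real prefs.js).
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 59030);
user_pref("network.proxy.type", 1);
'''

# One user_pref("name", value); per line, as Firefox writes prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)
LOOPBACK_NAMES = {"localhost"}


def parse_prefs(text):
    """Return {pref_name: value}; strings are unquoted, bools and ints converted."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def audit_firefox_proxy(text):
    """Flag manual proxy settings (type 1) whose http/ssl/socks endpoint is the local machine."""
    prefs = parse_prefs(text)
    findings = []
    if prefs.get("network.proxy.type") != 1:
        return findings  # 0 = direct, 2 = PAC, 4 = WPAD, 5 = system: not the pattern in the log
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host and is_loopback(host):
            findings.append(f"{scheme} proxy on loopback {host}:{port}: a local process is intercepting browser traffic")
    return findings
```

On a live system, point it at prefs.js inside the affected profile (here ld09q662.default) and pair any hit with the local process listening on that port.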

