
Extortion Virus-CryptoLocker on a Server



It is on a Windows 2003 server. The dds doesn't run on this system. Long story short, one of our users got the CryptoLocker virus, and it infected our shared/Active Directory server. The MBAM clean-up shows nothing, but I am still getting warnings from McAfee's scanner that the autorun.worm.aaeh!pheur is attacking various users in our systems. Here is the original log file of the MBAM that ran. Also, I believe several of our data files may be corrupted/encrypted; however, I do have a backup of the data that I could potentially recover. Any help getting rid of this would be welcomed.

9/17/2013 9:03:25 AM Engine version                          = 5600.1067
9/17/2013 9:03:25 AM AntiVirus   DAT version                 = 7200.0
9/17/2013 9:03:25 AM Number of detection signatures in EXTRA.DAT = None
9/17/2013 9:03:25 AM Names of detection signatures in EXTRA.DAT  = None
9/17/2013 9:03:25 AM Scan Started EWIRELESS\Administrator On-Demand Scan
9/17/2013 9:18:33 AM Not scanned (The file is encrypted) d:\it\IT_AntiVirus\avira_free_antivirus_en.exe
9/17/2013 9:19:10 AM Not scanned (The file is encrypted) d:\it\IT_Roamtalk\ROAMTALK.zip
9/17/2013 9:41:12 AM Not scanned (The file is encrypted) d:\users\mickeyl\My Documents\99icons.zip
9/17/2013 9:58:07 AM Deleted Administrator ODS d:\users\mtapili\1-03 cingular buy.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:08 AM Deleted Administrator ODS d:\users\mtapili\04-05-05 Verizon Available Numbers.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:09 AM Deleted Administrator ODS d:\users\mtapili\ACCT 200106372 FOR LARRY MAEATAANOA.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:11 AM Deleted Administrator ODS d:\users\mtapili\20130911101234.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:12 AM Deleted Administrator ODS d:\users\mtapili\Auntie Oilau's Funeral.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:13 AM Deleted Administrator ODS d:\users\mtapili\bioteu.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:15 AM Deleted Administrator ODS d:\users\mtapili\Auto accident.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:16 AM Deleted Administrator ODS d:\users\mtapili\cingular changes.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:18 AM Deleted Administrator ODS d:\users\mtapili\DESKTOP.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:20 AM Deleted Administrator ODS d:\users\mtapili\Merla Backup 03-06.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:21 AM Deleted Administrator ODS d:\users\mtapili\COPIES OF DOCUMENTS FOR AFLAC - CLAIM DOCUMENTS.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:23 AM Deleted Administrator ODS d:\users\mtapili\MERLA TAPILI W2 FORM INFO.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:24 AM Deleted Administrator ODS d:\users\mtapili\MIKE PENNINGTON - DECEMBER 2012 BILL.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:26 AM Deleted Administrator ODS d:\users\mtapili\Mike Gearins activations report     2-29-2012.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:28 AM Deleted Administrator ODS d:\users\mtapili\MICHAEL BAGNUOLO'S IPHONE 5 INVOICE.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:29 AM Deleted Administrator ODS d:\users\mtapili\Miss Daisy Funera.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:31 AM Deleted Administrator ODS d:\users\mtapili\NAME CHANGE FOR ZARE.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:32 AM Deleted Administrator ODS d:\users\mtapili\NOVEMBER 2012 BILL.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:33 AM Deleted Administrator ODS d:\users\mtapili\MITSUBISHI ACCOUN CHANGE FOR JOSE C. LEMUS.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:35 AM Deleted Administrator ODS d:\users\mtapili\October, 2012 - Anthony Rothman.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:36 AM Deleted Administrator ODS d:\users\mtapili\OCTOBER BILLING - 1143668.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:37 AM Deleted Administrator ODS d:\users\mtapili\Odelia Mirzadeh - account summary 1153337.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:38 AM Deleted Administrator ODS d:\users\mtapili\PACIFIC DOCUMENT SIGNING INC. ATTN - FARAMARZ SIMAB.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:50 AM Deleted Administrator ODS d:\users\mtapili\NOVEMBER BILL - 1135557.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:51 AM Deleted Administrator ODS d:\users\mtapili\Passwords.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:52 AM Deleted Administrator ODS d:\users\mtapili\Porn.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:55 AM Deleted Administrator ODS d:\users\mtapili\PHONE INSURANCE FORMS.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:56 AM Deleted Administrator ODS d:\users\mtapili\RAVI.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:57 AM Deleted Administrator ODS d:\users\mtapili\SAFER & SOUND SYSTEMS BILLING.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:59 AM Deleted Administrator ODS d:\users\mtapili\RATE PLAN CHANGE FOR 1157494 - ELIZABETH L. BERG .exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:00 AM Deleted Administrator ODS d:\users\mtapili\SEPTEMBER BILLING - 1143668.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:00 AM Delete failed (Clean failed) Administrator ODS d:\users\mtapili\Sexy.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:00 AM Delete failed (Clean failed) Administrator ODS d:\users\mtapili\SHAM 12-24-2012.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:01 AM Deleted Administrator ODS d:\users\mtapili\SIGNED TAX INTERVIEW FORM - MERLA TAPILI.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:02 AM Deleted Administrator ODS d:\users\mtapili\SALAR TAHOUR BILLING.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:04 AM Deleted Administrator ODS d:\users\mtapili\VERIZON.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:07 AM Deleted Administrator ODS d:\users\mtapili\Secret.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 10:45:13 AM Not scanned (The file is encrypted) d:\users\khris\Adobe.CS3.Master.Collection.Corporate.rar
9/17/2013 11:24:29 AM Not scanned (The file is encrypted) d:\it\IT_Applications\Watchguard VPN Client\Install\NCP Client - Better\vpn.zip
9/17/2013 11:24:32 AM Not scanned (The file is encrypted) d:\it\IT_Applications\Watchguard VPN Client\Install\Shrew Client\vpn.zip
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Scan Summary
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Processes scanned    : 61
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Processes detected   : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Processes cleaned    : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Boot sectors scanned : 4
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Boot sectors detected: 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Boot sectors cleaned : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Files scanned        : 141712
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Files with detections: 37
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator File detections      : 37
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Files cleaned        : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Files deleted        : 35
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Files not scanned    : 50
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Scan Summary (Registry Scanning)
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Keys scanned         : 26108
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Keys detected        : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Keys cleaned         : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Keys deleted         : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Scan Summary (Cookie Scanning)
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Cookies scanned      : 102
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Cookies detected     : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Cookies cleaned      : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Cookies deleted      : 0
9/17/2013 1:00:25 PM Scan Summary EWIRELESS\Administrator Run time             : 3:57:01
9/17/2013 1:00:25 PM Scan Complete EWIRELESS\Administrator On-Demand Scan
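To make a scan log like the one above easier to act on, here is an added example (not from the original post and not McAfee's own tooling) that parses lines in this log's layout and pulls out the follow-up items: deletions that failed, which user folders held detections, and files the engine skipped because it could not open them. The sample lines inside it are constructed in the same layout; the domain, account and user names in them are made up.

```python
"""Triage helper for a McAfee VirusScan Enterprise on-demand scan (ODS) log.

Added example (not from the original post or from McAfee). It reads the log
layout posted above: "<date> <time> <AM|PM> <action> ..." and pulls out the
items a responder has to act on. The sample log below is constructed in that
layout; the domain, account and user names in it are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same layout as the log posted in the thread.
SAMPLE_LOG = r"""
9/17/2013 9:03:25 AM Engine version                          = 5600.1067
9/17/2013 9:03:25 AM Scan Started EXAMPLE\Administrator On-Demand Scan
9/17/2013 9:18:33 AM Not scanned (The file is encrypted) d:\it\tools\setup.zip
9/17/2013 9:58:07 AM Deleted Administrator ODS d:\users\alice\invoice 2012.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:58:08 AM Deleted Administrator ODS d:\users\alice\Passwords.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 9:59:00 AM Delete failed (Clean failed) Administrator ODS d:\users\alice\report.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 10:45:13 AM Not scanned (The file is encrypted) d:\users\bob\archive.rar
9/17/2013 11:00:00 AM Deleted Administrator ODS d:\users\bob\DESKTOP.exe W32/Autorun.worm.aaeh!pheur (Virus)
9/17/2013 1:00:25 PM Scan Summary EXAMPLE\Administrator Files with detections: 4
"""

# Every line starts with a US-style timestamp; the rest is free text.
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<rest>.*)$")
# Detection lines: action, account, "ODS", path (may contain spaces),
# signature name, then the detection kind in parentheses.
DETECTION_RE = re.compile(
    r"^(?P<action>Deleted|Cleaned|Delete failed \([^)]*\)) "
    r"(?P<account>\S+) ODS (?P<path>.+?) (?P<signature>\S+) \((?P<kind>[^)]+)\)$")
# Files the engine could not open, with the reason it gives.
NOT_SCANNED_RE = re.compile(r"^Not scanned \((?P<reason>[^)]+)\) (?P<path>.+)$")
# Owner of a per-user share folder, e.g. d:\users\alice\... -> alice
USER_FOLDER_RE = re.compile(r"^[a-z]:\\users\\(?P<user>[^\\]+)\\", re.IGNORECASE)


@dataclass
class Detection:
    timestamp: str
    action: str
    account: str
    path: str
    signature: str
    kind: str

    @property
    def removed(self) -> bool:
        return self.action in ("Deleted", "Cleaned")

    @property
    def user_folder(self) -> str:
        m = USER_FOLDER_RE.match(self.path)
        return m.group("user").lower() if m else "other"


def parse_ods_log(text: str):
    """Return (detections, not_scanned) for the lines that are actionable."""
    detections, not_scanned = [], []
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw.strip())
        if not m:
            continue  # blank line or a wrapped continuation we cannot attribute
        ts, rest = m.group("ts"), m.group("rest")
        d = DETECTION_RE.match(rest)
        if d:
            detections.append(Detection(ts, d["action"], d["account"],
                                        d["path"], d["signature"], d["kind"]))
            continue
        n = NOT_SCANNED_RE.match(rest)
        if n:
            not_scanned.append((ts, n["reason"], n["path"]))
    return detections, not_scanned


def triage(text: str) -> dict:
    """Summarise what needs follow-up after the scan."""
    detections, not_scanned = parse_ods_log(text)
    return {
        "detections": len(detections),
        "deleted": sum(1 for d in detections if d.removed),
        # Files the scanner could not remove are still sitting on the share.
        "delete_failed": [d.path for d in detections if not d.removed],
        # Which users' folders were hit: those users' workstations need a look.
        "by_user_folder": dict(Counter(d.user_folder for d in detections)),
        "signatures": dict(Counter(d.signature for d in detections)),
        # "The file is encrypted" means the engine could not open the file
        # (typically a password-protected archive); review these by hand
        # before treating them as ransomware output.
        "encrypted_not_scanned": [p for _, reason, p in not_scanned
                                  if "encrypted" in reason.lower()],
    }


def report(summary: dict) -> list:
    """Render the triage summary as plain text lines for the ticket."""
    lines = [f"{summary['detections']} detection(s), {summary['deleted']} removed; "
             f"signatures: {', '.join(summary['signatures']) or 'none'}"]
    for path in summary["delete_failed"]:
        lines.append(f"FOLLOW UP - removal failed, still on disk: {path}")
    for user, n in sorted(summary["by_user_folder"].items()):
        lines.append(f"user folder '{user}': {n} detection(s) - check that user's workstation")
    for path in summary["encrypted_not_scanned"]:
        lines.append(f"REVIEW - skipped as encrypted: {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```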

Welcome to the forum.

Here's a topic on it... it's 24 pages long right now:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/?p=3150230

We could probably get rid of the virus, but the locked files are another story.

I never worked with a server but I'll give it a try.

See if you can do this:

Please download Farbar Recovery Scan Tool and save it to a folder. (Use the correct version for your system.)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------

You may want to kill autorun with MS Fixit:

http://support.microsoft.com/kb/967715

MrC


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-09-2013 01

Ran by Administrator (administrator) on EWDC2 on 20-09-2013 08:26:47

Running from F:\

Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Normal

 

==================== Processes (Whitelisted) ===================

 

(Microsoft Corporation) C:\WINDOWS\system32\Dfssvc.exe

(Microsoft Corporation) C:\WINDOWS\System32\dns.exe

(Microsoft Corporation) C:\WINDOWS\System32\ismserv.exe

(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\FrameworkService.exe

(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

(McAfee, Inc.) C:\WINDOWS\system32\mfevtps.exe

(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

(Microsoft Corporation) C:\WINDOWS\system32\ntfrs.exe

(iAnywhere Solutions, Inc.) C:\Program Files\Lathem Time Corporation\PayClock\dbsrv11.exe

(Lathem Time Corporation) C:\Program Files\Lathem Time Corporation\PayClock\Lathem.USBTM.Service.PC600.Service.exe

(iAnywhere Solutions, Inc.) C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

(Microsoft Corporation) C:\WINDOWS\system32\tcpsvcs.exe

(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\udaterui.exe

(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe

(Microsoft Corporation) C:\WINDOWS\system32\oobechk.exe

(Microsoft Corporation) C:\WINDOWS\system32\mshta.exe

(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\McTray.exe

(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [McAfeeUpdaterUI] - C:\Program Files\McAfee\Common Framework\udaterui.exe [333376 2011-11-15] (McAfee, Inc.)

HKLM\...\Run: [shStatEXE] - C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [215656 2012-08-14] (McAfee, Inc.)

HKLM\...\Winlogon: [uIHost] %SystemRoot%\system32\logonui.exe [x ] ()

HKLM\...\Policies\Explorer: [showSuperHidden] 1

HKLM\...\Policies\Explorer: [NoControlPanel] 0

HKLM\...\Command Processor:  <======= ATTENTION

HKU\Default User\...\RunOnce: [tscuninstall] - C:\Windows\system32\tscupgrd.exe [ 2006-03-22] (Microsoft Corporation)

Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli

 

==================== Internet (Whitelisted) ====================

 


HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = 

BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130413213922.dll (McAfee, Inc.)

Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Tcpip\..\Interfaces\{59125035-44F7-484E-88D4-B4A2EB5273EB}: [NameServer]192.168.1.11

 

========================== Services (Whitelisted) =================

 

R2 Dfs; C:\Windows\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)

R2 DHCPServer; C:\Windows\system32\tcpsvcs.exe [21504 2006-03-22] (Microsoft Corporation)

R2 DNS; C:\Windows\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)

R2 IsmServ; C:\Windows\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)

R2 kdc; C:\Windows\System32\lsass.exe [13312 2006-03-22] (Microsoft Corporation)

S4 LicenseService; C:\Windows\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)

R2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [132672 2011-11-15] (McAfee, Inc.)

R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [167856 2012-09-25] (McAfee, Inc.)

R2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [210056 2012-08-14] (McAfee, Inc.)

R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [160152 2012-09-25] (McAfee, Inc.)

R2 NtFrs; C:\Windows\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)

R2 PayClock_Sql_32; C:\Program Files\Lathem Time Corporation\PayClock\dbsrv11.exe [141176 2011-05-16] (iAnywhere Solutions, Inc.)

R2 PayClock_Terminal_Service; C:\Program Files\Lathem Time Corporation\PayClock\Lathem.USBTM.Service.PC600.Service.exe [20776 2013-05-28] (Lathem Time Corporation)

R2 QuickBooksDB17; C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [128536 2006-09-13] (iAnywhere Solutions, Inc.)

S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)

S3 sacsvr; C:\Windows\system32\sacsvr.dll [12288 2006-03-22] (Microsoft Corporation)

S3 SrmReports; C:\Windows\system32\srmhost.exe [10752 2005-11-23] (Microsoft Corporation)

R2 SrmSvc; C:\Windows\system32\srmsvc.dll [1593344 2007-02-17] (Microsoft Corporation)

S4 TrkSvr; C:\Windows\system32\trksvr.dll [50688 2006-03-22] (Microsoft Corporation)

S4 Tssdis; C:\Windows\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)

R2 Eventlog;  [x]

S3 WinHttpAutoProxySvc; winhttp.dll [x]

 

==================== Drivers (Whitelisted) ====================

 

S4 ClusDisk; C:\Windows\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)

R0 Datascrn; C:\Windows\System32\DRIVERS\datascrn.sys [48640 2007-02-17] (Microsoft Corporation)

R3 dcdbas; C:\Windows\System32\DRIVERS\dcdbas32.sys [31480 2007-06-07] (Dell Inc.)

R0 DfsDriver; C:\Windows\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)

R3 E1000; C:\Windows\System32\DRIVERS\e1000325.sys [176128 2004-11-22] (Intel Corporation)

R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [125600 2012-09-25] (McAfee, Inc.)

R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [218760 2012-09-25] (McAfee, Inc.)

R3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [63128 2012-09-25] (McAfee, Inc.)

R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [481320 2012-09-25] (McAfee, Inc.)

S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87816 2012-09-25] (McAfee, Inc.)

R1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [90368 2012-09-25] (McAfee, Inc.)

S3 PORTACCESSOR_1; C:\Program Files\PowerEdge Diagnostics\oldiags\packages\PORTACCESSOR32.sys [10104 2007-06-07] (Dell Inc.)

R0 Quota; C:\Windows\System32\DRIVERS\quota.sys [88064 2007-02-17] (Microsoft Corporation)

S3 WLBS; C:\Windows\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)

S4 adpu320; No ImagePath

S4 afcnt; No ImagePath

S4 cpqarry2; No ImagePath

S4 cpqcissm; No ImagePath

S4 cpqfcalm; No ImagePath

S4 dellcerc; No ImagePath

S4 elxstor; No ImagePath

S4 hpt3xx; No ImagePath

S4 iirsp; No ImagePath

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]

S4 ipsraidn; No ImagePath

U3 LicenseInfo; No ImagePath

S4 lp6nds35; No ImagePath

U3 mfeavfk01; No ImagePath

S4 nfrd960; No ImagePath

S4 ql2100; No ImagePath

S4 ql2200; No ImagePath

S4 ql2300; No ImagePath

U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)

U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)

S4 symmpi; No ImagePath

U1 WS2IFSL; 

 

==================== NetSvcs (Whitelisted) ===================

 

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)

 

==================== One Month Created Files and Folders ========

 

2013-09-20 08:26 - 2013-09-20 08:26 - 00000000 ____D C:\FRST

2013-09-18 09:21 - 2013-09-18 09:21 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$

2013-09-18 09:21 - 2013-09-18 09:21 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$

2013-09-18 09:20 - 2013-09-18 09:20 - 00011932 _____ C:\WINDOWS\KB2870699-IE8.log

2013-09-18 09:20 - 2013-09-18 09:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$

2013-09-17 14:11 - 2013-09-17 14:11 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-09-17 14:11 - 2013-09-17 14:11 - 00000000 ____D C:\Documents and Settings\Administrator.EWIRELESS\Application Data\Malwarebytes

2013-09-17 14:11 - 2013-09-17 14:02 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Administrator.EWIRELESS\Desktop\mbam-setup-1.75.0.1300.exe

2013-09-17 14:11 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys

2013-09-11 03:04 - 2013-09-18 09:21 - 00014757 _____ C:\WINDOWS\KB2876217.log

2013-09-11 03:04 - 2013-09-18 09:21 - 00014255 _____ C:\WINDOWS\KB2876315.log

2013-09-11 03:04 - 2013-09-18 09:20 - 00009968 _____ C:\WINDOWS\KB2864063.log

2013-09-11 03:04 - 2013-08-08 04:06 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 06017536 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 02006016 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 01215488 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\url.dll

2013-09-11 03:04 - 2013-08-08 04:06 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeedsbs.dll

2013-09-04 06:00 - 2013-09-04 06:00 - 00000000 ____D C:\StorageReports

2013-09-03 21:09 - 2013-09-18 09:20 - 00000000 ____D C:\WINDOWS\system32\MRT

2013-09-03 21:08 - 2013-09-03 21:08 - 00013194 _____ C:\WINDOWS\KB2862772-IE8.log

2013-09-03 21:08 - 2013-09-03 21:08 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2849470$

2013-09-03 21:08 - 2013-09-03 21:08 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2803821-v2$

2013-09-03 21:07 - 2013-09-03 21:07 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2863058$

2013-09-03 21:07 - 2013-09-03 21:07 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2859537$

2013-09-03 21:07 - 2013-09-03 21:07 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850869$

2013-09-03 21:06 - 2013-09-03 21:07 - 00004224 _____ C:\WINDOWS\KB2863058.log

2013-08-28 00:56 - 2013-09-03 21:08 - 00010577 _____ C:\WINDOWS\KB2803821-v2.log

2013-08-27 10:25 - 2013-08-27 10:25 - 00000000 ____D C:\WINDOWS\system32\srm

2013-08-27 10:25 - 2005-11-23 05:00 - 00264040 ____N C:\WINDOWS\system32\dfsrHealthReport.xsl

2013-08-27 10:25 - 2005-11-23 05:00 - 00200704 ____N (Microsoft Corporation) C:\WINDOWS\system32\dfsrAdmin.exe

2013-08-27 10:25 - 2005-11-23 05:00 - 00125952 ____N (Microsoft Corporation) C:\WINDOWS\system32\storrept.exe

2013-08-27 10:25 - 2005-11-23 05:00 - 00105472 ____N (Microsoft Corporation) C:\WINDOWS\system32\srm.dll

2013-08-27 10:25 - 2005-11-23 05:00 - 00043046 ____N C:\WINDOWS\system32\Fs.msc

2013-08-27 10:25 - 2005-11-23 05:00 - 00042496 ____N (Microsoft Corporation) C:\WINDOWS\system32\dfsext.dll

2013-08-27 10:25 - 2005-11-23 05:00 - 00042121 ____N C:\WINDOWS\system32\fsrm.msc

2013-08-27 10:25 - 2005-11-23 05:00 - 00041964 ____N C:\WINDOWS\system32\dfsmgmt.msc

2013-08-27 10:25 - 2005-11-23 05:00 - 00011118 ____N C:\WINDOWS\system32\FsmConfiguration.xml

2013-08-27 10:25 - 2005-11-23 05:00 - 00010752 ____N (Microsoft Corporation) C:\WINDOWS\system32\srmhost.exe

2013-08-27 10:25 - 2005-11-23 05:00 - 00010240 ____N (Microsoft Corporation) C:\WINDOWS\system32\srmclient.dll

2013-08-27 10:25 - 2005-11-23 05:00 - 00008192 ____N (Microsoft Corporation) C:\WINDOWS\system32\interop.dfsrhelper.dll

2013-08-27 10:25 - 2005-11-23 05:00 - 00007168 ____N (Microsoft Corporation) C:\WINDOWS\system32\srmsched_ps.dll

2013-08-27 10:25 - 2005-11-23 05:00 - 00005120 ____N (Microsoft Corporation) C:\WINDOWS\system32\dfsres.dll

 

==================== One Month Modified Files and Folders =======

 

2013-09-20 08:26 - 2013-09-20 08:26 - 00000000 ____D C:\FRST

2013-09-20 08:24 - 2012-11-30 15:21 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{634805AD-3B75-45FE-914C-63B6BFE865D2}.job

2013-09-20 08:16 - 2012-12-18 15:59 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{2E647214-9B8A-4E9F-9DB6-3695EC4EE906}.job

2013-09-20 07:37 - 2012-11-29 10:58 - 00000000 ____D C:\WINDOWS\system32\dhcp

2013-09-20 07:09 - 2012-11-30 10:46 - 00032244 _____ C:\WINDOWS\Tasks\SchedLgU.Txt

2013-09-20 07:03 - 2012-11-30 10:38 - 01606425 _____ C:\WINDOWS\WindowsUpdate.log

2013-09-20 06:06 - 2013-01-02 13:50 - 00000000 ____D C:\WINDOWS\system32\NtmsData

2013-09-20 06:05 - 2013-08-13 09:10 - 00000916 _____ C:\WINDOWS\Tasks\system_state.job

2013-09-20 06:00 - 2012-11-29 10:58 - 00000000 ____D C:\WINDOWS\repair

2013-09-20 00:48 - 2012-11-29 10:58 - 00000000 ____D C:\WINDOWS\security

2013-09-19 20:59 - 2013-01-14 10:57 - 00000874 _____ C:\WINDOWS\Tasks\diff_backup.job

2013-09-19 20:52 - 2013-01-19 11:38 - 00000000 ____D C:\QUARANTINE

2013-09-19 08:41 - 2012-11-29 11:12 - 00608454 _____ C:\WINDOWS\system32\PerfStringBackup.INI

2013-09-19 08:37 - 2012-12-18 12:59 - 00002368 _____ C:\WINDOWS\system32\config\netlogon.dnb

2013-09-19 08:37 - 2012-12-18 12:59 - 00002235 _____ C:\WINDOWS\system32\config\netlogon.dns

2013-09-19 08:36 - 2012-12-18 12:53 - 00000000 ____D C:\WINDOWS\NTDS

2013-09-19 08:36 - 2012-11-30 10:46 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT

2013-09-19 08:36 - 2012-11-29 11:11 - 00093480 _____ C:\WINDOWS\system32\FNTCACHE.DAT

2013-09-18 09:21 - 2013-09-18 09:21 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$

2013-09-18 09:21 - 2013-09-18 09:21 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$

2013-09-18 09:21 - 2013-09-11 03:04 - 00014757 _____ C:\WINDOWS\KB2876217.log

2013-09-18 09:21 - 2013-09-11 03:04 - 00014255 _____ C:\WINDOWS\KB2876315.log

2013-09-18 09:21 - 2012-11-30 12:31 - 00153191 _____ C:\WINDOWS\updspapi.log

2013-09-18 09:21 - 2012-11-30 10:48 - 00589083 _____ C:\WINDOWS\nfsocm.log

2013-09-18 09:21 - 2012-11-30 10:48 - 00226782 _____ C:\WINDOWS\sfuocgen.log

2013-09-18 09:21 - 2012-11-30 10:48 - 00061615 _____ C:\WINDOWS\ocwss.log

2013-09-18 09:21 - 2012-11-30 10:48 - 00061461 _____ C:\WINDOWS\AdfsOcm.log

2013-09-18 09:21 - 2012-11-29 11:12 - 01777460 _____ C:\WINDOWS\ocgen.log

2013-09-18 09:21 - 2012-11-29 11:12 - 01769948 _____ C:\WINDOWS\iis6.log

2013-09-18 09:21 - 2012-11-29 11:12 - 01585054 _____ C:\WINDOWS\FaxSetup.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00772034 _____ C:\WINDOWS\uddisetup.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00679625 _____ C:\WINDOWS\tsoc.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00658950 _____ C:\WINDOWS\msmqinst.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00478585 _____ C:\WINDOWS\comsetup.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00342488 _____ C:\WINDOWS\certocm.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00305719 _____ C:\WINDOWS\ntdtcsetup.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00264111 _____ C:\WINDOWS\netfxocm.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00224274 _____ C:\WINDOWS\aspnetocm.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00160258 _____ C:\WINDOWS\LicenOc.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00079306 _____ C:\WINDOWS\pop3oc.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00003423 _____ C:\WINDOWS\imsins.log

2013-09-18 09:21 - 2012-11-29 11:12 - 00003423 _____ C:\WINDOWS\imsins.BAK

2013-09-18 09:21 - 2012-11-29 11:11 - 00525260 _____ C:\WINDOWS\setupapi.log

2013-09-18 09:20 - 2013-09-18 09:20 - 00011932 _____ C:\WINDOWS\KB2870699-IE8.log

2013-09-18 09:20 - 2013-09-18 09:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$

2013-09-18 09:20 - 2013-09-11 03:04 - 00009968 _____ C:\WINDOWS\KB2864063.log

2013-09-18 09:20 - 2013-09-03 21:09 - 00000000 ____D C:\WINDOWS\system32\MRT

2013-09-18 09:20 - 2012-11-30 14:38 - 00000000 ____D C:\WINDOWS\ie8updates

2013-09-18 09:18 - 2013-08-10 15:40 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy

2013-09-18 09:17 - 2012-11-30 14:36 - 76725432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

2013-09-18 08:38 - 2006-03-22 05:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

2013-09-18 08:37 - 2012-11-30 14:54 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB978542$

2013-09-18 08:37 - 2012-11-30 10:45 - 00819850 _____ C:\WINDOWS\PFRO.log

2013-09-18 08:35 - 2012-12-18 12:54 - 00524288 _____ C:\WINDOWS\system32\config\NTDS.Evt

2013-09-18 08:35 - 2012-11-30 16:00 - 00065536 _____ C:\WINDOWS\system32\config\NtFrs.Evt

2013-09-18 08:35 - 2012-11-30 15:50 - 00065536 _____ C:\WINDOWS\system32\config\DnsEvent.Evt

2013-09-18 08:35 - 2012-11-30 15:48 - 00000178 ___SH C:\Documents and Settings\Administrator.EWIRELESS\ntuser.ini

2013-09-17 14:11 - 2013-09-17 14:11 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-09-17 14:11 - 2013-09-17 14:11 - 00000000 ____D C:\Documents and Settings\Administrator.EWIRELESS\Application Data\Malwarebytes

2013-09-17 14:02 - 2013-09-17 14:11 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Administrator.EWIRELESS\Desktop\mbam-setup-1.75.0.1300.exe

2013-09-04 06:00 - 2013-09-04 06:00 - 00000000 ____D C:\StorageReports

2013-09-03 21:32 - 2012-11-29 10:58 - 00000000 ____D C:\WINDOWS\Microsoft.NET

2013-09-03 21:21 - 2013-08-10 15:40 - 00065536 _____ C:\WINDOWS\system32\config\WindowsPowerShell.evt

2013-09-03 21:21 - 2013-08-10 15:40 - 00065536 _____ C:\WINDOWS\system32\config\FwdEvents.Evt

2013-09-03 21:21 - 2013-08-10 15:40 - 00065536 _____ C:\WINDOWS\system32\config\EventForwarding-Operational.Evt

2013-09-03 21:21 - 2013-08-10 15:40 - 00065536 _____ C:\WINDOWS\system32\config\EventCollector-Operational.Evt

2013-09-03 21:08 - 2013-09-03 21:08 - 00013194 _____ C:\WINDOWS\KB2862772-IE8.log

2013-09-03 21:08 - 2013-09-03 21:08 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2849470$

2013-09-03 21:08 - 2013-09-03 21:08 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2803821-v2$

2013-09-03 21:08 - 2013-08-28 00:56 - 00010577 _____ C:\WINDOWS\KB2803821-v2.log

2013-09-03 21:07 - 2013-09-03 21:07 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2863058$

2013-09-03 21:07 - 2013-09-03 21:07 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2859537$

2013-09-03 21:07 - 2013-09-03 21:07 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850869$

2013-09-03 21:07 - 2013-09-03 21:06 - 00004224 _____ C:\WINDOWS\KB2863058.log

2013-09-03 21:07 - 2013-08-13 22:30 - 00013285 _____ C:\WINDOWS\KB2859537.log

2013-09-03 21:07 - 2013-08-13 22:30 - 00010508 _____ C:\WINDOWS\KB2850869.log

2013-09-03 21:07 - 2012-11-30 13:36 - 00230334 _____ C:\WINDOWS\system32\TZLog.log

2013-09-01 16:44 - 2013-01-07 11:35 - 00000862 _____ C:\WINDOWS\Tasks\full_backup.job

2013-08-27 10:25 - 2013-08-27 10:25 - 00000000 ____D C:\WINDOWS\system32\srm

2013-08-27 10:23 - 2013-02-13 22:18 - 00000000 ____D C:\WINDOWS\PMCSnap

 

==================== Bamital & volsnap Check =================

 

C:\Windows\explorer.exe

[2012-11-30 12:31] - [2007-02-17 03:58] - 1053184 ____A (Microsoft Corporation) A26C39540F8BE3729846E360E2C57344

 

C:\Windows\System32\winlogon.exe

[2012-11-30 12:31] - [2007-02-17 05:09] - 0528384 ____A (Microsoft Corporation) B4AA8AE0F18E5DFCF99A671A181D3EDC

 

C:\Windows\System32\svchost.exe

[2012-11-30 12:31] - [2007-02-17 05:04] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

 

C:\Windows\System32\services.exe

[2006-03-22 05:00] - [2009-02-03 04:07] - 0113152 ____A (Microsoft Corporation) CF500580CDD83B145646A4DCFCE1CF3C

 

C:\Windows\System32\User32.dll

[2012-11-30 12:03] - [2007-03-01 23:38] - 0583680 ____A (Microsoft Corporation) 1959150096B010BA953A78B0D6B0B4E4

 

C:\Windows\System32\userinit.exe

[2006-03-22 05:00] - [2007-02-17 05:07] - 0026112 ____A (Microsoft Corporation) B5FEB3B971A8B8C81CE9DE65031A87E5

 

C:\Windows\System32\Drivers\volsnap.sys

[2006-03-22 05:00] - [2012-08-21 05:56] - 0153600 ____A (Microsoft Corporation) 701D86EC9D221F68C8528CC47D3958E6

 

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

 

==================== End Of Log ============================

Addition.txt


I don't see much... this is the "user" with the virus??

Ran by Administrator (administrator) on EWDC2 on 20-09-2013 08:26:47
Running from F:\
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal


We can clean this one up:

Download the attached fixlist.txt to the same folder as FRST.
Run FRST, click Fix only once, and wait.
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Let me know....MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-09-2013 01

Ran by Administrator at 2013-09-20 14:05:20 Run:1

Running from F:\

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

HKLM\...\Command Processor:  <======= ATTENTION

*****************

 

HKLM\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.

 

==== End of Fixlog ====


Update: One of our system users was experiencing issues late Friday. I wasn't able to run much from the system, so I tried to use Farbar, but it needed the 64-bit version. I was able to get dds to run on it.

Note: I did not run MBAM on this particular machine, but if I need to first, then let me know, or for that matter any of the antivirus. He was having issues with getting any files or .exe programs to run. I kept getting an error that these files were viruses and wouldn't run.

Anyway, here is the dds log and attached files.

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686
Run by mark at 12:28:21 on 2013-09-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1961.817 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Century\TinyTERM\NetUtils\Cenlpd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\HPSIsvc.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Users\mark\AppData\Roaming\Jyru\nievik.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskhost.exe
C:\Users\mark\AppData\Local\Temp\IGKAAB7\lx24.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\mark\AppData\Local\Temp\SXS38E9\dtp7.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130410110638.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Nievik] C:\Users\mark\AppData\Roaming\Jyru\nievik.exe
uRun: [pebqoxxetxuz] C:\Users\mark\pebqoxxetxuz.exe
uRun: [cartapnubsyc] C:\Users\mark\cartapnubsyc.exe
uRun: [wicusealuddi] C:\Users\mark\wicusealuddi.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [shStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.1.11
TCP: Interfaces\{55255F41-65A2-4869-ADF2-4A4B9BDED77A} : DHCPNameServer = 192.168.1.11
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130410110638.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\mark\AppData\Roaming\Mozilla\Firefox\Profiles\7mwejkcn.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2013-4-2 673624]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2013-4-2 305280]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-10-27 55856]
R2 CenLPD;CenLPD;C:\Program Files (x86)\Century\TinyTERM\NetUtils\CenLPD.exe [2012-1-18 102400]
R2 HPSIService;HP SI Service;C:\Windows\System32\HPSIsvc.exe [2011-12-19 127800]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2013-6-7 376144]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2013-4-30 16056]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2013-9-16 72216]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2012-9-5 132712]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2013-4-2 202376]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2012-8-14 210056]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2013-4-2 170440]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-10-27 317440]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2013-4-2 282736]
R3 mvusbews;USB EWS Device;C:\Windows\System32\drivers\mvusbews.sys [2011-12-19 20480]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-10-27 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2013-4-2 101200]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-19 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-09-23 15:47:44 66560 ----a-w- C:\Users\mark\wicusealuddi.exe
2013-09-23 08:47:10 64000 ----a-w- C:\Users\mark\cartapnubsyc.exe
2013-09-20 20:07:28 -------- d-----w- C:\Program Files (x86)\ESET
2013-09-17 00:56:42 -------- d-----w- C:\QUARANTINE
2013-09-16 22:14:46 -------- d-----w- C:\Users\mark\AppData\Local\LogMeIn
2013-09-16 22:14:42 60744 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LMIproc.dll
2013-09-16 22:14:42 35656 ----a-w- C:\Windows\System32\LMIport.dll
2013-09-16 22:14:41 72216 ----a-w- C:\Windows\System32\drivers\LMIRfsDriver.sys
2013-09-16 22:14:41 107368 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2013-09-16 22:14:38 100680 ----a-w- C:\Windows\System32\LMIinit.dll
2013-09-16 22:14:33 -------- d-----w- C:\ProgramData\LogMeIn
2013-09-16 22:14:20 -------- d-----w- C:\Program Files (x86)\LogMeIn
2013-09-16 22:11:40 -------- d-----w- C:\Users\mark\AppData\Local\Apps
2013-09-16 22:11:39 -------- d-----w- C:\Users\mark\AppData\Local\Deployment
.
==================== Find3M  ====================
.
2013-09-20 08:50:15 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-20 08:50:15 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-08-10 05:22:18 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-08-10 05:20:59 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-10 05:20:55 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-08-10 05:20:55 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-08-10 03:59:10 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-08-10 03:07:50 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-08-08 01:20:43 3155456 ----a-w- C:\Windows\System32\win32k.sys
2013-08-05 02:25:45 155584 ----a-w- C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:23:53 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:45:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-09 05:52:52 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-07-06 06:03:53 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 12:29:11.00 ===============
 

attach.txt


Can't fix anything with DDS but from the log.......these are bad:


C:\Users\mark\AppData\Roaming\Jyru\nievik.exe
C:\Users\mark\AppData\Local\Temp\SXS38E9\dtp7.exe
uRun: [Nievik] C:\Users\mark\AppData\Roaming\Jyru\nievik.exe
uRun: [pebqoxxetxuz] C:\Users\mark\pebqoxxetxuz.exe
uRun: [cartapnubsyc] C:\Users\mark\cartapnubsyc.exe
uRun: [wicusealuddi] C:\Users\mark\wicusealuddi.exe

2013-09-23 15:47:44 66560 ----a-w- C:\Users\mark\wicusealuddi.exe
2013-09-23 08:47:10 64000 ----a-w- C:\Users\mark\cartapnubsyc.exe


If you could run RogueKiller that would be good.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)

MrC
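An added triage helper (my example, not a tool from this thread or from Malwarebytes) that automates the check MrC makes by eye above: it parses the Running Processes, Pseudo HJT Report and Created Last 30 sections of a DDS log and flags any image that lives in the user's profile root, AppData\Roaming or AppData\Local\Temp. The sample input is a few lines copied from the DDS log earlier in the thread; the location list is my assumption, and a hit means "review this", not "malicious".

```python
# Added example, not a thread/Malwarebytes tool: DDS log triage by image location.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: a few lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Users\mark\AppData\Roaming\Jyru\nievik.exe
C:\Users\mark\AppData\Local\Temp\IGKAAB7\lx24.exe
.
============== Pseudo HJT Report ===============
uRun: [Nievik] C:\Users\mark\AppData\Roaming\Jyru\nievik.exe
uRun: [pebqoxxetxuz] C:\Users\mark\pebqoxxetxuz.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
=============== Created Last 30 ================
2013-09-23 15:47:44 66560 ----a-w- C:\Users\mark\wicusealuddi.exe
2013-09-20 20:07:28 -------- d-----w- C:\Program Files (x86)\ESET
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# uRun / mRun / x64-Run / x64-RunOnce lines of the Pseudo HJT report.
RUN_RE = re.compile(r"^(?:x64-)?[um]?Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# "<timestamp> <size or dashes> <attributes> <path>" lines of Created Last 30.
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+|-+)\s+"
                        r"(?P<attrs>\S+)\s+(?P<path>.+)$")
# Image path at the start of a command line, quoted or not, with any arguments dropped.
IMAGE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|dll|cpl|scr))"?', re.IGNORECASE)

# Assumed list of locations an installer almost never uses. A hit means "review",
# not "malicious": some legitimate per-user software does live under AppData\Roaming.
SUSPICIOUS_LOCATIONS = (
    ("user profile root", re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$")),
    ("AppData\\Local\\Temp", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")),
    ("AppData\\Roaming", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\")),
)


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str


def image_path(command: str) -> Optional[str]:
    """Return the executable path from a process or Run command line, or None."""
    m = IMAGE_RE.match(command.strip())
    return m.group("path") if m else None


def classify_path(path: str) -> Optional[str]:
    """Return why a path deserves a second look, or None if its location is ordinary."""
    lowered = path.lower()
    for reason, rx in SUSPICIOUS_LOCATIONS:
        if rx.search(lowered):
            return reason
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Walk a DDS log and collect images in suspicious locations, per section."""
    findings: List[Finding] = []
    section = ""
    for raw in lines:
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not line or line == ".":  # DDS separates sections with a lone dot
            continue
        path: Optional[str] = None
        if section == "Running Processes":
            path = image_path(line)
        elif section == "Pseudo HJT Report":
            run = RUN_RE.match(line)
            if run:
                path = image_path(run.group("cmd"))
        elif section == "Created Last 30":
            created = CREATED_RE.match(line)
            # Directories (attribute string starts with "d") are skipped; only files are rated.
            if created and not created.group("attrs").startswith("d"):
                path = created.group("path")
        if path is None:
            continue
        reason = classify_path(path)
        if reason:
            findings.append(Finding(section, path, reason))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(text.splitlines())


def flagged_paths(findings: Iterable[Finding]) -> List[str]:
    """Unique flagged paths, lower-cased so the same image seen twice counts once."""
    return sorted({f.path.lower() for f in findings})


if __name__ == "__main__":
    for f in triage_text(SAMPLE_DDS):
        print(f"[{f.section}] {f.path}  <- {f.reason}")
```

Run it against a full DDS.txt with `triage(open("DDS.txt", errors="replace"))`; the flagged list should come back with exactly the entries MrC pointed out and nothing from Program Files or System32.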


RogueKiller V8.6.12 _x64_ [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mark [Admin rights]
Mode : Scan -- Date : 09/24/2013 09:16:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 25 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SUSP PATH] lx24.exe -- C:\Users\mark\AppData\Local\Temp\IGKAAB7\lx24.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SUSP PATH] dtp7.exe -- C:\Users\mark\AppData\Local\Temp\SXS38E9\dtp7.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 19 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : pebqoxxetxuz (C:\Users\mark\pebqoxxetxuz.exe [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : cartapnubsyc (C:\Users\mark\cartapnubsyc.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : wicusealuddi (C:\Users\mark\wicusealuddi.exe [-]) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : pebqoxxetxuz (C:\Users\mark\pebqoxxetxuz.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : cartapnubsyc (C:\Users\mark\cartapnubsyc.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : wicusealuddi (C:\Users\mark\wicusealuddi.exe [-]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \...\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \...\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\mark\AppData\Local\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST3250312AS ATA Device +++++
--- User ---
[MBR] f85a9c5b41f9f2c5094742aa1f572590
[BSP] a4506bc62a4c110fe78c6c653e69f8cf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 16138 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33132544 | Size: 222296 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Corsair Voyager USB Device +++++
--- User ---
[MBR] 6476da95bc9ffaebf3a0c96cbffeee9d
[BSP] 4d98459d102461d8401cbd979d7653d4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 15334 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_09242013_091628.txt >>

So another one of our users got hit with the Antivirus Pro virus. Here is a printout of the RogueKiller log; DDS wouldn't log it, it gave me a popup.

 

RogueKiller V8.6.12 _x64_ [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Steve [Admin rights]
Mode : Scan -- Date : 09/24/2013 10:34:22
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[Rogue.AntiSpy-ST] ph373g33.exe -- C:\ProgramData\ph373g33\ph373g33.exe[-] -> KILLED [TermProc]
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\   \...\???ﯹ๛\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" < [x] -> STOPPED
 
¤¤¤ Registry Entries : 29 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\steve\AppData\Local\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\???\???\???ﯹ๛\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : qiaapa (C:\Users\steve\qiaapa.exe /x [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : pebqoxxetxuz (C:\Users\steve\pebqoxxetxuz.exe [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : cartapnubsyc (C:\Users\steve\cartapnubsyc.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : wicusealuddi (C:\Users\steve\wicusealuddi.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : papkulhudmud (C:\Users\steve\papkulhudmud.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : fonvisfetery (C:\Users\steve\fonvisfetery.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : AS2014 (C:\ProgramData\ph373g33\ph373g33.exe [-]) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : Google Update ("C:\Users\steve\AppData\Local\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\???\???\???ﯹ๛\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : qiaapa (C:\Users\steve\qiaapa.exe /x [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : pebqoxxetxuz (C:\Users\steve\pebqoxxetxuz.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : cartapnubsyc (C:\Users\steve\cartapnubsyc.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : wicusealuddi (C:\Users\steve\wicusealuddi.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : papkulhudmud (C:\Users\steve\papkulhudmud.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : fonvisfetery (C:\Users\steve\fonvisfetery.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1145\[...]\Run : AS2014 (C:\ProgramData\ph373g33\ph373g33.exe [-]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\   \...\???ﯹ๛\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\   \...\???ﯹ๛\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\   \...\???ﯹ๛\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\steve\AppData\Local\Google\Desktop\Install [-] --> FOUND
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess|Rogue.AntiSpy-ST ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST250DM000-1BD141 ATA Device +++++
--- User ---
[MBR] 335d3c8b6eef52f37810ebbc0f74f215
[bSP] c271a16670aa093e8da9ab96dea69dc9 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 16540 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33955840 | Size: 221892 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: \\.\PHYSICALDRIVE1 +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
 
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) (Standard disk drives) - Corsair Voyager USB Device +++++
--- User ---
[MBR] 6476da95bc9ffaebf3a0c96cbffeee9d
[bSP] 4d98459d102461d8401cbd979d7653d4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 15334 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_S_09242013_103422.txt >>

The computer is infected very badly, run RogueKiller again > Click Scan and then make sure everything is selected and click Delete.
Re-scan and check again for any bad entries.

If you can run a scan with MBAR:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.
reply1.jpg

New window that comes up.
replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note: (You Must Run This)!!!!!!!
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

-----------------------------

or run a scan with FRST:



Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

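The RogueKiller report above and the MBAR reports the poster attaches next both carry findings that are easy to misread in a pasted log: the Windows Defender files have been replaced by junctions into \systemroot\system32\config, the Google Desktop "Install" folder tree uses a name containing U+202E (RIGHT-TO-LEFT OVERRIDE) so its path displays out of order, and the second MBAR kernel report (09/25) lists one driver module that the first (09/24) did not. As an added example, not code from the forum post, from the poster's tools or from Malwarebytes, the Python script below pulls those three things out of the text reports. The regular expressions are inferred from the line formats in this thread, the sample inputs are constructed by abridging the posted reports, and the code points used for the disguised folder name are an approximation of the glyphs shown on the page. A module that appears only in the later report is listed for follow-up (hash and signature check), not declared malicious.

```python
# Added example: triage helpers for RogueKiller / MBAR text reports.
# Not code from the forum post or from Malwarebytes; the line formats below are
# inferred from the reports pasted in this thread.
import re

# Unicode bidirectional controls used to disguise names; U+202E is the
# RIGHT-TO-LEFT OVERRIDE seen in the MBAR "Infected:" paths.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# RogueKiller: "[Family][Junction] name : path >> target [-] --> FOUND"
JUNCTION_RE = re.compile(
    r"^\[(?P<family>[^\]]+)\]\[Junction\]\s+(?P<name>.+?)\s:\s(?P<path>.+?)\s>>\s(?P<target>\S+)"
)
# MBAR: "Infected: <file path or registry key|value> --> [Detection]"
INFECTED_RE = re.compile(r"^Infected:\s+(?P<item>.+?)\s+-->\s+\[(?P<detection>[^\]]+)\]")


def junction_redirects(lines):
    """(path, target) for each RogueKiller junction finding.

    ZeroAccess replaced the Windows Defender files with junctions into
    \\systemroot\\system32\\config: the paths still exist, the binaries do not.
    """
    return [(m["path"], m["target"])
            for m in (JUNCTION_RE.match(l.strip()) for l in lines) if m]


def mbar_detections(lines):
    """(item, detection) for each MBAR 'Infected:' line; items may be files or registry values."""
    return [(m["item"], m["detection"])
            for m in (INFECTED_RE.match(l.strip()) for l in lines) if m]


def bidi_disguised(items):
    """Items containing a bidi control character, with the code points spelled out
    so the reader can see what the terminal or forum rendered invisibly."""
    hits = []
    for item in items:
        ctrls = sorted({f"U+{ord(c):04X}" for c in item if c in BIDI_CONTROLS})
        if ctrls:
            hits.append((item, ctrls))
    return hits


def loaded_modules(report_lines):
    """Lower-cased basenames from an MBAR kernel report's 'Loaded modules' block."""
    mods, inside = set(), False
    for line in report_lines:
        s = line.strip()
        if "Loaded modules" in s:
            inside = True
        elif inside and s.startswith("---") and "End" in s:
            inside = False
        elif inside and s:
            mods.add(s.rsplit("\\", 1)[-1].lower())
    return mods


def new_modules(earlier, later):
    """Basenames present in the later kernel report but not in the earlier one:
    a list to look up, not a verdict."""
    return sorted(loaded_modules(later) - loaded_modules(earlier))


# --- Constructed sample input, abridged from the reports in this thread ----------
ROGUEKILLER_SAMPLE = r"""
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\steve\AppData\Local\Google\Desktop\Install [-] --> FOUND
""".splitlines()

# Approximation of the disguised folder name in the MBAR report: RLO plus two glyphs.
RLO_NAME = "\u202e\ufbf9\u0e5b"
GUID = "{ad884ada-701a-b315-0036-1eb93e6b235c}"
MBAR_SAMPLE = [
    "Infected: HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SHAREDACCESS|DeleteFlag --> [Trojan.ZeroAccess]",
    "Infected: c:\\program files (x86)\\google\\desktop\\install\\" + GUID + "\\    --> [Trojan.0Access]",
    "Infected: c:\\program files (x86)\\google\\desktop\\install\\" + GUID + "\\   \\...\\"
    + RLO_NAME + "\\" + GUID + "\\u --> [Trojan.0Access]",
]

KERNEL_0924 = r"""------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\Wdf01000.sys
----------- End -----------""".splitlines()

KERNEL_0925 = r"""------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\drivers\imofugc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
----------- End -----------""".splitlines()


if __name__ == "__main__":
    for path, target in junction_redirects(ROGUEKILLER_SAMPLE):
        print(f"junction  {path}  ->  {target}")
    detections = mbar_detections(MBAR_SAMPLE)
    for item, ctrls in bidi_disguised(item for item, _ in detections):
        print(f"bidi-disguised path ({', '.join(ctrls)}): {item!r}")
    print("modules only in later report:", new_modules(KERNEL_0924, KERNEL_0925))
```

Run against the full reports in this thread (save each post's text to a file and feed the lines in), the module diff between the 09/24 and 09/25 kernel reports yields a single name, imofugc.sys, loaded immediately after CI.dll; that is a file to hash and look up, not a conclusion. The DeleteFlag value on the SharedAccess service key is ZeroAccess's way of having Windows delete the firewall/ICS service on the next boot, which is why Windows Firewall is on the post-cleanup checklist in the reply above, and why fixdamage is run.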

I ran the mbar 3x but the last one came up clean.

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 5.1.2600 Windows XP Service Pack 3 x86

 

Account is Administrative

 

Internet Explorer version: 8.0.6001.18702

 

File system is: FAT32

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.992000 GHz

Memory total: 2136055808, free: 580796416

 

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 10.0.9200.16686

 

Java version: 1.6.0_30

 

File system is: FAT32

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 2055868416, free: 974974976

 

=======================================

Initializing...

------------ Kernel report ------------

     09/24/2013 18:16:46

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\intelide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\mfehidk.sys

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\mfewfpk.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vpcnfltr.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\vpcvmm.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\igdkmd64.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\vpcusb.sys

\SystemRoot\system32\DRIVERS\usbrpm.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\vpchbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\CHDRT64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\system32\drivers\mfeavfk.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\mvusbews.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\??\C:\Windows\system32\drivers\LMIRfsDriver.sys

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\mfeapfk.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR4

Upper Device Object: 0xfffffa80064cd790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000083\

Lower Device Object: 0xfffffa80076b6b60

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8004160060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8003ad4060

Lower Device Driver Name: \Driver\atapi\

<<<2>>>

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8004160060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8004001890, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8004160060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8003abe520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8003ad4060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 59BFA23C

 

Partition information:

 

    Partition 0 type is Other (0xde)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 63  Numsec = 80262

 

    Partition 1 type is Primary (0x7)

    Partition is ACTIVE.

    Partition starts at LBA: 81920  Numsec = 33050624

    Partition file system is NTFS

    Partition is bootable

 

    Partition 2 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 33132544  Numsec = 455262208

 

    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

Disk Size: 250059350016 bytes

Sector size: 512 bytes

 

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...

Done!

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa80064cd790, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80033cc500, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80064cd790, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa80076b6b60, DeviceName: \Device\00000083\, DriverName: \Driver\USBSTOR\

------------ End ----------

Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 43B109D3

 

Partition information:

 

    Partition 0 type is Other (0xc)

    Partition is ACTIVE.

    Partition starts at LBA: 63  Numsec = 31405761

    Partition file system is FAT32

    Partition is not bootable

 

    Partition 1 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

    Partition 2 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

Disk Size: 16079781888 bytes

Sector size: 512 bytes

 

Done!

Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS|DeleteFlag --> [Trojan.ZeroAccess]

Scan finished

Creating System Restore point...

Cleaning up...

Executing an action fixdamage.exe...

Success!

Queuing an action fixdamage.exe

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

 

 

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 10.0.9200.16686

 

Java version: 1.6.0_30

 

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 2055868416, free: 1163464704

 

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 10.0.9200.16686

 

Java version: 1.6.0_30

 

File system is: FAT32

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 2055868416, free: 958595072

 

Downloaded database version: v2013.09.25.07

Downloaded database version: v2013.09.23.01

=======================================

Initializing...

------------ Kernel report ------------

     09/25/2013 12:36:10

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\System32\drivers\imofugc.sys

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\intelide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\mfehidk.sys

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\mfewfpk.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vpcnfltr.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\vpcvmm.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\igdkmd64.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\vpcusb.sys

\SystemRoot\system32\DRIVERS\usbrpm.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\vpchbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\CHDRT64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\system32\drivers\mfeavfk.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\mvusbews.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys

\??\C:\Windows\system32\drivers\LMIRfsDriver.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\drivers\mfeapfk.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\wininet.dll

\Windows\System32\gdi32.dll

\Windows\System32\sechost.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\normaliz.dll

\Windows\System32\difxapi.dll

\Windows\System32\imagehlp.dll

\Windows\System32\comdlg32.dll

\Windows\System32\msvcrt.dll

\Windows\System32\lpk.dll

\Windows\System32\psapi.dll

\Windows\System32\nsi.dll

\Windows\System32\urlmon.dll

\Windows\System32\msctf.dll

\Windows\System32\Wldap32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\ole32.dll

\Windows\System32\imm32.dll

\Windows\System32\clbcatq.dll

\Windows\System32\advapi32.dll

\Windows\System32\iertutil.dll

\Windows\System32\user32.dll

\Windows\System32\kernel32.dll

\Windows\System32\ws2_32.dll

\Windows\System32\usp10.dll

\Windows\System32\shell32.dll

\Windows\System32\setupapi.dll

\Windows\System32\shlwapi.dll

\Windows\System32\comctl32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll

\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll

\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll

\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll

\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll

\Windows\System32\wintrust.dll

\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

\Windows\System32\devobj.dll

\Windows\System32\crypt32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa80050f6060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000073\

Lower Device Object: 0xfffffa80050d4860

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800415b060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8003eb4060

Lower Device Driver Name: \Driver\atapi\

<<<2>>>

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800415b060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800415bab0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800415b060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8003deb520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8003eb4060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 59BFA23C

 

Partition information:

 

    Partition 0 type is Other (0xde)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 63  Numsec = 80262

 

    Partition 1 type is Primary (0x7)

    Partition is ACTIVE.

    Partition starts at LBA: 81920  Numsec = 33050624

    Partition file system is NTFS

    Partition is bootable

 

    Partition 2 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 33132544  Numsec = 455262208

 

    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

Disk Size: 250059350016 bytes

Sector size: 512 bytes

 

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...

Done!

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa80050f6060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80050f6b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80050f6060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa80050d4860, DeviceName: \Device\00000073\, DriverName: \Driver\USBSTOR\

------------ End ----------

Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 43B109D3

 

Partition information:

 

    Partition 0 type is Other (0xc)

    Partition is ACTIVE.

    Partition starts at LBA: 63  Numsec = 31405761

    Partition file system is FAT32

    Partition is not bootable

 

    Partition 1 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

    Partition 2 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

Disk Size: 16079781888 bytes

Sector size: 512 bytes

 

Done!

Infected: c:\program files (x86)\google\desktop\install\{ad884ada-701a-b315-0036-1eb93e6b235c}\    --> [Trojan.0Access]

Infected: c:\program files (x86)\google\desktop\install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \... --> [Trojan.0Access]

Infected: c:\program files (x86)\google\desktop\install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \...\‮ﯹ๛ --> [Trojan.0Access]

Infected: c:\program files (x86)\google\desktop\install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \...\‮ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c} --> [Trojan.0Access]

Infected: c:\program files (x86)\google\desktop\install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \...\‮ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\l --> [Trojan.0Access]

Infected: c:\program files (x86)\google\desktop\install\{ad884ada-701a-b315-0036-1eb93e6b235c}\   \...\‮ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\u --> [Trojan.0Access]

Infected: C:\Program Files (x86)\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c} --> [Trojan.0Access]

Scan finished

Creating System Restore point...

Cleaning up...

Executing an action fixdamage.exe...

Success!

Queuing an action fixdamage.exe

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

 

 

Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_81920_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_1_0_63_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...

Removal finished

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 10.0.9200.16686

 

Java version: 1.6.0_30

 

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 2055868416, free: 584704000

 

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 10.0.9200.16686

 

Java version: 1.6.0_30

 

File system is: FAT32

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 2055868416, free: 544391168

 

Initializing...

=======================================

------------ Kernel report ------------

     09/25/2013 13:03:30

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\imofugc.sys

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\intelide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\mfehidk.sys

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\mfewfpk.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vpcnfltr.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\vpcvmm.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\igdkmd64.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\vpcusb.sys

\SystemRoot\system32\DRIVERS\usbrpm.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\vpchbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\CHDRT64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\system32\drivers\mfeavfk.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\mvusbews.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys

\??\C:\Windows\system32\drivers\LMIRfsDriver.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\drivers\mfeapfk.sys

\SystemRoot\system32\drivers\spsys.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\msctf.dll

\Windows\System32\iertutil.dll

\Windows\System32\shlwapi.dll

\Windows\System32\wininet.dll

\Windows\System32\ws2_32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\imagehlp.dll

\Windows\System32\urlmon.dll

\Windows\System32\difxapi.dll

\Windows\System32\clbcatq.dll

\Windows\System32\kernel32.dll

\Windows\System32\nsi.dll

\Windows\System32\ole32.dll

\Windows\System32\usp10.dll

\Windows\System32\sechost.dll

\Windows\System32\setupapi.dll

\Windows\System32\psapi.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\advapi32.dll

\Windows\System32\Wldap32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\gdi32.dll

\Windows\System32\shell32.dll

\Windows\System32\imm32.dll

\Windows\System32\user32.dll

\Windows\System32\normaliz.dll

\Windows\System32\msvcrt.dll

\Windows\System32\lpk.dll

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa8005585060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000073\

Lower Device Object: 0xfffffa80055873f0

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8004142060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8003e10060

Lower Device Driver Name: \Driver\atapi\

<<<2>>>

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8004142060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8004142b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8004142060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8003059cf0, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8003e10060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 59BFA23C

 

Partition information:

 

    Partition 0 type is Other (0xde)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 63  Numsec = 80262

 

    Partition 1 type is Primary (0x7)

    Partition is ACTIVE.

    Partition starts at LBA: 81920  Numsec = 33050624

    Partition file system is NTFS

    Partition is bootable

 

    Partition 2 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 33132544  Numsec = 455262208

 

    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

Disk Size: 250059350016 bytes

Sector size: 512 bytes

 

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...

Done!

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa8005585060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8005587a50, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8005585060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa80055873f0, DeviceName: \Device\00000073\, DriverName: \Driver\USBSTOR\

------------ End ----------

Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 43B109D3

 

Partition information:

 

    Partition 0 type is Other (0xc)

    Partition is ACTIVE.

    Partition starts at LBA: 63  Numsec = 31405761

    Partition file system is FAT32

    Partition is not bootable

 

    Partition 1 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

    Partition 2 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0

 

Disk Size: 16079781888 bytes

Sector size: 512 bytes

 

Done!

Scan finished

=======================================

Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_81920_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_1_0_63_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...

Removal finished

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1005

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 10.0.9200.16686

 

Java version: 1.6.0_30

 

File system is: FAT32

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 2055868416, free: 1114169344

 

=======================================

Initializing...

------------ Kernel report ------------

     09/25/2013 14:13:11

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\imofugc.sys

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\intelide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\mfehidk.sys

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\mfewfpk.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vpcnfltr.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\vpcvmm.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\igdkmd64.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\vpcusb.sys

\SystemRoot\system32\DRIVERS\usbrpm.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\vpchbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\CHDRT64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\system32\drivers\mfeavfk.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\mvusbews.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys

\??\C:\Windows\system32\drivers\LMIRfsDriver.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\drivers\mfeapfk.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\msctf.dll

\Windows\System32\iertutil.dll

\Windows\System32\shlwapi.dll

\Windows\System32\wininet.dll

\Windows\System32\ws2_32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\imagehlp.dll

\Windows\System32\urlmon.dll

\Windows\System32\difxapi.dll

\Windows\System32\clbcatq.dll

\Windows\System32\kernel32.dll

\Windows\System32\nsi.dll

\Windows\System32\ole32.dll

\Windows\System32\usp10.dll

\Windows\System32\sechost.dll

\Windows\System32\setupapi.dll

\Windows\System32\psapi.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\advapi32.dll

\Windows\System32\Wldap32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\gdi32.dll

\Windows\System32\shell32.dll

\Windows\System32\imm32.dll

\Windows\System32\user32.dll

\Windows\System32\normaliz.dll

\Windows\System32\msvcrt.dll

\Windows\System32\lpk.dll

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa8005585060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000073\

Lower Device Object: 0xfffffa80055873f0

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8004142060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8003e10060

Lower Device Driver Name: \Driver\atapi\

<<<2>>>

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8004142060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8004142b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8004142060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8003059cf0, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8003e10060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scan Interrupted

Scan was aborted.

=======================================

mbar-log-2013-09-24 (18-16-57).txt

mbar-log-2013-09-25 (12-36-21).txt

mbar-log-2013-09-25 (13-03-48).txt


Got two logs when I did this.  It's still showing items in the registry.  I haven't touched it although it prompted me to delete.  I still have the program running so I can always do that.  

 

RogueKiller V8.6.12 _x64_ [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mark [Admin rights]
Mode : Scan -- Date : 09/26/2013 09:43:20
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST3250312AS ATA Device +++++
--- User ---
[MBR] f85a9c5b41f9f2c5094742aa1f572590
[BSP] a4506bc62a4c110fe78c6c653e69f8cf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 16138 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33132544 | Size: 222296 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Corsair Voyager USB Device +++++
--- User ---
[MBR] 6476da95bc9ffaebf3a0c96cbffeee9d
[BSP] 4d98459d102461d8401cbd979d7653d4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 15334 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_S_09262013_094320.txt >>
RKreport[0]_D_09242013_173851.txt;RKreport[0]_D_09242013_174050.txt;RKreport[0]_S_09242013_091628.txt
RKreport[0]_S_09242013_173558.txt;RKreport[0]_S_09242013_173954.txt;RKreport[0]_S_09242013_174044.txt
RKreport[0]_S_09262013_093103.txt

RKreport0_S_09262013_093103.txt


They're just registry entries:

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

 

[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND

[RUN][ZeroAccess] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND

Now click Delete on the right hand column under Options

-------------

Reboot and run another scan to be sure they're gone.

MrC


They won't delete.  I've run the scan and tried to delete multiple times.  

 

RogueKiller V8.6.12 _x64_ [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mark [Admin rights]
Mode : Scan -- Date : 09/26/2013 11:12:08
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1161076497-1869969079-2570105235-1339\[...]\Run : Google Update ("C:\Users\mark\AppData\Local\Google\Desktop\Install\{ad884ada-701a-b315-0036-1eb93e6b235c}\???\???\???ﯹ๛\{ad884ada-701a-b315-0036-1eb93e6b235c}\GoogleUpdate.exe" >) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST3250312AS ATA Device +++++
--- User ---
[MBR] f85a9c5b41f9f2c5094742aa1f572590
[BSP] a4506bc62a4c110fe78c6c653e69f8cf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 16138 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33132544 | Size: 222296 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Corsair Voyager USB Device +++++
--- User ---
[MBR] 6476da95bc9ffaebf3a0c96cbffeee9d
[BSP] 4d98459d102461d8401cbd979d7653d4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 15334 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_S_09262013_111208.txt >>

OK...we have to use FRST:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-09-2013

Ran by mark (administrator) on EWPC09 on 27-09-2013 09:25:38

Running from E:\

Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 10

Boot Mode: Normal

 

==================== Processes (Whitelisted) =================

 

() C:\Program Files (x86)\Century\TinyTERM\NetUtils\Cenlpd.exe

(HP) C:\Windows\system32\HPSIsvc.exe

(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe

(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe

(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

(McAfee, Inc.) C:\Windows\system32\mfevtps.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe

(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe

(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe

() C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\McTray.exe

(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()

HKLM\...\Run: [DBRMTray] - C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)

HKLM\...\Run: [LogMeIn GUI] - C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)

HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKLM\...\Policies\Explorer: [NoControlPanel] 0

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

MountPoints2: {fa1c0c2e-2a6f-11e1-b0f0-d067e502f012} - E:\SISetup.exe

HKLM-x32\...\Run: [] - [x]

HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)

HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()

HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [McAfeeUpdaterUI] - C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [333416 2012-09-05] (McAfee, Inc.)

HKLM-x32\...\Run: [ShStatEXE] - C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [215656 2012-08-14] (McAfee, Inc.)

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1

SearchScopes: HKLM - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLSDF8&pc=MDDS&src=IE-SearchBox

SearchScopes: HKLM-x32 - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLSDF8&pc=MDDS&src=IE-SearchBox

SearchScopes: HKCU - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = 

SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = 

BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130410110638.dll (McAfee, Inc.)

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130410110638.dll (McAfee, Inc.)

BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.11

 

FireFox:

========

FF ProfilePath: C:\Users\mark\AppData\Roaming\Mozilla\Firefox\Profiles\7mwejkcn.default

FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF Plugin-x32: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore

FF Extension: IDS_SS_NAME - C:\Program Files (x86)\Common Files\McAfee\SystemCore

 

Chrome: 

=======



CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)

CHR Plugin: (Java Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File

CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File

CHR Extension: (Chrome In-App Payments service) - C:\Users\mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0

 

==================== Services (Whitelisted) =================

 

R2 CenLPD; C:\Program Files (x86)\Century\TinyTERM\NetUtils\Cenlpd.exe [102400 2004-03-04] ()

R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2013-06-07] (LogMeIn, Inc.)

R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2013-06-07] (LogMeIn, Inc.)

R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)

R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [132712 2012-09-05] (McAfee, Inc.)

R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [202376 2012-09-25] (McAfee, Inc.)

R2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [210056 2012-08-14] (McAfee, Inc.)

R2 mfevtp; C:\Windows\system32\mfevtps.exe [170440 2012-09-25] (McAfee, Inc.)

 

==================== Drivers (Whitelisted) ====================

 

R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)

R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [169192 2012-09-25] (McAfee, Inc.)

R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [282736 2012-09-25] (McAfee, Inc.)

R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [673624 2012-09-25] (McAfee, Inc.)

S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [101200 2012-09-25] (McAfee, Inc.)

R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [305280 2012-09-25] (McAfee, Inc.)

R3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2010-10-13] (Marvell Semiconductor, Inc.)

S4 LMIRfsClientNP; No ImagePath

U3 mfeavfk01; No ImagePath

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-09-27 09:25 - 2013-09-27 09:25 - 00000000 ____D C:\FRST

2013-09-26 12:54 - 2013-09-26 14:17 - 00029184 _____ C:\Users\mark\Desktop\Paper Turns Ins aug 26 to sept 6.xls

2013-09-26 11:07 - 2013-09-26 11:11 - 00000000 ____D C:\Users\mark\Desktop\RK_Quarantine

2013-09-24 18:16 - 2013-09-24 18:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-23 16:44 - 2013-09-23 16:44 - 00012804 ____H C:\Users\mark\Documents\~WRL3495.tmp

2013-09-23 12:27 - 2013-09-23 12:27 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2013-09-20 13:07 - 2013-09-20 13:07 - 02347384 _____ (ESET) C:\Users\mark\Downloads\esetsmartinstaller_enu (2).exe

2013-09-20 13:07 - 2013-09-20 13:07 - 00000000 ____D C:\Program Files (x86)\ESET

2013-09-20 13:06 - 2013-09-20 13:07 - 02347384 _____ (ESET) C:\Users\mark\Downloads\esetsmartinstaller_enu (1).exe

2013-09-20 13:06 - 2013-09-20 13:06 - 02347384 _____ (ESET) C:\Users\mark\Downloads\esetsmartinstaller_enu.exe

2013-09-19 13:32 - 2013-09-19 15:58 - 00220712 _____ C:\Users\mark\Documents\staver plan.fdd

2013-09-19 13:30 - 2013-09-19 13:30 - 00201968 _____ C:\Users\mark\Documents\staver credit app.fdd

2013-09-19 13:26 - 2013-09-19 13:31 - 00024928 _____ C:\Users\mark\Documents\Staver insurance.fdd

2013-09-19 13:19 - 2013-09-19 13:21 - 00220744 _____ C:\Users\mark\Downloads\Staver plan.fdd

2013-09-16 17:56 - 2013-09-24 18:28 - 00000000 ____D C:\QUARANTINE

2013-09-16 15:14 - 2013-09-27 08:38 - 00000000 ____D C:\ProgramData\LogMeIn

2013-09-16 15:14 - 2013-09-16 15:33 - 00000000 ____D C:\Program Files (x86)\LogMeIn

2013-09-16 15:14 - 2013-09-16 15:14 - 00001024 _____ C:\.rnd

2013-09-16 15:14 - 2013-09-16 15:14 - 00000000 ____D C:\Users\mark\AppData\Local\LogMeIn

2013-09-16 15:14 - 2013-06-07 23:28 - 00107368 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIRfsClientNP.dll

2013-09-16 15:14 - 2013-06-07 23:28 - 00100680 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll

2013-09-16 15:14 - 2013-06-07 23:28 - 00035656 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll

2013-09-16 15:14 - 2013-04-30 10:57 - 00072216 _____ (LogMeIn, Inc.) C:\Windows\system32\Drivers\LMIRfsDriver.sys

2013-09-16 15:11 - 2013-09-16 15:12 - 00000000 ____D C:\Users\mark\AppData\Local\Deployment

2013-09-16 15:11 - 2013-09-16 15:11 - 00000000 ____D C:\Users\mark\AppData\Local\Apps\2.0

2013-09-11 19:46 - 2013-08-09 22:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2013-09-11 19:46 - 2013-08-09 22:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2013-09-11 19:46 - 2013-08-09 22:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2013-09-11 19:46 - 2013-08-09 22:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2013-09-11 19:46 - 2013-08-09 22:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2013-09-11 19:46 - 2013-08-09 22:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2013-09-11 19:46 - 2013-08-09 22:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2013-09-11 19:46 - 2013-08-09 20:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-09-11 19:46 - 2013-08-09 20:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-09-11 19:46 - 2013-08-09 20:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-09-11 19:46 - 2013-08-09 20:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2013-09-11 19:46 - 2013-08-09 20:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-09-11 19:46 - 2013-08-09 19:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe

2013-09-11 19:46 - 2013-08-09 19:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-09-11 19:45 - 2013-08-09 20:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-09-11 03:35 - 2013-08-07 18:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2013-09-11 03:35 - 2013-08-04 19:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys

2013-09-11 03:35 - 2013-08-01 19:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe

2013-09-11 03:35 - 2013-08-01 19:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll

2013-09-11 03:35 - 2013-08-01 19:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll

2013-09-11 03:35 - 2013-08-01 19:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll

2013-09-11 03:35 - 2013-08-01 19:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll

2013-09-11 03:35 - 2013-08-01 19:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll

2013-09-11 03:35 - 2013-08-01 19:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll

2013-09-11 03:35 - 2013-08-01 19:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll

2013-09-11 03:35 - 2013-08-01 19:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2013-09-11 03:35 - 2013-08-01 18:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2013-09-11 03:35 - 2013-08-01 18:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll

2013-09-11 03:35 - 2013-08-01 18:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2013-09-11 03:35 - 2013-08-01 18:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2013-09-11 03:35 - 2013-08-01 18:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 18:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe

2013-09-11 03:35 - 2013-08-01 17:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe

2013-09-11 03:35 - 2013-08-01 17:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-09-11 03:35 - 2013-08-01 17:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-09-11 03:35 - 2013-08-01 17:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-09-11 03:35 - 2013-08-01 17:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-09-11 03:35 - 2013-08-01 17:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 17:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 17:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2013-09-11 03:35 - 2013-08-01 17:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2013-09-11 03:35 - 2013-07-25 19:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll

2013-09-11 03:35 - 2013-07-25 19:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll

2013-09-11 03:35 - 2013-07-25 18:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-09-11 03:35 - 2013-07-25 18:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-09-05 11:57 - 2013-09-25 14:00 - 00031232 _____ C:\Users\mark\Desktop\Paper Turn Ins aug 12 to aug 23 2013.xls

 

==================== One Month Modified Files and Folders =======

 

2013-09-27 09:25 - 2013-09-27 09:25 - 00000000 ____D C:\FRST

2013-09-27 09:24 - 2012-11-12 13:29 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-09-27 09:24 - 2011-12-16 18:08 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl

2013-09-27 08:50 - 2012-04-11 12:38 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-09-27 08:38 - 2013-09-16 15:14 - 00000000 ____D C:\ProgramData\LogMeIn

2013-09-27 08:35 - 2012-11-12 13:29 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-09-27 08:07 - 2011-10-27 23:05 - 01919562 _____ C:\Windows\WindowsUpdate.log

2013-09-26 19:57 - 2009-07-13 21:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-09-26 19:57 - 2009-07-13 21:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-09-26 19:49 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-09-26 19:49 - 2009-07-13 21:51 - 00039627 _____ C:\Windows\setupact.log

2013-09-26 17:00 - 2011-12-16 18:03 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job

2013-09-26 14:17 - 2013-09-26 12:54 - 00029184 _____ C:\Users\mark\Desktop\Paper Turns Ins aug 26 to sept 6.xls

2013-09-26 11:11 - 2013-09-26 11:07 - 00000000 ____D C:\Users\mark\Desktop\RK_Quarantine

2013-09-26 03:25 - 2010-11-20 20:47 - 00073978 _____ C:\Windows\PFRO.log

2013-09-26 03:08 - 2011-12-19 10:05 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-09-26 03:08 - 2009-07-13 19:34 - 00000478 _____ C:\Windows\win.ini

2013-09-25 14:00 - 2013-09-05 11:57 - 00031232 _____ C:\Users\mark\Desktop\Paper Turn Ins aug 12 to aug 23 2013.xls

2013-09-24 18:28 - 2013-09-16 17:56 - 00000000 ____D C:\QUARANTINE

2013-09-24 18:16 - 2013-09-24 18:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-24 17:35 - 2011-12-16 18:17 - 00000000 ____D C:\Users\mark

2013-09-23 20:08 - 2011-12-19 19:48 - 00000000 ____D C:\Users\mark\AppData\Roaming\Jyru

2013-09-23 16:44 - 2013-09-23 16:44 - 00012804 ____H C:\Users\mark\Documents\~WRL3495.tmp

2013-09-23 12:29 - 2009-07-13 22:13 - 00782732 _____ C:\Windows\system32\PerfStringBackup.INI

2013-09-23 12:27 - 2013-09-23 12:27 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2013-09-21 13:38 - 2012-11-12 13:30 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk

2013-09-20 13:07 - 2013-09-20 13:07 - 02347384 _____ (ESET) C:\Users\mark\Downloads\esetsmartinstaller_enu (2).exe

2013-09-20 13:07 - 2013-09-20 13:07 - 00000000 ____D C:\Program Files (x86)\ESET

2013-09-20 13:07 - 2013-09-20 13:06 - 02347384 _____ (ESET) C:\Users\mark\Downloads\esetsmartinstaller_enu (1).exe

2013-09-20 13:06 - 2013-09-20 13:06 - 02347384 _____ (ESET) C:\Users\mark\Downloads\esetsmartinstaller_enu.exe

2013-09-20 01:50 - 2012-04-11 12:38 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-09-20 01:50 - 2012-04-11 12:38 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

2013-09-20 01:50 - 2011-10-27 21:10 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-09-19 15:58 - 2013-09-19 13:32 - 00220712 _____ C:\Users\mark\Documents\staver plan.fdd

2013-09-19 13:35 - 2011-12-19 11:21 - 00000000 ____D C:\Users\mark\Documents\Outlook Files

2013-09-19 13:31 - 2013-09-19 13:26 - 00024928 _____ C:\Users\mark\Documents\Staver insurance.fdd

2013-09-19 13:30 - 2013-09-19 13:30 - 00201968 _____ C:\Users\mark\Documents\staver credit app.fdd

2013-09-19 13:21 - 2013-09-19 13:19 - 00220744 _____ C:\Users\mark\Downloads\Staver plan.fdd

2013-09-18 14:39 - 2011-12-19 11:52 - 00000000 ____D C:\Users\mark\AppData\Roaming\Macromedia

2013-09-16 17:57 - 2012-11-12 13:29 - 00000000 ____D C:\Program Files (x86)\Google

2013-09-16 17:56 - 2012-11-12 13:29 - 00000000 ____D C:\Users\mark\AppData\Local\Google

2013-09-16 15:33 - 2013-09-16 15:14 - 00000000 ____D C:\Program Files (x86)\LogMeIn

2013-09-16 15:14 - 2013-09-16 15:14 - 00001024 _____ C:\.rnd

2013-09-16 15:14 - 2013-09-16 15:14 - 00000000 ____D C:\Users\mark\AppData\Local\LogMeIn

2013-09-16 15:12 - 2013-09-16 15:11 - 00000000 ____D C:\Users\mark\AppData\Local\Deployment

2013-09-16 15:11 - 2013-09-16 15:11 - 00000000 ____D C:\Users\mark\AppData\Local\Apps\2.0

2013-09-13 05:00 - 2011-12-16 18:03 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job

2013-09-12 14:30 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache

2013-09-12 13:50 - 2011-12-16 18:17 - 00000000 ___RD C:\Users\mark\Virtual Machines

2013-09-12 13:50 - 2011-12-16 18:17 - 00000000 ___RD C:\Users\mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

2013-09-12 13:50 - 2011-12-16 18:17 - 00000000 ___RD C:\Users\mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools

2013-09-12 13:49 - 2009-07-13 21:45 - 00399896 _____ C:\Windows\system32\FNTCACHE.DAT

2013-09-11 19:45 - 2013-08-14 18:55 - 00000000 ____D C:\Windows\system32\MRT

2013-09-11 19:30 - 2011-12-19 09:54 - 79143768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2013-09-11 19:21 - 2011-02-10 07:33 - 00778900 _____ C:\Windows\SysWOW64\PerfStringBackup.INI

 

Files to move or delete:

====================

ZeroAccess:

C:\Program Files (x86)\Google\Desktop\Install

 

 

Some content of TEMP:

====================

C:\Users\administrator.EWIRELESS\AppData\Local\Temp\AskSLib.dll

C:\Users\administrator.EWIRELESS\AppData\Local\Temp\MSN191D.exe

C:\Users\mark\AppData\Local\Temp\InstallFlashPlayer.exe

C:\Users\mark\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe

C:\Users\mark\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe

C:\Users\mark\AppData\Local\Temp\siinst.exe

C:\Users\mark\AppData\Local\Temp\strings.dll

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

LastRegBack: 2013-09-21 00:33

 

==================== End Of Log ============================

Addition.txt

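The FRST.txt above is long, and most of it is whitelisted noise. What a helper actually pulls out of it is a handful of line shapes: the entries FRST itself tags with `<===== ATTENTION`, autorun values whose target is `[x]` (file missing), services or drivers with `No ImagePath`, plugins marked `No File`, paths listed under the `ZeroAccess:` sub-header, and any system binary in the Bamital & volsnap check whose verdict is not `MD5 is legit`. The following Python triage is an added example written for this thread; it is not code from the posters, from Malwarebytes or from FRST. The lines in `SAMPLE_LOG` are copied from the posted log; the reason strings and the rule for which entries go into a draft fixlist are this example's own assumptions (the fixlist rule is chosen to reproduce the two entries the helper put in the fixlist later in this thread).

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the entries a helper
would look at first.

Added example for this thread: not code from the posters, Malwarebytes or
FRST. SAMPLE_LOG is copied from the FRST.txt posted above; the triage rules
and reason strings are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "HKLM\...\Run: [Name] - target"  (hive may carry a -x32 suffix)
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU)(?:-x32)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] - (?P<target>.*)$"
)
# "R2 Name; image path [...]" for services and drivers
SVC_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# "C:\path\file.exe => verdict" from the Bamital & volsnap check
HASH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

# Only these reasons are copied into the draft fixlist (assumption: this
# mirrors the two lines the helper actually put in the fixlist in this thread).
FIXLIST_REASONS = {"flagged by FRST", "listed by FRST under ZeroAccess"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def classify(line: str, section: str) -> str | None:
    """Return a reason string if the line deserves a second look, else None."""
    if "<===== ATTENTION" in line:
        return "flagged by FRST"
    if section == "ZeroAccess":
        return "listed by FRST under ZeroAccess"
    m = RUN_RE.match(line)
    if m:  # "[x]" is FRST's marker for an autorun value whose file is missing
        return "autorun value with no file behind it" if m.group("target").startswith("[x]") else None
    if line.startswith("MountPoints2:"):
        return "autorun handler for a removable volume"
    m = SVC_RE.match(line)
    if m:
        return "service or driver with no ImagePath" if "No ImagePath" in m.group("rest") else None
    if line.endswith(" No File"):
        return "registered plugin or extension whose file is gone"
    m = HASH_RE.match(line)
    if m:
        return None if m.group("verdict") == "MD5 is legit" else "system binary failed FRST's hash check"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk the log, tracking the current section header, and collect findings."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):          # "==== Section ====" headers
            name = line.strip("= ")
            if name:
                section = name
            continue
        if line.endswith(":"):            # "FireFox:", "ZeroAccess:" sub-headers
            section = line[:-1]
            continue
        reason = classify(line, section)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def draft_fixlist(findings: list[Finding]) -> list[str]:
    """Lines to paste into fixlist.txt, with FRST's trailing comment removed."""
    return [f.line.split(" <=====")[0].rstrip() for f in findings if f.reason in FIXLIST_REASONS]


# Sample input: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {fa1c0c2e-2a6f-11e1-b0f0-d067e502f012} - E:\SISetup.exe
HKLM-x32\...\Run: [] - [x]
FireFox:
========
FF Plugin: @microsoft.com/GENUINE - disabled No File
==================== Drivers (Whitelisted) ====================
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [673624 2012-09-25] (McAfee, Inc.)
S4 LMIRfsClientNP; No ImagePath
U3 mfeavfk01; No ImagePath
Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}: {f.line}")
    print("\nDraft fixlist entries:")
    print("\n".join(draft_fixlist(found)))
```

The output is a triage list, not a verdict. Of the seven hits on the sample, only the `ATTENTION` Run value and the ZeroAccess path are copied into the draft fixlist; the two `No ImagePath` drivers carry names matching the LogMeIn and McAfee components listed elsewhere in the same log and are left for a human to judge, which is also what the helper's fixlist in this thread does.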

Download the attached fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.
[image: reply1.jpg]

New window that comes up.
[image: replyer1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

 

-----------------------

Last, run another scan with RogueKiller and delete any ZeroAccess entries.

Let me know.........MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-09-2013 02
Ran by mark at 2013-09-30 09:12:46 Run:1
Running from E:\
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x]
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\administrator.EWIRELESS\AppData\Local\Temp\AskSLib.dll
C:\Users\administrator.EWIRELESS\AppData\Local\Temp\MSN191D.exe
C:\Users\mark\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\mark\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\mark\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\mark\AppData\Local\Temp\siinst.exe
C:\Users\mark\AppData\Local\Temp\strings.dll
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
C:\Users\administrator.EWIRELESS\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\administrator.EWIRELESS\AppData\Local\Temp\MSN191D.exe => Moved successfully.
C:\Users\mark\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\mark\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\mark\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\mark\AppData\Local\Temp\siinst.exe => Moved successfully.
C:\Users\mark\AppData\Local\Temp\strings.dll => Moved successfully.

==== End of Fixlog ====

 

All clear, it seems.

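Before calling a host like this "all clear", it is worth re-checking the same three things the FRST log and fixlist above touched, independently of the cleanup tools. The script below is an added example written for this thread; it is not from the original posts, nor from FRST, MBAR or RogueKiller. It assumes an elevated PowerShell prompt on the cleaned Windows 7 / 2008 R2 (or later) machine, the binary list `$Critical` is my copy of what FRST's "Bamital & volsnap Check" names, and the hashes are printed rather than compared because the known-good values change with every patch (the assumption is that you compare them against a clean host at the same patch level). `Get-AuthenticodeSignature` is deliberately not used: the system binaries on Windows 7 are catalog-signed, and the PowerShell versions shipped for it do not consult the catalog, so they report `NotSigned` even when the file is genuine.

```powershell
# Added post-cleanup verification script (not from the thread or the tools it uses).
# Assumptions: elevated PowerShell on Windows 7 / 2008 R2 or later; $Critical mirrors
# FRST's "Bamital & volsnap Check" list; reference hashes come from a clean host at
# the same patch level and are not hard-coded here.

$Critical = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

function Get-Sha256Hex {
    # .NET hashing so this also runs on PowerShell 2.0, which has no Get-FileHash.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

Write-Output "== 1. Critical binaries: compare hashes against a clean host at the same patch level =="
foreach ($p in $Critical) {
    if (Test-Path -LiteralPath $p) { "{0}  {1}" -f (Get-Sha256Hex $p), $p }
    else                           { "MISSING  $p" }
}

Write-Output "== 2. Winlogon Shell / Userinit must point at the real binaries =="
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Shell    = $($wl.Shell)"
"Userinit = $($wl.Userinit)"
# Defaults are "explorer.exe" and "<SystemRoot>\system32\userinit.exe," (trailing comma).
if ($wl.Shell -ne 'explorer.exe') { 'WARN: Shell value altered' }
$userinitOk = '^' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$'
if ($wl.Userinit -notmatch $userinitOk) { 'WARN: Userinit value altered' }

Write-Output "== 3. Run keys; a value whose target is gone is what FRST prints as [x] =="
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($keyPath in $RunKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # First token of the command line, quoted or not, with %VARS% expanded.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
        $note = if ($exe -and (Test-Path -LiteralPath $exe)) { '' } else { '   <-- target missing' }
        "{0}\{1} = {2}{3}" -f $keyPath, $name, $cmd, $note
    }
}

Write-Output "== 4. Executables and DLLs still sitting in per-user Temp =="
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\Temp" -Include *.exe, *.dll -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { "{0:yyyy-MM-dd HH:mm}  {1,10}  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName }
```

Run it once on the cleaned machine and once on a known-clean machine at the same patch level and diff the two outputs; any hash that differs in section 1, or any WARN in section 2, means the cleanup is not finished regardless of what the scanners report. `sfc /verifyonly` checks the same binaries against the component store and is a reasonable built-in cross-check. Section 4 lists installers and leftover DLLs just as the fixlist did; files there are not automatically malicious, but on a server nothing should need to live in a user's Temp folder.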
