Re-infected with Zero Access, or False Possitive?

Threeff · October 6, 2013

MrCharlie did a great job helping me with this issue a few months ago. We went thru the process and the computer seemed clean. She started running a little slow so I ran MalwareByte Chameleon and the log is as follows..... (WIndows XP SP3)....

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.06.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: YOUR-4105E587B6 [administrator]

10/6/2013 12:07:02 PM
MBAM-log-2013-10-06 (12-23-03).txt

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab (PUP.Optional.DefaultTab.A) -> No action taken.

Files Detected: 1
C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll (PUP.Optional.DefaultTab) -> No action taken.

(end)

Do I have the same infection, new infection or false possitive? The original thread for this virus is titled "ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte ", 2 aug 2013.

Threeff · October 6, 2013

I've switched from Symantec to Avast, which did not detect anything so far.

MrCharlie · October 6, 2013

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Threeff · October 7, 2013

The first scan using RogueKiller didn't seem to work right, This is the result.....

[Params]
EulaAccepted=true

I ran again with a better result......

RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : CPQ OWNER [Admin rights]
Mode : Scan -- Date : 10/06/2013 22:01:47
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 6 ¤¤¤
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[inline] EAT @iexplore.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D118A0)
[inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)
[inline] EAT @iexplore.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11A70)
[inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 405dba045b3d8f3e86599d0759ec383d
[bSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10062013_220147.txt >>

MrCharlie · October 7, 2013

You're infected...please do this:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

Threeff · October 7, 2013

The file {ff24043d-55f8-5ce9-a20a-8337d9b4b888} sees the same as the last infection 2 months ago.

MrCharlie · October 7, 2013

It's in 23,500 other infections also.

MrC

Threeff · October 7, 2013

Should I close RogueKiller before running Farbar?

MrCharlie · October 7, 2013

Yes.....MrC

Threeff · October 7, 2013

Ran Fabar without closing Rogue.... seemed to work

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by CPQ OWNER (administrator) on YOUR-4105E587B6 on 06-10-2013 22:18:24
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastUI.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
() C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Run StartupMonitor] - C:\Windows\StartupMonitor.exe [86016 2000-05-20] ()
HKLM\...\Run: [C:\WINDOWS\system32\V0250Ext.ax] - C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0250Ext.ax
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [ATIPTA] - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-07-13] (ATI Technologies, Inc.)
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-08-30] (AVAST Software)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-02-06] (Google Inc.)
HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [19875432 2013-06-21] (Skype Technologies S.A.)
HKCU\...\Run: [updateMgr] - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [313472 2006-03-30] (Adobe Systems Incorporated)
HKU\Administrator\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {11C0E1A0-5535-4364-A4A4-1603AC408598} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
SearchScopes: HKCU - {11C0E1A0-5535-4364-A4A4-1603AC408598} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
SearchScopes: HKCU - {4A16CC46-CF4B-4C4C-A5EC-0F91C4243308} URL = http://delicious.com/search?p={searchTerms}
SearchScopes: HKCU - {4BE5F0CE-AB46-4FC8-A5BB-96511AECDC22} URL = http://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKCU - {F13A0B7D-4119-4CBA-8E31-7A8EABF0756D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll No File
BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
Toolbar: HKCU - No Name - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
Toolbar: HKCU - No Name - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129639333390
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1263.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-win32.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
S2 gupdate1c9adae1d0975a6; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-03-25] (Google Inc.)
S3 hpqwmi; C:\Program Files\HPQ\SHARED\HPQWMI.exe [98304 2005-03-04] (Hewlett-Packard Development Company, L.P.)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [38912 2005-02-22] ()
S3 SandraDataSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe [173040 2005-03-01] (SiSoftware)
R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [39424 2004-08-11] (Advanced Micro Devices)
R2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2005-07-10] (Windows ® 2000 DDK provider)
R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-08-30] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [66336 2013-08-30] (AVAST Software)
R1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-08-30] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-08-30] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-08-30] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177864 2013-08-30] ()
R3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1391104 2008-10-23] (Broadcom Corporation)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [55320 2005-01-18] (Broadcom Corporation.)
R1 eabfiltr; C:\WINDOWS\system32\drivers\EABFiltr.sys [7432 2004-04-14] (Hewlett-Packard Company)
S3 eabusb; C:\WINDOWS\system32\drivers\eabusb.sys [5220 2003-06-06] (Hewlett-Packard Company)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [8320 2007-03-08] (GARMIN Corp.)
R3 HSFHWATI; C:\Windows\System32\DRIVERS\HSFHWATI.sys [200192 2004-12-15] (Conexant Systems, Inc.)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-08-03] ()
R2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2008-05-20] (RealNetworks, Inc.)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtlnicxp.sys [74496 2005-03-03] (Realtek Semiconductor Corporation )
S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2006-07-24] ()
S3 tbhsd; C:\Windows\System32\drivers\tbhsd.sys [15488 2006-06-21] (RapidSolution Software AG)
U3 TrueSight; C:\WINDOWS\system32\TrueSight.sys [26624 2013-10-06] ()
S3 USB_RNDIS_XP; C:\Windows\System32\DRIVERS\usb8023.sys [12928 2013-02-11] (Microsoft Corporation)
S3 V0250Dev; C:\Windows\System32\DRIVERS\V0250Dev.sys [163840 2006-04-05] (Creative Technology Ltd.)
U5 P3; C:\Windows\System32\Drivers\P3.sys [42752 2008-04-13] (Microsoft Corporation)
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr;
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-06 22:17 - 2013-10-06 22:17 - 00000000 ____D C:\FRST
2013-10-06 22:14 - 2013-10-06 22:15 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
2013-10-06 22:01 - 2013-10-06 22:01 - 00006221 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RKreport[0]_S_10062013_220147.txt
2013-10-06 21:56 - 2013-10-06 21:56 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys
2013-10-06 18:08 - 2013-10-06 22:01 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\RK_Quarantine
2013-10-06 18:07 - 2013-10-06 18:07 - 00950272 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
2013-10-01 09:43 - 2013-10-06 11:37 - 00000783 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Vanity Light.txt
2013-09-17 14:59 - 2013-09-17 14:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$

==================== One Month Modified Files and Folders =======

2013-10-06 22:17 - 2013-10-06 22:17 - 00000000 ____D C:\FRST
2013-10-06 22:16 - 2006-10-14 09:59 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Application Data\Skype
2013-10-06 22:15 - 2013-10-06 22:14 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
2013-10-06 22:01 - 2013-10-06 22:01 - 00006221 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RKreport[0]_S_10062013_220147.txt
2013-10-06 22:01 - 2013-10-06 18:08 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\RK_Quarantine
2013-10-06 21:56 - 2013-10-06 21:56 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys
2013-10-06 18:10 - 2013-08-27 08:02 - 00400824 _____ C:\WINDOWS\WindowsUpdate.log
2013-10-06 18:07 - 2013-10-06 18:07 - 00950272 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
2013-10-06 17:45 - 2012-04-12 10:10 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-10-06 17:22 - 2009-07-10 15:14 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-06 12:45 - 2013-08-21 09:58 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2013-10-06 12:45 - 2004-08-07 09:16 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2013-10-06 12:44 - 2009-07-10 15:14 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-06 12:44 - 2004-08-07 09:16 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-10-06 12:44 - 2004-08-07 01:51 - 00000157 _____ C:\WINDOWS\wiadebug.log
2013-10-06 12:44 - 2004-08-07 01:51 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-10-06 12:43 - 2011-05-01 14:05 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2506212$
2013-10-06 12:41 - 2005-07-04 07:53 - 00000278 ___SH C:\Documents and Settings\CPQ OWNER\ntuser.ini
2013-10-06 12:41 - 2004-08-07 09:16 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt
2013-10-06 11:47 - 2005-07-04 07:53 - 00000000 ____D C:\Documents and Settings\CPQ OWNER
2013-10-06 11:37 - 2013-10-01 09:43 - 00000783 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Vanity Light.txt
2013-10-02 13:01 - 2005-10-10 06:10 - 00000116 _____ C:\WINDOWS\NeroDigital.ini
2013-09-28 19:33 - 2005-07-16 06:13 - 00044544 _____ C:\Documents and Settings\CPQ OWNER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-09-26 21:31 - 2007-07-15 11:45 - 00000000 ___RD C:\Program Files\Skype
2013-09-26 21:31 - 2007-07-15 11:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2013-09-26 20:50 - 2006-09-11 10:59 - 00457728 ___SH C:\Documents and Settings\CPQ OWNER\Desktop\Thumbs.db
2013-09-26 20:44 - 2005-09-15 07:10 - 00001613 _____ C:\WINDOWS\PStudio.ini
2013-09-26 08:58 - 2004-08-07 08:58 - 00002577 ____C C:\WINDOWS\system32\CONFIG.NT
2013-09-26 08:47 - 2012-04-12 10:09 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-09-26 08:47 - 2011-05-21 13:50 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-09-17 20:46 - 2004-08-07 09:02 - 00312376 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-09-17 15:02 - 2009-05-31 18:00 - 00000000 ____D C:\WINDOWS\ie8updates
2013-09-17 14:59 - 2013-09-17 14:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$
2013-09-17 14:53 - 2004-08-07 08:58 - 00000603 _____ C:\WINDOWS\win.ini
2013-09-17 14:51 - 2013-07-16 22:05 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-09-17 14:43 - 2005-09-30 20:52 - 76725432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-09-17 10:18 - 2013-04-11 14:33 - 00001132 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Aztlan.txt
2013-09-08 11:48 - 2008-12-29 10:21 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Pictures - New
2013-09-08 11:19 - 2008-01-22 13:50 - 00000000 ____D C:\WINDOWS\system32\FxsTmp

Some content of TEMP:
====================
C:\Documents and Settings\CPQ OWNER\Local Settings\temp\ntdll_dump.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition log:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-10-2013
Ran by CPQ OWNER at 2013-10-06 22:19:37
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus (Version: 5.0.0.3501)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.175)
Adobe Flash Player 11 Plugin (Version: 11.8.800.168)
Adobe Photoshop 7.0 (Version: 7.0)
Adobe Photoshop Album 2.0 Starter Edition (Version: 2.00.100)
Adobe Reader 7.1.0 (Version: 7.1.0)
Apple Application Support (Version: 1.3.2)
Apple Mobile Device Support (Version: 3.2.0.47)
Apple Software Update (Version: 2.1.2.120)
ArcSoft VideoImpression 1.6FP
Athlon 64 Processor Driver (Version: 1.1.0.18)
ATI - Software Uninstall Utility (Version: 6.14.10.1012)
ATI Control Panel (Version: 6.14.10.5160)
ATI Display Driver (Version: 8.16-050713a1-025450C)
Audacity 1.2.4
AutoUpdate (Version: 1.0)
avast! Free Antivirus (Version: 8.0.1497.0)
Bonjour (Version: 2.0.3.0)
Canon ScanGear Toolbox CS 2.2
CCleaner (Version: 2.29)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Conexant AC-Link Audio
Creative Live! Cam Notebook Pro Driver (1.01.03.0405)
Creative Live! Cam Notebook Pro User's Guide (English)
Creative System Information
Creative WebCam Center
Data Fax SoftModem with SmartCP
DivX (Version: 5.2.1)
DivX Player (Version: 2.5.5)
DVD Shrink 3.2
FinePixViewer Ver.2.0
FUJIFILM USB Driver
Garmin Trip and Waypoint Manager v5 (Version: 5.0.0.0)
Genesys USB Mass Storage Device
Get Yahoo! Messenger
Google Earth (Version: 7.1.1.1888)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Google Update Helper (Version: 1.3.21.153)
Google Video Player
HP Help and Support (Version: 3.200.16.1)
HP Product Detection (Version: 11.15.0009)
HP Software Update (Version: 3.0.5.001)
HP User Guides 0001 (Version: 1.00.0003)
HP Wireless Assistant 1.01 A2 (Version: 1.01 A2)
HpSdpAppCoreApp (Version: 3.00.0000)
InterActual Player
InterVideo WinDVD (Version: 5.0-B11.637)
IrfanView (remove only)
iTunes (Version: 10.0.1.22)
J2SE Runtime Environment 5.0 Update 2 (Version: 1.5.0.20)
Learn2 Player (Uninstall Only)
LS_HSI (Version: 1.0.21.1)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Media Player Codec Pack 4.1.1
MediaMonkey 3.2 (Version: 3.2)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Money 2005 (Version: 14)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.04.0623)
MSN
MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee autoProducer 4.0 - SE (Version: 4.00.050)
Nero 6 Demo
NoteBurner 2.31
Picasa 3 (Version: 3.9)
Quick Launch Buttons 5.10 B2 (Version: 5.10 B2)
QuickTime (Version: 7.68.75.0)
RealPlayer Basic
Rhapsody Player Engine (Version: 1.0.604)
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung USB Driver (MCCI 4.34) WHQL v3.4 (Version: 4.34.4)
Sansa Updater
ScanToWeb
SiSoftware Sandra Lite 2005.SR1 (Win64/32/CE) (Version: 10.50.2005.3)
Skype Click to Call (Version: 6.12.13601)
Skype™ 6.6 (Version: 6.6.106)
Sonic Audio Module (Version: 2.0.0)
Sonic Copy Module (Version: 2.0.0)
Sonic Data Module (Version: 2.0.0)
Sonic Express Labeler (Version: 2.0.0)
Sonic MyDVD Plus (Version: 6.1.0)
Sonic Update Manager (Version: 3.0.0)
StartupMonitor (Version: 1.0.2.0)
Synaptics Pointing Device Driver (Version: 7.13.0.1)
Texas Instruments PCIxx21/x515/xx12 drivers. (Version: 1.20.0000)
The Rosetta Stone
TIPCI (Version: 1.20.0000)
Tunatic
Tweak UI
Update for Windows Internet Explorer 8 (KB971180) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WD Diagnostics (Version: 1.07.0000)
WD Firewire HID Driver (Version: 1.04.0001)
WebFldrs XP (Version: 9.50.7523)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
XnView 1.99.5 (Version: 1.99.5)
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Software Update
Yahoo! Toolbar

==================== Restore Points =========================

21-08-2013 02:49:05 Software Distribution Service 3.0
21-08-2013 13:52:46 avast! Free Antivirus Setup
21-08-2013 14:04:35 Removed Symantec AntiVirus
26-08-2013 13:32:11 System Checkpoint
29-08-2013 01:11:50 Software Distribution Service 3.0
04-09-2013 23:17:57 System Checkpoint
09-09-2013 05:35:55 System Checkpoint
17-09-2013 18:42:42 Software Distribution Service 3.0
27-09-2013 01:43:44 System Checkpoint
28-09-2013 16:09:33 System Checkpoint
04-10-2013 13:22:15 System Checkpoint
05-10-2013 20:43:05 System Checkpoint

==================== Hosts content: ==========================

2004-08-04 04:00 - 2013-08-02 21:16 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-10-06 12:57 - 2013-10-06 10:01 - 02104832 _____ () C:\Program Files\AVAST Software\Avast\defs\13100601\algo.dll
2004-08-04 04:00 - 2008-04-13 20:11 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-04 04:00 - 2008-04-13 20:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2004-08-04 04:00 - 2008-04-13 20:12 - 00192512 _____ () C:\WINDOWS\system32\qcap.dll
2004-08-04 04:00 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (10/06/2013 06:08:19 PM) (Source: Application Hang) (User: )
Description: Hanging application AvastUI.exe, version 8.0.1497.376, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2013 10:18:48 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/02/2013 01:34:38 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15609

System errors:
=============
Error: (10/06/2013 09:51:30 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 09:51:01 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 00:44:39 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AliIde
IntelIde
ViaIde

Error: (10/06/2013 11:32:36 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 11:32:04 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 08:55:10 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 08:54:38 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/05/2013 00:33:22 PM) (Source: Dhcp) (User: )
Description: The IP address lease 172.16.3.42 for the Network Card with network address 00904BF14AC6 has been
denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

Error: (10/05/2013 00:33:02 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.

Error: (10/04/2013 04:18:27 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Microsoft Office Sessions:
=========================
Error: (10/06/2013 06:08:19 PM) (Source: Application Hang)(User: )
Description: AvastUI.exe8.0.1497.376hungapp0.0.0.000000000

Error: (10/06/2013 10:18:48 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (10/02/2013 01:34:38 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15609

==================== Memory info ===========================

Percentage of memory in use: 85%
Total physical RAM: 1150.48 MB
Available physical RAM: 167.68 MB
Total Pagefile: 2178.03 MB
Available Pagefile: 1174.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:55.88 GB) (Free:1.87 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 56 GB) (Disk ID: 94E494E4)
Partition 1: (Active) - (Size=56 GB) - (Type=07 NTFS)

==================== End Of Log ============================

MrCharlie · October 7, 2013

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Threeff · October 7, 2013

Fixlog......

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by CPQ OWNER at 2013-10-06 22:37:45 Run:1
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

*****************

*etadpug => Service deleted successfully.

==== End of Fixlog ====

Will run anti-rootkit now.......

MrCharlie · October 7, 2013

OK, close out RogueKiller, we'll use it later to clean up any leftovers.

MrC

Threeff · October 7, 2013

^{Mbar System log........}

^{^{---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005}}

^{^{© Malwarebytes Corporation 2011-2012}}

^{^{OS version: 5.1.2600 Windows XP Service Pack 3 x86}}

^{^{Account is Administrative}}

^{^{Internet Explorer version: 8.0.6001.18702}}

^{^{File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 559333376}}

^{^{=======================================
Initializing...
DDA Driver installation error.
Driver installed on boot. Reboot required.}}

^{^{System shutdown occurred
=======================================}}

^{^{---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005}}

^{^{© Malwarebytes Corporation 2011-2012}}

^{^{OS version: 5.1.2600 Windows XP Service Pack 3 x86}}

^{^{Account is Administrative}}

^{^{Internet Explorer version: 8.0.6001.18702}}

^{^{File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 855552000}}

^{^{=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 94E494E4}}

^{^{Partition information:}}

^{^{Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 117194112
    Partition file system is NTFS
    Partition is bootable}}

^{^{Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0}}

^{^{Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0}}

^{^{Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0}}

^{^{Disk Size: 60011642880 bytes
Sector size: 512 bytes}}

^{^{Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)...
Done!
Scan finished
=======================================}}

^{^{Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished}}

^{Mbar Log.........}

^{^{Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org}}

^{^{Database version: v2013.07.26.06}}

^{^{Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]}}

^{^{10/6/2013 10:51:31 PM
mbar-log-2013-10-06 (22-51-31).txt}}

^{^{Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 258870
Time elapsed: 23 minute(s), 49 second(s)}}

^{^{Memory Processes Detected: 0
(No malicious items detected)}}

^{^{Memory Modules Detected: 0
(No malicious items detected)}}

^{^{Registry Keys Detected: 0
(No malicious items detected)}}

^{^{Registry Values Detected: 0
(No malicious items detected)}}

^{^{Registry Data Items Detected: 0
(No malicious items detected)}}

^{^{Folders Detected: 0
(No malicious items detected)}}

^{^{Files Detected: 0
(No malicious items detected)}}

^{^{Physical Sectors Detected: 0
(No malicious items detected)}}

^{^(end)}

^{Running Mbar Again...............}

Threeff · October 7, 2013

mbar-log-2013-10-07 (00-02-55).txt system-log.txt2nd Mbar resulys. Found 0Access. WIll run again...

Mbar-log:

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.10.07.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/7/2013 12:02:55 AM
mbar-log-2013-10-07 (00-02-55).txt

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG (Rootkit.0Access) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

System-log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 559333376

=======================================
Initializing...
DDA Driver installation error.
Driver installed on boot. Reboot required.

System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 855552000

=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 94E494E4

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 117194112
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

Disk Size: 60011642880 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 544288768

Downloaded database version: v2013.10.07.02
Downloaded database version: v2013.09.30.01
=======================================
Initializing...
DDA Driver installation error.
Driver installed on boot. Reboot required.

System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 843599872

=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 94E494E4

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 117194112
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

Disk Size: 60011642880 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)...
Done!
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG --> [Rootkit.0Access]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 884793344

=======================================

MrCharlie · October 7, 2013

OK, run another scan with RogueKiller and post the new log....MrC

Threeff · October 7, 2013

Mbar ran clean. WIll run RogueKiller again.....

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.10.07.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/7/2013 8:32:50 AM
mbar-log-2013-10-07 (08-32-50).txt

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Threeff · October 7, 2013

RogueKiller log............

RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : CPQ OWNER [Admin rights]
Mode : Scan -- Date : 10/07/2013 09:12:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH] StartupMonitor.exe -- C:\WINDOWS\StartupMonitor.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : (A0) (cmd /c "C:\Documents and Settings\CPQ OWNER\Desktop\Mbar\mbar\mbar.exe" /rdv /s [7]) -> FOUND
[sERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND
[sERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND
[sERVICE][ROGUE ST] HKLM\[...]\CS003\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[122] : NtOpenProcess @ 0x805C1512 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFC54)
[Address] SSDT[128] : NtOpenThread @ 0x805C179E -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFD44)
[inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[inline] EAT @iexplore.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D118A0)
[inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)
[inline] EAT @iexplore.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11A70)
[inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 405dba045b3d8f3e86599d0759ec383d
[bSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10072013_091225.txt >>
RKreport[0]_S_10062013_220147.txt

MrCharlie · October 7, 2013

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Threeff · October 7, 2013

ComboFix log...................

ComboFix 13-10-04.02 - CPQ OWNER 10/07/2013   9:33.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.698 [GMT -4:00]
Running from: c:\documents and settings\CPQ OWNER\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab
c:\documents and settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-07 to 2013-10-07 )))))))))))))))))))))))))))))))
.
.
2013-10-07 12:32 . 2013-10-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-07 12:27 . 2013-10-07 12:27 105176 ----a-w- c:\windows\system32\drivers\48230029.sys
2013-10-07 02:17 . 2013-10-07 02:17 -------- d-----w- C:\FRST
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2013-09-26 12:21 . 2013-09-26 12:21 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-26 12:47 . 2012-04-12 14:09 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-26 12:47 . 2011-05-21 17:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-30 07:48 . 2013-08-21 13:58 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-08-30 07:48 . 2013-08-21 13:58 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-08-30 07:48 . 2013-08-21 13:58 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-08-30 07:48 . 2013-08-21 13:58 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-08-30 07:48 . 2013-08-21 13:58 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-08-30 07:48 . 2013-08-21 13:58 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-08-30 07:48 . 2013-08-21 13:58 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-08-30 07:48 . 2013-08-21 13:58 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-08-30 07:47 . 2013-08-21 13:54 41664 ----a-w- c:\windows\avastSS.scr
2013-08-30 07:47 . 2013-08-21 13:58 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-08-21 13:50 . 2013-08-21 13:48 117478104 ----a-w- c:\program files\avast_free_antivirus_setup.exe
2013-08-09 01:56 . 2004-08-04 08:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-08-04 08:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-08-04 08:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2004-08-04 08:00 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-08-04 08:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-08-03 15:40 . 2013-08-03 15:40 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-07-10 10:37 . 2004-08-04 08:00 406016 ----a-w- c:\windows\system32\usp10.dll
2010-10-25 18:36 . 2010-10-25 18:36 3524936 ----a-w- c:\program files\noteburner.exe
2010-10-12 02:46 . 2010-10-12 02:46 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
2010-05-16 21:09 . 2010-05-16 21:09 12383736 ----a-w- c:\program files\picasa36-setup.exe
2008-12-11 20:02 . 2008-12-11 20:02 355136 -c--a-w- c:\program files\SansaUpdaterInstall.exe
2008-10-08 00:52 . 2008-10-08 00:52 2934168 ----a-w- c:\program files\ccsetup212.exe
2008-07-17 14:01 . 2008-07-17 14:01 6104632 -c--a-w- c:\program files\picasaweb-current-setup.exe
2007-07-26 16:57 . 2007-07-26 16:57 470744 ----a-w- c:\program files\msgr8us.exe
2006-12-31 18:23 . 2006-12-31 18:23 12754672 ----a-w- c:\program files\MP10Setup.exe
2006-11-16 16:52 . 2006-11-16 16:52 8037624 -c--a-w- c:\program files\tunebite.exe
2006-10-14 13:58 . 2006-10-14 13:58 12841240 -c--a-w- c:\program files\SkypeSetup.exe
2006-09-10 01:44 . 2006-09-10 01:44 4983528 ----a-w- c:\program files\GoogleVideoPlayerSetup.exe
2006-08-29 22:11 . 2006-08-29 22:11 905216 ----a-w- c:\program files\iview398.exe
2006-05-14 19:50 . 2006-05-14 19:50 12089417 -c--a-w- c:\program files\ysitebuilder.exe
2006-05-14 19:37 . 2006-05-14 19:36 11817800 ----a-w- c:\program files\GoogleEarth.exe
2005-11-04 17:04 . 2005-11-04 17:04 231993 -c--a-w- c:\program files\WSUS.EXE
2005-10-24 22:53 . 2005-10-24 22:53 7680064 ----a-w- c:\program files\DivX521xp2k.exe
2005-09-29 20:37 . 2005-09-29 20:37 34235626 -c--a-w- c:\program files\Nero-6.6.0.16.exe
2005-09-22 01:42 . 2005-09-22 01:42 1226512 -c--a-w- c:\program files\proxyconn.exe
2005-09-16 03:27 . 2005-09-16 03:08 381480 ----a-w- c:\program files\msgr7us.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-21 19875432]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0250Ext.ax"="c:\windows\system32\V0250Ext.ax" [X]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"(A0)"="c:\documents and settings\CPQ OWNER\Desktop\Mbar\mbar\mbar.exe" [2013-08-13 1178424]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-07-14 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 21:01 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-01 22:11 794624 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-07-10 07:03 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-03-04 10:36 36975 ----a-w- c:\program files\Java\jre1.5.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-06 16:16 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-07-16 19:17 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [8/21/2013 9:58 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [8/21/2013 9:58 AM 177864]
R0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\48230029.sys [10/7/2013 8:27 AM 105176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/21/2013 9:58 AM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/21/2013 9:58 AM 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/21/2013 9:58 AM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [8/21/2013 9:58 AM 66336]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 11:18 AM 200192]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [8/3/2013 11:40 AM 35144]
S2 gupdate1c9adae1d0975a6;Google Update Service (gupdate1c9adae1d0975a6);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 8:59 PM 133104]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [9/16/2013 12:29 PM 3273088]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/21/2013 9:53 AM 162408]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [12/31/2006 11:18 AM 163840]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 12:48]
.
2013-10-07 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-08-21 07:47]
.
2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:59]
.
2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:59]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-07 09:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-10-07 09:49:05
ComboFix-quarantined-files.txt 2013-10-07 13:49
.
Pre-Run: 1,651,900,416 bytes free
Post-Run: 1,726,996,480 bytes free
.
- - End Of File - - BE0FD1D960EBDDDB9134EBB75D9E1241
E5FA06ACA0D60BA9C870D0EF3D9898C9

MrCharlie · October 7, 2013

Looks Good......

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Threeff · October 7, 2013

Pretty sure I don't need any of this, but what do you think? I'd hate to get this far and mess it up!!!

# AdwCleaner v3.006 - Report created 07/10/2013 at 11:55:04
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : CPQ OWNER - YOUR-4105E587B6
# Running from : C:\Documents and Settings\CPQ OWNER\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [1535 octets] - [07/10/2013 11:55:04]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1595 octets] ##########

MrCharlie · October 7, 2013

Get rid of it and I'll give you the next step also:

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
If you get Unsupported operating system. Aborting now, just reboot and try again.
A Notepad document should open automatically called checkup.txt.
Please Post the contents of that document.
Do Not Attach It!!!

MrC

Threeff · October 7, 2013

ADWCleaner log........ (Mware-b to follow)

# AdwCleaner v3.006 - Report created 07/10/2013 at 12:30:18
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : CPQ OWNER - YOUR-4105E587B6
# Running from : C:\Documents and Settings\CPQ OWNER\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [1675 octets] - [07/10/2013 11:55:04]
AdwCleaner[s0].txt - [1618 octets] - [07/10/2013 12:30:18]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1678 octets] ##########

Threeff · October 7, 2013

M-Byte - 1 Object Found

Computer is a little fater, but not 100%. While typing on webpage, letters showed-up slowly.

Will Run Security Check.....

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.07.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/7/2013 12:48:14 PM
MBAM-log-2013-10-07 (13-01-13).txt

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Re-infected with Zero Access, or False Possitive?

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information