MalwareBytes regularly detects Rootkit.0Access on my laptop


CtrlF8

About once a week I scan my system with both MalwareBytes and AdAware. Every now and then they both come up with and remove various malware as expected. However, I have started to notice a pattern where MalwareBytes detects "Rootkit.0Access" roughly on every other week's scan. Today's scan log (Nov 12, 2013) detected nothing else except for a registry key. Here is that section of the log file:

 

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> Quarantined and deleted successfully.

 

After recognizing "Rootkit.0Access" as a regular offender and reading some threads in various forums, I am starting to wonder whether I have a back-door or something similarly serious as that. In the past week I have definitely noticed exceptional lag at times. For instance, I might be writing a message on a forum and when I type, I am a line or two ahead of what is displaying slowly on the screen. I type at a rate of about 60 words per minute, so simple text displaying should not be going that painfully slow.

Other than the malware scanning, I make it a habit to shut down my computer when it is not in use. I also take the extra precaution of not using WiFi and instead connect to the ethernet via a hard-line only at home. Even when I am doing that I usually disconnect the ethernet cable when I am not doing anything on-line.

These days I mainly use my computer for e-mail, some word processing, maybe creating some graphics, and the usual web browsing, so I do not make a habit of downloading strange programs. I have no idea when I may have gotten something as serious as a back-door since this is an older laptop of mine, which had to replace my burnt-out desktop a few months ago. I would hate to go through completely formatting my laptop to get rid of the problem (if it even persists) because whatever important data I had backed up from my dead desktop is left on this laptop.

 

Any suggestions on the matter would be appreciated. As the forum guidelines dictate, I have downloaded and run dds.scr and I am copy/pasting the resulting txt files below. Thanks in advance.

 

_TONE_

---
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.40.2
Run by Tone at 11:36:48 on 2013-11-12
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.615 [GMT -5:00]
.
AV: Lavasoft Ad-Aware *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Norton Internet Worm Protection *Disabled*
FW: Lavasoft Ad-Aware *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [cdloader] "c:\documents and settings\tone\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [EPSON Stylus Photo R260 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibna.exe /fu "c:\windows\temp\E_S84.tmp" /EF "HKCU"
uRun: [EPSON Stylus Photo R260 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatibna.exe /fu "c:\windows\temp\E_S31.tmp" /EF "HKCU"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Alcohol.exe Autorun] c:\program files\alcohol soft\alcohol 120\Alcohol.exe /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [sunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
StartupFolder: c:\docume~1\tone\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{4468982D-4F91-4FF4-8122-60CE194E47D3} : DHCPNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tone\application data\mozilla\firefox\profiles\d5prdnbd.default\
FF - component: c:\documents and settings\tone\application data\mozilla\firefox\profiles\d5prdnbd.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}\components\dtTransparency.dll
FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-10-29 10:34; {87934c42-161d-45bc-8cef-ef18abe2a30c}; c:\documents and settings\tone\application data\mozilla\firefox\profiles\d5prdnbd.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
============= SERVICES / DRIVERS ===============
.
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-4-27 8704]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-7-16 21240]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-7-16 335224]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2012-7-16 217976]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-5-3 1226096]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-7-16 77816]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-8 1247600]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-18 24652]
R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-7-16 94584]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-4-27 99360]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-10-26 101112]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe" --> c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [?]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\tone\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\tone\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2011-12-19 3289032]
S3 gtermddo;gtermddo;\??\c:\docume~1\tone\locals~1\temp\gtermddo.sys --> c:\docume~1\tone\locals~1\temp\gtermddo.sys [?]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-7-16 94584]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-7-16 93816]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys --> c:\windows\system32\drivers\vaxscsi.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-2 19677]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WORDPAD.EXE="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [userChoice]
FileExt: .ini: Applications\WORDPAD.EXE="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [userChoice]
.
=============== Created Last 30 ================
.
2013-11-10 09:02:06    1409    ----a-w-    c:\windows\QTFont.for
2013-10-30 14:56:28    16824    ----a-w-    c:\program files\mozilla firefox\plugin-container.exe
.
==================== Find3M  ====================
.
2013-10-23 17:20:23    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-23 17:20:21    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-27 04:59:12    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-09-27 04:58:59    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-09-27 04:58:55    868264    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-09-27 04:58:55    790440    ----a-w-    c:\windows\system32\deployJava1.dll
2013-09-23 18:33:58    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33:57    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06:48    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-29 01:31:44    1878656    ----a-w-    c:\windows\system32\win32k.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8735E1D8]<<
_asm { MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX; PUSH 0x8735e008; MOV EAX, 0xf7418d70; CALL EAX;  }
1 ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Harddisk0\DR0[0x869BD030]
3 CLASSPNP[0xF7642FD7] -> ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\0000008c[0x872BBA18]
5 ACPI[0xF73BA620] -> ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Ide\IAAStorageDevice-0[0x86DBE030]
\Driver\iaStor[0x872C23D8] -> IRP_MJ_CREATE -> 0x8735E1D8
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a;  }
detected disk devices:
detected hooks:
\Driver\atapi -> 0x863d31c0
\Driver\iaStor -> 0x8735e1d8
user != kernel MBR !!!
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 11:37:55.67 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/2/2006 9:35:56 PM
System Uptime: 11/12/2013 10:27:07 AM (1 hours ago)
.
Motherboard: Hewlett-Packard  |  | 30A7
Processor: Genuine Intel® CPU           T2500  @ 2.00GHz | U1 | 1994/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 83 GiB total, 23.334 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 1.354 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: ST3WOLF SCSI Controller
Device ID: ROOT\*ST3T33\0000
Manufacturer: (Standard mass storage controllers)
Name: ST3WOLF SCSI Controller
PNP Device ID: ROOT\*ST3T33\0000
Service: st3wolf
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_135B103C&REV_02\4&38B5BDF7&0&00E2
Manufacturer: Intel Corporation
Name: Intel® PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_135B103C&REV_02\4&38B5BDF7&0&00E2
Service: w39n51
.
==== System Restore Points ===================
.
RP275: 9/28/2013 3:13:05 PM - System Checkpoint
RP276: 10/4/2013 10:38:01 AM - System Checkpoint
RP277: 10/8/2013 10:54:44 AM - System Checkpoint
RP278: 10/10/2013 6:06:50 PM - System Checkpoint
RP279: 10/11/2013 1:35:14 AM - Software Distribution Service 3.0
RP280: 10/14/2013 11:59:11 AM - System Checkpoint
RP281: 10/15/2013 3:00:27 AM - Software Distribution Service 3.0
RP282: 10/17/2013 9:49:12 AM - System Checkpoint
RP283: 10/20/2013 4:13:17 PM - System Checkpoint
RP284: 10/23/2013 3:09:35 PM - System Checkpoint
RP285: 10/24/2013 9:39:03 PM - System Checkpoint
RP286: 10/29/2013 10:16:03 AM - System Checkpoint
RP287: 10/30/2013 5:07:43 PM - System Checkpoint
RP288: 10/31/2013 5:57:54 PM - System Checkpoint
RP289: 11/1/2013 6:57:54 PM - System Checkpoint
RP290: 11/2/2013 7:57:54 PM - System Checkpoint
RP291: 11/3/2013 7:58:05 PM - System Checkpoint
RP292: 11/6/2013 11:26:22 AM - System Checkpoint
RP293: 11/8/2013 6:07:39 PM - System Checkpoint
RP294: 11/10/2013 12:41:22 AM - System Checkpoint
RP295: 11/12/2013 4:00:11 AM - System Checkpoint
.
==== Installed Programs ======================
.
Action Replay XBOX 1.41
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Ad-Aware Security Toolbar
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Illustrator 9.0
Adobe Photoshop 6.0
Adobe Reader 7.0
Adobe SVG Viewer
Apple Software Update
AutoUpdate
BufferChm
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Crayon Physics Deluxe - release 53
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DivX Codec
DivX Player
DivX Web Player
EA Download Manager
Easy Internet Sign-up
EPSON Printer Software
FullDPAppQFolder
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB981793)
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.1
HP Update
HP User Guides--System Recovery
HP User Guides 0019
HP Wireless Assistant 2.00 H1
HpSdpAppCoreApp
IHA_MessageCenter
InstantShareDevices
Intel® PRO Network Connections Drivers
Ipswitch WS_FTP Pro
iTunes
Java 7 Update 40
Java Auto Updater
KhalSetup
LEGO Creator
LightScribe  1.4.105.1
LiveUpdate 3.0 (Symantec Corporation)
Logitech SetPoint
Macromedia Flash Player 8
magicJack
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Move Networks Media Player for Internet Explorer
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 24.1.0 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
Netflix Movie Viewer
Netscape Browser (remove only)
NetWaiting
NVIDIA Drivers
Office 2003 Trial Assistant
OpenOffice 4.0.0
OptionalContentQFolder
PhotoGallery
QuickTime
RandMap
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB2879017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2868038)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876315)
Security Update for Windows XP (KB2883150)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SkinsHP1
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SPORE™
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
TeamSpeak 2 RC2
Texas Instruments PCIxx21/x515/xx12 drivers.
The Neverhood
Thief - Deadly Shadows
Thief 2
TIPCI
TourSetup
Unload
Unreal Tournament G.O.T.Y. Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Vongo
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wireless Home Network Setup
XPort 360
.
==== Event Viewer Messages From Past Week ========
.
11/7/2013 10:08:34 AM, error: Service Control Manager [7034]  - The DHCP Client service terminated unexpectedly.  It has done this 1 time(s).
11/7/2013 10:08:34 AM, error: Service Control Manager [7034]  - The Cryptographic Services service terminated unexpectedly.  It has done this 1 time(s).
11/6/2013 10:59:55 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AliIde PCIIde ViaIde
11/6/2013 10:59:52 AM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
11/6/2013 10:59:52 AM, error: Service Control Manager [7000]  - The IHA_MessageCenter service failed to start due to the following error:  The system cannot find the path specified.
11/6/2013 10:59:52 AM, error: Service Control Manager [7000]  - The HP Pci Information service failed to start due to the following error:  The system cannot find the path specified.
.
==== End Of File ===========================

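The Event Viewer lines at the end of the log above are the kind of entry a helper scans by eye. As an added example (not from the thread, the tool, or Malwarebytes), here is a small Python triage script that parses Service Control Manager entries of that shape and flags two things a defender cares about: an unexpected termination (event 7034) of a service that backs Windows Update, signature checking or network configuration, and several 7034 events landing in the same second, which is what it looks like when one shared service host process dies. The sample lines are the five entries from the log above; the watch list is my own choice of Windows XP service display names, not something the page defines.

```python
import re
from collections import defaultdict

# Constructed sample: the five Service Control Manager entries from the DDS log above.
SAMPLE_EVENTS = """\
11/7/2013 10:08:34 AM, error: Service Control Manager [7034]  - The DHCP Client service terminated unexpectedly.  It has done this 1 time(s).
11/7/2013 10:08:34 AM, error: Service Control Manager [7034]  - The Cryptographic Services service terminated unexpectedly.  It has done this 1 time(s).
11/6/2013 10:59:55 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AliIde PCIIde ViaIde
11/6/2013 10:59:52 AM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
11/6/2013 10:59:52 AM, error: Service Control Manager [7000]  - The IHA_MessageCenter service failed to start due to the following error:  The system cannot find the path specified.
"""

# "<date> <time> AM/PM, <level>: <source> [<event id>]  - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\]\s+-\s+(?P<msg>.+)$"
)
# Pull the service display name out of the SCM message text.
SERVICE_RE = re.compile(
    r"^The (?P<svc>.+?) service "
    r"(terminated unexpectedly|terminated with the following error|failed to start)"
)

# Assumed watch list (Windows XP display names): services whose unexpected
# termination deserves a second look because updates, signature validation
# and network setup depend on them.
WATCHED_SERVICES = {
    "Cryptographic Services",
    "DHCP Client",
    "Security Center",
    "Automatic Updates",
    "Background Intelligent Transfer Service",
    "Windows Firewall/Internet Connection Sharing (ICS)",
}


def parse_events(text):
    """Parse SCM log lines into dicts; lines that do not fit the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["id"] = int(ev["id"])
        s = SERVICE_RE.match(ev["msg"])
        ev["service"] = s.group("svc") if s else None
        events.append(ev)
    return events


def triage_events(events):
    """Return findings: watched-service crashes and clusters of 7034 in one second."""
    findings = []
    crashes_by_second = defaultdict(list)
    for ev in events:
        if ev["id"] != 7034 or not ev["service"]:
            continue
        crashes_by_second[ev["ts"]].append(ev["service"])
        if ev["service"] in WATCHED_SERVICES:
            findings.append(("watched-service-crash", ev["ts"], ev["service"]))
    # Unrelated services dying in the same second usually means the svchost
    # process hosting them went away; the log alone cannot say why.
    for ts, services in crashes_by_second.items():
        if len(services) > 1:
            findings.append(("simultaneous-7034", ts, sorted(services)))
    return findings


if __name__ == "__main__":
    for finding in triage_events(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample the script reports both 7034 entries individually and once more as a simultaneous pair at 10:08:34; the 7000, 7023 and 7026 entries are parsed but produce no finding, since a missing service binary or a driver that failed to load is not by itself evidence of tampering.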

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


MrCharlie, thanks for responding so quickly, and for the assistance of course.

I did as you requested by downloading the 32-bit RogueKiller program, and ran it, then performed a scan WITHOUT checking/unchecking any options. When the scan was done it automatically directed a browser to go to a page on adlice.com, which had instructions on how to remove "zeroaccess" malware. As you directed, I did NOT do anything further to try to remove anything. I just performed the scan. As you said, there is a scan-log file on the desktop. However, there is also a new folder on the desktop labeled "RK_Quarantine". I have not opened this folder or messed with it in any way. Eventually I would like the quarantine folder off my desktop, but for now I presume I should leave it alone until you tell me to otherwise. Below is the copy/pasted text from RogueKiller's scan log as requested.

Sincere thanks,

_TONE_

 

---

 

RogueKiller V8.7.7 [Nov 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Tone [Admin rights]
Mode : Scan -- Date : 11/13/2013 10:35:48
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\Tone\Local Settings\Application Data\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\???\???\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1495993953-2124430205-905638205-1006\[...]\Run : Google Update ("C:\Documents and Settings\Tone\Local Settings\Application Data\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\???\???\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" >) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[BROK VAL] HKCR\[...]\command :  () -> MISSING

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Documents and Settings\Tone\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] IAT @explorer.exe (CreateThread) : KERNEL32.dll -> HOOKED (Unknown @ 0x00D705A8)
[Inline] IAT @explorer.exe (VirtualAlloc) : KERNEL32.dll -> HOOKED (Unknown @ 0x00D70008)
[Inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (Unknown @ 0x00D702D8)
[Inline] EAT @explorer.exe (NtAllocateVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00D710E8)
[Inline] EAT @explorer.exe (NtCreateThread) : ntdll.dll -> HOOKED (Unknown @ 0x00D71208)
[Inline] EAT @explorer.exe (NtProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00D71178)
[Inline] EAT @explorer.exe (ZwAllocateVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00D710E8)
[Inline] EAT @explorer.exe (ZwCreateThread) : ntdll.dll -> HOOKED (Unknown @ 0x00D71208)
[Inline] EAT @explorer.exe (ZwProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00D71178)
[Inline] EAT @explorer.exe (CreateProcessA) : kernel32.dll -> HOOKED (Unknown @ 0x00D70248)
[Inline] EAT @explorer.exe (CreateProcessInternalA) : kernel32.dll -> HOOKED (Unknown @ 0x00D70368)
[Inline] EAT @explorer.exe (CreateProcessInternalW) : kernel32.dll -> HOOKED (Unknown @ 0x00D703F8)
[Inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (Unknown @ 0x00D702D8)
[Inline] EAT @explorer.exe (CreateRemoteThread) : kernel32.dll -> HOOKED (Unknown @ 0x00D70518)
[Inline] EAT @explorer.exe (CreateThread) : kernel32.dll -> HOOKED (Unknown @ 0x00D705A8)
[Inline] EAT @explorer.exe (SetThreadContext) : kernel32.dll -> HOOKED (Unknown @ 0x00D70638)
[Inline] EAT @explorer.exe (VirtualAlloc) : kernel32.dll -> HOOKED (Unknown @ 0x00D70008)
[Inline] EAT @explorer.exe (VirtualAllocEx) : kernel32.dll -> HOOKED (Unknown @ 0x00D70128)
[Inline] EAT @explorer.exe (VirtualProtect) : kernel32.dll -> HOOKED (Unknown @ 0x00D70098)
[Inline] EAT @explorer.exe (VirtualProtectEx) : kernel32.dll -> HOOKED (Unknown @ 0x00D701B8)
[Inline] EAT @explorer.exe (WinExec) : kernel32.dll -> HOOKED (Unknown @ 0x00D70488)
[Inline] EAT @explorer.exe (WriteProcessMemory) : kernel32.dll -> HOOKED (Unknown @ 0x00D706C8)
[Inline] EAT @explorer.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (Unknown @ 0x00D70758)
[Inline] EAT @explorer.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (Unknown @ 0x00D707E8)
[Inline] EAT @explorer.exe (InternetConnectA) : WININET.dll -> HOOKED (Unknown @ 0x00D70FC8)
[Inline] EAT @explorer.exe (InternetConnectW) : WININET.dll -> HOOKED (Unknown @ 0x00D71058)
[Inline] EAT @explorer.exe (InternetOpenA) : WININET.dll -> HOOKED (Unknown @ 0x00D70D88)
[Inline] EAT @explorer.exe (InternetOpenUrlA) : WININET.dll -> HOOKED (Unknown @ 0x00D70EA8)
[Inline] EAT @explorer.exe (InternetOpenUrlW) : WININET.dll -> HOOKED (Unknown @ 0x00D70F38)
[Inline] EAT @explorer.exe (InternetOpenW) : WININET.dll -> HOOKED (Unknown @ 0x00D70E18)
[Inline] EAT @explorer.exe (URLDownloadA) : urlmon.dll -> HOOKED (Unknown @ 0x00D70AB8)
[Inline] EAT @explorer.exe (URLDownloadToCacheFileA) : urlmon.dll -> HOOKED (Unknown @ 0x00D70CF8)
[Inline] EAT @explorer.exe (URLDownloadToCacheFileW) : urlmon.dll -> HOOKED (Unknown @ 0x00D70C68)
[Inline] EAT @explorer.exe (URLDownloadToFileA) : urlmon.dll -> HOOKED (Unknown @ 0x00D70BD8)
[Inline] EAT @explorer.exe (URLDownloadToFileW) : urlmon.dll -> HOOKED (Unknown @ 0x00D70B48)
[Inline] EAT @explorer.exe (URLDownloadW) : urlmon.dll -> HOOKED (Unknown @ 0x00D70A28)
[Inline] EAT @explorer.exe (bind) : WS2_32.dll -> HOOKED (Unknown @ 0x00D70878)
[Inline] EAT @explorer.exe (connect) : WS2_32.dll -> HOOKED (Unknown @ 0x00D70998)
[Inline] EAT @explorer.exe (socket) : WS2_32.dll -> HOOKED (Unknown @ 0x00D70908)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) FUJITSU MHV2100BH PL +++++
--- User ---
[MBR] 72345b50019a0d85ebd983ee13f06d74
[BSP] 08a9369fa3c1f8478a5e6508e9f3488e : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 84623 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 173325285 | Size: 9734 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 193261950 | Size: 1027 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11132013_103548.txt >>

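The RogueKiller report above is the most informative artefact in the thread: the tagged findings name the persistence points, and the "Driver" section lists the kernel32, ntdll, WinINet, urlmon and Winsock exports that have been hooked inside explorer.exe. As an added example (not from the thread, from RogueKiller's author, or from Malwarebytes), here is a Python triage script that parses a report of that shape, counts the ZeroAccess-tagged items, and summarises the hooks by module and by hook target. The sample it embeds is an abridged copy of the report above with the obfuscated path segments shortened to "..."; the reading of "Unknown" as "hook target could not be attributed to any loaded module" is my assumption about RogueKiller's output. What the summary shows for this report: every target is unattributed, pairs of exports (Nt/Zw variants, IAT and EAT entries of the same function) point at the same address, and all targets sit within a few KiB of each other, i.e. in one injected region rather than in any legitimate DLL.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the RogueKiller report posted above.
# Whitespace-only and non-printable segments of the ZeroAccess paths are
# shortened to "..." so each finding stays on one line.
SAMPLE_REPORT = r"""
RogueKiller V8.7.7 [Nov 11 2013] by Tigzy
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Mode : Scan -- Date : 11/13/2013 10:35:48

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\...\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\Tone\...\GoogleUpdate.exe" >) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\...\GoogleUpdate.exe" < [x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[BROK VAL] HKCR\[...]\command :  () -> MISSING

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] IAT @explorer.exe (VirtualAlloc) : KERNEL32.dll -> HOOKED (Unknown @ 0x00D70008)
[Inline] EAT @explorer.exe (NtAllocateVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00D710E8)
[Inline] EAT @explorer.exe (ZwAllocateVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00D710E8)
[Inline] EAT @explorer.exe (VirtualAlloc) : kernel32.dll -> HOOKED (Unknown @ 0x00D70008)
[Inline] EAT @explorer.exe (CreateRemoteThread) : kernel32.dll -> HOOKED (Unknown @ 0x00D70518)
[Inline] EAT @explorer.exe (URLDownloadToFileA) : urlmon.dll -> HOOKED (Unknown @ 0x00D70BD8)
[Inline] EAT @explorer.exe (connect) : WS2_32.dll -> HOOKED (Unknown @ 0x00D70998)

¤¤¤ Infection : ZeroAccess ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(.+?)\s*¤¤¤$")
# Leading run of bracket tags, e.g. "[RUN][ZeroAccess]".
TAG_RE = re.compile(r"^((?:\[[^\]]+\])+)")
# The forum rendering lowercased some tag initials, so match the tag case-insensitively.
HOOK_RE = re.compile(
    r"^\[[Ii]nline\]\s+(IAT|EAT)\s+@(\S+)\s+\((\w+)\)\s*:\s*(\S+)\s*->\s*HOOKED\s*"
    r"\((\w+)\s*@\s*0x([0-9A-Fa-f]+)\)"
)


def parse_report(text):
    """Split the report into {section header: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def tagged_findings(sections, tag):
    """(section, line) pairs whose leading tags include [tag]."""
    wanted = f"[{tag}]"
    return [(name, line) for name, lines in sections.items() for line in lines
            if (m := TAG_RE.match(line)) and wanted in m.group(1)]


def hooked_exports(sections):
    """Parse the Driver section's hook lines into dicts."""
    hooks = []
    for name, lines in sections.items():
        if not name.startswith("Driver"):
            continue
        for line in lines:
            m = HOOK_RE.match(line)
            if m:
                table, proc, func, module, owner, addr = m.groups()
                hooks.append({"table": table, "process": proc, "function": func,
                              "module": module.lower(), "owner": owner,
                              "target": int(addr, 16)})
    return hooks


def hook_summary(hooks):
    by_module, by_target = defaultdict(list), defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
        by_target[h["target"]].append(h["function"])
    targets = sorted(by_target)
    return {
        "by_module": dict(by_module),
        # Several exports redirected to one address: one dispatcher serves them all.
        "shared_targets": {hex(t): f for t, f in by_target.items() if len(f) > 1},
        # Distance between lowest and highest target; small means one injected region.
        "target_span_bytes": (targets[-1] - targets[0]) if targets else 0,
        "all_targets_unattributed": bool(hooks) and all(h["owner"] == "Unknown" for h in hooks),
    }


def triage(text):
    sections = parse_report(text)
    return {
        "infection": [n.split(":", 1)[1].strip() for n in sections if n.startswith("Infection")],
        "zeroaccess_items": len(tagged_findings(sections, "ZeroAccess")),
        "hooks": hook_summary(hooked_exports(sections)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run it on the full report text and the summary lists all 39 hooks, with every target between 0x00D70008 and 0x00D71208; the script only reads the log and changes nothing on the machine.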

Please read the following information first.

 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC

As I stated in my original post, I was afraid I might have a back-door program. In your advice you mention disconnecting my laptop from the internet. I did that, but I am still using the laptop to type this response. When I am finished typing it up, then I will briefly reconnect the ethernet cable to send out the response.

 

Previously I mentioned my old busted primary desktop computer, and how there are a number of items backed up from that computer on my infected laptop. I really do not want to format the laptop because I am not even sure I have enough external data storage capabilities to save everything to. Money has been pretty tight as well because we have had one serious thing after another needing replacement or repair around the house and car recently, so I do not think I can spend money on extra data storage or a new laptop. Furthermore, though I am not totally sure and would have to check, I believe my version of Windows XP came pre-installed on my laptop without receiving any extra installation disks, even though I specifically asked for such discs when I ordered my laptop. Therefore, I do not even know whether I could reinstall Windows XP after a format. I seem to recall older versions of Windows and DOS having a way to create an installation disc, but perhaps I am thinking of a boot disc only. I suppose I could go out and buy a version of Windows 8 or something since Windows XP will no longer be supported some time in 2014 anyway, but I am not even sure whether Windows 8 will be compatible with my laptop's older hardware. Maybe I should try switching to a Linux/Unix based operating system to help avoid future infections since I have heard most malware is developed mainly for Microsoft operating systems, but I do not have much experience in that realm.

 

There is also one other slight obstacle to formatting. My HP-brand laptop came set up with a dual-partitioned hard drive. The OS and critical foundation programs were on the "boot" partition and anything else I later installed or saved on my laptop was on the other larger partition. I presume when you mention formatting, it would be necessary to format both partitions and perhaps join them back into one. It has been quite a while since I have handled total formatting and partitioning of drives, etc. I did that years ago on my desktop though to have both a FAT32 and whatever the other possibly older format was (I forget the format type because it has been so long).

 

I think that there is also something else, which might complicate matters. To safely format/repair this laptop I would obviously have to download anything I needed for the effort from the internet by using a secondary uninfected computer. My wife has a Mac, which I believe will still enable me to download those PC-based files and transfer them over via USB drives, etc. If for some reason I could not download and transfer the required files from a Mac operating system, then I am pretty much screwed. We moved to where we live a few years ago and I really do not have any close friends in the area who I could count on with this amount of technical burden. In the worst case scenario, I could always browse the web to get to this forum and do research via the limited version of Internet Explorer, which is available through our Xbox 360 console (Do not laugh at me too hard for that). Unfortunately, I do not think I could download and transfer any recovery programs from the Xbox. After writing this paragraph, I am starting to wonder about something else too. My wife has been complaining lately about her Mac being slow. Unlike my paranoia, she mainly uses our WiFi network to connect to the internet, so she just thought the delays were due to a slower WiFi connection or something. We have generally thought Macs were much less susceptible to malware, but perhaps we should be more concerned about what is going on with her Mac.

 

Of course, I followed and read the web pages from those included links regarding identity theft/fraud and suggested reformatting circumstances. My infected Windows XP laptop is a home computer, which I use primarily for personal use and just a tiny bit of freelance graphic design. Therefore, there is not any financial or business information saved on it. I actually keep my one and only credit card info memorized, and I NEVER allow any websites to automatically log in for me. The only thing saved on my laptop, which is even close to that type of information, is possibly my resume and work history. That would NOT include a social security number. I guess the primary worry I have about this back-door is if someone has installed any kind of key-logging software. A couple of times a month I do log into a handful of web sites to pay bills (mostly with my one and only credit card) or keep track of credit card/banking activity. If there is/was a key-logger, then those user accounts and passwords could be compromised. Since I have noticed my laptop running slowly for a while, I suspect I have been infected for a while as well, and I have not noticed any suspicious activity on my accounts. Is there any way to determine for sure whether I had a key-logger at some point? I presume the answer is "No," but I have to ask. Usually when MalwareBytes or AdAware found things in their scans I would read whatever information the scanner programs offered about the suspicious files, and I think I would have paid attention to any key-logging stuff, but it may not have been that obvious either.

 

I apologize if I am rambling with my out-loud thinking and speculation. What it boils down to is IDEALLY, I think I would like to get a new laptop (stripped down to be as streamlined as possible with perhaps even a Unix/Linux OS), then I would just use my current infected laptop as an internet-disconnected glorified hard drive for my old data. However, due to REALITY and finances at the moment, I sadly will have to opt for at least attempting to clean my machine. That is, if you think you can put up with me. As I mentioned, I have disconnected my laptop, but I am still typing this response on it, and I will only reconnect to the internet to quickly post the reply. To be on the safe side, I will not even bother risking the additional on-line time it would take to download the Farbar Recovery Scan Tool you recommend in the next step. For that I will have to wait for my wife to come home after work tonight so I can use her Mac laptop. I realize I could avoid wasting more of your time by not sending out this relatively non-productive message and instead waiting to post until after I use my wife's Mac to download the Farbar Recovery Scan Tool. However, considering my wife's Mac has also recently been slow, I thought it best to be cautious and see what you might have to say. Should my wife and I take some precautions with her Mac to make sure she is not infected, or is our perception of Macs not being as easily susceptible to malware correct?

 

You have my sincere appreciation for your time on this matter of mine. I used to be a lot more tech savvy and would help friends with their technical issues myself, so I know how much of a headache it can be. Thank you!

_TONE_


You are correct, my HP is supposed to have a system recovery feature. By bringing that up are you suggesting I should try that? I simply presumed I most likely had the infection for a while now and so the infection may have predated the earliest available recovery point. To be honest I never really used the recovery feature except to glance at it shortly after getting the laptop. Even if I could restore to a safe point, I figured a back door would still be a threat.

 

Apart from the restore point on my HP... I now have access to my wife's MacBook Pro as a safe internet-connected system (presuming it is clean of malware). I went ahead and downloaded/ran the Farbar Recovery Scan Tool. Below this response I am copy/pasting both the FRST.txt and Addition.txt log files. I think it might be relevant to mention those scans will show a third drive (two partitioned drives of the laptop and my USB drive). Obviously I needed something to transfer the files over, but there is another reason why the USB drive might be important to note.

 

My USB drive has a program on it called HitmanPro and another called Kickstarter. Several months ago while my desktop was still operational, I was infected with hijacking malware. It was the kind that threatens you with a fine from the FBI/NSA for either violating copyright, piracy, or pornography laws, and it instructs the infected user to send payment via a purchased credit card pre-loaded with a certain amount of money. Until an infected person sends the payment, it completely locks the system and only boots up to show the FBI/NSA warning screen. Clearly it was an absolute scam. The HitmanPro program and Kickstarter helped circumvent the lock-out and cleared that malware up. Well, after my desktop died (old power supply crackled on a boot up and everything went dead) I switched over to my back up laptop. Within a week or two of using the laptop I was slammed with an updated version of the bogus FBI/NSA warning. I can only guess a particular web site I happened to visit again caused the infection because I had not used the laptop for months prior to the desktop dying or being hijacked. Luckily, I still kept HitmanPro and Kickstarter on my USB drive, so I quickly removed the threat/annoyance. I figured I should tell you about that hijacking in case that might be somehow connected to the current ongoing infection.

 

Speaking of suspicious activity, last night I noticed my laptop notified me of a Windows update (that yellow shield in the task bar), then when I was shutting down it showed a window, which said the updates would be applied before shutdown within 15, 14, 13... seconds. This may not sound that unusual, but my laptop was disconnected from the ethernet cable and I always keep WiFi disabled. Therefore, how can the laptop even acquire and install any updates? Perhaps I am being paranoid now, and I know this is only speculation, but could the back door include an automatic program to enable the WiFi and circumvent my attempts to shut out my laptop from the grid? If so, then it could be masquerading as a Windows update to update itself. It did not matter because I know you instructed me not to apply any updates, etc., so I cancelled out of that window and went straight to shut down.

 

Just to verify, so far with all the tools you have had me download and run, I have not utilized any of their removal features, and I have not selected any extra options in the scans other than the defaults. You will also probably notice in some of the scan logs it says AdAware is disabled. I just want to make it clear I normally have it running in the background, but as I understood your instructions, you wanted me to run the scans without any other programs running.

 

Before I copy/paste the last scan's logs, I wanted to thank you once more and also apologize about my last message's indecisive babbling. I can tell you with 100% certainty I now want to clean my laptop and take this thing out! After talking it over with my wife, my plan is to clean my laptop, but afterward primarily use it for off-line use, such as graphics creation and other heavy processor/memory programs. For the day to day communications, recreation, and web stuff, which I previously used my computer for the majority of the time, I will be looking into getting a relatively inexpensive Chromebook over the holidays. This way in the future I will have much less concern about becoming infected on the Chromebook, while the much more vulnerable PC laptop can avoid being infected by not being on-line at all. I know I will have to adapt to cloud computing and always have a foothold in the Google network, but the newer Chromebooks have a lot more off-line options than they did in the past, which I fully plan on taking advantage of. If I end up not liking it, then I will not be totally out of $250-$500 because I can modify the Chromebook so it either shares a dual operating system with a version of Linux called Ubuntu (spelling?), or I can run Ubuntu all on its own. I used to actually love DOS, and I only switched to Windows when NT was available, so I should be fairly comfortable in a Linux-based environment.

 

Anyway, enough of the chatter. I will try to keep that to a minimum from now on to waste less of your time. Below are the log files.

Thank you,

_TONE_

 

---

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-11-2013
Ran by Tone (administrator) on PORTONE on 14-11-2013 10:46:43
Running from C:\Documents and Settings\Tone\My Documents\Received Files\MalwarebytesForum-1stResponse\Step03-FarbarSystemRecoveryTool-ScanOnly
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(Lavasoft Limited) C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
(Symantec Corporation) C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Rocket Division Software) C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
() C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
(Viewpoint Corporation) C:\Program Files\Viewpoint\Common\ViewpointService.exe
(Starz Entertainment Group LLC) C:\Program Files\Vongo\VongoService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
() C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
(Viewpoint Corporation) C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
(Hewlett-Packard Co.) C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Lavasoft) C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\SoftwareDistribution\Download\0ff4ce25d7154324b7917c29076bdd2a\update\update.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe [380928 2006-08-12] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] - nwiz.exe /installquiet /nodetect
HKLM\...\Run: [High Definition Audio Property Page Shortcut] - C:\WINDOWS\system32\CHDAudPropShortcut.exe [61952 2006-04-18] (Windows ® Server 2003 DDK provider)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [794713 2006-06-16] (Synaptics, Inc.)
HKLM\...\Run: [QPService] - C:\Program Files\Hp\QuickPlay\QPService.exe [102400 2006-04-11] (CyberLink Corp.)
HKLM\...\Run: [ISUSPM Startup] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [249856 2005-08-11] (Macrovision Corporation)
HKLM\...\Run: [ISUSScheduler] - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-08-11] (Macrovision Corporation)
HKLM\...\Run: [QlbCtrl] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe [163840 2006-06-19] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Cpqset] - C:\Program Files\HPQ\Default Settings\Cpqset.exe [40960 2006-02-22] ()
HKLM\...\Run: [RecGuard] - C:\WINDOWS\SMINST\Recguard.exe [1187840 2005-10-11] ()
HKLM\...\Run: [Reminder] - C:\WINDOWS\CREATOR\Remind_XP.exe [643072 2006-02-09] (SoftThinks)
HKLM\...\Run: [Logitech Hardware Abstraction Layer] - C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe [94208 2006-07-19] (Logitech Inc.)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - C:\WINDOWS\KHALMNPR.Exe [94208 2006-07-19] (Logitech Inc.)
HKLM\...\Run: [Alcohol.exe Autorun] - C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe [1666944 2006-11-19] (Alcohol Soft Development Team)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe [49152 2005-02-16] (Hewlett-Packard Co.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [282624 2007-04-27] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [257088 2007-05-26] (Apple Inc.)
HKLM\...\Run: [Ad-Aware Browsing Protection] - C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe [198032 2011-10-21] (Lavasoft)
HKLM\...\Run: [Ad-Aware Antivirus] - "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
HKLM\...\Run: [SunJavaUpdateSched] - "C:\Program Files\Java\jre7\bin\jusched.exe"
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-09-26] (Google Inc.)
HKCU\...\Run: [cdloader] - C:\Documents and Settings\Tone\Application Data\mjusbsp\cdloader2.exe [50592 2011-08-23] (magicJack L.P.)
HKCU\...\Run: [EPSON Stylus Photo R260 Series] - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S84.tmp" /EF "HKCU"
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [EPSON Stylus Photo R260 Series (Copy 1)] - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S31.tmp" /EF "HKCU"
MountPoints2: D - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
MountPoints2: I - I:\Photokinz.exe
HKU\Default User\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\Tone\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/advanced_search?hl=en
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {C4069E3A-68F1-403E-B40E-20066696354B} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Tone\Application Data\Mozilla\Firefox\Profiles\d5prdnbd.default
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin: @java.com/DTPlugin,version=10.40.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.40.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2571 - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.2.2629 - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1739 - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @viewpoint.com/VMP - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll No File
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: Lavasoft Search Plugin - C:\Documents and Settings\Tone\Application Data\Mozilla\Firefox\Profiles\d5prdnbd.default\Extensions\jid1-yZwVFzbsyfMrqQ@jetpack
FF Extension: Ad-Aware Security Add-on - C:\Documents and Settings\Tone\Application Data\Mozilla\Firefox\Profiles\d5prdnbd.default\Extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
 
========================== Services (Whitelisted) =================
 
R2 Ad-Aware Service; C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe [1226096 2012-05-03] (Lavasoft Limited)
R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [100032 2006-07-25] (Symantec Corporation)
S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2119360 2006-07-25] (Symantec Corporation)
S2 SBAMSvc; C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe [3289032 2011-12-19] (GFI Software)
R2 StarWindService; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [217600 2005-04-01] (Rocket Division Software)
R2 Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [1247600 2007-09-25] ()
R2 Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [24652 2007-01-04] (Viewpoint Corporation)
S2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \   \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-18] (Microsoft Corporation)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [57096 2006-03-02] (Broadcom Corporation.)
S3 BVRPMPR5; C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [49904 2010-06-06] (Avanquest Software)
R1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [7808 2005-09-19] (Hewlett-Packard Development Company, L.P.)
S3 eabusb; C:\Windows\System32\DRIVERS\eabusb.sys [5760 2005-09-19] (Hewlett-Packard Development Company, L.P.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [387384 2006-12-02] (Symantec Corporation)
R3 HdAudAddService; C:\Windows\System32\drivers\CHDAud.sys [569856 2006-04-18] (Conexant Systems Inc.)
R3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [201600 2005-08-22] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [1035008 2005-08-22] (Conexant Systems, Inc.)
S3 MREMPR5; C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [19345 2007-03-11] (Motive, Inc.)
S3 MRENDIS5; C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [18003 2007-03-11] (Motive, Inc.)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-04] (Realtek Semiconductor Corporation)
R1 sbaphd; C:\Windows\System32\drivers\sbaphd.sys [21240 2011-11-29] (GFI Software)
R2 sbapifs; C:\Windows\System32\drivers\sbapifs.sys [77816 2011-11-29] (GFI Software)
R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [335224 2011-12-19] (GFI Software)
S3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [94584 2011-09-29] (GFI Software)
R3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [94584 2011-09-29] (GFI Software)
S3 sbhips; C:\Windows\System32\drivers\sbhips.sys [93816 2011-12-19] (GFI Software)
S1 SBRE; C:\WINDOWS\system32\drivers\SBREdrv.sys [101112 2011-10-26] (GFI Software)
R1 sbtis; C:\Windows\System32\drivers\sbtis.sys [217976 2011-12-19] (GFI Software)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [639224 2007-01-24] ()
R3 st3wolf; C:\Windows\System32\DRIVERS\st3wolf.sys [99360 2003-04-27] ( )
R0 stwlfbus; C:\Windows\System32\DRIVERS\stwlfbus.sys [8704 2003-04-27] ( )
R2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2006-05-08] (Symantec Corporation)
S3 w39n51; C:\Windows\System32\DRIVERS\w39n51.sys [1428480 2006-03-14] (Intel® Corporation)
S3 xbreader; C:\Windows\System32\Drivers\xbreader.sys [19677 2001-01-02] (Thesycon GmbH, Germany)
S3 gtermddo; \??\C:\DOCUME~1\Tone\LOCALS~1\Temp\gtermddo.sys [x]
S2 pciinfo; \??\C:\DOCUME~1\Tone\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 vaxscsi; \SystemRoot\System32\Drivers\vaxscsi.sys [x]
U1 WS2IFSL; 
U3 akm1qd96; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-14 10:46 - 2013-11-14 10:46 - 00000000 ____D C:\FRST
2013-11-14 10:45 - 2013-11-14 10:46 - 00011549 _____ C:\WINDOWS\KB2888505-IE8.log
2013-11-14 10:45 - 2013-11-14 10:45 - 00000000 ____D C:\WINDOWS\LastGood
2013-11-13 10:52 - 2013-11-13 10:52 - 00004096 _____ C:\WINDOWS\KB2868626.log
2013-11-13 10:52 - 2013-11-13 10:52 - 00004092 _____ C:\WINDOWS\KB2862152.log
2013-11-13 10:51 - 2013-11-13 10:52 - 00008825 _____ C:\WINDOWS\KB2876331.log
2013-11-13 10:51 - 2013-10-13 02:25 - 06021120 _____ (Microsoft Corporation) C:\WINDOWS\system32\SETF.tmp
2013-11-13 10:51 - 2013-10-13 02:25 - 01215488 _____ (Microsoft Corporation) C:\WINDOWS\system32\SETA.tmp
2013-11-13 10:51 - 2013-10-13 02:25 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET9.tmp
2013-11-13 10:51 - 2013-10-13 02:25 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET11.tmp
2013-11-13 10:51 - 2013-10-13 02:25 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\SETB.tmp
2013-11-13 10:51 - 2013-10-13 02:25 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET10.tmp
2013-11-13 10:51 - 2013-10-13 02:24 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET17.tmp
2013-11-13 10:51 - 2013-10-13 02:24 - 02006016 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET15.tmp
2013-11-13 10:29 - 2013-11-13 10:35 - 00000000 ____D C:\Documents and Settings\Tone\Desktop\RK_Quarantine
2013-11-10 04:02 - 2013-11-10 04:02 - 00054156 ____H C:\WINDOWS\QTFont.qfn
2013-11-10 04:02 - 2013-11-10 04:02 - 00001409 _____ C:\WINDOWS\QTFont.for
2013-11-07 14:42 - 2013-11-07 15:51 - 00000000 ____D C:\Program Files\Mozilla Thunderbird
 
==================== One Month Modified Files and Folders =======
 
2013-11-14 10:46 - 2013-11-14 10:46 - 00000000 ____D C:\FRST
2013-11-14 10:46 - 2013-11-14 10:45 - 00011549 _____ C:\WINDOWS\KB2888505-IE8.log
2013-11-14 10:46 - 2013-10-11 00:37 - 00005648 _____ C:\WINDOWS\updspapi.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00043280 _____ C:\WINDOWS\FaxSetup.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00020692 _____ C:\WINDOWS\ocgen.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00016513 _____ C:\WINDOWS\tsoc.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00014383 _____ C:\WINDOWS\comsetup.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00008718 _____ C:\WINDOWS\ntdtcsetup.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00006912 _____ C:\WINDOWS\iis6.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00002394 _____ C:\WINDOWS\ocmsn.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00002163 _____ C:\WINDOWS\msgsocm.log
2013-11-14 10:46 - 2013-10-11 00:36 - 00001393 _____ C:\WINDOWS\imsins.log
2013-11-14 10:46 - 2013-10-11 00:35 - 00018937 _____ C:\WINDOWS\setupapi.log
2013-11-14 10:46 - 2010-06-07 07:35 - 00000000 ____D C:\WINDOWS\ie8updates
2013-11-14 10:46 - 2006-03-27 12:00 - 01179436 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-14 10:45 - 2013-11-14 10:45 - 00000000 ____D C:\WINDOWS\LastGood
2013-11-14 10:45 - 2013-08-15 09:10 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-11-14 10:41 - 2007-01-09 18:28 - 80340640 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-11-14 10:40 - 2006-05-08 06:03 - 00002132 _____ C:\hpqp.ini
2013-11-14 10:40 - 2006-05-08 06:03 - 00000039 _____ C:\XP_TV.ini
2013-11-14 10:39 - 2012-07-16 15:55 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-14 10:39 - 2006-05-08 04:42 - 00050868 _____ C:\WINDOWS\system32\nvapps.xml
2013-11-14 10:39 - 2006-03-27 12:00 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-14 10:39 - 2006-03-27 02:53 - 00000157 _____ C:\WINDOWS\wiadebug.log
2013-11-14 10:39 - 2006-03-27 02:53 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-11-13 19:35 - 2006-12-02 21:37 - 00000278 ___SH C:\Documents and Settings\Tone\ntuser.ini
2013-11-13 19:35 - 2006-03-27 12:00 - 00032534 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-13 19:21 - 2012-07-16 15:55 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-13 12:43 - 2010-05-01 10:06 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-13 10:52 - 2013-11-13 10:52 - 00004096 _____ C:\WINDOWS\KB2868626.log
2013-11-13 10:52 - 2013-11-13 10:52 - 00004092 _____ C:\WINDOWS\KB2862152.log
2013-11-13 10:52 - 2013-11-13 10:51 - 00008825 _____ C:\WINDOWS\KB2876331.log
2013-11-13 10:35 - 2013-11-13 10:29 - 00000000 ____D C:\Documents and Settings\Tone\Desktop\RK_Quarantine
2013-11-13 10:18 - 2006-03-27 12:00 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2013-11-12 11:33 - 2006-12-03 01:06 - 00000000 ____D C:\Documents and Settings\Tone\My Documents\Received Files
2013-11-12 10:27 - 2011-09-26 14:22 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2503665$
2013-11-10 04:02 - 2013-11-10 04:02 - 00054156 ____H C:\WINDOWS\QTFont.qfn
2013-11-10 04:02 - 2013-11-10 04:02 - 00001409 _____ C:\WINDOWS\QTFont.for
2013-11-08 15:06 - 2006-03-27 11:07 - 00522448 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-11-08 14:59 - 2013-08-12 12:47 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-11-07 15:51 - 2013-11-07 14:42 - 00000000 ____D C:\Program Files\Mozilla Thunderbird
2013-11-06 10:57 - 2007-01-09 02:51 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB923689$
2013-11-03 12:00 - 2012-07-16 15:42 - 00000942 _____ C:\WINDOWS\Tasks\Ad-Aware Antivirus Scheduled Scan.job
2013-10-24 08:42 - 2012-01-05 10:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2641690$
2013-10-23 12:20 - 2013-10-04 09:43 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-23 12:20 - 2011-06-27 21:52 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-10-15 19:11 - 2006-12-02 21:37 - 00000000 ____D C:\Documents and Settings\Tone
2013-10-15 02:05 - 2006-05-08 03:38 - 00000000 ____D C:\WINDOWS\Microsoft.NET
 
Files to move or delete:
====================
ZeroAccess:
C:\Documents and Settings\Tone\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\Tone\jagex_runescape_preferences.dat
C:\Documents and Settings\Tone\jagex_runescape_preferences2.dat
 
 
Some content of TEMP:
====================
C:\Documents and Settings\Tone\Local Settings\Temp\jre-7u40-windows-i586-iftw.exe
C:\Documents and Settings\Tone\Local Settings\Temp\ntdll_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================
 
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 14-11-2013
Ran by Tone at 2013-11-14 10:47:38
Running from C:\Documents and Settings\Tone\My Documents\Received Files\MalwarebytesForum-1stResponse\Step03-FarbarSystemRecoveryTool-ScanOnly
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Lavasoft Ad-Aware (Disabled - Up to date) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Norton Internet Worm Protection (Disabled) {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Lavasoft Ad-Aware (Disabled) {FF1CD5B7-1553-4625-A258-1775385CED33}
 
==================== Installed Programs ======================
 
Action Replay XBOX 1.41
Ad-Aware Antivirus (Version: 10.1.211.3382)
Ad-Aware Browsing Protection (Version: 0.9.0.2)
Ad-Aware Security Toolbar (Version: 2.1.0.20)
Adobe Flash Player 10 Plugin (Version: 10.1.82.76)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Illustrator 9.0 (Version: 9.0)
Adobe Photoshop 6.0 (Version: 6.0)
Adobe Reader 7.0 (Version: 7.0.0)
Adobe SVG Viewer (Version: 1.0)
Apple Software Update (Version: 1.0.2.1)
AutoUpdate (Version: 1.1)
BufferChm (Version: 60.0.155.000)
Conexant HD Audio
CP_AtenaShokunin1Config (Version: 60.0.155.000)
CP_CalendarTemplates1 (Version: 60.0.155.000)
cp_LightScribeConfig (Version: 60.0.155.000)
cp_OnlineProjectsConfig (Version: 60.0.155.000)
CP_Package_Basic1 (Version: 60.0.155.000)
CP_Package_Variety1 (Version: 60.0.155.000)
CP_Package_Variety2 (Version: 60.0.155.000)
CP_Package_Variety3 (Version: 60.0.155.000)
CP_Panorama1Config (Version: 60.0.155.000)
cp_PosterPrintConfig (Version: 60.0.155.000)
cp_UpdateProjectsConfig (Version: 60.0.155.000)
Crayon Physics Deluxe - release 53
Critical Update for Windows Media Player 11 (KB959772)
CueTour (Version: 60.0.155.000)
Customer Experience Enhancement (Version: Customer Experience Enhancement -1.0.0.1680)
Destinations (Version: 60.0.155.000)
DeviceManagementQFolder (Version: 1.00.0000)
DivX Codec (Version: 6.4.0)
DivX Player (Version: 6.4.1)
DivX Web Player (Version: 1.3.0)
EA Download Manager (Version: 5.0.0.203)
Easy Internet Sign-up (Version: FE UI-4.1.0.1680)
EPSON Printer Software
FullDPAppQFolder (Version: 1.00.0000)
Google Earth (Version: 4.0.2722)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4601.54)
Google Update Helper (Version: 1.3.21.165)
HDAUDIO Soft Data Fax Modem with SmartCP
HP Game Console and games
HP Help and Support (Version: 4.2.0006)
HP Imaging Device Functions 6.0 (Version: 6.0)
HP Photosmart Premier Software 6.0 (Version: 6.0)
HP Quick Launch Buttons 6.10 A2 (Version: 6.10 A2)
HP QuickPlay 2.1
HP Update (Version: 4.000.005.007)
HP User Guides 0019 (Version: 1.00.0003)
HP User Guides--System Recovery (Version: 1.00.0001)
HP Wireless Assistant 2.00 H1 (Version: 2.00 H1)
HpSdpAppCoreApp (Version: 3.00.0000)
IHA_MessageCenter (Version: 1.6.0)
InstantShareDevices (Version: 60.0.155.000)
Intel® PRO Network Connections Drivers
Ipswitch WS_FTP Pro
iTunes (Version: 7.2.0.34)
Java 7 Update 40 (Version: 7.0.400)
Java Auto Updater (Version: 2.1.9.8)
KhalSetup (Version: 1.00.0000)
LEGO Creator
LightScribe  1.4.105.1 (Version: 1.4.105.1)
LiveUpdate 3.0 (Symantec Corporation) (Version: 3.0.0.171)
Logitech SetPoint (Version: 3.1)
Macromedia Flash Player 8 (Version: 8.0.22.0)
magicJack (HKCU Version: 2.0.6073.4252)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Standard Edition 2003 (Version: 11.0.8173.0)
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.04.0623)
Move Networks Media Player for Internet Explorer
Mozilla Firefox 12.0 (x86 en-US) (Version: 12.0)
Mozilla Maintenance Service (Version: 24.1.0)
Mozilla Thunderbird 24.1.0 (x86 en-US) (Version: 24.1.0)
MSN
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee autoProducer 4.5 (Version: 4.50.050)
Netflix Movie Viewer (Version: 1.2.211)
Netscape Browser (remove only)
NetWaiting (Version: 2.5.28)
NVIDIA Drivers
Office 2003 Trial Assistant (Version: 1.0.0)
OpenOffice 4.0.0 (Version: 4.00.9702)
OptionalContentQFolder (Version: 1.00.0000)
PhotoGallery (Version: 60.0.155.000)
QuickTime (Version: 7.1.6.200)
RandMap (Version: 60.0.155.000)
RealPlayer
SkinsHP1 (Version: 60.0.155.000)
SmartAudio (Version: 1.3.7)
Sonic Audio Module (Version: 2.0.4)
Sonic Copy Module (Version: 2.0.4)
Sonic Data Module (Version: 2.0.4)
Sonic Express Labeler (Version: 2.0.0)
Sonic MyDVD Plus (Version: 6.2.0)
Sonic Update Manager (Version: 3.0.0)
Sonic_PrimoSDK (Version: 60.0.155.000)
SPORE™ (Version: 1.00.0000)
Symantec KB-DocID:2003093015493306 (Version: 1.0.0.1)
Synaptics Pointing Device Driver (Version: 8.3.8.0)
TeamSpeak 2 RC2 (Version: 2.0.32.60)
Texas Instruments PCIxx21/x515/xx12 drivers. (Version: 1.20.0000)
The Neverhood
Thief - Deadly Shadows (Version: 1.0)
Thief 2
TIPCI (Version: 1.20.0000)
TourSetup (Version: 1.0.0)
Unload (Version: 6.0.0)
Unreal Tournament G.O.T.Y. Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB982632) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Vongo (Version: 1.27)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
Wireless Home Network Setup (Version: 1.1.154.1)
XPort 360
 
==================== Restore Points  =========================
 
28-09-2013 19:13:05 System Checkpoint
04-10-2013 14:38:01 System Checkpoint
08-10-2013 14:54:44 System Checkpoint
10-10-2013 22:06:50 System Checkpoint
11-10-2013 05:35:14 Software Distribution Service 3.0
14-10-2013 15:59:11 System Checkpoint
15-10-2013 07:00:27 Software Distribution Service 3.0
17-10-2013 13:49:12 System Checkpoint
20-10-2013 20:13:17 System Checkpoint
23-10-2013 19:09:35 System Checkpoint
25-10-2013 01:39:03 System Checkpoint
29-10-2013 14:16:03 System Checkpoint
30-10-2013 21:07:43 System Checkpoint
31-10-2013 21:57:54 System Checkpoint
01-11-2013 22:57:54 System Checkpoint
02-11-2013 23:57:54 System Checkpoint
04-11-2013 00:58:05 System Checkpoint
06-11-2013 16:26:22 System Checkpoint
08-11-2013 23:07:39 System Checkpoint
10-11-2013 05:41:22 System Checkpoint
12-11-2013 09:00:11 System Checkpoint
13-11-2013 20:04:42 System Checkpoint
14-11-2013 15:41:36 Software Distribution Service 3.0
 
==================== Hosts content: ==========================
 
2004-08-04 16:00 - 2004-08-04 16:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\Ad-Aware Antivirus Scheduled Scan.job => C:\PROGRA~1\AD-AWA~1\AdAwareLauncher.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2006-05-08 06:13 - 2007-09-25 09:11 - 00361328 _____ () C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcnet.dll
2006-03-14 09:51 - 2006-03-14 09:51 - 00159744 _____ () C:\Program Files\Vongo\CaPolMgr.dll
2006-03-12 08:07 - 2006-03-12 08:07 - 03940352 _____ () C:\Program Files\Vongo\qt-mt335.dll
2006-03-12 08:07 - 2006-03-12 08:07 - 00184320 ____R () C:\Program Files\Vongo\sqldrivers\qsqlite.dll
2007-01-21 18:23 - 2001-01-16 19:46 - 00015360 _____ () C:\Program Files\WS_FTP Pro\nsftpch.dll
2006-05-08 03:39 - 2006-04-15 13:26 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
2007-01-21 15:23 - 2002-05-14 18:22 - 00122880 _____ () C:\Program Files\WinRAR\rarext.dll
2007-01-21 18:23 - 2001-05-31 12:30 - 00778752 _____ () C:\Program Files\WS_FTP Pro\sslsvc.dll
2007-01-21 18:23 - 2001-06-07 10:31 - 00049152 _____ () C:\Program Files\WS_FTP Pro\wshosts.dll
2006-05-08 06:02 - 2006-04-11 23:54 - 00167936 _____ () C:\Program Files\HP\QuickPlay\Kernel\common\CLDataSync.dll
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service => ""="Ad-Aware Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ad-Aware Service => ""="Ad-Aware Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
 
==================== Faulty Device Manager Devices =============
 
Name: ST3WOLF SCSI Controller
Description: ST3WOLF SCSI Controller
Class Guid: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard mass storage controllers)
Service: st3wolf
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: Intel® PRO/Wireless 3945ABG Network Connection
Description: Intel® PRO/Wireless 3945ABG Network Connection
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel Corporation
Service: w39n51
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
Error: (11/14/2013 10:40:16 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error: 
%%1060
 
Error: (11/14/2013 10:40:16 AM) (Source: Service Control Manager) (User: )
Description: The HP Pci Information service failed to start due to the following error: 
%%3
 
Error: (11/14/2013 10:40:16 AM) (Source: Service Control Manager) (User: )
Description: The IHA_MessageCenter service failed to start due to the following error: 
%%3
 
Error: (11/13/2013 10:24:27 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error: 
%%1060
 
Error: (11/13/2013 10:24:27 AM) (Source: Service Control Manager) (User: )
Description: The HP Pci Information service failed to start due to the following error: 
%%3
 
Error: (11/13/2013 10:24:27 AM) (Source: Service Control Manager) (User: )
Description: The IHA_MessageCenter service failed to start due to the following error: 
%%3
 
Error: (11/13/2013 10:15:33 AM) (Source: Service Control Manager) (User: )
Description: The Help and Support service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
 
Error: (11/13/2013 10:03:30 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error: 
%%1060
 
Error: (11/13/2013 10:03:30 AM) (Source: Service Control Manager) (User: )
Description: The HP Pci Information service failed to start due to the following error: 
%%3
 
Error: (11/13/2013 10:03:30 AM) (Source: Service Control Manager) (User: )
Description: The IHA_MessageCenter service failed to start due to the following error: 
%%3
 
 
Microsoft Office Sessions:
=========================
 
==================== Memory info =========================== 
 
Percentage of memory in use: 42%
Total physical RAM: 1022.04 MB
Available physical RAM: 584.66 MB
Total Pagefile: 2458.02 MB
Available Pagefile: 2192.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 1945.11 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:82.64 GB) (Free:23.02 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HP_RECOVERY) (Fixed) (Total:9.49 GB) (Free:1.35 GB) FAT32 ==>[Drive with boot components (Windows XP)]
Drive h: (NINJABIKER) (Removable) (Total:3.72 GB) (Free:3.69 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 6E53F36C)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
 
==================== End Of Log ============================

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Okay, I followed all of your directions, keeping in mind your previous instruction to keep the infected computer disconnected from the internet. I had to briefly connect it to the internet to download any updates for the Malwarebytes Anti-Rootkit. When I performed the first scan it did find one offender, which the cleanup seemed to remove. Upon reboot and rescan, it no longer found anything. I should mention the computer was still disconnected from the internet from the time I downloaded the updates and disconnected the connection. Before it scanned the second time, I did not think it was necessary to reconnect and download any updates since it had only been about an hour from when I updated previously. I hope that was okay.

 

I checked all the items your follow up notes suggested. Right now while typing this reply I am reconnected to the internet with my previously infected laptop (fingers crossed), so for the time being it seems to be functioning normally. Within the Windows Security Center window it indicates both the Firewall and Automatic Updates are "On." It also says Virus Protection is off, but that is because I have been keeping it off, as per your instructions.

 

I am still wondering about the Automatic Updates for Windows. I told you before that Windows seemed to be trying to update itself despite being disconnected from the internet (at least through both ethernet and supposedly disabled WiFi; I do not know what the "1394 Connection" is in the Network Connections list). After I wrote that message telling you about that Windows Update attempt, the next time I booted up the system it said the system had been updated despite me cancelling the update when I shut down the last time and still being disconnected from the internet. I found that suspicious. Can you explain that if it is legitimate?

 

If I encounter additional problems, I will run fixdamage.exe as suggested. Would it risk anything to run it even if I do not encounter any further problems? For instance, can I run it just to be extra cautious, or do you really suggest only running it if I run into more issues?

 

As requested I am attaching all the log files, but there are four of them. There are 2 mbar-log.txt files, one from the first scan with infected results and one from the second scan with clean results. I was not sure which one you were more interested in, so I did not think attaching both would be negative. I will await any more instructions or advice, which you might have to offer.

Sincere thanks,

_TONE_

 

Fixlog.txt

mbar-log-2013-11-15 (12-09-35).txt

mbar-log-2013-11-15 (13-07-20).txt

system-log.txt


You can connect to the net now.

Run fixdamage.exe

Then......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":


Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Run another scan with RogueKiller and post the new log.

 

Then......

 

Let's clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


You told me to run another scan (presumably without fixing anything, just like the first time) with RogueKiller again and post the log, so I am doing that now and attaching the log file below. However, you also told me to use some adware/spyware removal tools after I posted, so I have not done that just yet. I will do so and report back again.

 

I do want to point out something. When I ran the original RogueKiller program, which I downloaded and ran the first time, after a short scan it brought up an error message about it being out of date, and besides cancelling it offered the ability to be directed to the updated version's download page. That was:

http://www.adlice.com/softwares/roguekiller/

...which was not the same URL you originally provided me. As a precaution I re-downloaded RogueKiller through the URL you originally provided me with. When I ran that one, I did not encounter any update messages. After the log was produced I went back to check the version numbers under the properties of both of the RogueKiller.exe files. The first one I had downloaded was version 8.7.7.0 and the second one was 8.7.8.0

I suppose I was just being paranoid and being over-cautious, but in retrospect it looks like the update error was legitimate. Anyway, I just thought you should know.

_TONE_

 

RKreport0_S_11152013_214640.txt


I followed all the rest of your directions, which followed the second RogueKiller scan. AdwCleaner found a few things, but they did not seem to be anything I cared for, so I just cleaned it all out.

 

Before AdwCleaner rebooted the system though, I noticed one of those text bubbles pop up from a non-typical icon on the task bar. It kind of looked like the Google Chrome logo, but I do not have Chrome on my system. The text bubble said something about Google blocking AdwCleaner because AdwCleaner was trying to alter the home page. I wanted to click on the icon to see if there was more info, and to maybe give AdwCleaner permission to change the home page setting, but the bubble and icon disappeared too quickly. I did not think it was worth running AdwCleaner all over again after the system rebooted, but let me know if that Google home page blockage is a worthwhile indicator to rerun AdwCleaner.

 

As for the MalwareBytes quick scan, nothing was found. I will still attach the log file from the scan though. Previously you also asked me how my computer is now running after going through AdwCleaner. I have not gotten a chance to put it through a major test or anything, but in general it seems to be booting up faster and loading programs quicker. The only anomaly I have really noticed so far has been when I try to run the FireFox browser. It seems to immediately pull up a tab for a FireFox update page, but then it freezes. That might be a problem on their end, but FireFox becomes unresponsive according to the system. The two or three times FireFox became that way I used Ctrl-Alt-Del to bring up the Task Manager to end the program. After that I would just use Internet Explorer as my browser. I should also mention Ctrl-Alt-Del brings up the Task Manager MUCH faster than it did in the past few weeks!

 

By the way, as far as I am concerned, you can take as long as you want in assisting me, so there is no problem with you being "back in the AM." You have actually been surprising me with how quickly you have been responding. Considering I am a complete stranger to you, my expectations were WAY lower.

 

Sincerely,

_TONE_

 

Below is the attached MalwareBytes log and following that is the copy/pasted log file from AdwCleaner.

 

mbam-log-2013-11-15 (22-31-33).txt

 

# AdwCleaner v3.012 - Report created 15/11/2013 at 22:17:00

# Updated 11/11/2013 by Xplode

# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

# Username : Tone - PORTONE

# Running from : C:\Documents and Settings\Tone\Desktop\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

Service Deleted : Viewpoint Manager Service

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint

Folder Deleted : C:\Program Files\adawaretb

Folder Deleted : C:\Program Files\Toolbar Cleaner

Folder Deleted : C:\Program Files\Viewpoint

Folder Deleted : C:\Documents and Settings\Tone\Application Data\adawaretb

Folder Deleted : C:\Documents and Settings\Tone\Application Data\Viewpoint

Folder Deleted : C:\Documents and Settings\Tone\Application Data\Mozilla\Firefox\Profiles\d5prdnbd.default\adawaretb

***** [ Shortcuts ] *****

 

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

Key Deleted : HKCU\Software\adawaretb

Key Deleted : HKCU\Software\Viewpoint

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKLM\Software\MetaStream

Key Deleted : HKLM\Software\Toolbar Cleaner

Key Deleted : HKLM\Software\Viewpoint

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adawaretb

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\adawaretb

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Viewpoint Manager

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

 

-\\ Mozilla Firefox v12.0 (en-US)

[ File : C:\Documents and Settings\Tone\Application Data\Mozilla\Firefox\Profiles\d5prdnbd.default\prefs.js ]

 

*************************

AdwCleaner[R0].txt - [3987 octets] - [15/11/2013 22:11:04]

AdwCleaner[s0].txt - [4004 octets] - [15/11/2013 22:17:00]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4064 octets] ##########
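A small parser for the AdwCleaner report above, added here as an example; it is not code from AdwCleaner or from the forum post. It reads the `***** [ Section ] *****` headers and the `Service/Folder/Key/Value Deleted : ...` lines, counts what was removed per section, and correlates each CLSID that was registered as an Internet Explorer Browser Helper Object or toolbar with the other registry entries that referenced it, which is the browser persistence a reviewer wants to confirm was fully removed. The sample is a constructed excerpt of the posted log, and the line shapes are an assumption inferred from that single report.

```python
import re
from collections import Counter

# Constructed excerpt of the AdwCleaner report posted in this thread (page data, trimmed).
SAMPLE_REPORT = r"""
# AdwCleaner v3.012 - Report created 15/11/2013 at 22:17:00
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Option : Clean

***** [ Services ] *****

Service Deleted : Viewpoint Manager Service

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Program Files\Viewpoint

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : HKCU\Software\adawaretb

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702
"""

# Line shapes inferred from the one report above (assumption: other AdwCleaner versions may differ).
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ENTRY_RE = re.compile(r"^(Service|Folder|File|Key|Value) (Deleted|Found) : (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Registry locations where a CLSID means "loaded into Internet Explorer on every start".
BROWSER_HOOK_PATHS = (
    r"\Explorer\Browser Helper Objects",
    r"\Internet Explorer\Toolbar",
)


def parse_report(text):
    """Return (header, entries): header maps '# Key : Value' lines, entries are the
    per-section Deleted/Found records as dicts with section, kind, action and target."""
    header, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and " : " in line:
            key, value = line[2:].split(" : ", 1)
            header[key.strip()] = value.strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, "kind": m.group(1),
                            "action": m.group(2), "target": m.group(3)})
    return header, entries


def browser_hooks(entries):
    """Map each CLSID registered as a BHO or IE toolbar to every registry entry
    in the report that mentions it (the COM class, the hook, and any Ext/Stats keys)."""
    hooked = set()
    for e in entries:
        if e["section"] != "Registry":
            continue
        if any(p.lower() in e["target"].lower() for p in BROWSER_HOOK_PATHS):
            m = CLSID_RE.search(e["target"])
            if m:
                hooked.add(m.group(0).upper())
    refs = {clsid: [] for clsid in sorted(hooked)}
    for e in entries:
        m = CLSID_RE.search(e["target"])
        if m and m.group(0).upper() in refs:
            refs[m.group(0).upper()].append(e["target"])
    return refs


def summarize(text):
    """One-shot triage view: run mode, removals per section, and correlated browser hooks."""
    header, entries = parse_report(text)
    return {
        "option": header.get("Option"),
        "counts": dict(Counter(e["section"] for e in entries)),
        "browser_hooks": browser_hooks(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Running it against a full report gives the per-section counts at a glance and, for every CLSID that was hooked into the browser, the list of places it was registered; a CLSID that shows up under `Browser Helper Objects` but has no matching `Classes\CLSID` removal in the same report is worth a second look.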


After booting up this morning FireFox was able to run without completely freezing. It was also finally able to access the web page it was automatically trying to get to last night. That page was/is:

https://www.mozilla.org/en-US/plugincheck/

When that page did load up the first time, it first told me JAVA was out of date and I should update it, so I did. I hope that is ok.

After updating JAVA it told me I had to restart any browsers I was using for JAVA to take effect, so I quit out of FireFox and restarted it. Again it brought me to that same update page. This time it told me Adobe Reader was out of date, so I updated that too. After Adobe Reader updated I could not get back to that update page, so I thought I would quit out of FireFox and restart it so that it would bring up that page again, assuming it used that page to check for updates every time FireFox started up. I had noticed that page had listed several out-of-date plug-ins/programs, so I wanted to go back to update stuff. In particular it mentioned RealPlayer, QuickTime, ShockWave Flash, and DIVX Web player, which it listed as all being vulnerable. However, this time when I started FireFox again, it did not automatically bring up the update page. I still found the page though by looking through the Mozilla.org site, and I bookmarked it for future usage.

 

I am guessing FireFox required mandatory updates for JAVA and Adobe Reader, but the others were not critical. Before I update any of those vulnerable plug-ins, I thought I would check with you. Apart from that, I would say my system is functioning rather smoothly.

_TONE_


Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

I ran SecurityCheck, and I am copy/pasting the contents of checkup.txt at the end of my message.

 

Before I followed the instructions for SecurityCheck though, I noticed the system brought up the task bar icon tray "red shield" warning, specifically warning me about there being no firewall enabled. I found that to be very odd because after the earlier ComboFix step, I made sure my firewall(s) and anti-malware programs were all running again. Should I be concerned about my firewall being turned off for no apparent reason???

 

Just so you know, ever since you told me it was safe to re-connect to the internet in the ComboFix step, I have been pretty much connected to the net, but I have been limiting my usual activity to avoid additional infections. Also, if I left my computer running without me there I would disconnect the ethernet cable as a precaution, just like I always did.

 

In your past couple of messages you have asked me how my computer has been running, so I thought it worthy to mention that occasionally it seems to be slower than I have recently reported. By that I mean I sometimes experience that slow-type-displaying issue I spoke about in one of my first messages, as if there is lag not just in my internet connection but in my processing. It is nowhere near as bad as it was before you began assisting me though. There are also times where I might just be sitting by/near my computer doing nothing with it while it is turned on and connected to the internet, and I can see the network icon in the system tray on the task bar showing activity (one or both of the little computer monitors in the icon light up, etc.) However, I can not be certain whether this network activity is due to automatic program updates, etc. Every now and then I will also hear the laptop "kicking in." I have always associated that with the processor and/or fan working double-time or whatever. I am definitely not an electronics expert or anything, so it might simply be a normal regular heat-sink fan type function. Although, I keep my laptop on a metal wire-shelf, which has plenty of air circulation, so it should not be heating up too bad.

 

From what you are saying, it sounds like we might be coming to the end of cleaning my computer. That is great, but I am guessing if I encounter a reappearance of the "Rootkit.0Access" detection in a future MalwareBytes scan, then I should do a follow up reply, right?

 

_TONE_

 

---

 

 Results of screen317's Security Check version 0.99.77  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Ad-Aware Antivirus     
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 Adobe Flash Player 10 Flash Player out of Date!
  Adobe Flash Player     10.1.82.76 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 12.0 Firefox out of Date!  
 Mozilla Thunderbird (24.1.0)
````````Process Check: objlist.exe by Laurent````````  
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 Ad-Aware Antivirus AdAwareService.exe   
 Ad-Aware Antivirus SBAMSvc.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````
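The checkup.txt above is what MrC reads in the next reply to decide what to uninstall or update. As an added example (not code from Security Check or from this thread), here is a parser that turns that text into structured findings: the firewall state, every "out of Date!" product with its version, every protection process reported as disabled, and the fragmentation figure. The sample is a constructed reproduction of the posted log; the section headers are built with a helper only so the backtick lines can sit inside this code block, and the regular expressions are an assumption based on this one log.

```python
import re


def _hdr(title, pad=9):
    """Security Check draws section headers as a title padded with backticks.
    Built here so the sample fits in a fenced block (assumption: the padding width is cosmetic)."""
    return "`" * pad + title + "`" * pad


# Constructed sample reproducing the checkup.txt posted above (page data).
SAMPLE_CHECKUP = "\n".join([
    " Results of screen317's Security Check version 0.99.77",
    " Windows XP Service Pack 3 x86",
    " Internet Explorer 8",
    _hdr("Antivirus/Firewall Check:"),
    " Windows Firewall Enabled!",
    " Ad-Aware Antivirus",
    _hdr("Anti-malware/Other Utilities Check:"),
    " Malwarebytes Anti-Malware version 1.75.0.1300",
    " Java 7 Update 45",
    " Adobe Flash Player 10 Flash Player out of Date!",
    "  Adobe Flash Player     10.1.82.76 Flash Player out of Date!",
    " Adobe Reader XI",
    " Mozilla Firefox 12.0 Firefox out of Date!",
    _hdr("Process Check: objlist.exe by Laurent"),
    " Ad-Aware AAWService.exe is disabled!",
    " Ad-Aware AAWTray.exe is disabled!",
    " Ad-Aware Antivirus SBAMSvc.exe",
    _hdr("System Health check"),
    " Total Fragmentation on Drive C:: 5%",
    _hdr("End of Log"),
])

# Line shapes inferred from the log above (assumption). An outdated line is
# "<Product> <version> <short name> out of Date!", so the product ends at the version token.
OUTDATED_RE = re.compile(r"^(?P<product>.+?\d[\w.]*) (?P<short>.+) out of Date!$")
DISABLED_RE = re.compile(r"^(?P<vendor>.+?) (?P<process>\S+\.exe) is disabled!$")
FRAG_RE = re.compile(r"^Total Fragmentation on Drive (\w):: (\d+)%$")


def parse_checkup(text):
    """Return a findings dict: firewall_enabled, outdated [{product, version}],
    disabled [(vendor, process)], fragmentation_pct {drive: percent}."""
    findings = {"firewall_enabled": None, "outdated": [], "disabled": [], "fragmentation_pct": {}}
    section = None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the log's irregular spacing
        if not line:
            continue
        if line.startswith("`"):
            section = line.strip("`").rstrip(":")
            continue
        if section == "Antivirus/Firewall Check" and "Firewall" in line:
            if line.endswith("Enabled!"):
                findings["firewall_enabled"] = True
            elif line.endswith("Disabled!"):  # assumption: wording used for the off state
                findings["firewall_enabled"] = False
            continue
        m = OUTDATED_RE.match(line)
        if m:
            product = m.group("product")
            findings["outdated"].append({"product": product, "version": product.split()[-1]})
            continue
        m = DISABLED_RE.match(line)
        if m:
            findings["disabled"].append((m.group("vendor"), m.group("process")))
            continue
        m = FRAG_RE.match(line)
        if m:
            findings["fragmentation_pct"][m.group(1)] = int(m.group(2))
    return findings


def needs_attention(findings):
    """Flatten findings into the items a reviewer acts on: outdated software first,
    then protection that is not running."""
    items = [f"update or remove: {p['product']}" for p in findings["outdated"]]
    items += [f"disabled: {vendor} {proc}" for vendor, proc in findings["disabled"]]
    if findings["firewall_enabled"] is False:
        items.append("firewall: disabled")
    return items


if __name__ == "__main__":
    for item in needs_attention(parse_checkup(SAMPLE_CHECKUP)):
        print(item)
```

On the posted log this yields the three outdated products MrC lists in his reply (two Flash Player entries and Firefox 12.0) and the two Ad-Aware processes that objlist.exe reported as not running, which is the same list a helper works through by hand.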
 


I forgot to mention I did re-enable the firewall after the system tray warned me about there being no fire wall engaged. That is why SecurityCheck lists my firewall as being enabled in its log. I did not want there to be any confusion In case the log file made you think I was claiming a false alarm or something.

_TONE_


1. Should I be concerned about my firewall being turned off for no apparent reason???

As long as you enabled it and it stays that way, you're OK


2. network activity <------this is normal, I see the same on my XP machine.

3. Slow computer and lagging.......I would suggest you install CCleaner to clean out temp files, just stay away from the registry cleaner.
There's also some links to troubleshooting slow computers in My Preventive Maintenance below.

Download, install and run CCleaner free to clean out temp files.
Here's a Tutorial if needed.
You may want to uncheck "cookies" and please stay away from the registry cleaner.

4. You won't see ZA anymore, it's gone.

-----------------------------------------------------------

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adobe Flash Player 10 Flash Player out of Date! <---please uninstall from your add/remove programs
Adobe Flash Player 10.1.82.76 Flash Player out of Date! <-----Check for an update if available

---------------------------------------

Mozilla Firefox 12.0 Firefox out of Date! <----please check for an update if available. (25)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC


1) Firewall turning off/on...

When I booted up my computer this morning the system tray warned me about there being no firewall again, but the notice quickly went away. After that I opened up the Windows Security Center and it told me the firewall was on, so I do not know what is up with that. Does Windows XP have to turn on the firewall every time it boots up or something, which would cause it to detect the firewall being off briefly?

 

2) Network activity being normal...

OK, no problem. I was just checking as a precaution.

 

3) Slow computer/lagging...

I ran CCleaner. It cleared out over 300 megabytes of stuff. It seems like a good program to keep around. I wish I knew about it sooner. I promise never to mess with the registry section!

 

4) "You won't see ZA anymore, it's gone."

I presume ZA is an abbreviation for ZeroAccess. If so, then I sincerely hope you are correct and it will never come back.

 

Other stuff...

 

 A) I uninstalled Adobe Flash Player 10 via the "add/remove programs."

 

B) I updated Adobe Flash Player.

 

C) I updated Mozilla FireFox. Generally, in most programs I prefer to set it up so I am notified of updates. In FireFox's case their notice briefly pops up above the system tray, then I forget. I changed FireFox's settings to simply automatically update. I also learned you could go to the "About FireFox" option under the help tab and it will automatically check what version you have and update it. They should really change that to "About/update FireFox."

 

D) Something a little odd occurred when I tried to uninstall ComboFix. After entering the suggested text in the run box, it brought up what looked like an installation of ComboFix (a bunch of files were extracting), and it also sprung up a window about an update being available. I was not sure whether that was part of the "uninstall," so I figured it would not hurt to just go along with the update and perhaps run the uninstall process afterwards.

 

Well, after it seemed to update, a warning box came up telling me ComboFix detected AdAware and I would be running ComboFix at my own risk. At this point I believed an update had actually been installed and ComboFix had automatically started. I knew ComboFix is supposed to be run without any malware running, so I cancelled out of the warning notice by clicking the close-out X in the upper right of that window. Unfortunately, that just caused another follow up warning message to occur. I was not sure if ComboFix was about to run and possibly mess up AdAware, so before I clicked any more things in the window I went to completely quit out of AdAware, even though AdAware seemed to close out on its own (system tray icon disappeared). As a precaution, I restarted AdAware and manually closed it out completely. This all occurred with the ComboFix warning window still open.

 

At that point I hit Ctrl-Alt-Del to get the task manager and under the applications tab I ended the task, which was connected to the ComboFix window. This seemed to terminate the series of ComboFix warning windows, and when the warning window disappeared, hidden underneath it was a much smaller notice window. That smaller window said ComboFix was uninstalled, and the only option was to close out the window. I was not confident in ComboFix being uninstalled considering all the drama, so I simply re-entered the run box to uninstall ComboFix. When I tried that, the system just told me there was no ComboFix to uninstall, so I guess the uninstall worked. The whole update and AdAware warning just confused/worried me.

 

E) I ran OTC and it automatically rebooted the system. AdwCleaner and SecurityCheck are still on my desktop. Furthermore, AdwCleaner is in my C:root and CCleaner is in my C:/Program Files. I have not looked deep into my folder structure to check for traces of any of the other programs. Both AdwCleaner and CCleaner seem like they might be useful in the future, so I do not mind having them around. Regarding SecurityCheck being on my desktop, I prefer to keep my desktop very minimal, so I would like to delete that off my desktop. Is there somewhere else I should check for traces of SecurityCheck? I would also like to remove AdwCleaner from my desktop, so I was thinking I can move it to the AdwCleaner folder in my C:root, then whenever I run it I can temporarily move it back to my desktop. Is this sensible?

 

F) As for all the other programs, at the beginning of this entire process I set up a folder, and inside the folder I created several sub-folders as I followed the process. Each subfolder is prefixed with "Step01-", "Step-02", etc., so with each program you directed me to download/run, I expanded on the name of the consecutively named sub-folder and saved any files and logs inside that sub-folder. I also ended the name of the sub-folder with a basic directive. For instance, the first step's sub-folder is entitled "Step01-RogueKiller-ScanOnly" while the AdwCleaner step is entitled "Step10-AdwCleaner-RunFromDESKTOP". Some folders do not have anything in them, but are just placeholders to remind me about there being something to do except downloading/running something. In total there are 15 sub-folders, and they collectively take up 58.1 MB. Unless you have some objection, I think I would like to keep all of these as a record of the process. Perhaps someday if I have another problem I can follow some of the steps to help clean out my system. Do not worry though, I realize a potential future infection would likely not be the same as this one, so the steps needed to be taken would be different. Therefore, I certainly would not try running such things as ComboFix and FRST with the FixList without professional guidance. Mostly I am thinking of running the scans only, maybe AdwCleaner, and CCleaner. That way if AdAware or MalwareBytes does not find anything when I am paranoid about my system behaving funny, then I can run the other scans to alleviate my fears before bothering someone such as yourself on the forum.

 

G) Apart from that, if you can think of locations where the various tools would have snuck in files elsewhere, then I would want to manually delete them. FYI, those sub-folders I made (explained in the "F)" heading) only contain the original files of downloaded programs and any "*.txt" logs they created. I never moved any quarantine folders into them, so the quarantine folder created on my desktop (from FRST?) has already been removed.

 

H) You have been more than terrific in helping me, and I have already left very positive feedback, although from the looks of things... everyone loves you already.

 

I) I have bookmarked your "My Preventive Maintenance" guide, and have read through it. It is spectacular in that it has just about everything a PC user should need to avoid malware. I WISH I had known about it sooner. I have not followed its suggestions just yet, but I will definitely pursue a number of the recommended tactics. THANK YOU!


Immediate follow up...

 

I created a restore point (I found it odd that my system said restore points were disabled, but I enabled them), and I removed all the prior restore points as the "My Preventive Maintenance" guide suggested. However, when I followed the Windows Update link provided in the guide after the restore point section, there was an error. It seems like that Windows Update link is broken in both the guide on the malwarebytes.org forum and madoktor2.com. I thought you would want to know.

 

I have not yet followed anything else in the preventive maintenance guide, but I did notice it suggested using only one anti-virus program, one firewall, and one anti-malware program. I already suspected the firewall in only Windows XP was fairly useless, but I have a firewall available in AdAware Antivirus. Is it okay to turn on both the Windows XP and AdAware firewalls simultaneously? Regarding anti-virus/anti-malware, I thought viruses fell into the malware category. At the moment I have AdAware running real time protection and I occasionally run MalwareBytes manually. Since the guide distinguishes between anti-viral and anti-malware, is it suggesting I get the real time protection of MalwareBytes on top of AdAware? I presume you were the original author of the guide, so it contains all of your suggestions.

 

Thanks again,

_TONE_


1) Firewall turning off/on...
When I booted up my computer this morning the system tray warned me about there being no firewall again, but the notice quickly went away. After that I opened up the Windows Security Center and it told me the firewall was on, so I do not know what is up with that. Does Windows XP have to turn on the firewall every time it boots up or something, which would cause it to detect the firewall being off briefly?


The XP firewall is not good enough, I suggest you install PC Tools firewall. (Make sure the Windows Firewall is disabled) Once installed it has to go through a learning process but after that it's easy to use.

You can also use the one with AdAware Antivirus.
You don't want 2 firewalls installed and running.

-----------------------------------------------

3) Slow computer/lagging...
I ran CCleaner. It cleared out over 300 megabytes of stuff. It seems like a good program to keep around. I wish I knew about it sooner. I promise never to mess with the registry section!


Yes keep it

----------------------------------------------

ComboFix.......If the first way doesn't work, just download and run the uninstaller. OTC also will uninstall it.

Instructions to uninstall or delete all the tools were given to you
----------------------------------------------

AdAware Antivirus........I would add Malwarebytes Pro to provide realtime protection.

---------------------------------------------



AdwCleaner.........You always have to download a fresh copy as the database is updated frequently.

-------------------------------------------

MrC


1) Firewall... I am now only running the AdAware advanced firewall, and have made sure the windows firewall is off.
2) ComboFix... does seem to be gone since the second time I ran the uninstall from the run box, it told me there was no ComboFix to uninstall, and it is not on my desktop or anywhere else I can find.
3) AdwCleaner... I uninstalled it and it seems to be gone.
4) SecurityCheck... does not seem to have an uninstall option, so I just deleted it from the desktop.
5) FRST... I had to use the secondary fixlist.txt to delete the quarantine folder, then I could delete the rest of the FRST folder on the C: root. Now FRST seems to be completely gone.

I think that about wraps things up. Thanks for your help!

_TONE_

This topic is now closed to further replies.