
I'm an idiot.



So, cruising through my files, I accidentally double-clicked on what looked like just a file, but... ended up being an executable. Tried MSE and MWB a few times, and neither has quite finished the job. Whatever it is has, among other things I'm sure, been creating loads of "(installed program)-crack.exe" files, I imagine in an effort to spread itself.
Help? This is set up as a home theater PC; as such I tend to keep it pretty sparse, so hopefully it won't be too much of a pain.
 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16490
Run by Bear at 17:07:41 on 2013-12-03
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.3522.1715 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\explorer.exe
C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\Videos\napsnap.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Users\Bear\Videos\mfcmifc.exe
C:\Users\Bear\AppData\Roaming\Microsoft\ktab.exe
C:\Users\Bear\AppData\Roaming\Microsoft\Windows\rmid.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uWinlogon: Shell = c:\windows\explorer.exe, c:\users\bear\appdata\local\temp\cmiadapter.exe
uRun: [Google Update] "c:\users\bear\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [GoogleChromeAutoLaunch_4C808AD06E65C2EB4B5F0CF6ACEA479D] "c:\users\bear\appdata\local\google\chrome\application\chrome.exe" --no-startup-window
uRunOnce: [MFC Managed Interfaces Library] c:\users\bear\videos\mfcmifc.exe
mRun: [uSB3MON] "c:\program files\intel\intel® usb 3.0 extensible host controller driver\application\iusb3mon.exe"
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\bear\appdata\roaming\micros~1\windows\startm~1\programs\startup\nzbdro~1.lnk - c:\program files\nzbdrone\NzbDrone.exe
StartupFolder: c:\users\bear\appdata\roaming\micros~1\windows\startm~1\programs\startup\sabnzbd.lnk - c:\program files\sabnzbd\SABnzbd.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\couchp~1.lnk - c:\users\bear\appdata\roaming\couchpotato\application\CouchPotato.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.11.1
TCP: Interfaces\{AE010EAB-71B1-45CC-837D-671983049F4B} : DHCPNameServer = 192.168.11.1
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2012-1-27 13592]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2013-6-28 13592]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2013-6-28 132768]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-9-27 104768]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-12-6 280576]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2012-1-27 348440]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2012-1-27 791832]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-12-3 40776]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-7-17 55104]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 NfsClnt;Client for NFS;c:\windows\system32\nfsclnt.exe [2009-7-13 52736]
S3 NfsRdr;Client for NFS Redirector;c:\windows\system32\drivers\nfsrdr.sys [2009-7-13 201216]
S3 RpcXdr;Server for NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [2009-7-13 86528]
.
=============== Created Last 30 ================
.
2013-12-03 21:58:27 -------- d-----w- C:\AdwCleaner
2013-12-03 21:53:55 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-12-03 21:50:39 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{008971c5-7191-4a5e-93e9-ab9fedb32316}\mpengine.dll
2013-12-03 12:01:09 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2013-12-03 12:01:08 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{87656423-65c9-4306-8945-e6e297ac22e9}\gapaengine.dll
2013-12-03 11:59:49 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-11-30 19:52:05 1281024 ----a-w- c:\users\bear\appdata\roaming\microsoft\windows\rmid.exe
2013-11-30 15:23:04 474112 ----a-w- c:\users\bear\appdata\roaming\microsoft\ktab.exe
2013-11-30 15:09:25 -------- d-----w- c:\program files\Microsoft Security Client
2013-11-30 15:09:16 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2013-11-29 14:05:15 -------- d-----w- c:\program files\VideoLAN
2013-11-27 17:04:11 -------- d-----w- c:\programdata\NzbDrone
2013-11-27 16:57:29 -------- d-----w- c:\windows\Migration
2013-11-27 16:54:59 -------- d-----w- c:\program files\NzbDrone
.
==================== Find3M  ====================
.
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-09-27 14:53:06 214696 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-09-27 14:53:06 104768 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-09-12 02:21:54 863344 ----a-w- c:\windows\system32\msvcr110_clr0400.dll
2013-09-12 02:21:54 501872 ----a-w- c:\windows\system32\msvcp110_clr0400.dll
2013-09-12 02:21:54 28776 ----a-w- c:\windows\system32\aspnet_counters.dll
2013-09-12 02:21:54 18000 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
.
============= FINISH: 17:08:19.24 ===============
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 1/1/2012 3:45:24 PM
System Uptime: 12/3/2013 5:01:45 PM (0 hours ago)
.
Motherboard: Acer |  | Veriton X6620G
Processor: Intel® Core i5-3330 CPU @ 3.00GHz | SOCKET 0 | 3001/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 66.717 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 35.3 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: 
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_1E22&SUBSYS_06681025&REV_04\3&11583659&0&FB
Manufacturer: 
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_1E22&SUBSYS_06681025&REV_04\3&11583659&0&FB
Service: 
.
==== System Restore Points ===================
.
RP72: 12/3/2013 4:48:29 PM - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.20
Apple Software Update
Bonjour
Bonjour Print Services
CouchPotato
Foxit Reader
Google Chrome
Intel® Control Center
Intel® Network Connections 16.8.46.0
Intel® OpenCL CPU Runtime
Intel® Processor Graphics
Intel® Rapid Storage Technology
Intel® USB 3.0 eXtensible Host Controller Driver
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4.5.1
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Xbox 360 Accessories 1.2
Python 2.7.2
Ralink RT2860 Wireless LAN Card
Realtek High Definition Audio Driver
SABnzbd 0.7.16
VLC media player 2.1.1
Vuze
XBMC
XBMC Movie Set Creator
.
==== Event Viewer Messages From Past Week ========
.
12/3/2013 5:01:58 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cdrom
12/2/2013 10:31:55 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.965.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0xc8000710   Error description: The account used is a computer account. Use your global user account or local user account to access this server. 
12/2/2013 10:31:42 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.965.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0xc8000710   Error description: The account used is a computer account. Use your global user account or local user account to access this server. 
12/1/2013 7:10:44 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.965.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0x80240017   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
12/1/2013 2:10:44 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.965.0   Update Source: Microsoft Update Server   Update Stage: Download   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0x80240022   Error description: The program can't check for definition updates. 
12/1/2013 2:10:44 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.965.0   Update Source: Microsoft Update Server   Update Stage: Download   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0x80240022   Error description: The program can't check for definition updates. 
11/30/2013 4:51:52 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Ainslot.A&threatid=2147641238   Name: Worm:Win32/Ainslot.A   ID: 2147641238   Severity: Severe   Category: Worm   Path: process:_pid:412   Detection Origin: Unknown   Detection Type: Heuristics   Detection Source: User   User: hecubus\Bear   Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe   Action: Quarantine   Action Status:  No additional actions required   Error Code: 0x80070070   Error description: There is not enough space on the disk.   Signature Version: AV: 1.163.965.0, AS: 1.163.965.0, NIS: 109.17.0.0   Engine Version: AM: 1.1.10100.0, NIS: 2.1.10003.0
11/30/2013 11:28:08 AM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
11/30/2013 10:16:02 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: Network Inspection System   Update Type: Full   User: hecubus\Bear   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:15:56 AM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: hecubus\Bear   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:15:56 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: hecubus\Bear   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:15:13 AM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: hecubus\Bear   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:15:13 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: Network Inspection System   Update Type: Full   User: hecubus\Bear   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:15:13 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: hecubus\Bear   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:13:32 AM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: hecubus\Bear   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:13:32 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: Network Inspection System   Update Type: Full   User: hecubus\Bear   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:13:32 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: hecubus\Bear   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:12:50 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.965.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0x80070643   Error description: Fatal error during installation. 
11/30/2013 10:12:50 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.163.965.0).
11/30/2013 10:12:47 AM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: NT AUTHORITY\SYSTEM   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/30/2013 10:12:47 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
11/28/2013 3:32:58 AM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR1.
11/28/2013 3:32:54 AM, Error: volsnap [35]  - The shadow copies of volume C: were aborted because the shadow copy storage failed to grow.
11/26/2013 1:15:50 AM, Error: bowser [8003]  - The master browser has received a server announcement from the computer BEAR_PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{AE010EAB-71B1-45CC-837D-671983049F. The master browser is stopping or an election is being forced.
.
==== End Of File ==========

 


Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin


Also, Malware.Trace is the persistent result in MWB.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-12-2013 02
Ran by Bear (administrator) on HECUBUS on 03-12-2013 17:32:50
Running from C:\Users\Bear\Downloads
Microsoft Windows 7 Ultimate  (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Update\1.3.21.165\GoogleCrashHandler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Oracle Corporation) C:\Users\Bear\Videos\napsnap.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
() C:\Users\Bear\Videos\mfcmifc.exe
(Oracle Corporation) C:\Users\Bear\AppData\Roaming\Microsoft\ktab.exe
() C:\Users\Bear\AppData\Roaming\Microsoft\Windows\rmid.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
() C:\Program Files\SABnzbd\SABnzbd.exe
() C:\Program Files\SABnzbd\win\par2\par2.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [uSB3MON] - C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-27] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [11487848 2011-12-05] (Realtek Semiconductor)
HKLM\...\Run: [iAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [XboxStat] - C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe [718688 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKCU\...\Run: [Google Update] - C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2013-06-28] (Google Inc.)
HKCU\...\Run: [GoogleChromeAutoLaunch_4C808AD06E65C2EB4B5F0CF6ACEA479D] - C:\Users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe [866256 2013-11-18] (Google Inc.)
HKCU\...\RunOnce: [MFC Managed Interfaces Library] - C:\Users\Bear\Videos\mfcmifc.exe [17408 2013-12-03] ()
HKCU\...\Winlogon: [shell] C:\Windows\explorer.exe, C:\Users\Bear\AppData\Local\Temp\cmiadapter.exe <==== ATTENTION 
MountPoints2: {9444e516-3469-11e3-8bd6-eca86b8d5dbe} - E:\HTC_Sync_Manager_PC.exe
HKU\Default\...\Run: [sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\Run: [sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
Startup: C:\Users\Bear\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NzbDrone - Shortcut.lnk
ShortcutTarget: NzbDrone - Shortcut.lnk -> C:\Program Files\NzbDrone\NzbDrone.exe (www.nzbdrone.com)
Startup: C:\Users\Bear\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk
ShortcutTarget: SABnzbd.lnk -> C:\Program Files\SABnzbd\SABnzbd.exe ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x3DEE847EEC73CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
SearchScopes: HKLM - DefaultScope value is missing.
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.11.1
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\pdf.dll ()
CHR Plugin: (Google Update) - C:\Users\Bear\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Extension: (Google Docs) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube Options) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdokagampppgbnjfdlkfpphniapiiifn\1.8.148_0
CHR Extension: (YouTube) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (HelloFax: 50 Free Fax Pages) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\bocmleclimfnadgmcdgecijlblfcmfnm\1.20_0
CHR Extension: (Make this my jam) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdakbflgliddhhegidnfmcgbgpelgknk\0.3.0.2_0
CHR Extension: (Adblock Plus) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.6.1_0
CHR Extension: (Google Search) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (DocuSign) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\goblijolcnempeilmnkmfbhohlpngemd\2.5.0.642_0
CHR Extension: (Don't Starve) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiledapehlkhdehbhppgmekfalnlfajc\1.0.0.37_0
CHR Extension: (Feedly - News, Blogs and Youtube) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipbfijinpcgfogaopmgehiegacbhmob\18.1_0
CHR Extension: (Social Fixer for Facebook) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmhoabcaeehkljcfclfiieohkohdgbb\8.0_0
CHR Extension: (CouchPotato) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\jochingjncojldfclaicaomboafaiong\0.9.8_0
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb\4.3.1.2_0
CHR Extension: (Autodesk Homestyler) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdmmkfaghgcicheaimnpffeeekheafkb\2.6_0
CHR Extension: (Google Wallet) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_1
CHR Extension: (Psykopaint) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgjchkcfmigkkhedgjedmffdepgmpfil\0.0.0.10_0
CHR Extension: (Evernote Web Clipper) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc\6.0.3_0
CHR Extension: (Gmail) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR Extension: (Ambient Aurea) - C:\Users\Bear\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkaglmndhfgdaiaccjglghcbnfinfffa\1.0.0.21_0
 
========================== Services (Whitelisted) =================
 
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [274200 2011-12-21] (Intel Corporation)
R2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [132768 2011-11-09] (Intel Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S3 NfsClnt; C:\Windows\system32\nfsclnt.exe [52736 2009-07-13] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [358224 2012-08-10] (Intel Corporation)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [13592 2012-01-27] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [348440 2012-01-27] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [791832 2012-01-27] (Intel Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-12-03] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-17] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R1 MpKslcdd622db; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{008971C5-7191-4A5E-93E9-AB9FEDB32316}\MpKslcdd622db.sys [40392 2013-12-03] (Microsoft Corporation)
U3 mbr; \??\C:\Users\Bear\AppData\Local\Temp\mbr.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-12-03 17:32 - 2013-12-03 17:33 - 00011667 _____ C:\Users\Bear\Downloads\FRST.txt
2013-12-03 17:32 - 2013-12-03 17:32 - 00000000 ____D C:\FRST
2013-12-03 17:31 - 2013-12-03 17:32 - 01092545 _____ (Farbar) C:\Users\Bear\Downloads\FRST.exe
2013-12-03 17:07 - 2013-12-03 17:07 - 00688992 ____R (Swearware) C:\Users\Bear\Downloads\dds (1).scr
2013-12-03 17:00 - 2013-12-03 17:08 - 00012820 _____ C:\Users\Bear\Desktop\attach.txt
2013-12-03 17:00 - 2013-12-03 17:08 - 00009965 _____ C:\Users\Bear\Desktop\dds.txt
2013-12-03 16:58 - 2013-12-03 17:01 - 00000000 ____D C:\AdwCleaner
2013-12-03 16:58 - 2013-12-03 16:58 - 01110034 _____ C:\Users\Bear\Downloads\AdwCleaner.exe
2013-12-03 16:58 - 2013-12-03 16:58 - 00688992 ____R (Swearware) C:\Users\Bear\Downloads\dds.scr
2013-12-03 16:56 - 2013-12-03 16:56 - 00388608 _____ (Trend Micro Inc.) C:\Users\Bear\Downloads\HijackThis.exe
2013-12-03 16:53 - 2013-12-03 17:02 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-11-30 14:34 - 2013-11-30 14:34 - 05242829 _____ C:\Users\Bear\Downloads\sabnzbd.log
2013-11-30 10:09 - 2013-11-30 10:10 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-30 10:09 - 2010-04-09 02:24 - 00240008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2013-11-30 10:07 - 2013-11-30 10:07 - 11125072 _____ (Microsoft Corporation) C:\Users\Bear\Downloads\mseinstall.exe
2013-11-29 09:08 - 2013-11-29 09:08 - 00143863 _____ C:\Users\Bear\Downloads\BBC.QI.XL.Quite.Interesting.S11E09.Kinetic.nzb
2013-11-29 09:08 - 2013-11-29 09:08 - 00143848 _____ C:\Users\Bear\Downloads\BBC.QI.XL.Quite.Interesting.S11E08.Keys.nzb
2013-11-29 09:06 - 2013-11-30 11:40 - 00000000 ____D C:\Users\Bear\AppData\Roaming\vlc
2013-11-29 09:05 - 2013-11-29 09:05 - 00001028 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-11-29 09:05 - 2013-11-29 09:05 - 00000000 ____D C:\Program Files\VideoLAN
2013-11-29 08:56 - 2013-11-29 08:57 - 24489269 _____ C:\Users\Bear\Downloads\vlc-2.1.1-win32.exe
2013-11-27 12:04 - 2013-12-03 15:54 - 00000000 ____D C:\ProgramData\NzbDrone
2013-11-27 11:55 - 2013-11-27 11:55 - 01021432 _____ (Microsoft Corporation) C:\Users\Bear\Downloads\NDP451-KB2859818-Web.exe
2013-11-27 11:54 - 2013-12-02 17:52 - 00000000 ____D C:\Program Files\NzbDrone
2013-11-27 11:53 - 2013-11-27 11:53 - 06343395 _____ C:\Users\Bear\Downloads\NzbDrone.master.latest.zip
2013-11-26 14:41 - 2013-11-26 14:41 - 00028538 _____ C:\Users\Bear\Downloads\RiffTrax_Live__Christmas_Shorts_Stravaganza_(2009)_BDRip_720p_[A.7646497.TPB.torrent
2013-11-21 15:02 - 2013-11-21 15:02 - 00234003 _____ C:\Users\Bear\Downloads\The.World's.End.2013.720p.BluRay.x264.YIFY.nzb
2013-11-09 15:32 - 2013-11-09 15:33 - 59958328 _____ C:\Users\Bear\Downloads\xbmc-13.0-Gotham_alpha9.exe
 
==================== One Month Modified Files and Folders =======
 
2013-12-03 17:33 - 2013-12-03 17:32 - 00011667 _____ C:\Users\Bear\Downloads\FRST.txt
2013-12-03 17:32 - 2013-12-03 17:32 - 00000000 ____D C:\FRST
2013-12-03 17:32 - 2013-12-03 17:31 - 01092545 _____ (Farbar) C:\Users\Bear\Downloads\FRST.exe
2013-12-03 17:21 - 2013-06-28 05:48 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000UA.job
2013-12-03 17:21 - 2013-06-28 05:48 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000Core.job
2013-12-03 17:10 - 2009-07-13 23:34 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-03 17:10 - 2009-07-13 23:34 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-03 17:08 - 2013-12-03 17:00 - 00012820 _____ C:\Users\Bear\Desktop\attach.txt
2013-12-03 17:08 - 2013-12-03 17:00 - 00009965 _____ C:\Users\Bear\Desktop\dds.txt
2013-12-03 17:07 - 2013-12-03 17:07 - 00688992 ____R (Swearware) C:\Users\Bear\Downloads\dds (1).scr
2013-12-03 17:07 - 2012-01-01 15:53 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-03 17:05 - 2012-01-01 15:51 - 02081953 _____ C:\Windows\WindowsUpdate.log
2013-12-03 17:02 - 2013-12-03 16:53 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-12-03 17:01 - 2013-12-03 16:58 - 00000000 ____D C:\AdwCleaner
2013-12-03 17:01 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-03 17:01 - 2009-07-13 23:39 - 00024464 _____ C:\Windows\setupact.log
2013-12-03 16:58 - 2013-12-03 16:58 - 01110034 _____ C:\Users\Bear\Downloads\AdwCleaner.exe
2013-12-03 16:58 - 2013-12-03 16:58 - 00688992 ____R (Swearware) C:\Users\Bear\Downloads\dds.scr
2013-12-03 16:56 - 2013-12-03 16:56 - 00388608 _____ (Trend Micro Inc.) C:\Users\Bear\Downloads\HijackThis.exe
2013-12-03 16:46 - 2013-07-01 20:50 - 00055330 _____ C:\Windows\PFRO.log
2013-12-03 15:58 - 2013-06-28 06:05 - 00000000 ____D C:\Users\Bear\AppData\Roaming\XBMC
2013-12-03 15:54 - 2013-11-27 12:04 - 00000000 ____D C:\ProgramData\NzbDrone
2013-12-03 15:32 - 2013-06-28 14:38 - 00000000 ____D C:\Users\Bear\AppData\Roaming\CouchPotato
2013-12-02 17:52 - 2013-11-27 11:54 - 00000000 ____D C:\Program Files\NzbDrone
2013-11-30 14:34 - 2013-11-30 14:34 - 05242829 _____ C:\Users\Bear\Downloads\sabnzbd.log
2013-11-30 11:40 - 2013-11-29 09:06 - 00000000 ____D C:\Users\Bear\AppData\Roaming\vlc
2013-11-30 10:10 - 2013-11-30 10:09 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-30 10:07 - 2013-11-30 10:07 - 11125072 _____ (Microsoft Corporation) C:\Users\Bear\Downloads\mseinstall.exe
2013-11-30 10:04 - 2013-06-28 05:50 - 00000000 ____D C:\Users\Bear\AppData\Roaming\Azureus
2013-11-29 09:08 - 2013-11-29 09:08 - 00143863 _____ C:\Users\Bear\Downloads\BBC.QI.XL.Quite.Interesting.S11E09.Kinetic.nzb
2013-11-29 09:08 - 2013-11-29 09:08 - 00143848 _____ C:\Users\Bear\Downloads\BBC.QI.XL.Quite.Interesting.S11E08.Keys.nzb
2013-11-29 09:05 - 2013-11-29 09:05 - 00001028 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-11-29 09:05 - 2013-11-29 09:05 - 00000000 ____D C:\Program Files\VideoLAN
2013-11-29 08:57 - 2013-11-29 08:56 - 24489269 _____ C:\Users\Bear\Downloads\vlc-2.1.1-win32.exe
2013-11-28 22:51 - 2013-06-28 05:50 - 00001798 _____ C:\Users\Public\Desktop\Vuze.lnk
2013-11-27 12:41 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-27 12:18 - 2013-06-28 14:43 - 00000000 ____D C:\Program Files\SickBeard-win32-alpha-build500
2013-11-27 11:55 - 2013-11-27 11:55 - 01021432 _____ (Microsoft Corporation) C:\Users\Bear\Downloads\NDP451-KB2859818-Web.exe
2013-11-27 11:53 - 2013-11-27 11:53 - 06343395 _____ C:\Users\Bear\Downloads\NzbDrone.master.latest.zip
2013-11-26 14:41 - 2013-11-26 14:41 - 00028538 _____ C:\Users\Bear\Downloads\RiffTrax_Live__Christmas_Shorts_Stravaganza_(2009)_BDRip_720p_[A.7646497.TPB.torrent
2013-11-21 15:02 - 2013-11-21 15:02 - 00234003 _____ C:\Users\Bear\Downloads\The.World's.End.2013.720p.BluRay.x264.YIFY.nzb
2013-11-19 11:23 - 2013-06-28 05:48 - 00002384 _____ C:\Users\Bear\Desktop\Google Chrome.lnk
2013-11-19 05:21 - 2013-06-28 06:12 - 00230048 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2013-11-09 15:33 - 2013-11-09 15:32 - 59958328 _____ C:\Users\Bear\Downloads\xbmc-13.0-Gotham_alpha9.exe
 
Some content of TEMP:
====================
C:\Users\Bear\AppData\Local\Temp\13058.exe
C:\Users\Bear\AppData\Local\Temp\17035.exe
C:\Users\Bear\AppData\Local\Temp\19378.exe
C:\Users\Bear\AppData\Local\Temp\24781.exe
C:\Users\Bear\AppData\Local\Temp\31234.exe
C:\Users\Bear\AppData\Local\Temp\31611.exe
C:\Users\Bear\AppData\Local\Temp\42840.exe
C:\Users\Bear\AppData\Local\Temp\46647.exe
C:\Users\Bear\AppData\Local\Temp\51512.exe
C:\Users\Bear\AppData\Local\Temp\52243.exe
C:\Users\Bear\AppData\Local\Temp\53587.exe
C:\Users\Bear\AppData\Local\Temp\53886.exe
C:\Users\Bear\AppData\Local\Temp\54040.exe
C:\Users\Bear\AppData\Local\Temp\54902.exe
C:\Users\Bear\AppData\Local\Temp\54998.exe
C:\Users\Bear\AppData\Local\Temp\58773.exe
C:\Users\Bear\AppData\Local\Temp\63755.exe
C:\Users\Bear\AppData\Local\Temp\64834.exe
C:\Users\Bear\AppData\Local\Temp\66761.exe
C:\Users\Bear\AppData\Local\Temp\69000.exe
C:\Users\Bear\AppData\Local\Temp\69555.exe
C:\Users\Bear\AppData\Local\Temp\71397.exe
C:\Users\Bear\AppData\Local\Temp\72032.exe
C:\Users\Bear\AppData\Local\Temp\77794.exe
C:\Users\Bear\AppData\Local\Temp\91591.exe
C:\Users\Bear\AppData\Local\Temp\i4jdel0.exe
C:\Users\Bear\AppData\Local\Temp\mpam-3a27438b.exe
C:\Users\Bear\AppData\Local\Temp\Quarantine.exe
C:\Users\Bear\AppData\Local\Temp\vbc.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-11-30 15:09
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-12-2013 02
Ran by Bear at 2013-12-03 17:34:01
Running from C:\Users\Bear\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
 
==================== Installed Programs ======================
 
7-Zip 9.20
Apple Software Update (Version: 2.1.3.127)
Bonjour (Version: 2.0.2.0)
Bonjour Print Services (Version: 2.0.2.0)
CouchPotato (Version: 2)
Foxit Reader (Version: 6.0.6.722)
Google Chrome (HKCU Version: 32.0.1700.19)
Intel® Control Center (Version: 1.2.1.1007)
Intel® Network Connections 16.8.46.0 (Version: 16.8.46.0)
Intel® OpenCL CPU Runtime
Intel® Processor Graphics (Version: 8.15.10.2598)
Intel® Rapid Storage Technology (Version: 11.0.0.1032)
Intel® USB 3.0 eXtensible Host Controller Driver (Version: 1.0.3.214)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Xbox 360 Accessories 1.2 (Version: 1.20.146.0)
Python 2.7.2 (Version: 2.7.2150)
Ralink RT2860 Wireless LAN Card (Version: 1.0.7.0)
Realtek High Definition Audio Driver (Version: 6.0.1.6521)
SABnzbd 0.7.16 (Version: 0.7.16)
VLC media player 2.1.1 (Version: 2.1.1)
Vuze (Version: 5.2.0.0)
XBMC Movie Set Creator (HKCU Version: 0.1.0.56)
 
==================== Restore Points  =========================
 
03-12-2013 21:48:29 Windows Update
 
==================== Hosts content: ==========================
 
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {7B1FFBA2-43A7-4B9A-8394-ABF49A8EEE01} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {B141BD71-3C65-4F89-B29C-ECCCAE6DCF0B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000UA => C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe [2013-06-28] (Google Inc.)
Task: {F92FB687-5286-4137-8608-0DEC88C9E8DF} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000Core => C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe [2013-06-28] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000Core.job => C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000UA.job => C:\Users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2011-12-15 16:34 - 2011-12-15 16:34 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2013-11-19 11:23 - 2013-11-18 18:12 - 00715216 _____ () C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\libglesv2.dll
2013-11-19 11:23 - 2013-11-18 18:12 - 00099792 _____ () C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\libegl.dll
2013-11-19 11:23 - 2013-11-18 18:13 - 04054992 _____ () C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\pdf.dll
2013-11-19 11:23 - 2013-11-18 18:13 - 00399312 _____ () C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\ppGoogleNaClPluginChrome.dll
2013-11-19 11:23 - 2013-11-18 18:12 - 01634256 _____ () C:\Users\Bear\AppData\Local\Google\Chrome\Application\32.0.1700.19\ffmpegsumo.dll
2013-06-28 14:41 - 2013-09-11 00:40 - 00053248 _____ () C:\Program Files\SABnzbd\lib\_socket.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00671744 _____ () C:\Program Files\SABnzbd\lib\_ssl.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00294912 _____ () C:\Program Files\SABnzbd\lib\_hashlib.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00102400 _____ () C:\Program Files\SABnzbd\lib\win32api.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00118784 _____ () C:\Program Files\SABnzbd\lib\pywintypes25.dll
2013-06-28 14:41 - 2013-09-11 00:40 - 00013824 _____ () C:\Program Files\SABnzbd\lib\win32event.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00036864 _____ () C:\Program Files\SABnzbd\lib\win32service.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00057344 _____ () C:\Program Files\SABnzbd\lib\OpenSSL.crypto.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00007168 _____ () C:\Program Files\SABnzbd\lib\OpenSSL.rand.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00037888 _____ () C:\Program Files\SABnzbd\lib\OpenSSL.SSL.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00086016 _____ () C:\Program Files\SABnzbd\lib\_ctypes.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00049152 _____ () C:\Program Files\SABnzbd\lib\_sqlite3.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00546205 _____ () C:\Program Files\SABnzbd\lib\sqlite3.dll
2013-06-28 14:41 - 2013-09-11 00:40 - 00008192 _____ () C:\Program Files\SABnzbd\lib\select.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00009728 _____ () C:\Program Files\SABnzbd\lib\_yenc.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00012288 _____ () C:\Program Files\SABnzbd\lib\Cheetah._namemapper.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00135168 _____ () C:\Program Files\SABnzbd\lib\pyexpat.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00040960 _____ () C:\Program Files\SABnzbd\lib\win32process.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00110592 _____ () C:\Program Files\SABnzbd\lib\win32file.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00014848 _____ () C:\Program Files\SABnzbd\lib\win32evtlog.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00024576 _____ () C:\Program Files\SABnzbd\lib\servicemanager.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00019968 _____ () C:\Program Files\SABnzbd\lib\win32pipe.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00155648 _____ () C:\Program Files\SABnzbd\lib\win32gui.pyd
2013-06-28 14:41 - 2013-09-11 00:40 - 00176128 _____ () C:\Program Files\SABnzbd\lib\winxpgui.pyd
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Faulty Device Manager Devices =============
 
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/03/2013 00:30:25 AM) (Source: System Restore) (User: )
Description: The scheduled restore point could not be created.  Additional information: (0x81000101).
 
Error: (12/03/2013 00:30:25 AM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
 
Error: (12/02/2013 04:07:15 PM) (Source: ESENT) (User: )
Description: wuaueng.dll (1172) SUS20ClientDataStore: An attempt to write to the file "C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb" at offset 0 (0x0000000000000000) for 98304 (0x00018000) bytes failed after wuaueng.dll0 seconds with system error 112 (0x00000070): "There is not enough space on the disk. ".  The write operation will fail with error -1808 (0xfffff8f0).  If this error persists then the file may be damaged and may need to be restored from a previous backup.
 
Error: (12/02/2013 00:42:37 AM) (Source: System Restore) (User: )
Description: The scheduled restore point could not be created.  Additional information: (0x81000101).
 
Error: (12/02/2013 00:42:37 AM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
 
Error: (12/01/2013 00:11:23 AM) (Source: System Restore) (User: )
Description: The scheduled restore point could not be created.  Additional information: (0x81000101).
 
Error: (12/01/2013 00:11:23 AM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
 
Error: (11/30/2013 03:38:34 PM) (Source: System Restore) (User: )
Description: The scheduled restore point could not be created.  Additional information: (0x81000101).
 
Error: (11/30/2013 03:38:34 PM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
 
Error: (11/30/2013 10:13:53 AM) (Source: Application Error) (User: )
Description: Faulting application name: napsnap.exe, version: 7.0.210.11, time stamp: 0x52911960
Faulting module name: KERNELBASE.dll, version: 6.1.7600.17206, time stamp: 0x50e65f4f
Exception code: 0xe053534f
Fault offset: 0x0000969b
Faulting process id: 0x%9
Faulting application start time: 0xnapsnap.exe0
Faulting application path: napsnap.exe1
Faulting module path: napsnap.exe2
Report Id: napsnap.exe3
 
 
System errors:
=============
Error: (12/03/2013 05:01:58 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (12/03/2013 04:46:46 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (12/03/2013 03:56:21 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (12/02/2013 11:28:59 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (12/02/2013 10:31:55 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.163.965.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (12/02/2013 10:31:42 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.163.965.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (12/01/2013 02:10:44 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.163.965.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (12/01/2013 02:10:44 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.163.965.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (12/01/2013 07:10:44 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.163.965.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (11/30/2013 04:51:52 PM) (Source: Microsoft Antimalware) (User: )
Description: %Worm:Win32/Ainslot.A60 has encountered a critical error when taking action on malware or other potentially unwanted software.
 
For more information please see the following:
%Worm:Win32/Ainslot.A603
 
Name: Worm:Win32/Ainslot.A
 
ID: 2147641238
 
Severity: %Worm:Win32/Ainslot.A600
 
Category: %Worm:Win32/Ainslot.A602
 
Path: 4.4.0304.02
 
Detection Origin: 4.4.0304.04
 
Detection Type: 4.4.0304.08
 
Detection Source: %Worm:Win32/Ainslot.A608
 
User: {59C30B50-F0E1-4DD7-9D07-696FF339534D}9
 
Process Name: %Worm:Win32/Ainslot.A609
 
Action: {59C30B50-F0E1-4DD7-9D07-696FF339534D}1
 
Action Status:  {59C30B50-F0E1-4DD7-9D07-696FF339534D}8
 
Error Code: {59C30B50-F0E1-4DD7-9D07-696FF339534D}3
 
Error description: {59C30B50-F0E1-4DD7-9D07-696FF339534D}4
 
Signature Version: 2013-11-30T17:15:32.060Z1
 
Engine Version: 2013-11-30T17:15:32.060Z2
 
 
Microsoft Office Sessions:
=========================
Error: (12/03/2013 00:30:25 AM) (Source: System Restore)(User: )
Description: 0x81000101
 
Error: (12/03/2013 00:30:25 AM) (Source: System Restore)(User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x81000101
 
Error: (12/02/2013 04:07:15 PM) (Source: ESENT)(User: )
Description: wuaueng.dll1172SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb0 (0x0000000000000000)98304 (0x00018000)-1808 (0xfffff8f0)112 (0x00000070)There is not enough space on the disk. 0
 
Error: (12/02/2013 00:42:37 AM) (Source: System Restore)(User: )
Description: 0x81000101
 
Error: (12/02/2013 00:42:37 AM) (Source: System Restore)(User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x81000101
 
Error: (12/01/2013 00:11:23 AM) (Source: System Restore)(User: )
Description: 0x81000101
 
Error: (12/01/2013 00:11:23 AM) (Source: System Restore)(User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x81000101
 
Error: (11/30/2013 03:38:34 PM) (Source: System Restore)(User: )
Description: 0x81000101
 
Error: (11/30/2013 03:38:34 PM) (Source: System Restore)(User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x81000101
 
Error: (11/30/2013 10:13:53 AM) (Source: Application Error)(User: )
Description: napsnap.exe7.0.210.1152911960KERNELBASE.dll6.1.7600.1720650e65f4fe053534f0000969b
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 63%
Total physical RAM: 3522.36 MB
Available physical RAM: 1283.54 MB
Total Pagefile: 7042.99 MB
Available Pagefile: 4446.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 1894.2 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.66 GB) (Free:66.2 GB) NTFS
Drive d: (FreeAgent Drive) (Fixed) (Total:465.76 GB) (Free:35.3 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 1D691CAA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 466 GB) (Disk ID: A4B57300)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next,

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version
http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

  • Make sure to get the correct version for your system.
  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
    RKLicence.png
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
    RK1A.png
  • When the scan completes select Report, copy and paste that to your reply.
    RK2A.png
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

Post produced logs in next reply...
fixlist.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-12-2013 02

Ran by Bear at 2013-12-03 17:59:16 Run:1

Running from C:\Users\Bear\Downloads

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

Start

HKCU\...\Winlogon: [shell] C:\Windows\explorer.exe, C:\Users\Bear\AppData\Local\Temp\cmiadapter.exe <==== ATTENTION 

C:\Users\Bear\AppData\Local\Temp\cmiadapter.exe

MountPoints2: {9444e516-3469-11e3-8bd6-eca86b8d5dbe} - E:\HTC_Sync_Manager_PC.exe

C:\Users\Bear\AppData\Local\Temp\13058.exe

C:\Users\Bear\AppData\Local\Temp\17035.exe

C:\Users\Bear\AppData\Local\Temp\19378.exe

C:\Users\Bear\AppData\Local\Temp\24781.exe

C:\Users\Bear\AppData\Local\Temp\31234.exe

C:\Users\Bear\AppData\Local\Temp\31611.exe

C:\Users\Bear\AppData\Local\Temp\42840.exe

C:\Users\Bear\AppData\Local\Temp\46647.exe

C:\Users\Bear\AppData\Local\Temp\51512.exe

C:\Users\Bear\AppData\Local\Temp\52243.exe

C:\Users\Bear\AppData\Local\Temp\53587.exe

C:\Users\Bear\AppData\Local\Temp\53886.exe

C:\Users\Bear\AppData\Local\Temp\54040.exe

C:\Users\Bear\AppData\Local\Temp\54902.exe

C:\Users\Bear\AppData\Local\Temp\54998.exe

C:\Users\Bear\AppData\Local\Temp\58773.exe

C:\Users\Bear\AppData\Local\Temp\63755.exe

C:\Users\Bear\AppData\Local\Temp\64834.exe

C:\Users\Bear\AppData\Local\Temp\66761.exe

C:\Users\Bear\AppData\Local\Temp\69000.exe

C:\Users\Bear\AppData\Local\Temp\69555.exe

C:\Users\Bear\AppData\Local\Temp\71397.exe

C:\Users\Bear\AppData\Local\Temp\72032.exe

C:\Users\Bear\AppData\Local\Temp\77794.exe

C:\Users\Bear\AppData\Local\Temp\91591.exe

C:\Users\Bear\AppData\Local\Temp\i4jdel0.exe

C:\Users\Bear\AppData\Local\Temp\mpam-3a27438b.exe

C:\Users\Bear\AppData\Local\Temp\Quarantine.exe

C:\Users\Bear\AppData\Local\Temp\vbc.exe

End

*****************

 

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

"C:\Users\Bear\AppData\Local\Temp\cmiadapter.exe" => File/Directory not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9444e516-3469-11e3-8bd6-eca86b8d5dbe} => Key deleted successfully.

HKCR\CLSID\{9444e516-3469-11e3-8bd6-eca86b8d5dbe} => Key not found.

C:\Users\Bear\AppData\Local\Temp\13058.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\17035.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\19378.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\24781.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\31234.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\31611.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\42840.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\46647.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\51512.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\52243.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\53587.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\53886.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\54040.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\54902.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\54998.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\58773.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\63755.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\64834.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\66761.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\69000.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\69555.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\71397.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\72032.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\77794.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\91591.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\i4jdel0.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\mpam-3a27438b.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\Quarantine.exe => Moved successfully.

C:\Users\Bear\AppData\Local\Temp\vbc.exe => Moved successfully.

 

==== End of Fixlog ====

 


RogueKiller V8.7.9 [Nov 25 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Operating System : Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : Bear [Admin rights]

Mode : Scan -- Date : 12/03/2013 18:04:36

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] ktab.exe -- C:\Users\Bear\AppData\Roaming\Microsoft\ktab.exe [-] -> KILLED [TermProc]

[SUSP PATH] rmid.exe -- C:\Users\Bear\AppData\Roaming\Microsoft\Windows\rmid.exe [-] -> KILLED [TermProc]

 

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) WDC WD5000AAKX-22ERMA0 +++++

--- User ---

[MBR] 2fba00dd5a59292b555bbcc746115811

[BSP] bddabb5e8ff7181695c14a916161be9a : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Seagate FreeAgent Pro USB Device +++++

--- User ---

[MBR] efaae474bf56cd39e5d0462ccb81c6e6

[BSP] 5cab7fac78b6fe5301595cea6da44b25 : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

Finished : << RKreport[0]_S_12032013_180436.txt >>

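The Winlogon Shell entry FRST removed in the fixlog above ("C:\Windows\explorer.exe, C:\Users\Bear\AppData\Local\Temp\cmiadapter.exe") is a logon persistence trick rather than a random drop: Winlogon's Shell value is a comma-separated list of commands, so appending a second executable after explorer.exe keeps the desktop working while the extra program is also started at every logon. FRST only flagged the HKCU copy here; the same value exists under HKLM and is worth checking too. The Python below is an added example, not part of this thread or of FRST: it parses FRST-style Winlogon lines (the first sample line is copied from the fixlist above, the second is a constructed default for contrast) and reports every Shell command that is not explorer.exe under %SystemRoot%. It assumes %SystemRoot% is C:\Windows, as on the machine in this thread, and the line format FRST printed above.

```python
import ntpath
import re

# Winlogon's Shell value is a comma-separated list of commands that Winlogon
# launches at logon.  The default is a bare "explorer.exe"; appending a second
# command keeps the desktop working while the extra executable also runs.
SHELL_LINE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\.\\Winlogon:\s*\[(?P<value>\w+)\]\s*"
    r"(?P<data>.*?)(?:\s*<====\s*ATTENTION)?\s*$",
    re.IGNORECASE,
)

# Assumption for this example: %SystemRoot% is C:\Windows, as on the machine
# in this thread.  Adjust if your Windows directory differs.
SYSTEM_ROOT = r"C:\Windows"

# Sample input.  The first line is copied from the FRST fixlist posted above;
# the second is constructed to show what the untouched default looks like.
SAMPLE_LINES = [
    r"HKCU\...\Winlogon: [shell] C:\Windows\explorer.exe, C:\Users\Bear\AppData\Local\Temp\cmiadapter.exe <==== ATTENTION",
    r"HKLM\...\Winlogon: [Shell] explorer.exe",
]

# Directories an ordinary user can write to; a shell component living there
# is a stronger signal than an unexpected name alone.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\")


def split_shell(data):
    """Split a Shell value into its individual commands, dropping surrounding quotes."""
    return [part.strip().strip('"') for part in data.split(",") if part.strip()]


def entry_is_default(entry):
    """True only for explorer.exe itself, either bare or under %SystemRoot%."""
    directory, name = ntpath.split(entry)
    if name.lower() != "explorer.exe":
        return False
    if directory == "":
        return True
    return directory.rstrip("\\").lower() in (SYSTEM_ROOT.lower(), "%systemroot%")


def triage_shell_lines(lines):
    """Return (hive, command, reason) for every Shell command that is not the default."""
    findings = []
    for line in lines:
        m = SHELL_LINE.match(line.strip())
        if m is None or m.group("value").lower() != "shell":
            continue
        for entry in split_shell(m.group("data")):
            if entry_is_default(entry):
                continue
            reason = "non-default command in Winlogon Shell"
            if any(marker in entry.lower() for marker in USER_WRITABLE_MARKERS):
                reason += ", located in a user-writable directory"
            findings.append((m.group("hive"), entry, reason))
    return findings


if __name__ == "__main__":
    for hive, command, reason in triage_shell_lines(SAMPLE_LINES):
        print(f"{hive}: {command}  <- {reason}")
```

Run against the fixlist line it reports only the Temp\cmiadapter.exe command and leaves explorer.exe alone; on a live system the same logic can be fed the raw value read from HKLM and HKCU, since the comma splitting and the default check do not depend on the FRST wrapper.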

Quit all programs that you may have started.

 

  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

 

Next,

 

Run Malwarebytes, open Settings Tab > Scanner Settings > under Action for PUP > select: Show in Results List and Check for removal.

Please Update and run a Quick Scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs,


RogueKiller V8.7.9 [Nov 25 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Operating System : Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : Bear [Admin rights]

Mode : Remove -- Date : 12/03/2013 18:39:44

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 1 ¤¤¤

[RUN][SUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> DELETED

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) WDC WD5000AAKX-22ERMA0 +++++

--- User ---

[MBR] 2fba00dd5a59292b555bbcc746115811

[BSP] bddabb5e8ff7181695c14a916161be9a : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Seagate FreeAgent Pro USB Device +++++

--- User ---

[MBR] efaae474bf56cd39e5d0462ccb81c6e6

[BSP] 5cab7fac78b6fe5301595cea6da44b25 : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

Finished : << RKreport[0]_D_12032013_183944.txt >>

RKreport[0]_D_12032013_180550.txt;RKreport[0]_D_12032013_183004.txt;RKreport[0]_S_12032013_180436.txt

RKreport[0]_S_12032013_182936.txt;RKreport[0]_S_12032013_183052.txt;RKreport[0]_S_12032013_183940.txt

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.12.03.09

 

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

Bear :: HECUBUS [administrator]

 

12/3/2013 6:42:23 PM

mbam-log-2013-12-03 (18-42-23).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 191477

Time elapsed: 4 minute(s), 1 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 1

HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)


vbc.exe is a file associated with Visual Studio/Visual Basic. The file is usually found in the C:\Windows\Microsoft.NET\Framework\v2.0.50727 folder (that entry does show in FRST logs). If you find it anywhere else it may be suspicious.

 

Run the following:

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autorun is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post the log in next reply please...

 

Kevin


ComboFix 13-12-04.04 - Bear 12/05/2013  17:29:20.1.4 - x86

Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.3522.2521 [GMT -5:00]

Running from: c:\users\Bear\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}

SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 * Created a new restore point

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Bear\AppData\Roaming\Microsoft\kl.exe

c:\users\Bear\AppData\Roaming\Microsoft\ktab.exe

c:\users\Bear\AppData\Roaming\Microsoft\Windows\comrepl.exe

c:\users\Bear\AppData\Roaming\Microsoft\Windows\rmid.exe

c:\users\Bear\Documents\Downloads\Common Files-crack.exe

c:\users\Bear\Documents\Downloads\Internet Explorer-crack.exe

c:\users\Bear\Documents\Downloads\Microsoft.NET-crack.exe

c:\users\Bear\Documents\Downloads\MSBuild-crack.exe

c:\users\Bear\Documents\Downloads\Reference Assemblies-crack.exe

c:\users\Bear\Documents\Downloads\Uninstall Information-crack.exe

c:\users\Bear\Documents\Downloads\Windows Media Player-crack.exe

c:\users\Bear\Documents\Downloads\Windows NT-crack.exe

c:\users\Bear\videos\mfcmifc.exe

c:\users\Bear\videos\napsnap.exe

.

.

(((((((((((((((((((((((((   Files Created from 2013-11-05 to 2013-12-05  )))))))))))))))))))))))))))))))

.

.

2013-12-05 22:08 . 2013-12-05 22:09 -------- d-----w- c:\program files\LinuxLive USB Creator

2013-12-05 17:49 . 2013-12-05 17:49 -------- d-----w- c:\users\Bear\AppData\Local\CrashDumps

2013-12-05 03:56 . 2013-12-05 21:38 -------- d-----w- c:\program files\Vuze

2013-12-05 02:25 . 2013-11-07 22:15 7772552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CA1FBA09-F539-49BF-BD8E-80FE09EBB612}\mpengine.dll

2013-12-03 22:32 . 2013-12-03 22:32 -------- d-----w- C:\FRST

2013-12-03 21:58 . 2013-12-03 22:01 -------- d-----w- C:\AdwCleaner

2013-12-03 21:50 . 2013-11-07 22:15 7772552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-12-03 12:01 . 2013-10-17 16:14 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2013-12-03 12:01 . 2013-10-17 16:14 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{87656423-65C9-4306-8945-E6E297AC22E9}\gapaengine.dll

2013-11-30 15:09 . 2013-11-30 15:10 -------- d-----w- c:\program files\Microsoft Security Client

2013-11-30 15:09 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys

2013-11-29 14:06 . 2013-11-30 16:40 -------- d-----w- c:\users\Bear\AppData\Roaming\vlc

2013-11-29 14:05 . 2013-11-29 14:05 -------- d-----w- c:\program files\VideoLAN

2013-11-27 17:04 . 2013-12-05 21:11 -------- d-----w- c:\programdata\NzbDrone

2013-11-27 16:57 . 2013-11-27 16:57 -------- d-----w- c:\windows\Migration

2013-11-27 16:54 . 2013-12-02 22:52 -------- d-----w- c:\program files\NzbDrone

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-11-19 10:21 . 2013-06-28 11:12 230048 ------w- c:\windows\system32\MpSigStub.exe

2013-09-27 14:53 . 2013-09-27 14:53 214696 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2013-09-27 14:53 . 2013-09-27 14:53 104768 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

2013-09-12 02:21 . 2013-09-12 02:21 863344 ----a-w- c:\windows\system32\msvcr110_clr0400.dll

2013-09-12 02:21 . 2013-09-12 02:21 501872 ----a-w- c:\windows\system32\msvcp110_clr0400.dll

2013-09-12 02:21 . 2013-09-12 02:21 28776 ----a-w- c:\windows\system32\aspnet_counters.dll

2013-09-12 02:21 . 2013-09-12 02:21 18000 ----a-w- c:\windows\system32\msvcr100_clr0400.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoogleChromeAutoLaunch_4C808AD06E65C2EB4B5F0CF6ACEA479D"="c:\users\Bear\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-12-03 866256]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USB3MON"="c:\program files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-27 291608]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-12-06 11487848]

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-11-30 284440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-12-22 144152]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-12-22 179992]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-12-22 188184]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]

.

c:\users\Bear\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

NzbDrone - Shortcut.lnk - c:\program files\NzbDrone\NzbDrone.exe [2013-11-25 44544]

SABnzbd.lnk - c:\program files\SABnzbd\SABnzbd.exe -b0 [2013-6-28 103424]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

CouchPotato.lnk - c:\users\Bear\AppData\Roaming\CouchPotato\application\CouchPotato.exe [2013-6-28 393728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-11-30 13592]

R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]

R3 NfsClnt;Client for NFS;c:\windows\system32\nfsclnt.exe [2009-07-14 52736]

R3 NfsRdr;Client for NFS Redirector;c:\windows\system32\drivers\nfsrdr.sys [2009-07-13 201216]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-09-27 104768]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-10-23 280288]

R3 RpcXdr;Server for NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [2009-07-13 86528]

S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-27 13592]

S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-10 132768]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 280576]

S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-27 348440]

S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-27 791832]

S3 MEI;Intel® Management Engine Interface ;c:\windows\system32\DRIVERS\HECI.sys [2012-07-18 55104]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000Core.job

- c:\users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe [2013-06-28 10:47]

.

2013-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2640932471-1266867591-1125158052-1000UA.job

- c:\users\Bear\AppData\Local\Google\Update\GoogleUpdate.exe [2013-06-28 10:47]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.11.1

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2013-12-05  17:35:16 - machine was rebooted

ComboFix-quarantined-files.txt  2013-12-05 22:35

.

Pre-Run: 93,608,312,832 bytes free

Post-Run: 93,925,359,616 bytes free

.

- - End Of File - - A4431110D7538D734CFAE46E8F5239DF

A36C5E4F47E84449FF07ED3517B43A31


Yep, Combofix has done a good job. We need to run an online AV scan to ensure there are no remnants of any infection left on your system. This scan can take several hours to complete; it is very thorough and well worth running, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report in next reply

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs,

 

Kevin....


Looks like everything Eset found is Quarantined or those ___-crack files I can usually just delete.

C:\AdwCleaner\Quarantine\C\Program Files\Vuze\.install4j\BunndleOfferManager.dll.vir a variant of Win32/Bunndle application
C:\FRST\Quarantine\13058.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\17035.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\19378.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\24781.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\31234.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\31611.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\42840.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\46647.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\51512.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\52243.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\53587.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\53886.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\54040.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\54902.exe a variant of MSIL/Spy.Agent.PI trojan
C:\FRST\Quarantine\54998.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\58773.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\63755.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\64834.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\66761.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\69000.exe a variant of MSIL/Spy.Agent.PI trojan
C:\FRST\Quarantine\69555.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\71397.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\72032.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\77794.exe a variant of MSIL/Autorun.Agent.DW worm
C:\FRST\Quarantine\91591.exe a variant of MSIL/Spy.Agent.PI trojan
C:\Qoobox\Quarantine\C\Users\Bear\AppData\Roaming\Microsoft\ktab.exe.vir a variant of MSIL/Spy.Agent.PI trojan
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Common Files-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Internet Explorer-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Microsoft.NET-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\MSBuild-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Reference Assemblies-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Uninstall Information-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Windows Media Player-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Windows NT-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm
C:\Qoobox\Quarantine\C\Users\Bear\Videos\mfcmifc.exe.vir MSIL/Spy.Agent.BP trojan
C:\Qoobox\Quarantine\C\Users\Bear\Videos\napsnap.exe.vir MSIL/Spy.Agent.BP trojan
C:\Users\Bear\Documents\Downloads\7-Zip-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Apple Software Update-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Bonjour Print Services-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Bonjour-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\DVD Maker-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Foxit Software-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\headphones-master-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\InstallShield Installation Information-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Intel-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\LinuxLive USB Creator-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Microsoft Security Client-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Microsoft Xbox 360 Accessories-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\NzbDrone-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Realtek-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\SABnzbd-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\SickBeard-win32-alpha-build500-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Temp-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\VideoLAN-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Vuze-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Windows Defender-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Windows Mail-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Windows Photo Viewer-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Windows Portable Devices-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\Windows Sidebar-crack.exe a variant of MSIL/Autorun.Agent.DW worm
C:\Users\Bear\Documents\Downloads\XBMC-crack.exe a variant of MSIL/Autorun.Agent.DW worm

 Results of screen317's Security Check version 0.99.77  
 Windows 7  x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Google Chrome 32.0.1700.39  
 Google Chrome 32.0.1700.41  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 
 
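Before taking "everything is quarantined" on trust it is worth reading the ESET export mechanically: only paths under a quarantine folder (AdwCleaner\Quarantine, FRST\Quarantine, Qoobox\Quarantine) are already neutralised, anything else is still live on disk, and the "<folder>-crack.exe" files are the worm's own copies, named after folders on the machine (mostly Program Files subfolders) so they look like keygens. The Python below is an added example, not part of this thread or of ESET. It parses a subset of the ESET lines posted above (embedded verbatim as sample input so it runs offline), groups hits by family, separates live from quarantined paths, and flags any "-crack.exe" whose stem names a known folder. The folder set is constructed for the example from names that appear in the thread; on a real machine you would build it from the actual directory listing.

```python
import re
from collections import Counter

# Sample input: a subset of the lines from the ESET Online Scanner export
# posted above, embedded verbatim so the script runs offline.
ESET_LINES = [
    r"C:\AdwCleaner\Quarantine\C\Program Files\Vuze\.install4j\BunndleOfferManager.dll.vir a variant of Win32/Bunndle application",
    r"C:\FRST\Quarantine\13058.exe a variant of MSIL/Autorun.Agent.DW worm",
    r"C:\FRST\Quarantine\54902.exe a variant of MSIL/Spy.Agent.PI trojan",
    r"C:\Qoobox\Quarantine\C\Users\Bear\AppData\Roaming\Microsoft\ktab.exe.vir a variant of MSIL/Spy.Agent.PI trojan",
    r"C:\Qoobox\Quarantine\C\Users\Bear\Documents\Downloads\Common Files-crack.exe.vir a variant of MSIL/Autorun.Agent.DW worm",
    r"C:\Qoobox\Quarantine\C\Users\Bear\Videos\mfcmifc.exe.vir MSIL/Spy.Agent.BP trojan",
    r"C:\Users\Bear\Documents\Downloads\7-Zip-crack.exe a variant of MSIL/Autorun.Agent.DW worm",
    r"C:\Users\Bear\Documents\Downloads\Windows Defender-crack.exe a variant of MSIL/Autorun.Agent.DW worm",
    r"C:\Users\Bear\Documents\Downloads\XBMC-crack.exe a variant of MSIL/Autorun.Agent.DW worm",
]

# Constructed for this example: folder names the worm used for its copies,
# taken from the "-crack.exe" file names in the thread.  On a real machine
# build this from os.listdir(r"C:\Program Files") and similar.
KNOWN_FOLDERS = {"7-Zip", "Common Files", "Vuze", "VideoLAN", "Windows Defender", "XBMC"}

# ESET prints "<path> <detection>"; paths contain spaces, so anchor the split
# on the file extension (.exe, .dll, or the .vir suffix quarantine tools add).
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|vir))\s+(?P<detection>\S.*)$", re.IGNORECASE
)
QUARANTINE_MARKER = "\\quarantine\\"


def parse_eset_line(line):
    """Split one export line into path, malware family, type and quarantine status."""
    m = ESET_LINE.match(line.strip())
    if not m:
        return None
    path, detection = m.group("path"), m.group("detection")
    if detection.lower().startswith("a variant of "):
        detection = detection[len("a variant of "):]
    family, _, kind = detection.rpartition(" ")
    return {
        "path": path,
        "family": family,
        "kind": kind,
        "quarantined": QUARANTINE_MARKER in path.lower(),
    }


def lure_stem(path):
    """For '<name>-crack.exe' (optionally '.vir'-suffixed) return <name>, else None."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower().endswith(".vir"):
        name = name[:-4]
    if not name.lower().endswith("-crack.exe"):
        return None
    return name[: -len("-crack.exe")]


def summarize(lines, known_folders):
    """Group detections by family and separate live hits and folder-named lures."""
    records = [r for r in map(parse_eset_line, lines) if r is not None]
    by_family = Counter(r["family"] for r in records)
    live = [r["path"] for r in records if not r["quarantined"]]
    lures = []
    for r in records:
        stem = lure_stem(r["path"])
        if stem is not None and stem in known_folders:
            lures.append(r["path"])
    return {"total": len(records), "by_family": by_family, "live": live, "lures": lures}


if __name__ == "__main__":
    s = summarize(ESET_LINES, KNOWN_FOLDERS)
    print(f"{s['total']} detections")
    for family, n in s["by_family"].most_common():
        print(f"  {n:3d}  {family}")
    print("still on disk (not quarantined):")
    for p in s["live"]:
        print("  " + p)
    print("worm copies named after a known folder:")
    for p in s["lures"]:
        print("  " + p)
```

On the sample above the three Downloads\*-crack.exe hits come out as live, which matches what the poster noticed; the point of the "live" list is that it is the set that still needs deleting (or that ESET needs re-running on with "Remove found threats" enabled), independent of what the quarantine folders hold.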

Not sure what you've done since last post, if all is ok tools can be removed...

 

We need to remove FRST,  first it is very important to deal with its Quarantine folder by using FRST itself..

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

Remove Combofix now that we're done with it


Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
 
Please follow the prompts to uninstall Combofix.
You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:


    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\_OtMoveIt folder, if present
    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    Reset System Restore.

 

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

 

Next,

 

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

 

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

 

Any tools/logs remaining on the Desktop or downloads folder can be deleted.

 

Let me know if those steps complete, if no remaining issues or concerns we can close out....

 

Kevin

 

fixlist.txt

