12 replies to this topic

[pocketowl]

My laptop has a Google/scour redirect virus which I have been trying to remove with various anti-malware software. Malwarebytes has found several rootkits in its scans, but cannot seem to get rid of them. Here are the DDS and Attach logs.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.0
Run by Rachel at 10:45:41 on 2012-08-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3838.2089 [GMT -4:00]
.
AV: Lavasoft Ad-Aware *Enabled/Outdated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
SP: Lavasoft Ad-Aware *Enabled/Outdated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\Dwm.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~2\AD-AWA~1\AdAware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamservice.exe
"C:\windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: TBSB05810 Class: {a7af277d-1466-4a7b-93af-b043984a5671} - C:\Users\Rachel\Desktop\Glarysoft Toolbar\tbcore3.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Glarysoft Toolbar: {32d47ea5-9473-4cad-805d-9999f15d5ae2} - C:\Users\Rachel\Desktop\Glarysoft Toolbar\tbcore3.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
mRun: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
mRun: [BDRegion] c:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7}\358696358616 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7}\358696378616 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7}\378696378616 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7}\7756275686F6573756 : DhcpNameServer = 208.59.247.45 208.59.247.46
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7}\9445740434F657274797162746331353 : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{2A65525C-0B95-401A-A2A9-4C6FE7AAF1D7}\C696E6B6379737 : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: TBSB05810 Class: {A7AF277D-1466-4A7B-93AF-B043984A5671} - C:\Users\Rachel\Desktop\Glarysoft Toolbar\tbcore3.dll
BHO-X64: TBSB05810 - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Glarysoft Toolbar: {32D47EA5-9473-4CAD-805D-9999F15D5AE2} - C:\Users\Rachel\Desktop\Glarysoft Toolbar\tbcore3.dll
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
mRun-x64: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
mRun-x64: [BDRegion] c:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\vi4b7844.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - resource:/browserconfig.properties
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\vi4b7844.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}\components\dtTransparency.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SbFw;SbFw;C:\windows\system32\drivers\SbFw.sys --> C:\windows\system32\drivers\SbFw.sys [?]
R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/13 07:28:46];C:\Program Files (x86)\Cyberlink\PowerDVD8\000.fcl [2009-7-7 146928]
R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-5-3 1226096]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-5-13 844320]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-6-4 1150496]
R2 HsfXAudioService;HsfXAudioService;C:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 MBAMService;MBAMService;C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-3 655944]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-20 62720]
R2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]
R2 sbapifs;sbapifs;C:\windows\system32\DRIVERS\sbapifs.sys --> C:\windows\system32\DRIVERS\sbapifs.sys [?]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-15 240160]
R3 CAXHWAZL;CAXHWAZL;C:\windows\system32\DRIVERS\CAXHWAZL.sys --> C:\windows\system32\DRIVERS\CAXHWAZL.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\system32\DRIVERS\k57nd60a.sys --> C:\windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;C:\windows\system32\DRIVERS\SBFWIM.sys --> C:\windows\system32\DRIVERS\SBFWIM.sys [?]
R3 sbwtis;sbwtis;C:\windows\system32\DRIVERS\sbwtis.sys --> C:\windows\system32\DRIVERS\sbwtis.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\windows\system32\DRIVERS\usbfilter.sys --> C:\windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-8 135664]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-8 135664]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;\??\C:\windows\system32\drivers\hitmanpro36.sys --> C:\windows\system32\drivers\hitmanpro36.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-16 113120]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\windows\system32\DRIVERS\netr28x.sys --> C:\windows\system32\DRIVERS\netr28x.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-5-13 225280]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;C:\windows\system32\DRIVERS\sbfwim.sys --> C:\windows\system32\DRIVERS\sbfwim.sys [?]
S3 sbhips;sbhips;C:\windows\system32\drivers\sbhips.sys --> C:\windows\system32\drivers\sbhips.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-04 01:53:21 -------- d-----w- C:\Program Files\Enigma Software Group
2012-08-04 01:52:55 -------- d-----w- C:\windows\F896D02690164122B9BD957FF092FFE9.TMP
2012-08-04 01:52:53 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-08-03 16:04:55 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-07-30 21:41:41 30496 ----a-w- C:\windows\System32\drivers\hitmanpro36.sys
2012-07-30 21:29:36 -------- d-----w- C:\Program Files\HitmanPro
2012-07-30 21:27:54 -------- d-----w- C:\ProgramData\HitmanPro
2012-07-30 20:39:41 -------- d-----w- C:\Users\Rachel\AppData\Roaming\Malwarebytes
2012-07-30 20:39:18 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-30 19:37:16 -------- d-sh--w- C:\windows\SysWow64\%APPDATA%
2012-07-30 19:32:19 -------- d-----w- C:\ProgramData\0C1D173402FB8E6703093924F875F002
2012-07-16 15:15:44 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-16 15:15:44 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-12 15:40:48 3148800 ----a-w- C:\windows\System32\win32k.sys
2012-07-07 19:11:36 -------- d-----w- C:\Users\Rachel\AppData\Local\IsolatedStorage
2012-07-07 19:04:14 -------- d-----w- C:\Program Files\CCleaner
2012-07-07 19:01:17 -------- d-----w- C:\Users\Rachel\AppData\Roaming\GlarySoft
.
==================== Find3M ====================
.
2012-07-30 21:52:44 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-30 21:52:44 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-06-07 22:29:51 687560 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-06-06 06:06:16 2004480 ----a-w- C:\windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2012-06-02 03:24:08 476960 ----a-w- C:\windows\SysWow64\npdeployJava1.dll
2012-05-15 04:01:31 1188864 ----a-w- C:\windows\System32\wininet.dll
2012-05-15 03:03:54 981504 ----a-w- C:\windows\SysWow64\wininet.dll
.
============= FINISH: 10:46:40.39 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/8/2010 9:24:18 PM
System Uptime: 8/4/2012 10:11:57 AM (0 hours ago)
.
Motherboard: Gateway | | SJV50TR
Processor: AMD Athlon™ II Dual-Core M300 | Socket S1G3 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 454 GiB total, 409.974 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Ad-Aware Browsing Protection
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
AMD USB Filter Driver
Apple Application Support
Apple Software Update
Backup Manager Basic
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Choice Guard
Compatibility Pack for the 2007 Office system
CyberLink Power2Go
CyberLink PowerDVD 8
Gateway Games
Gateway InfoCentre
Gateway MyBackup
Gateway Power Management
Gateway Recovery Management
Gateway Registration
Gateway ScreenSaver
Gateway Updater
Glary Utilities 2.47.0.1539
Glarysoft Toolbar
Google Toolbar for Internet Explorer
Google Update Helper
Identity Card
Java Auto Updater
Java™ 6 Update 32
Java™ 7 Update 4
Junk Mail filter update
Launch Manager
League of Legends
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Pando Media Booster
QuickTime
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Video Web Camera
Welcome Center
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
8/4/2012 10:14:18 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
8/4/2012 10:14:18 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
8/4/2012 10:13:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
8/4/2012 10:12:19 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0xfffffa8438cf4190, 0x0000000000000002, 0x0000000000000000, 0xfffff80002c23557). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 080412-19266-01.
8/3/2012 3:25:17 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
8/3/2012 3:25:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/3/2012 3:25:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/3/2012 3:25:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/3/2012 3:25:02 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
8/3/2012 3:25:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/3/2012 2:37:39 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
8/3/2012 2:37:09 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
8/3/2012 2:36:39 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
8/3/2012 2:06:18 PM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
8/3/2012 1:58:29 PM, Error: Service Control Manager [7000] - The sbwtis service failed to start due to the following error: There are no more endpoints available from the endpoint mapper.
7/30/2012 5:41:46 PM, Error: Service Control Manager [7024] - The HitmanPro 3.6 Crusader (Boot) service terminated with service-specific error The operation completed successfully..
7/30/2012 5:23:12 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
7/30/2012 5:23:12 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/30/2012 5:21:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/30/2012 5:21:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/30/2012 5:21:24 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/30/2012 5:21:24 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
7/30/2012 4:17:50 PM, Error: Service Control Manager [7034] - The Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s).
7/30/2012 4:17:50 PM, Error: Service Control Manager [7000] - The Ad-Aware Service service failed to start due to the following error: The pipe has been ended.
7/30/2012 4:17:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "109" attempting to start the service Ad-Aware Service with arguments "" in order to run the server: {706FFEF5-7E90-4149-B038-B39106ECDB99}
7/30/2012 4:17:13 PM, Error: Service Control Manager [7034] - The Ad-Aware service terminated unexpectedly. It has done this 1 time(s).
7/30/2012 4:17:13 PM, Error: Service Control Manager [7034] - The Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
7/30/2012 3:43:48 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/30/2012 3:43:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/30/2012 3:43:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/30/2012 3:43:34 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SbFw spldr tdx vwififlt Wanarpv6 WfpLwf
7/30/2012 3:43:27 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2012 3:43:27 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/30/2012 3:43:27 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/30/2012 3:43:27 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/30/2012 3:43:25 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/30/2012 3:43:25 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2012 3:43:25 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2012 3:43:25 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2012 3:43:25 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================

[MrCharlie]

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[pocketowl]

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Rachel [Admin rights]
Mode: Scan -- Date: 08/04/2012 12:25:32

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] mbamgui.exe -- C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKLM\[...]\Wow6432Node\Run : Malwarebytes' Anti-Malware ("C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray) -> FOUND
[SUSP PATH] GlaryInitialize.job @ : C:\Users\Rachel\Desktop\Computer Help\Glary Utilities\initialize.exe -> FOUND
[SUSP PATH] GlaryInitialize.job @ : C:\Users\Rachel\Desktop\Computer Help\Glary Utilities\initialize.exe -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX
[ZeroAccess][Sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00BEVT-22ZAT0 SATA Disk Device +++++
--- User ---
[MBR] c4b32113b43343579c145be125b48dc2
[BSP] c67a854456abcd36612785b22d981d29 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24782848 | Size: 464838 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

[MrCharlie]

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

Quote

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive. <------

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• 
  
  Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
  
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
  
• When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
  services.exe
  
• Now press the Search button
  
• When the search is complete, search.txt will also be written to your USB
  
• Type exit and reboot the computer normally
  
• Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

[pocketowl]

All right, here are the logs from the system recovery.

Scan result of Farbar Recovery Scan Tool Version: 04-08-2012 01
Ran by SYSTEM at 05-08-2012 00:03:37
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [503864 2009-07-20] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [828960 2009-08-05] (Acer Incorporated)
HKLM\...\Run: [PLFSetI] C:\windows\PLFSetI.exe [206208 2010-01-12] ()
HKLM\...\Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe" [200560 2011-12-19] (GFI Software)
HKLM-x32\...\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k [244480 2009-08-20] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-02] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1194504 2009-08-27] (Dritek System Inc.)
HKLM-x32\...\Run: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [103720 2009-06-03] (CyberLink)
HKLM-x32\...\Run: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] c:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2009-07-07] (cyberlink)
HKLM-x32\...\Run: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe" [600688 2010-01-21] (Chicony)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-12-13] (Apple Inc.)
HKLM-x32\...\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Rachel\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-08-14] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ======

2 Ad-Aware Service; "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe" [1226096 2012-05-03] (Lavasoft Limited)
2 MBAMService; "C:\Users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 SBAMSvc; "C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)

========================== Drivers (Whitelisted) =============

3 hitmanpro36; C:\Windows\System32\Drivers\hitmanpro36.sys [30496 2012-07-30] ()
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [57976 2011-10-26] (GFI Software)
2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\c:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2009-07-07] (CyberLink Corp.)
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-04 23:47 - 2012-08-04 23:47 - 00000000 ____D C:\FRST
2012-08-04 12:14 - 2012-08-04 12:14 - 01439619 ____A (Farbar) C:\Users\Rachel\Desktop\FRST64.exe
2012-08-04 12:09 - 2012-08-04 12:09 - 00000488 ____A C:\Windows\WindowsUpdate.log
2012-08-04 08:25 - 2012-08-04 08:25 - 00002533 ____A C:\Users\Rachel\Desktop\RKreport[1].txt
2012-08-04 08:20 - 2012-08-04 08:25 - 00000000 ____D C:\Users\Rachel\Desktop\RK_Quarantine
2012-08-04 08:20 - 2012-08-04 08:20 - 01552896 ____A C:\Users\Rachel\Desktop\RogueKiller.exe
2012-08-04 06:50 - 2012-08-04 06:50 - 00015901 ____A C:\Users\Rachel\Desktop\Attach.txt
2012-08-04 06:48 - 2012-08-04 06:48 - 00021721 ____A C:\Users\Rachel\Desktop\DDS.txt
2012-08-04 06:45 - 2012-08-04 06:45 - 00607260 ____R (Swearware) C:\Users\Rachel\Desktop\dds.scr
2012-08-04 06:12 - 2012-08-04 06:12 - 635587169 ____A C:\Windows\MEMORY.DMP
2012-08-04 06:12 - 2012-08-04 06:12 - 00315256 ____A C:\Windows\Minidump\080412-19266-01.dmp
2012-08-03 18:05 - 2012-08-03 18:06 - 04731392 ____A (AVAST Software) C:\Users\Rachel\Desktop\aswMBR.exe
2012-08-03 17:53 - 2012-08-03 17:53 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-08-03 17:52 - 2012-08-03 18:04 - 00000000 ____D C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP
2012-08-03 11:25 - 2012-08-03 11:25 - 00000000 ____D C:\Qoobox
2012-08-03 09:42 - 2012-08-03 11:25 - 00000000 ___SD C:\32788R22FWJFW
2012-08-03 09:42 - 2012-08-03 11:25 - 00000000 ____D C:\Windows\erdnt
2012-08-03 09:41 - 2012-08-03 09:41 - 04729092 ____R (Swearware) C:\Users\Rachel\Desktop\ComboFix.exe
2012-08-03 09:38 - 2012-08-03 09:38 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Rachel\Desktop\tdsskiller.exe
2012-08-03 09:21 - 2012-08-03 09:21 - 00001188 ____A C:\Windows\SysWOW64\ServiceConfig.xml
2012-08-03 08:04 - 2012-08-03 08:04 - 00000923 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-03 08:04 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-03 08:01 - 2012-08-03 08:01 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Rachel\Downloads\mbam-setup-1.62.0.1300(1).exe
2012-07-31 07:41 - 2012-08-04 19:59 - 00002978 ____A C:\Windows\setupact.log
2012-07-31 07:41 - 2012-08-04 06:12 - 00003840 ____A C:\Windows\PFRO.log
2012-07-31 07:41 - 2012-07-31 07:41 - 00000000 ____A C:\Windows\setuperr.log
2012-07-31 07:38 - 2012-07-31 07:38 - 00001134 ____A C:\Users\Rachel\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-31 07:23 - 2012-07-31 07:23 - 00000000 ____D C:\Users\Rachel\Desktop\Glarysoft Toolbar
2012-07-30 13:41 - 2012-07-30 13:41 - 00030496 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-07-30 13:37 - 2012-07-30 13:37 - 00000886 ____A C:\Windows\System32\.crusader
2012-07-30 13:29 - 2012-07-30 13:29 - 00001900 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2012-07-30 13:29 - 2012-07-30 13:29 - 00000000 ____D C:\Program Files\HitmanPro
2012-07-30 13:28 - 2012-07-30 13:28 - 08854904 ____A (SurfRight B.V.) C:\Users\Rachel\Downloads\HitmanPro36_x64.exe
2012-07-30 13:27 - 2012-07-30 13:37 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-07-30 13:26 - 2012-07-30 13:27 - 07750160 ____A (SurfRight B.V.) C:\Users\Rachel\Downloads\HitmanPro36.exe
2012-07-30 12:39 - 2012-07-30 12:39 - 00000000 ____D C:\Users\Rachel\AppData\Roaming\Malwarebytes
2012-07-30 12:39 - 2012-07-30 12:39 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-30 12:38 - 2012-07-30 12:38 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Rachel\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-30 12:34 - 2012-07-30 12:35 - 00000422 ____A C:\rkill.log
2012-07-30 12:33 - 2012-07-30 12:33 - 01012656 ____A C:\Users\Rachel\Downloads\iExplore.exe
2012-07-30 12:33 - 2012-07-30 12:33 - 00001205 ____A C:\Users\Rachel\Downloads\registryfix.reg
2012-07-30 12:13 - 2012-07-30 12:13 - 00022306 ____A C:\Users\Rachel\Documents\backup registry 7.30.12.reg
2012-07-30 11:45 - 2012-07-30 11:45 - 00000946 ____A C:\Windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
2012-07-30 11:37 - 2012-07-30 11:37 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-30 11:32 - 2012-07-30 11:34 - 00000000 ____D C:\Users\All Users\0C1D173402FB8E6703093924F875F002
2012-07-12 07:40 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 07:49 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 07:49 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 07:49 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 07:49 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 07:49 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 07:49 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 07:49 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 07:49 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-11 07:49 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 07:49 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 07:49 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 07:49 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 07:49 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 07:49 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 07:49 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 07:49 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 07:49 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-11 07:49 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 07:49 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-07 11:11 - 2012-07-07 11:11 - 00000000 ____D C:\Users\Rachel\AppData\Local\IsolatedStorage
2012-07-07 11:04 - 2012-07-07 11:04 - 00000000 ____D C:\Program Files\CCleaner
2012-07-07 11:01 - 2012-08-04 19:56 - 00000356 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-07-07 11:01 - 2012-07-30 12:17 - 00000000 ____D C:\Users\Rachel\AppData\Roaming\GlarySoft
2012-07-07 10:43 - 2012-08-03 08:04 - 00000000 ____D C:\Users\Rachel\Desktop\Computer Help

============ 3 Months Modified Files ========================

2012-08-04 19:59 - 2012-07-31 07:41 - 00002978 ____A C:\Windows\setupact.log
2012-08-04 19:56 - 2012-07-07 11:01 - 00000356 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-08-04 19:56 - 2012-06-01 19:13 - 00001875 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2012-08-04 19:56 - 2010-08-08 17:49 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-04 19:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-04 19:23 - 2009-07-13 21:13 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-04 19:18 - 2010-08-08 17:49 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-04 12:17 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-04 12:17 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-04 12:14 - 2012-08-04 12:14 - 01439619 ____A (Farbar) C:\Users\Rachel\Desktop\FRST64.exe
2012-08-04 12:09 - 2012-08-04 12:09 - 00000488 ____A C:\Windows\WindowsUpdate.log
2012-08-04 08:25 - 2012-08-04 08:25 - 00002533 ____A C:\Users\Rachel\Desktop\RKreport[1].txt
2012-08-04 08:20 - 2012-08-04 08:20 - 01552896 ____A C:\Users\Rachel\Desktop\RogueKiller.exe
2012-08-04 06:50 - 2012-08-04 06:50 - 00015901 ____A C:\Users\Rachel\Desktop\Attach.txt
2012-08-04 06:48 - 2012-08-04 06:48 - 00021721 ____A C:\Users\Rachel\Desktop\DDS.txt
2012-08-04 06:45 - 2012-08-04 06:45 - 00607260 ____R (Swearware) C:\Users\Rachel\Desktop\dds.scr
2012-08-04 06:12 - 2012-08-04 06:12 - 635587169 ____A C:\Windows\MEMORY.DMP
2012-08-04 06:12 - 2012-08-04 06:12 - 00315256 ____A C:\Windows\Minidump\080412-19266-01.dmp
2012-08-04 06:12 - 2012-07-31 07:41 - 00003840 ____A C:\Windows\PFRO.log
2012-08-03 18:06 - 2012-08-03 18:05 - 04731392 ____A (AVAST Software) C:\Users\Rachel\Desktop\aswMBR.exe
2012-08-03 09:41 - 2012-08-03 09:41 - 04729092 ____R (Swearware) C:\Users\Rachel\Desktop\ComboFix.exe
2012-08-03 09:38 - 2012-08-03 09:38 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Rachel\Desktop\tdsskiller.exe
2012-08-03 09:21 - 2012-08-03 09:21 - 00001188 ____A C:\Windows\SysWOW64\ServiceConfig.xml
2012-08-03 08:04 - 2012-08-03 08:04 - 00000923 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-03 08:01 - 2012-08-03 08:01 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Rachel\Downloads\mbam-setup-1.62.0.1300(1).exe
2012-07-31 07:41 - 2012-07-31 07:41 - 00000000 ____A C:\Windows\setuperr.log
2012-07-31 07:38 - 2012-07-31 07:38 - 00001134 ____A C:\Users\Rachel\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-30 13:52 - 2012-06-07 14:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-30 13:52 - 2012-06-07 14:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-30 13:41 - 2012-07-30 13:41 - 00030496 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-07-30 13:37 - 2012-07-30 13:37 - 00000886 ____A C:\Windows\System32\.crusader
2012-07-30 13:29 - 2012-07-30 13:29 - 00001900 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2012-07-30 13:28 - 2012-07-30 13:28 - 08854904 ____A (SurfRight B.V.) C:\Users\Rachel\Downloads\HitmanPro36_x64.exe
2012-07-30 13:27 - 2012-07-30 13:26 - 07750160 ____A (SurfRight B.V.) C:\Users\Rachel\Downloads\HitmanPro36.exe
2012-07-30 12:38 - 2012-07-30 12:38 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Rachel\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-30 12:35 - 2012-07-30 12:34 - 00000422 ____A C:\rkill.log
2012-07-30 12:33 - 2012-07-30 12:33 - 01012656 ____A C:\Users\Rachel\Downloads\iExplore.exe
2012-07-30 12:33 - 2012-07-30 12:33 - 00001205 ____A C:\Users\Rachel\Downloads\registryfix.reg
2012-07-30 12:13 - 2012-07-30 12:13 - 00022306 ____A C:\Users\Rachel\Documents\backup registry 7.30.12.reg
2012-07-30 11:45 - 2012-07-30 11:45 - 00000946 ____A C:\Windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
2012-07-16 07:13 - 2009-07-13 20:45 - 00425488 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 07:40 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-12 07:36 - 2010-09-20 07:26 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 09:46 - 2012-08-03 08:04 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-11 19:08 - 2012-07-12 07:40 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-11 07:49 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 07:49 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-07 14:32 - 2012-06-07 14:32 - 13085120 ____A (Microsoft Corporation) C:\Users\Rachel\Downloads\Silverlight_x64.exe
2012-06-07 14:29 - 2012-06-07 14:30 - 00227784 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-06-07 14:29 - 2012-06-07 14:30 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-06-07 14:29 - 2012-06-07 14:30 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-06-07 14:29 - 2010-10-05 14:25 - 00687560 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-06-07 14:25 - 2012-06-07 14:21 - 21053392 ____A (Oracle Corporation) C:\Users\Rachel\Downloads\jre-7u4-windows-i586.exe
2012-06-05 22:06 - 2012-07-11 07:49 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 07:49 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 07:49 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 07:49 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 07:49 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 07:49 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-21 04:14 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 04:14 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 04:14 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 04:13 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 04:13 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 04:14 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 04:13 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-21 04:13 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-21 04:13 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 08:21 - 2012-06-02 08:19 - 39483256 ____A (Apple Inc.) C:\Users\Rachel\Downloads\QuickTimeInstaller(1).exe
2012-06-01 21:50 - 2012-07-11 07:49 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 07:49 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 07:49 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 07:49 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 07:49 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 07:49 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 07:49 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 07:49 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 07:49 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 19:24 - 2012-06-01 19:24 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-06-01 19:14 - 2012-06-01 19:14 - 00000012 ____A C:\Users\Rachel\Downloads\FSSC.dat
2012-06-01 19:09 - 2012-06-01 19:09 - 06236280 ____A (Lavasoft Limited) C:\Users\Rachel\Downloads\Adaware_Installer.exe
2012-06-01 19:02 - 2012-01-14 15:36 - 00004408 ____A C:\aaw7boot.log
2012-05-30 08:23 - 2012-01-11 09:22 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2012-05-30 08:23 - 2012-01-11 09:22 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2012-05-14 20:01 - 2012-06-13 02:45 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:59 - 2012-06-13 02:45 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 19:03 - 2012-06-13 02:45 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 19:00 - 2012-06-13 02:45 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll


ZeroAccess:
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\L
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\L\00000004.@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\L\201d3dde
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\00000004.@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\00000008.@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\000000cb.@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\80000000.@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\80000032.@
C:\Windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3838.36 MB
Available physical RAM: 3165 MB
Total Pagefile: 3836.51 MB
Available Pagefile: 3153.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Gateway) (Fixed) (Total:453.94 GB) (Free:409.28 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:3.04 GB) NTFS
4 Drive g: (USB DISK) (Removable) (Total:7.2 GB) (Free:7.2 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7385 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 11 GB 1024 KB
Partition 2 Primary 100 MB 11 GB
Partition 3 Primary 453 GB 11 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Gateway NTFS Partition 453 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7381 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G USB DISK FAT32 Removable 7381 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-28 05:15

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 04-08-2012 01
Ran by SYSTEM at 2012-08-05 00:05:37
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======

[MrCharlie]

OK, here you go......Please carefully carry out this procedure!!!!!!

Open notepad. Make sure "word wrap" under Format is unchecked! Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

[pocketowl]

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012 01
Ran by SYSTEM at 2012-08-05 08:26:49 Run:1
Running from G:\

==============================================

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

[MrCharlie]

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[pocketowl]

Ran Combofix, didn't have any problems with it.

ComboFix 12-08-05.02 - Rachel 08/05/2012 11:24:24.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3838.2753 [GMT -4:00]
Running from: c:\users\Rachel\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rachel\Documents\~WRL0003.tmp
c:\users\Rachel\Documents\~WRL1590.tmp
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\L\00000004.@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\L\201d3dde
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\00000004.@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\00000008.@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\000000cb.@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\80000000.@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\80000032.@
c:\windows\Installer\{95d9691f-4eee-6e9d-9429-c13c38d36958}\U\80000064.@
.
.
((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))
.
.
2012-08-05 16:04 . 2012-08-05 16:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-03 16:04 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-30 21:41 . 2012-07-30 21:41 30496 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-07-30 21:29 . 2012-07-30 21:29 -------- d-----w- c:\program files\HitmanPro
2012-07-30 21:27 . 2012-07-30 21:37 -------- d-----w- c:\programdata\HitmanPro
2012-07-30 20:39 . 2012-07-30 20:39 -------- d-----w- c:\users\Rachel\AppData\Roaming\Malwarebytes
2012-07-30 20:39 . 2012-07-30 20:39 -------- d-----w- c:\programdata\Malwarebytes
2012-07-30 19:37 . 2012-07-30 19:37 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-30 19:32 . 2012-07-30 19:34 -------- d-----w- c:\programdata\0C1D173402FB8E6703093924F875F002
2012-07-16 15:15 . 2012-07-16 15:15 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-16 15:15 . 2012-07-16 15:15 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-12 15:40 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-07 19:11 . 2012-07-07 19:11 -------- d-----w- c:\users\Rachel\AppData\Local\IsolatedStorage
2012-07-07 19:04 . 2012-07-07 19:04 -------- d-----w- c:\program files\CCleaner
2012-07-07 19:01 . 2012-07-30 20:17 -------- d-----w- c:\users\Rachel\AppData\Roaming\GlarySoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-30 21:52 . 2012-06-07 22:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-30 21:52 . 2012-06-07 22:45 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 15:36 . 2010-09-20 15:26 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-07 22:29 . 2010-10-05 22:25 687560 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-06-02 22:19 . 2012-06-21 12:13 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 12:14 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 12:14 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 12:14 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 12:13 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 12:14 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 12:13 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 12:13 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 12:13 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 03:24 . 2012-06-02 03:24 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-05-15 04:01 . 2012-06-13 10:45 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-13 10:45 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-13 10:45 981504 ----a-w- c:\windows\SysWow64\wininet.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}]
2012-06-01 13:35 2669408 ------w- c:\users\Rachel\Desktop\Glarysoft Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{32D47EA5-9473-4CAD-805D-9999F15D5AE2}"= "c:\users\Rachel\Desktop\Glarysoft Toolbar\tbcore3.dll" [2012-06-01 2669408]
.
[HKEY_CLASSES_ROOT\clsid\{32d47ea5-9473-4cad-805d-9999f15d5ae2}]
[HKEY_CLASSES_ROOT\TBSB05810.TBSB05810.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05810.TBSB05810]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-21 244480]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-27 1194504]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-07-07 75048]
"Camera Assistant Software"="c:\program files (x86)\Video Web Camera\traybar.exe" [2010-01-21 600688]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"Malwarebytes' Anti-Malware"="c:\users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SBBD.exe /d \Device\HarddiskVolume3\Program Files (x86)\Ad-Aware Antivirus\Definitions
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-09 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-09 135664]
R3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-07-30 30496]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-29 113120]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-08-19 942080]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-09-28 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-01 1255736]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/13 07:28];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2009-07-07 20:47 146928]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-02 203264]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-08-06 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 MBAMService;MBAMService;c:\users\Rachel\Desktop\Computer Help\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-21 62720]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\GlaryInitialize.job
- c:\users\Rachel\Desktop\Computer Help\Glary Utilities\initialize.exe [2012-07-07 02:16]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-09 01:49]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-09 01:49]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-20 503864]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-08-06 828960]
"PLFSetI"="c:\windows\PLFSetI.exe" [2010-01-13 206208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\vi4b7844.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - resource:/browserconfig.properties
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{32D47EA5-9473-4CAD-805D-9999F15D5AE2} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SBRegRebootCleaner - c:\program files (x86)\Ad-Aware Antivirus\SBRC.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2012-08-05 12:11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-05 16:11
.
Pre-Run: 439,259,381,760 bytes free
Post-Run: 439,269,793,792 bytes free
.
- - End Of File - - 82A73D07CDD64C589692011C4D427E56

[MrCharlie]

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[pocketowl]

MBAM didn't find anything. Everything seems to be running just fine. Thank you so much!

Do you recommend a particular program or combination of programs to keep things like this rootkit from getting onto this computer again? I had been using Ad-Aware, but it was no longer allowing me to update it without purchasing. I wouldn't mind paying a reasonable price for a program that would keep my computer safe, I have just never been sure which one was worth the expense.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.05.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Rachel :: VOLTRON [administrator]

Protection: Enabled

8/5/2012 1:28:40 PM
mbam-log-2012-08-05 (13-28-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195796
Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

[MrCharlie]

Great

Carefully read through my Preventive Maintenance to keep the system safe and secure.

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!