19 replies to this topic

[Vegeta912]

I have recently gotten infected with Trojan.Dropper.BCMiner and Rootkit.0Access and whenever I try to remove it, it just comes back when I scan it again. I looked around on the forum, but it seems that the solutions were made specifically for that person. Please help me, because I'm not too sure what to do here.

[MrCharlie]

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[Vegeta912]

 DDS.txt   18.95K   6 downloads
 Attach.txt   18.45K   3 downloads

 RKreport1.txt   2.91K   6 downloads

Thanks for the quick reply

[MrCharlie]

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

Quote

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------
Being you have Vista, you may or may not be able to do this but please try,

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• 
  
  Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
  
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
  
• When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
  services.exe
  
• Now press the Search button
  
• When the search is complete, search.txt will also be written to your USB
  
• Type exit and reboot the computer normally
  
• Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

[Vegeta912]

Yeah, it worked perfectly fine with Vista.
Here are the files:

FRST.txt
[spoiler
Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 16-08-2012 13:26:49
Running from D:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [6975520 2009-02-24] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-02-13] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [250192 2009-04-24] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-02-04] (CyberLink Corp.)
HKLM-x32\...\Run: [BrMfcWnd] "C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [BSDAppUpdater] "C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [1660232 2011-05-11] (Bootstrap Software Development)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\MS3CORP\...\Run: [MediaGet2] C:\Users\MS3CORP\AppData\Local\MediaGet2\mediaget.exe --minimized [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNDA3100 Smart Wizard.lnk
ShortcutTarget: NETGEAR WNDA3100 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNDA3100\WNDA3100.exe (NETGEAR)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
==================== Services (Whitelisted) ======
3 jswpsapi; C:\Program Files (x86)\NETGEAR\WNDA3100\jswpsapi.exe [942080 2008-02-28] (Atheros Communications, Inc.)
2 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [58345832 2011-09-22] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [431464 2011-09-22] (Microsoft Corporation)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]
========================== Drivers (Whitelisted) =============
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-01-29] (DT Soft Ltd)
3 NAL; \??\C:\Windows\system32\Drivers\iqvw64e.sys [33888 2008-05-23] (Intel Corporation )
3 NPF; C:\Windows\SysWow64\Drivers\NPF.sys [30336 2003-04-04] (Politecnico di Torino)
3 PCAMp50a64; C:\Windows\System32\Drivers\PCAMp50a64.sys [43328 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
3 WNDA3100; C:\Windows\System32\DRIVERS\WNDA31vx.sys [553472 2008-09-29] (Atheros Communications, Inc.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [x]
3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [x]
3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-16 13:26 - 2012-08-16 13:26 - 00000000 ____D C:\FRST
2012-08-16 08:12 - 2012-08-16 08:15 - 00000000 ____D C:\Users\MS3CORP\Desktop\RK_Quarantine
2012-08-14 02:52 - 2012-08-14 02:52 - 00000984 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-14 02:51 - 2012-08-14 02:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-14 02:51 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-12 13:40 - 2012-08-12 13:58 - 03317584 ____A C:\Users\MS3CORP\Desktop\Zenonia4_iPhone
2012-08-11 17:58 - 2012-08-11 17:59 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-11 17:58 - 2012-08-11 17:58 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-11 17:30 - 2012-08-11 17:30 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\ExpressFiles
2012-08-09 13:46 - 2012-08-09 13:46 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-02 13:19 - 2012-08-02 13:19 - 00000816 ____A C:\Users\MS3CORP\Desktop\IDA Demo.lnk
2012-08-02 13:19 - 2012-08-02 13:19 - 00000000 ____D C:\Program Files (x86)\IDA Demo 6.3
2012-07-30 11:34 - 2012-07-30 11:34 - 00000436 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-07-29 20:17 - 2012-07-29 20:17 - 00000970 ____A C:\Users\Public\Desktop\Paint.NET.lnk
2012-07-29 20:17 - 2012-07-29 20:17 - 00000000 ____D C:\Program Files\Paint.NET
2012-07-29 20:16 - 2012-08-07 14:32 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\Paint.NET
2012-07-29 20:13 - 2012-07-29 20:13 - 00000978 ____A C:\Users\MS3CORP\Desktop\Cheat Engine 6.2.lnk
2012-07-29 20:10 - 2012-07-29 20:11 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\dealcabby
2012-07-29 20:10 - 2012-07-29 20:10 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\Shopping Sidekick
2012-07-29 20:09 - 2012-07-29 20:09 - 00000304 ____A C:\user.js
2012-07-29 20:09 - 2012-07-29 20:09 - 00000258 _RASH C:\Users\MS3CORP\ntuser.pol
2012-07-29 13:21 - 2012-07-29 13:21 - 00461998 ____A C:\Windows\dd_vcredistMSI4C9A.txt
2012-07-29 13:21 - 2012-07-29 13:21 - 00011526 ____A C:\Windows\dd_vcredistUI4C9A.txt
2012-07-28 13:27 - 2012-07-28 13:27 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\PDAppFlex
2012-07-28 13:19 - 2012-07-28 13:19 - 00439174 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7D1B.txt
2012-07-28 13:19 - 2012-07-28 13:19 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7D1B.txt
2012-07-28 13:18 - 2012-07-28 13:33 - 00000000 ____D C:\Program Files\Common Files\Adobe
2012-07-28 13:18 - 2012-07-28 13:19 - 00441260 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7CA2.txt
2012-07-28 13:18 - 2012-07-28 13:19 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7CA2.txt
2012-07-28 11:58 - 2012-07-28 11:58 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-07-28 11:57 - 2012-07-28 11:58 - 00000000 ____D C:\Program Files (x86)\Adobe Download Assistant
2012-07-26 10:27 - 2012-07-26 10:27 - 00000000 ____D C:\Program Files (x86)\Cheat Engine 6.2
2012-07-26 09:56 - 2012-07-26 09:57 - 00002392 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk
2012-07-26 07:03 - 2012-07-26 07:03 - 00000924 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-25 17:09 - 2012-07-25 17:09 - 00001830 ____A C:\Users\MS3CORP\Desktop\YTD YouTube Downloader & Converter.lnk
2012-07-21 11:36 - 2012-08-12 17:35 - 00002667 ____A C:\Users\MS3CORP\Desktop\Microsoft Photo Editor.lnk
2012-07-21 11:36 - 2012-07-21 11:36 - 00001846 ____A C:\Users\MS3CORP\Desktop\Chess.lnk
2012-07-21 11:35 - 2012-07-21 11:35 - 00000954 ____A C:\Users\MS3CORP\Desktop\DAEMON Tools Lite.lnk
2012-07-21 11:34 - 2012-07-21 11:34 - 00002629 ____A C:\Users\MS3CORP\Desktop\Microsoft Office PowerPoint 2007.lnk
2012-07-21 11:34 - 2012-07-21 11:34 - 00002425 ____A C:\Users\MS3CORP\Desktop\Adobe Reader 9.lnk
2012-07-21 11:33 - 2012-07-21 11:33 - 00000852 ____A C:\Users\MS3CORP\Desktop\WinRAR.lnk
2012-07-21 11:31 - 2012-07-21 11:31 - 00001751 ____A C:\Users\MS3CORP\Desktop\iTunes.lnk
2012-07-21 11:31 - 2012-07-21 11:31 - 00000975 ____A C:\Users\MS3CORP\Desktop\Platinum Hide IP.lnk
2012-07-21 11:29 - 2012-07-21 11:29 - 00000952 ____A C:\Users\MS3CORP\Desktop\iFunbox.lnk
2012-07-21 11:28 - 2012-07-21 11:28 - 00000759 ____A C:\Users\Public\Desktop\HxD.lnk
2012-07-21 11:21 - 2012-07-21 11:21 - 00001036 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-07-20 14:06 - 2012-07-20 14:06 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\patcher_dl
2012-07-19 16:33 - 2012-07-20 13:37 - 00000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin
2012-07-18 19:50 - 2012-07-18 19:50 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\Macromedia
2012-07-18 19:42 - 2012-07-18 19:42 - 00000000 ____D C:\Users\All Users\Mozilla
2012-07-18 18:58 - 2012-07-18 18:58 - 00000000 ____D C:\Users\MS3CORP\AppData\Local\APN
2012-07-18 18:58 - 2012-07-18 18:58 - 00000000 ____D C:\Program Files (x86)\PlatinumHideIP
2012-07-18 18:40 - 2012-07-18 18:40 - 00000000 ____D C:\Users\MS3CORP\AppData\Roaming\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe
2012-07-18 18:40 - 2012-07-18 18:40 - 00000000 ____D C:\Users\All Users\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe
============ 3 Months Modified Files ========================
2012-08-16 09:24 - 2006-11-02 07:42 - 00032646 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-16 09:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-16 09:22 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-16 09:22 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-16 09:04 - 2006-11-02 04:46 - 00922900 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-16 07:46 - 2012-07-02 10:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-16 07:46 - 2011-12-11 13:58 - 00098220 ____A C:\Windows\PFRO.log
2012-08-16 06:55 - 2012-04-22 08:26 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-16 06:55 - 2011-05-20 12:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-16 06:37 - 2011-08-30 00:09 - 00000600 ____A C:\Users\MS3CORP\AppData\Roaming\winscp.rnd
2012-08-14 02:52 - 2012-08-14 02:52 - 00000984 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-13 05:31 - 2009-07-25 00:18 - 01444696 ____A C:\Windows\WindowsUpdate.log
2012-08-12 17:35 - 2012-07-21 11:36 - 00002667 ____A C:\Users\MS3CORP\Desktop\Microsoft Photo Editor.lnk
2012-08-12 14:15 - 2009-07-30 17:40 - 00006836 ____A C:\Users\MS3CORP\AppData\Local\d3d9caps.dat
2012-08-12 13:58 - 2012-08-12 13:40 - 03317584 ____A C:\Users\MS3CORP\Desktop\Zenonia4_iPhone
2012-08-11 18:02 - 2011-06-09 08:42 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-11 17:59 - 2011-07-23 04:55 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-11 17:58 - 2010-07-09 11:49 - 00937748 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-09 13:19 - 2011-10-02 14:22 - 00000600 ____A C:\Users\MS3CORP\AppData\Local\PUTTY.RND
2012-08-02 13:19 - 2012-08-02 13:19 - 00000816 ____A C:\Users\MS3CORP\Desktop\IDA Demo.lnk
2012-07-30 11:34 - 2012-07-30 11:34 - 00000436 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-07-29 20:17 - 2012-07-29 20:17 - 00000970 ____A C:\Users\Public\Desktop\Paint.NET.lnk
2012-07-29 20:13 - 2012-07-29 20:13 - 00000978 ____A C:\Users\MS3CORP\Desktop\Cheat Engine 6.2.lnk
2012-07-29 20:09 - 2012-07-29 20:09 - 00000304 ____A C:\user.js
2012-07-29 20:09 - 2012-07-29 20:09 - 00000258 _RASH C:\Users\MS3CORP\ntuser.pol
2012-07-29 13:21 - 2012-07-29 13:21 - 00461998 ____A C:\Windows\dd_vcredistMSI4C9A.txt
2012-07-29 13:21 - 2012-07-29 13:21 - 00011526 ____A C:\Windows\dd_vcredistUI4C9A.txt
2012-07-28 23:21 - 2006-11-02 07:21 - 05023928 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-28 13:27 - 2009-07-30 15:49 - 00107424 ____A C:\Users\MS3CORP\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-28 13:19 - 2012-07-28 13:19 - 00439174 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7D1B.txt
2012-07-28 13:19 - 2012-07-28 13:19 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7D1B.txt
2012-07-28 13:19 - 2012-07-28 13:18 - 00441260 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistMSI7CA2.txt
2012-07-28 13:19 - 2012-07-28 13:18 - 00011686 ____A C:\Users\MS3CORP\AppData\Local\dd_vcredistUI7CA2.txt
2012-07-26 09:57 - 2012-07-26 09:56 - 00002392 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk
2012-07-26 07:03 - 2012-07-26 07:03 - 00000924 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-25 17:09 - 2012-07-25 17:09 - 00001830 ____A C:\Users\MS3CORP\Desktop\YTD YouTube Downloader & Converter.lnk
2012-07-21 11:36 - 2012-07-21 11:36 - 00001846 ____A C:\Users\MS3CORP\Desktop\Chess.lnk
2012-07-21 11:35 - 2012-07-21 11:35 - 00000954 ____A C:\Users\MS3CORP\Desktop\DAEMON Tools Lite.lnk
2012-07-21 11:34 - 2012-07-21 11:34 - 00002629 ____A C:\Users\MS3CORP\Desktop\Microsoft Office PowerPoint 2007.lnk
2012-07-21 11:34 - 2012-07-21 11:34 - 00002425 ____A C:\Users\MS3CORP\Desktop\Adobe Reader 9.lnk
2012-07-21 11:33 - 2012-07-21 11:33 - 00000852 ____A C:\Users\MS3CORP\Desktop\WinRAR.lnk
2012-07-21 11:31 - 2012-07-21 11:31 - 00001751 ____A C:\Users\MS3CORP\Desktop\iTunes.lnk
2012-07-21 11:31 - 2012-07-21 11:31 - 00000975 ____A C:\Users\MS3CORP\Desktop\Platinum Hide IP.lnk
2012-07-21 11:29 - 2012-07-21 11:29 - 00000952 ____A C:\Users\MS3CORP\Desktop\iFunbox.lnk
2012-07-21 11:28 - 2012-07-21 11:28 - 00000759 ____A C:\Users\Public\Desktop\HxD.lnk
2012-07-21 11:21 - 2012-07-21 11:21 - 00001036 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-07-13 21:19 - 2010-07-09 12:38 - 00002651 ____A C:\Users\MS3CORP\Desktop\Microsoft Office Word 2007.lnk
2012-07-11 10:00 - 2006-11-02 04:34 - 00000302 ____A C:\Windows\win.ini
2012-07-11 09:57 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-04 12:54 - 2012-07-04 12:54 - 00270360 ____A C:\Windows\Minidump\Mini070412-01.dmp
2012-07-04 12:54 - 2012-01-30 18:42 - 544972947 ____A C:\Windows\MEMORY.DMP
2012-07-03 09:46 - 2012-08-14 02:51 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-30 11:51 - 2011-12-14 12:35 - 00002079 ____A C:\Windows\setupact.log
2012-06-17 08:58 - 2012-06-17 08:58 - 00270360 ____A C:\Windows\Minidump\Mini061712-01.dmp
2012-06-13 05:58 - 2012-07-11 09:55 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:59 - 2012-07-11 08:39 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-11 08:39 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-11 08:39 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-11 08:39 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-11 08:39 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-11 08:39 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-11 08:39 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-22 09:22 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 09:22 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 09:22 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-22 09:22 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 09:22 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 09:22 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-22 09:22 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-22 09:22 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-22 09:22 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-22 09:22 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 11:19 - 2012-06-22 09:22 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:19 - 2012-06-22 09:22 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 11:15 - 2012-06-22 09:22 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 11:12 - 2012-06-22 09:22 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 04:49 - 2012-07-11 09:55 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 09:55 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 09:55 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 09:55 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 09:55 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 09:55 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 09:55 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 09:55 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 09:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 09:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 09:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 09:55 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 09:55 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 09:55 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 09:55 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 09:55 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 09:55 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 09:55 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 09:55 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 09:55 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 09:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 09:55 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 09:55 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 09:55 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 09:55 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 09:55 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 09:55 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 09:55 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 16:22 - 2012-07-11 08:39 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-11 08:39 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-11 08:39 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-11 08:39 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-11 08:39 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

ZeroAccess:
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L\00000004.@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L\201d3dde
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\00000004.@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\00000008.@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\000000cb.@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000000.@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000032.@
C:\Windows\Installer\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000064.@
ZeroAccess:
C:\Users\MS3CORP\AppData\Local\807b2a71
C:\Users\MS3CORP\AppData\Local\807b2a71\@
C:\Users\MS3CORP\AppData\Local\807b2a71\loader.tlb
ZeroAccess:
C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}
C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\@
C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\L
C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U
C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\00000004.@
C:\Users\MS3CORP\AppData\Local\{21ea5d7e-c663-36bd-1cd5-30da70641c4d}\U\80000000.@
ZeroAccess:
C:\Windows\assembly\tmp\U
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 9%
Total physical RAM: 6134.26 MB
Available physical RAM: 5569.32 MB
Total Pagefile: 5944.15 MB
Available Pagefile: 5539.14 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
======================= Partitions =========================
1 Drive c: (OS) (Fixed) (Total:581.1 GB) (Free:458.04 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Removable) (Total:3.82 GB) (Free:0 GB) FAT32
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive x: (RECOVERY) (Fixed) (Total:15 GB) (Free:8.27 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 3913 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 71 MB 32 KB
Partition 2 Primary 15 GB 71 MB
Partition 3 Primary 581 GB 15 GB
==================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 FAT Partition 71 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 X RECOVERY NTFS Partition 15 GB Healthy Boot
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C OS NTFS Partition 581 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3913 MB 0 B
==================================================================================
Disk: 1
There is no partition selected.
There is no partition selected.
Please select a partition and try again.
==================================================================================
Last Boot: 2012-08-16 09:08
======================= End Of Log ==========================
[/spoiler]

Search.txt

Spoiler

Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-16 13:28:52
Running from D:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-06-09 08:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2011-06-09 08:42] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2011-06-09 08:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2011-06-09 08:42] - [2012-08-11 18:02] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
====== End Of Search ======

[Vegeta912]

Oh, whoops. I forgot to put "]" in the first spoiler, and it won't let me edit my post. Sorry about that.

[MrCharlie]

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

[Vegeta912]

 Fixlog.txt   863bytes   3 downloads

It says successful for everything, so I'm guessing that it worked? o.O

[MrCharlie]

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Vegeta912]

ComboFix.txt

Spoiler

ComboFix 12-08-16.01 - MS3CORP 08/16/2012 14:39:35.1.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6134.4049 [GMT -4:00]
Running from: c:\users\MS3CORP\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\WinPCap
c:\program files (x86)\WinPCap\daemon_mgm.exe
c:\program files (x86)\WinPCap\INSTALL.LOG
c:\program files (x86)\WinPCap\npf_mgm.exe
c:\program files (x86)\WinPCap\rpcapd.exe
c:\program files (x86)\WinPCap\Uninstall.exe
c:\windows\SysWow64\drivers\npf.sys
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))
.
.
2012-08-16 21:26 . 2012-08-16 21:26 -------- d-----w- C:\FRST
2012-08-16 18:50 . 2012-08-16 18:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-16 18:32 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BAC49EEB-42A5-481E-8BBE-24A67DE92DD0}\gapaengine.dll
2012-08-16 18:32 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA185178-0238-459B-A31E-812C10602522}\mpengine.dll
2012-08-16 18:30 . 2012-08-16 18:30 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-16 18:30 . 2012-08-16 18:30 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-14 10:51 . 2012-08-14 10:52 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-14 10:51 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-12 01:30 . 2012-08-12 01:30 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\ExpressFiles
2012-08-09 21:46 . 2012-08-09 21:46 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-02 21:19 . 2012-08-02 21:19 -------- d-----w- c:\program files (x86)\IDA Demo 6.3
2012-07-30 04:17 . 2012-07-30 04:17 -------- d-----w- c:\program files\Paint.NET
2012-07-30 04:16 . 2012-08-07 22:32 -------- d-----w- c:\users\MS3CORP\AppData\Local\Paint.NET
2012-07-30 04:10 . 2012-07-30 04:10 -------- d-----w- c:\users\MS3CORP\AppData\Local\Shopping Sidekick
2012-07-30 04:10 . 2012-07-30 04:11 -------- d-----w- c:\users\MS3CORP\AppData\Local\dealcabby
2012-07-30 04:09 . 2012-07-30 04:09 304 ----a-w- C:\user.js
2012-07-28 21:27 . 2012-07-28 21:27 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\PDAppFlex
2012-07-28 21:18 . 2012-07-28 21:33 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-28 19:58 . 2012-07-28 19:58 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-07-28 19:57 . 2012-07-28 19:58 -------- d-----w- c:\program files (x86)\Adobe Download Assistant
2012-07-26 18:27 . 2012-07-26 18:27 -------- d-----w- c:\program files (x86)\Cheat Engine 6.2
2012-07-26 02:36 . 2012-07-30 02:49 -------- d-----w- C:\Downloads
2012-07-20 22:06 . 2012-07-20 22:06 -------- d-----w- c:\users\MS3CORP\AppData\Local\patcher_dl
2012-07-20 00:33 . 2012-07-20 21:37 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2012-07-19 03:50 . 2012-07-19 03:50 -------- d-----w- c:\users\MS3CORP\AppData\Local\Macromedia
2012-07-19 02:58 . 2012-07-19 02:58 -------- d-----w- c:\users\MS3CORP\AppData\Local\APN
2012-07-19 02:58 . 2012-07-19 02:58 -------- d-----w- c:\program files (x86)\PlatinumHideIP
2012-07-19 02:40 . 2012-07-19 02:40 -------- d-----w- c:\users\MS3CORP\AppData\Roaming\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe
2012-07-19 02:40 . 2012-07-19 02:40 -------- d-----w- c:\programdata\C__Users_MS3CORP_Desktop_Platinum Hide IP 3.1.9.6_Crack_PlatinumHideIP.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 18:56 . 2012-04-22 16:26 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-16 18:56 . 2011-05-20 20:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 18:55 . 2012-08-16 18:55 9826504 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-07-11 17:57 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-13 13:58 . 2012-07-11 17:55 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-06-08 17:59 . 2012-07-11 16:39 12899840 ----a-w- c:\windows\system32\shell32.dll
2012-06-05 16:47 . 2012-07-11 16:39 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-05 16:47 . 2012-07-11 16:39 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-05 16:22 . 2012-07-11 16:39 1797120 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:22 . 2012-07-11 16:39 1869824 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:29 . 2012-07-11 16:39 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-22 17:22 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 17:22 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 17:22 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 17:22 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 17:22 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-22 17:22 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-22 17:22 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-22 17:22 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 17:22 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-22 17:22 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-22 17:22 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-22 17:22 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-22 17:22 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-22 17:22 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 12:49 . 2012-07-11 17:55 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-11 17:55 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-11 17:55 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-11 17:55 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-11 17:55 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-11 17:55 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-11 17:55 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-11 17:55 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-11 17:55 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-11 17:55 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-11 17:55 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-11 17:55 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-11 17:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-11 17:55 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-11 17:55 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-11 17:55 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-11 17:55 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 17:55 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 17:55 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 00:22 . 2012-07-11 16:39 347136 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:22 . 2012-07-11 16:39 254464 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 00:05 . 2012-07-11 16:39 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 00:04 . 2012-07-11 16:39 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 00:03 . 2012-07-11 16:39 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-05-18 20:51 . 2012-01-08 20:37 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-14 61440]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"BSDAppUpdater"="c:\program files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [2011-05-11 1660232]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNDA3100 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNDA3100\WNDA3100.exe [2008-4-1 1716224]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-16 250056]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 18:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"combofix"="c:\combofix\CF19785.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\MS3CORP\AppData\Roaming\Mozilla\Firefox\Profiles\d0p6sk9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=3112_7
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - 0e891e5100000000000000223f0b5fa8
FF - user.js: extensions.BabylonToolbar.instlDay - 15551
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.10:09
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
Wow6432Node-HKCU-Run-MediaGet2 - c:\users\MS3CORP\AppData\Local\MediaGet2\mediaget.exe
Wow6432Node-HKLM-Run-BrMfcWnd - c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
AddRemove-WinPcapInst - c:\program files (x86)\WinPcap\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
.
**************************************************************************
.
Completion time: 2012-08-16 15:05:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-16 19:05
.
Pre-Run: 491,191,570,432 bytes free
Post-Run: 491,575,005,184 bytes free
.
- - End Of File - - 189318768D4B89C3FAFB26BDD7E10AA9

[MrCharlie]

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[Vegeta912]

I can finally open a link in my browser without it redirecting to some ad page

There is one problem, though. Whenever I tried to turn on Security Center, it said it couldn't turn it on. Since the infection is removed, I just uninstalled and reinstalled, and now it is fine, but whenever I try to update something I get this error:

http://i46.tinypic.com/15xpml0.jpg

And whenever I try to turn on automatic updating, I get a popup saying Security Center can't change your automatic updating settings.
Do you know any fix for this?

[MrCharlie]

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
    
  • Windows Defender
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

MrC

[Vegeta912]

FSS.txt

Spoiler

Farbar Service Scanner Version: 06-08-2012
Ran by MS3CORP (administrator) on 16-08-2012 at 22:36:20
Running from "C:\Users\MS3CORP\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-16 18:12] - [2012-01-03 10:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-09 20:24] - [2012-03-30 08:45] - 1422720 ____A (Microsoft Corporation) AC8D5728E6AD6A7C4819D9A67008337A
C:\Windows\System32\dnsrslvr.dll
[2011-05-20 16:33] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2011-06-09 12:42] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2011-06-09 12:41] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-06-12 15:17] - [2012-04-23 12:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-06-09 12:42] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF

**** End of log ****

[MrCharlie]

Give this a try.........

Download and install Complete Internet Repair (it will just install to a folder)

http://www.datum-for...ownloads/?did=4

Open up the folder and run CIntRep.exe

Put a check in the box "Repair Windows / Automatic Updates"

Now Hit Go

When done > Reboot

See if it works now.

MrC

[Vegeta912]

It didn't seem to work for me. Should I post the log for it here? Or should I try something else?

[MrCharlie]

Download bits.reg to your desktop, run it and allow it to merge into the registry:
http://download.blee.../vista/BITS.reg

Reboot, see if you can create a new restore point now, MrC

[Vegeta912]

Yeah, that worked perfectly. Where did you learn all of this? You know a solution for everything

[MrCharlie]

Great

A magician never tells his secrets!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!