I see that several others have had the same issue with this. It also said that instructions were for specific computers, so I will start my own.
I have had this issue for a while now. I purchased the full version of MB in hopes that it would help... it has not. I can't get rid of this thing. It is always accompanied by 2 other issues: one is a file and the other a memory process, both svchost.
I am not big on reformatting etc, not even sure I have a disk anymore. I am running Win 7 64bit.
All help and suggestions are appreciated.
Thanks,
Morisk
#1
Posted 21 July 2012 - 04:53 PM
#2
Posted 21 July 2012 - 06:49 PM
Welcome to the forum, please start at the link below:
http://forums.malwar...?showtopic=9573
Post back the 2 logs.....DDS.txt and Attach.txt
<====><====><====><====><====><====><====><====>
Next.......
Please remove any usb or external drives from the computer before you run this scan!
Please download and run RogueKiller to your desktop.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report which should be located on your desktop.
MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#3
Posted 22 July 2012 - 10:39 AM
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Owner at 11:29:25 on 2012-07-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.6901 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://mail.hortech.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\syswow64\userinit.exe,
BHO: {0FF1C4C3-343F-49B0-B613-557EFD390574} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
mRun: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
dRun: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: $talisma_url$
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{8EE4E723-D9AA-4617-9744-B7141FED3950} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: {0FF1C4C3-343F-49B0-B613-557EFD390574} - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
BHO-X64: Panda Security Toolbar - No File
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
mRun-x64: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Owner\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 ElRawDisk;ElRawDisk;\??\C:\Windows\system32\drivers\ElRawDsk.sys --> C:\Windows\system32\drivers\ElRawDsk.sys [?]
R1 PSINKNC;PSINKNC;C:\Windows\system32\DRIVERS\psinknc.sys --> C:\Windows\system32\DRIVERS\psinknc.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-7-22 44808]
R2 BingDesktopUpdate;Bing Desktop Update service;C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-3-30 151656]
R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2012-5-6 1047336]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2011-7-24 517632]
R2 NanoServiceMain;Panda Cloud Antivirus Service;C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2011-4-28 140608]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-23 2253120]
R2 PSINAflt;PSINAflt;C:\Windows\system32\DRIVERS\PSINAflt.sys --> C:\Windows\system32\DRIVERS\PSINAflt.sys [?]
R2 PSINFile;PSINFile;C:\Windows\system32\DRIVERS\PSINFile.sys --> C:\Windows\system32\DRIVERS\PSINFile.sys [?]
R2 PSINProc;PSINProc;C:\Windows\system32\DRIVERS\PSINProc.sys --> C:\Windows\system32\DRIVERS\PSINProc.sys [?]
R2 PSINProt;PSINProt;C:\Windows\system32\DRIVERS\PSINProt.sys --> C:\Windows\system32\DRIVERS\PSINProt.sys [?]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\Windows\system32\drivers\hcw18bda.sys --> C:\Windows\system32\drivers\hcw18bda.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-26 136176]
S2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2012-5-6 1047336]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-7-22 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-8 250056]
S3 FlyUsb;FLY Fusion;C:\Windows\system32\DRIVERS\FlyUsb.sys --> C:\Windows\system32\DRIVERS\FlyUsb.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-26 136176]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;C:\Windows\system32\DRIVERS\btblan.sys --> C:\Windows\system32\DRIVERS\btblan.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-3 113120]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-07-21 00:56:37 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2012-07-20 14:51:14 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-20 14:51:14 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-03 17:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-03 16:21:52 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-07-03 16:21:52 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-07-03 16:21:52 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-07-03 16:21:32 41224 ----a-w- C:\Windows\avastSS.scr
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
.
============= FINISH: 11:31:59.61 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/15/2011 2:25:20 PM
System Uptime: 7/22/2012 10:10:21 AM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | CG5290
Processor: Intel® Core i7 CPU 920 @ 2.67GHz | LGA1366 | 2668/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 679.481 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Android Phone
Device ID: USB\VID_0BB4&PID_0CBA&MI_01\6&58649D0&0&0001
Manufacturer:
Name: Android Phone
PNP Device ID: USB\VID_0BB4&PID_0CBA&MI_01\6&58649D0&0&0001
Service:
.
==== System Restore Points ===================
.
RP181: 7/8/2012 - Scheduled Checkpoint
RP182: 7/15/2012 12:00:05 AM - Scheduled Checkpoint
RP183: 7/21/2012 5:24:09 PM - Windows Live Essentials
RP184: 7/22/2012 9:30:58 AM - avast! Free Antivirus Setup
RP185: 7/22/2012 9:32:05 AM - avast! Free Antivirus Setup
RP186: 7/22/2012 9:57:44 AM - avast! Free Antivirus Setup
RP187: 7/22/2012 10:02:29 AM - Windows Live Essentials
RP188: 7/22/2012 10:03:03 AM - Installed DirectX
RP189: 7/22/2012 10:03:21 AM - Installed DirectX
RP190: 7/22/2012 10:04:05 AM - WLSetup
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.5
Amazon MP3 Downloader 1.0.12
Apple Application Support
Apple Software Update
avast! Free Antivirus
Bing Desktop
Curse Client
D3DX10
Dropbox
eReg
Facebook Photo Uploader
Facebook Video Calling 1.2.0.159
Google Chrome
Google Earth
Google Update Helper
HP Officejet Pro 8500 A910 Help
HP Update
Hulu Desktop
I.R.I.S. OCR
Internet TV for Windows Media Center
iolo technologies' System Mechanic
Java Auto Updater
Java 6 Update 31
Junk Mail filter update
K-Lite Codec Pack 7.0.0 (Standard)
LeapFrog Connect
LeapFrog LeapPad Explorer Plugin
LeapFrog Tag Plugin
Logitech Harmony Remote Software 7
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
Mumble 1.2.3
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
Panda Cloud Antivirus
Panda Security Toolbar
Panda Security URL Filtering
Picasa 3
QuickTime
Remote Control USB Driver
Rootkit Unhooker Uninstall
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Spotify
Spybot - Search & Destroy
TERA
Toolbar Cleaner 1.0
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Use the entry named LeapFrog Connect to uninstall (LeapFrog LeapPad Explorer Plugin)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Center Add-in for Silverlight
World of Warcraft
World of Warcraft Beta
.
==== Event Viewer Messages From Past Week ========
.
7/22/2012 9:13:45 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Portable Device Enumerator Service service, but this action failed with the following error: An instance of the service is already running.
7/22/2012 9:13:45 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Human Interface Device Access service, but this action failed with the following error: An instance of the service is already running.
7/22/2012 9:12:45 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error: Circular service dependency was specified.
7/22/2012 9:12:45 AM, Error: Service Control Manager [7019] - The Windows Audio Endpoint Builder service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.
7/22/2012 9:12:45 AM, Error: Service Control Manager [7017] - Detected circular dependencies demand starting Windows Audio Endpoint Builder. Check the service dependency tree.
7/22/2012 9:12:33 AM, Error: Service Control Manager [7031] - The Network Store Interface Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/22/2012 9:12:29 AM, Error: Service Control Manager [7034] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 5 time(s).
7/22/2012 9:12:29 AM, Error: Service Control Manager [7001] - The User Profile Service service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The pipe has been ended.
7/22/2012 9:12:29 AM, Error: Service Control Manager [7001] - The System Event Notification Service service depends on the COM+ Event System service which failed to start because of the following error: The operation completed successfully.
7/22/2012 9:12:29 AM, Error: Service Control Manager [7000] - The Remote Procedure Call (RPC) service failed to start due to the following error: The pipe has been ended.
7/22/2012 9:12:22 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DHCP Client service to connect.
7/22/2012 9:12:22 AM, Error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:12:21 AM, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:12:15 AM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:12:15 AM, Error: Service Control Manager [7024] - The Remote Procedure Call (RPC) service terminated with service-specific error Access is denied..
7/22/2012 9:12:15 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network Connections service to connect.
7/22/2012 9:12:15 AM, Error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:12:10 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DNS Client service to connect.
7/22/2012 9:12:10 AM, Error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:12:07 AM, Error: Service Control Manager [7034] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 4 time(s).
7/22/2012 9:12:07 AM, Error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:11:53 AM, Error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Windows Audio Endpoint Builder service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Human Interface Device Access service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:44 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network Store Interface Service service to connect.
7/22/2012 9:11:44 AM, Error: Service Control Manager [7000] - The Network Store Interface Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:30 AM, Error: Service Control Manager [7034] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 3 time(s).
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Update service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Event Log service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Shell Hardware Detection service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Server service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Experience service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Windows Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Windows Event Log service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Application Experience service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:28 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Themes service to connect.
7/22/2012 9:11:28 AM, Error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:27 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Diagnostic Policy Service service to connect.
7/22/2012 9:11:27 AM, Error: Service Control Manager [7000] - The Diagnostic Policy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Multimedia Class Scheduler service to connect.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Multimedia Class Scheduler service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7000] - The Plug and Play service failed to start due to the following error: The pipe has been ended.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:20 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the RPC Endpoint Mapper service, but this action failed with the following error: An instance of the service is already running.
7/22/2012 9:11:17 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Cryptographic Services service to connect.
7/22/2012 9:11:17 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:17 AM, Error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Remote Desktop Services service to connect.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DCOM Server Process Launcher service to connect.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7000] - The Remote Desktop Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7000] - The DCOM Server Process Launcher service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:07 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 9:10:49 AM, Error: Service Control Manager [7031] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The Windows Event Log service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the TCP/IP NetBIOS Helper service to connect.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7000] - The TCP/IP NetBIOS Helper service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Remote Desktop Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7024] - The Remote Procedure Call (RPC) service terminated with service-specific error The type universal unique identifier (UUID) has already been registered..
7/22/2012 9:10:10 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The operation completed successfully.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Power service, but this action failed with the following error: A system shutdown has already been scheduled.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7031] - The Power service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:09:50 AM, Error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:09:46 AM, Error: Service Control Manager [7001] - The COM+ Event System service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The operation completed successfully.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WinHTTP Web Proxy Auto-Discovery Service service to connect.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network List Service service to connect.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7000] - The Network List Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7034] - The Function Discovery Provider Host service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The WinHTTP Web Proxy Auto-Discovery Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The Network Store Interface Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The Network List Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
7/22/2012 9:09:27 AM, Error: Service Control Manager [7031] - The Diagnostic Policy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:09:20 AM, Error: Service Control Manager [7031] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:09:15 AM, Error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 9:04:10 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
7/22/2012 9:04:10 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:04:10 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/22/2012 9:04:01 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/22/2012 9:04:01 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7001] - The Windows Driver Foundation - User-mode Driver Framework service depends on the Plug and Play service which failed to start because of the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Plug and Play service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Human Interface Device Access service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Distributed Link Tracking Client service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Desktop Window Manager Session Manager service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:39:21 AM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 11:26:20 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {88F5E7B2-09B9-471E-895A-25247585905C} and APPID Unavailable to the user Owner-PC\UpdatusUser SID (S-1-5-21-2064912402-3754680767-1499082353-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/22/2012 11:21:19 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
7/22/2012 11:21:19 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
7/22/2012 11:16:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: luafv
7/22/2012 11:15:55 AM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
7/22/2012 11:15:55 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
7/22/2012 11:15:51 AM, Error: Service Control Manager [7000] - The iolo FileInfoList Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
7/22/2012 11:15:45 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
7/22/2012 11:15:38 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/21/2012 5:27:45 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
7/21/2012 2:06:26 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
7/19/2012 11:00:12 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
7/19/2012 10:41:05 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
.
==== End Of File ===========================
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Owner at 11:29:25 on 2012-07-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.6901 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://mail.hortech.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\syswow64\userinit.exe,
BHO: {0FF1C4C3-343F-49B0-B613-557EFD390574} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
mRun: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
dRun: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: $talisma_url$
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{8EE4E723-D9AA-4617-9744-B7141FED3950} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: {0FF1C4C3-343F-49B0-B613-557EFD390574} - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
BHO-X64: Panda Security Toolbar - No File
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
mRun-x64: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Owner\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 ElRawDisk;ElRawDisk;\??\C:\Windows\system32\drivers\ElRawDsk.sys --> C:\Windows\system32\drivers\ElRawDsk.sys [?]
R1 PSINKNC;PSINKNC;C:\Windows\system32\DRIVERS\psinknc.sys --> C:\Windows\system32\DRIVERS\psinknc.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-7-22 44808]
R2 BingDesktopUpdate;Bing Desktop Update service;C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-3-30 151656]
R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2012-5-6 1047336]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2011-7-24 517632]
R2 NanoServiceMain;Panda Cloud Antivirus Service;C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2011-4-28 140608]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-23 2253120]
R2 PSINAflt;PSINAflt;C:\Windows\system32\DRIVERS\PSINAflt.sys --> C:\Windows\system32\DRIVERS\PSINAflt.sys [?]
R2 PSINFile;PSINFile;C:\Windows\system32\DRIVERS\PSINFile.sys --> C:\Windows\system32\DRIVERS\PSINFile.sys [?]
R2 PSINProc;PSINProc;C:\Windows\system32\DRIVERS\PSINProc.sys --> C:\Windows\system32\DRIVERS\PSINProc.sys [?]
R2 PSINProt;PSINProt;C:\Windows\system32\DRIVERS\PSINProt.sys --> C:\Windows\system32\DRIVERS\PSINProt.sys [?]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\Windows\system32\drivers\hcw18bda.sys --> C:\Windows\system32\drivers\hcw18bda.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-26 136176]
S2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2012-5-6 1047336]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-7-22 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-8 250056]
S3 FlyUsb;FLY Fusion;C:\Windows\system32\DRIVERS\FlyUsb.sys --> C:\Windows\system32\DRIVERS\FlyUsb.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-26 136176]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;C:\Windows\system32\DRIVERS\btblan.sys --> C:\Windows\system32\DRIVERS\btblan.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-3 113120]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-07-21 00:56:37 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2012-07-20 14:51:14 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-20 14:51:14 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-03 17:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-03 16:21:52 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-07-03 16:21:52 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-07-03 16:21:52 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-07-03 16:21:32 41224 ----a-w- C:\Windows\avastSS.scr
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
.
============= FINISH: 11:31:59.61 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/15/2011 2:25:20 PM
System Uptime: 7/22/2012 10:10:21 AM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | CG5290
Processor: Intel® Core i7 CPU 920 @ 2.67GHz | LGA1366 | 2668/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 679.481 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Android Phone
Device ID: USB\VID_0BB4&PID_0CBA&MI_01\6&58649D0&0&0001
Manufacturer:
Name: Android Phone
PNP Device ID: USB\VID_0BB4&PID_0CBA&MI_01\6&58649D0&0&0001
Service:
.
==== System Restore Points ===================
.
RP181: 7/8/2012 - Scheduled Checkpoint
RP182: 7/15/2012 12:00:05 AM - Scheduled Checkpoint
RP183: 7/21/2012 5:24:09 PM - Windows Live Essentials
RP184: 7/22/2012 9:30:58 AM - avast! Free Antivirus Setup
RP185: 7/22/2012 9:32:05 AM - avast! Free Antivirus Setup
RP186: 7/22/2012 9:57:44 AM - avast! Free Antivirus Setup
RP187: 7/22/2012 10:02:29 AM - Windows Live Essentials
RP188: 7/22/2012 10:03:03 AM - Installed DirectX
RP189: 7/22/2012 10:03:21 AM - Installed DirectX
RP190: 7/22/2012 10:04:05 AM - WLSetup
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.5
Amazon MP3 Downloader 1.0.12
Apple Application Support
Apple Software Update
avast! Free Antivirus
Bing Desktop
Curse Client
D3DX10
Dropbox
eReg
Facebook Photo Uploader
Facebook Video Calling 1.2.0.159
Google Chrome
Google Earth
Google Update Helper
HP Officejet Pro 8500 A910 Help
HP Update
Hulu Desktop
I.R.I.S. OCR
Internet TV for Windows Media Center
iolo technologies' System Mechanic
Java Auto Updater
Java 6 Update 31
Junk Mail filter update
K-Lite Codec Pack 7.0.0 (Standard)
LeapFrog Connect
LeapFrog LeapPad Explorer Plugin
LeapFrog Tag Plugin
Logitech Harmony Remote Software 7
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
Mumble 1.2.3
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
Panda Cloud Antivirus
Panda Security Toolbar
Panda Security URL Filtering
Picasa 3
QuickTime
Remote Control USB Driver
Rootkit Unhooker Uninstall
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Spotify
Spybot - Search & Destroy
TERA
Toolbar Cleaner 1.0
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Use the entry named LeapFrog Connect to uninstall (LeapFrog LeapPad Explorer Plugin)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Center Add-in for Silverlight
World of Warcraft
World of Warcraft Beta
.
==== Event Viewer Messages From Past Week ========
.
7/22/2012 9:13:45 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Portable Device Enumerator Service service, but this action failed with the following error: An instance of the service is already running.
7/22/2012 9:13:45 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Human Interface Device Access service, but this action failed with the following error: An instance of the service is already running.
7/22/2012 9:12:45 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error: Circular service dependency was specified.
7/22/2012 9:12:45 AM, Error: Service Control Manager [7019] - The Windows Audio Endpoint Builder service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.
7/22/2012 9:12:45 AM, Error: Service Control Manager [7017] - Detected circular dependencies demand starting Windows Audio Endpoint Builder. Check the service dependency tree.
7/22/2012 9:12:33 AM, Error: Service Control Manager [7031] - The Network Store Interface Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/22/2012 9:12:29 AM, Error: Service Control Manager [7034] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 5 time(s).
7/22/2012 9:12:29 AM, Error: Service Control Manager [7001] - The User Profile Service service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The pipe has been ended.
7/22/2012 9:12:29 AM, Error: Service Control Manager [7001] - The System Event Notification Service service depends on the COM+ Event System service which failed to start because of the following error: The operation completed successfully.
7/22/2012 9:12:29 AM, Error: Service Control Manager [7000] - The Remote Procedure Call (RPC) service failed to start due to the following error: The pipe has been ended.
7/22/2012 9:12:22 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DHCP Client service to connect.
7/22/2012 9:12:22 AM, Error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:12:21 AM, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:12:15 AM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:12:15 AM, Error: Service Control Manager [7024] - The Remote Procedure Call (RPC) service terminated with service-specific error Access is denied..
7/22/2012 9:12:15 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network Connections service to connect.
7/22/2012 9:12:15 AM, Error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:12:10 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DNS Client service to connect.
7/22/2012 9:12:10 AM, Error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:12:07 AM, Error: Service Control Manager [7034] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 4 time(s).
7/22/2012 9:12:07 AM, Error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:11:53 AM, Error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Windows Audio Endpoint Builder service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Human Interface Device Access service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:45 AM, Error: Service Control Manager [7031] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:11:44 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network Store Interface Service service to connect.
7/22/2012 9:11:44 AM, Error: Service Control Manager [7000] - The Network Store Interface Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:30 AM, Error: Service Control Manager [7034] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 3 time(s).
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Update service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Event Log service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Shell Hardware Detection service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Server service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Experience service to connect.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Windows Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Windows Event Log service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:29 AM, Error: Service Control Manager [7000] - The Application Experience service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:28 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Themes service to connect.
7/22/2012 9:11:28 AM, Error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:27 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Diagnostic Policy Service service to connect.
7/22/2012 9:11:27 AM, Error: Service Control Manager [7000] - The Diagnostic Policy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Multimedia Class Scheduler service to connect.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Multimedia Class Scheduler service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7000] - The Plug and Play service failed to start due to the following error: The pipe has been ended.
7/22/2012 9:11:22 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:20 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the RPC Endpoint Mapper service, but this action failed with the following error: An instance of the service is already running.
7/22/2012 9:11:17 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Cryptographic Services service to connect.
7/22/2012 9:11:17 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:17 AM, Error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Remote Desktop Services service to connect.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DCOM Server Process Launcher service to connect.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7000] - The Remote Desktop Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:16 AM, Error: Service Control Manager [7000] - The DCOM Server Process Launcher service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:11:07 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 9:10:49 AM, Error: Service Control Manager [7031] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:28 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The Windows Event Log service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7031] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the TCP/IP NetBIOS Helper service to connect.
7/22/2012 9:10:22 AM, Error: Service Control Manager [7000] - The TCP/IP NetBIOS Helper service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Remote Desktop Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:10:10 AM, Error: Service Control Manager [7024] - The Remote Procedure Call (RPC) service terminated with service-specific error The type universal unique identifier (UUID) has already been registered..
7/22/2012 9:10:10 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The operation completed successfully.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Power service, but this action failed with the following error: A system shutdown has already been scheduled.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7031] - The Power service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:09:56 AM, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
7/22/2012 9:09:50 AM, Error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/22/2012 9:09:46 AM, Error: Service Control Manager [7001] - The COM+ Event System service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The operation completed successfully.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WinHTTP Web Proxy Auto-Discovery Service service to connect.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network List Service service to connect.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:09:45 AM, Error: Service Control Manager [7000] - The Network List Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7034] - The Function Discovery Provider Host service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The WinHTTP Web Proxy Auto-Discovery Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The Network Store Interface Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The Network List Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
7/22/2012 9:09:43 AM, Error: Service Control Manager [7031] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
7/22/2012 9:09:27 AM, Error: Service Control Manager [7031] - The Diagnostic Policy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:09:20 AM, Error: Service Control Manager [7031] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/22/2012 9:09:15 AM, Error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 9:04:10 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
7/22/2012 9:04:10 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 9:04:10 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/22/2012 9:04:01 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/22/2012 9:04:01 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7001] - The Windows Driver Foundation - User-mode Driver Framework service depends on the Plug and Play service which failed to start because of the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Plug and Play service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Human Interface Device Access service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Distributed Link Tracking Client service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:41:21 AM, Error: Service Control Manager [7000] - The Desktop Window Manager Session Manager service failed to start due to the following error: A system shutdown is in progress.
7/22/2012 12:39:21 AM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 1 time(s).
7/22/2012 11:26:20 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {88F5E7B2-09B9-471E-895A-25247585905C} and APPID Unavailable to the user Owner-PC\UpdatusUser SID (S-1-5-21-2064912402-3754680767-1499082353-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/22/2012 11:21:19 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
7/22/2012 11:21:19 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
7/22/2012 11:16:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: luafv
7/22/2012 11:15:55 AM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
7/22/2012 11:15:55 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
7/22/2012 11:15:51 AM, Error: Service Control Manager [7000] - The iolo FileInfoList Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
7/22/2012 11:15:45 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
7/22/2012 11:15:38 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/21/2012 5:27:45 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
7/21/2012 2:06:26 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
7/19/2012 11:00:12 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
7/19/2012 10:41:05 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
.
==== End Of File ===========================
#4
Posted 22 July 2012 - 10:42 AM
RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Date: 07/22/2012 11:40:52
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 10 ¤¤¤
[Rans.Gendarm] HKUS\S-1-5-19[...]\Run : Update (rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\iolo\iolo\yvfpemrj.dll",DllRegisterServer) -> FOUND
[Rans.Gendarm] HKUS\S-1-5-20[...]\Run : Update (rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\iolo\iolo\yvfpemrj.dll",DllRegisterServer) -> FOUND
[Rans.Gendarm] HKUS\S-1-5-21-2064912402-3754680767-1499082353-1003[...]\Run : Update (rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\iolo\iolo\yvfpemrj.dll",DllRegisterServer) -> FOUND
[SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4}.job @ : C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess|Rans.Gendarm ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
[...]
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] caa0e4f9b86e472ab2695c4a79329e44
[BSP] 81010de7eee2a39357903369d8d12b73 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
#5
Posted 22 July 2012 - 10:43 AM
Your computer is infected with a nasty rootkit. Please read the following information first.
-----------------------------------------
Please make sure system restore is running and create a new restore point before continuing!
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
How to tell > 32 or 64 bit
Plug the flash drive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
Now press the Search button
When the search is complete, search.txt will also be written to your USB
Type exit and reboot the computer normally
Please copy and paste both logs in your reply (FRST.txt and Search.txt).
MrC
Quote
You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.
BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#6
Posted 22 July 2012 - 11:15 AM
Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 22-07-2012 12:07:22
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-10-07] (Logitech, Inc.)
HKLM-x32\...\Run: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe" [217256 2012-03-19] (Panda Security)
HKLM-x32\...\Run: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar [439616 2011-04-28] (Panda Security, S.L.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4273976 2012-07-03] (AVAST Software)
HKU\Owner\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2012-02-23] (Apple Inc.)
HKU\Owner\...\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59240 2012-02-23] (Apple Inc.)
HKU\Owner\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\UpdatusUser\...\Run: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\iolo\iolo\yvfpemrj.dll",DllRegisterServer [x]
HKLM-x32\...\Winlogon: [Userinit] c:\windows\syswow64\userinit.exe, [x]
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
==================== Services (Whitelisted) ======
2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [111616 2009-06-05] (Andrea Electronics Corporation)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-07-03] (AVAST Software)
2 BingDesktopUpdate; "C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe" [151656 2012-03-30] (Microsoft Corp.)
2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [6684304 2012-03-16] (Carbonite, Inc. (www.carbonite.com))
2 ioloFileInfoList; "C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe" [1047336 2012-04-17] (iolo technologies, LLC)
2 ioloSystemService; "C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe" [1047336 2012-04-17] (iolo technologies, LLC)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [517632 2011-06-30] (Alcatel-Lucent)
2 NanoServiceMain; "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe" [140608 2011-04-28] (Panda Security, S.L.)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
========================== Drivers (Whitelisted) =============
3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [475136 2009-06-05] (Analog Devices, Inc.)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-07-03] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71064 2012-07-03] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-07-03] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [958400 2012-07-03] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [355856 2012-07-03] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-07-03] (AVAST Software)
1 ElRawDisk; \??\C:\Windows\system32\drivers\ElRawDsk.sys [23464 2008-12-09] (EldoS Corporation)
3 FlyUsb; C:\Windows\System32\Drivers\FlyUsb.sys [24576 2008-04-01] (LeapFrog)
3 hcw18bda; C:\Windows\System32\Drivers\hcw18bda.sys [509056 2009-05-28] (Hauppauge Computer Works, Inc)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
2 PSINAflt; C:\Windows\System32\Drivers\PSINAflt.sys [161032 2012-01-05] (Panda Security, S.L.)
2 PSINFile; C:\Windows\System32\Drivers\PSINFile.sys [114760 2011-04-28] (Panda Security, S.L.)
1 PSINKNC; C:\Windows\System32\Drivers\PSINKNC.sys [149768 2011-11-23] (Panda Security, S.L.)
2 PSINProc; C:\Windows\System32\Drivers\PSINProc.sys [121928 2011-04-28] (Panda Security, S.L.)
2 PSINProt; C:\Windows\System32\Drivers\PSINProt.sys [128264 2011-11-30] (Panda Security, S.L.)
3 rkhdrv40; C:\Windows\SysWow64\Drivers\rkhdrv40.sys [24448 2012-03-28] ()
3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [x]
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-07-22 12:07 - 2012-07-22 12:07 - 00000000 ____D C:\FRST
2012-07-22 07:57 - 2012-07-22 07:57 - 01437781 ____A (Farbar) C:\Users\Owner\Downloads\FRST64.exe
2012-07-22 07:40 - 2012-07-22 07:40 - 01552384 ____A C:\Users\Owner\Downloads\RogueKiller.exe
2012-07-22 07:40 - 2012-07-22 07:40 - 00003181 ____A C:\Users\Owner\Desktop\RKreport[1].txt
2012-07-22 07:40 - 2012-07-22 07:40 - 00000000 ____D C:\Users\Owner\Desktop\RK_Quarantine
2012-07-22 07:35 - 2012-07-22 07:35 - 00033234 ____A C:\Users\Owner\Desktop\Attach.txt
2012-07-22 07:35 - 2012-07-22 07:35 - 00016255 ____A C:\Users\Owner\Desktop\DDS.txt
2012-07-22 07:29 - 2012-07-22 07:29 - 00000000 ____D C:\avast! sandbox
2012-07-22 07:28 - 2012-07-22 07:28 - 00607260 ____R (Swearware) C:\Users\Owner\Downloads\dds.scr
2012-07-22 06:06 - 2012-07-22 06:06 - 00000000 ____D C:\Windows\en
2012-07-22 06:04 - 2012-07-22 06:04 - 00000000 ____D C:\Program Files\Windows Live
2012-07-22 06:03 - 2012-07-22 06:03 - 00000380 ____A C:\Windows\DirectX.log
2012-07-22 06:01 - 2012-07-22 06:01 - 00000000 ____D C:\Users\Owner\AppData\Local\{5FBBC42B-C96B-49A1-84F6-9054E9A4FF89}
2012-07-22 06:00 - 2012-07-22 06:01 - 00000000 ____D C:\Users\Owner\AppData\Local\{48839BB2-B6E6-4C29-BEB6-FD5062DDA27B}
2012-07-22 06:00 - 2012-07-22 06:00 - 00000000 ____D C:\Users\Owner\AppData\Local\{D98C2AB7-D16F-4064-B8F9-DECC7A3E6201}
2012-07-22 06:00 - 2012-07-22 06:00 - 00000000 ____D C:\Users\Owner\AppData\Local\{509F6C97-D93A-40EC-93FD-0444AA4396D3}
2012-07-22 06:00 - 2012-07-22 06:00 - 00000000 ____D C:\Users\Owner\AppData\Local\{23BC7DB4-9E7C-481A-913F-757E7D46E826}
2012-07-22 05:59 - 2012-07-22 07:22 - 00002091 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-22 05:59 - 2012-07-22 06:00 - 00000000 ____D C:\Users\Owner\AppData\Local\{7C18DAFB-3603-4A0E-B9D6-3CF8C8046D3E}
2012-07-22 05:59 - 2012-07-22 05:59 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-07-22 05:59 - 2012-07-03 08:21 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-22 05:59 - 2012-07-03 08:21 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-22 05:59 - 2012-07-03 08:21 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-07-22 05:59 - 2012-07-03 08:21 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-22 05:59 - 2012-07-03 08:21 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-22 05:59 - 2012-07-03 08:21 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-07-22 05:59 - 2012-07-03 08:21 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-22 05:58 - 2012-07-03 08:21 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-22 05:58 - 2012-07-03 08:21 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-22 05:50 - 2011-12-22 12:11 - 00000833 ____A C:\Windows\System32\Drivers\etc\hosts.20120722-095005.backup
2012-07-22 05:31 - 2012-07-22 05:57 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-07-22 05:31 - 2012-07-22 05:57 - 00000000 ____D C:\Program Files\AVAST Software
2012-07-22 05:30 - 2012-07-22 05:57 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-07-22 05:30 - 2012-07-22 05:36 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-07-22 05:30 - 2012-07-22 05:30 - 00001262 ____A C:\Users\Owner\Desktop\Spybot - Search & Destroy.lnk
2012-07-22 05:27 - 2012-07-22 05:29 - 89340632 ____A C:\Users\Owner\Downloads\avast_free_antivirus_setup.exe
2012-07-22 05:27 - 2012-07-22 05:27 - 16409960 ____A (Safer Networking Limited ) C:\Users\Owner\Downloads\spybotsd162.exe
2012-07-22 05:03 - 2012-07-22 07:15 - 00000168 ____A C:\Windows\setupact.log
2012-07-22 05:03 - 2012-07-22 05:03 - 00000712 ____A C:\Windows\PFRO.log
2012-07-22 05:03 - 2012-07-22 05:03 - 00000000 ____A C:\Windows\setuperr.log
2012-07-21 22:04 - 2012-07-21 22:04 - 03889704 ____A (Piriform Ltd) C:\Users\Owner\Downloads\ccsetup320.exe
2012-07-21 20:19 - 2012-07-21 20:19 - 00000000 ____D C:\Windows\Hewlett-Packard
2012-07-21 10:51 - 2012-07-21 10:51 - 00000000 ____D C:\Users\Owner\AppData\Local\{AA546CA1-9F58-43B8-866E-B1BD2E877BB3}
2012-07-21 10:38 - 2012-07-21 10:46 - 00000000 ____D C:\Users\Owner\My Movies
2012-07-21 10:35 - 2012-07-21 10:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\HandBrake
2012-07-21 10:19 - 2012-07-21 10:19 - 07210075 ____A C:\Users\Owner\Downloads\HandBrake-0.9.8-x86_64-Win_GUI.exe
2012-07-20 20:44 - 2012-07-20 20:44 - 00016600 ____A C:\Users\Owner\Documents\cc_20120721_004442.reg
2012-07-20 20:39 - 2012-07-20 20:39 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-20 20:39 - 2012-07-20 20:39 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-20 20:39 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-20 20:38 - 2012-07-20 20:38 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-20 16:56 - 2012-07-20 16:56 - 00000000 ____D C:\Users\Owner\AppData\Local\Logishrd
2012-07-20 16:55 - 2012-07-20 16:55 - 00000000 ____D C:\Program Files\Logitech
2012-07-20 13:39 - 2012-07-20 13:39 - 00000000 ____D C:\Users\Owner\AppData\Local\Macromedia
2012-07-19 19:32 - 2012-07-19 19:32 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-06-30 06:51 - 2012-07-07 08:37 - 00000804 ____A C:\Windows\Tasks\hpwebreg_CN14LBK29F.job
2012-06-30 06:25 - 2012-07-21 20:19 - 00000000 ____D C:\Users\Owner\AppData\Roaming\HpUpdate
2012-06-30 06:25 - 2012-06-30 06:25 - 00002224 ____A C:\Users\Public\Desktop\HP Officejet Pro 8500 A910.lnk
2012-06-30 06:25 - 2012-06-30 06:25 - 00001896 ____A C:\Users\Public\Desktop\HP ePrintCenter - HP Officejet Pro 8500 A910.lnk
2012-06-30 06:25 - 2012-06-30 06:25 - 00001224 ____A C:\Users\Public\Desktop\HP Officejet Pro 8500 A910 Scan.lnk
2012-06-30 06:25 - 2012-06-30 06:25 - 00001187 ____A C:\Users\Public\Desktop\Shop for Supplies - HP Officejet Pro 8500 A910.lnk
2012-06-30 06:25 - 2010-11-16 17:24 - 00750440 ____N (Hewlett-Packard Co.) C:\Windows\System32\HPDiscoPM5312.dll
2012-06-30 06:24 - 2012-06-30 06:52 - 00000000 ____D C:\Users\Owner\AppData\Local\HP
2012-06-30 06:23 - 2012-06-30 06:23 - 01450884 ____A C:\Users\Owner\Downloads\HP_Officejet_Pro_8500_A910g_productname_patch.exe
2012-06-30 06:22 - 2012-06-30 06:23 - 37106248 ____A (Hewlett-Packard Company / Igor Pavlov) C:\Users\Owner\Downloads\HPPV-3_0_0-x64.exe
2012-06-30 06:11 - 2012-06-30 06:13 - 122098432 ____A C:\Users\Owner\Downloads\OJ8500_A910_231.exe
2012-06-24 09:24 - 2012-06-24 09:24 - 00000318 ____A C:\Users\Owner\Desktop\Curse Client.appref-ms
2012-06-24 09:19 - 2012-06-24 09:19 - 00000000 ____D C:\Users\Owner\Documents\My Curse
2012-06-22 09:07 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-22 09:07 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-22 09:07 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-22 09:07 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-22 09:07 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-22 09:07 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-22 09:07 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-22 09:06 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-22 09:06 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
============ 3 Months Modified Files ========================
2012-07-22 08:02 - 2012-03-24 12:24 - 01336566 ____A C:\Windows\WindowsUpdate.log
2012-07-22 07:58 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-22 07:57 - 2012-07-22 07:57 - 01437781 ____A (Farbar) C:\Users\Owner\Downloads\FRST64.exe
2012-07-22 07:52 - 2012-01-26 16:32 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-22 07:51 - 2012-04-08 06:18 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-22 07:40 - 2012-07-22 07:40 - 01552384 ____A C:\Users\Owner\Downloads\RogueKiller.exe
2012-07-22 07:40 - 2012-07-22 07:40 - 00003181 ____A C:\Users\Owner\Desktop\RKreport[1].txt
2012-07-22 07:35 - 2012-07-22 07:35 - 00033234 ____A C:\Users\Owner\Desktop\Attach.txt
2012-07-22 07:35 - 2012-07-22 07:35 - 00016255 ____A C:\Users\Owner\Desktop\DDS.txt
2012-07-22 07:28 - 2012-07-22 07:28 - 00607260 ____R (Swearware) C:\Users\Owner\Downloads\dds.scr
2012-07-22 07:23 - 2009-07-13 20:45 - 00015024 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-22 07:23 - 2009-07-13 20:45 - 00015024 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-22 07:22 - 2012-07-22 05:59 - 00002091 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-22 07:22 - 2011-01-15 11:43 - 00000991 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-07-22 07:21 - 2012-01-26 16:32 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-22 07:16 - 2011-01-19 09:31 - 00026934 ____A C:\Windows\SysWOW64\temp.txt
2012-07-22 07:15 - 2012-07-22 05:03 - 00000168 ____A C:\Windows\setupact.log
2012-07-22 07:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-22 06:03 - 2012-07-22 06:03 - 00000380 ____A C:\Windows\DirectX.log
2012-07-22 05:59 - 2012-07-22 05:59 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-07-22 05:30 - 2012-07-22 05:30 - 00001262 ____A C:\Users\Owner\Desktop\Spybot - Search & Destroy.lnk
2012-07-22 05:29 - 2012-07-22 05:27 - 89340632 ____A C:\Users\Owner\Downloads\avast_free_antivirus_setup.exe
2012-07-22 05:27 - 2012-07-22 05:27 - 16409960 ____A (Safer Networking Limited ) C:\Users\Owner\Downloads\spybotsd162.exe
2012-07-22 05:10 - 2009-07-13 21:08 - 00032588 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-22 05:03 - 2012-07-22 05:03 - 00000712 ____A C:\Windows\PFRO.log
2012-07-22 05:03 - 2012-07-22 05:03 - 00000000 ____A C:\Windows\setuperr.log
2012-07-22 03:31 - 2011-07-11 07:54 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2064912402-3754680767-1499082353-1000UA.job
2012-07-21 22:04 - 2012-07-21 22:04 - 03889704 ____A (Piriform Ltd) C:\Users\Owner\Downloads\ccsetup320.exe
2012-07-21 20:40 - 2011-01-17 06:33 - 00007605 ____A C:\Users\Owner\AppData\Local\resmon.resmoncfg
2012-07-21 15:31 - 2011-07-11 07:54 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2064912402-3754680767-1499082353-1000Core.job
2012-07-21 10:19 - 2012-07-21 10:19 - 07210075 ____A C:\Users\Owner\Downloads\HandBrake-0.9.8-x86_64-Win_GUI.exe
2012-07-20 20:44 - 2012-07-20 20:44 - 00016600 ____A C:\Users\Owner\Documents\cc_20120721_004442.reg
2012-07-20 20:39 - 2012-07-20 20:39 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-20 20:38 - 2012-07-20 20:38 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-20 16:56 - 2011-09-30 18:14 - 00018960 ____A (Logitech, Inc.) C:\Windows\System32\Drivers\LNonPnP.sys
2012-07-20 06:51 - 2012-04-08 06:18 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-20 06:51 - 2011-08-18 12:22 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-12 11:53 - 2012-05-06 14:05 - 00002344 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-07 08:37 - 2012-06-30 06:51 - 00000804 ____A C:\Windows\Tasks\hpwebreg_CN14LBK29F.job
2012-07-03 09:46 - 2012-07-20 20:39 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 08:21 - 2012-07-22 05:59 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-03 08:21 - 2012-07-22 05:59 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-03 08:21 - 2012-07-22 05:59 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-07-03 08:21 - 2012-07-22 05:59 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-03 08:21 - 2012-07-22 05:59 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-03 08:21 - 2012-07-22 05:59 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-07-03 08:21 - 2012-07-22 05:59 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-03 08:21 - 2012-07-22 05:58 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-03 08:21 - 2012-07-22 05:58 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-06-30 06:56 - 2011-01-17 15:51 - 00129536 __ASH C:\Users\Owner\Thumbs.db
2012-06-30 06:25 - 2012-06-30 06:25 - 00002224 ____A C:\Users\Public\Desktop\HP Officejet Pro 8500 A910.lnk
2012-06-30 06:25 - 2012-06-30 06:25 - 00001896 ____A C:\Users\Public\Desktop\HP ePrintCenter - HP Officejet Pro 8500 A910.lnk
2012-06-30 06:25 - 2012-06-30 06:25 - 00001224 ____A C:\Users\Public\Desktop\HP Officejet Pro 8500 A910 Scan.lnk
2012-06-30 06:25 - 2012-06-30 06:25 - 00001187 ____A C:\Users\Public\Desktop\Shop for Supplies - HP Officejet Pro 8500 A910.lnk
2012-06-30 06:23 - 2012-06-30 06:23 - 01450884 ____A C:\Users\Owner\Downloads\HP_Officejet_Pro_8500_A910g_productname_patch.exe
2012-06-30 06:23 - 2012-06-30 06:22 - 37106248 ____A (Hewlett-Packard Company / Igor Pavlov) C:\Users\Owner\Downloads\HPPV-3_0_0-x64.exe
2012-06-30 06:13 - 2012-06-30 06:11 - 122098432 ____A C:\Users\Owner\Downloads\OJ8500_A910_231.exe
2012-06-24 09:24 - 2012-06-24 09:24 - 00000318 ____A C:\Users\Owner\Desktop\Curse Client.appref-ms
2012-06-15 18:47 - 2012-06-15 18:47 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-15 18:43 - 2012-06-15 18:43 - 00001845 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-06-02 14:19 - 2012-06-22 09:07 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 09:07 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 09:07 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 09:07 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 09:07 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-22 09:07 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-22 09:07 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-22 09:06 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-22 09:06 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:18 - 2012-03-25 15:56 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-06-01 21:00 - 2012-06-01 21:00 - 00000250 ____A C:\Users\Owner\Documents\cc_20120602_010023.reg
2012-06-01 20:58 - 2012-06-01 20:58 - 03862112 ____A (Piriform Ltd) C:\Users\Owner\Downloads\ccsetup319.exe
2012-05-25 14:24 - 2012-05-25 14:24 - 00000902 ____A C:\Users\Owner\Desktop\soccer.txt
2012-05-24 18:31 - 2011-12-20 12:19 - 00002052 ____A C:\Users\Owner\Documents\Default.rdp
2012-05-19 20:36 - 2012-05-19 20:34 - 143194861 ____A C:\Users\Owner\Downloads\HangoutMusicFest2012Sampler.zip
2012-05-06 14:12 - 2012-05-06 14:12 - 00032260 ____A C:\Users\Owner\Documents\cc_20120506_181155.reg
2012-05-06 14:01 - 2012-05-06 14:01 - 03654896 ____A (Piriform Ltd) C:\Users\Owner\Downloads\ccsetup318.exe
2012-05-06 13:58 - 2012-05-06 13:58 - 00000406 ____A C:\Windows\System32\ioloBootDefrag.cfg
2012-05-06 13:53 - 2011-01-22 12:29 - 00002223 ____A C:\Users\Owner\Desktop\System Mechanic.lnk
2012-05-01 17:59 - 2011-08-13 08:42 - 00005632 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-26 16:03 - 2011-01-15 12:24 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
ZeroAccess:
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\@
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\L
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\U
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\L\00000004.@
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\L\1afb2d56
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\L\201d3dde
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\U\00000008.@
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}\U\80000064.@
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 9%
Total physical RAM: 9207.12 MB
Available physical RAM: 8336.49 MB
Total Pagefile: 9205.27 MB
Available Pagefile: 8320.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:931.41 GB) (Free:679.33 GB) NTFS
4 Drive g: (PROJECTDISK) (Removable) (Total:1.92 GB) (Free:1.92 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 1968 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 931 GB 101 MB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y System Rese NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 931 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1967 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G PROJECTDISK FAT32 Removable 1967 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-17 20:13
======================= End Of Log ==========================
Partition 1 Primary 1967 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G PROJECTDISK FAT32 Removable 1967 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-17 20:13
======================= End Of Log ==========================
#7
Posted 22 July 2012 - 11:27 AM
Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-22 12:20:41
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\system64\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
#8
Posted 22 July 2012 - 11:32 AM
OK, here you go......Please carefully carry out this procedure!!!!!!
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#9
Posted 22 July 2012 - 11:43 AM
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-22 12:38:46 Run:1
Running from G:\
==============================================
C:\Windows\Installer\{fbaf559b-3908-fc78-3976-dced04d04f00} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
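The check behind this fix, as an added example (not from the thread and not part of FRST): it parses the services.exe search section posted in #7 and flags the live copy whose MD5 differs from the WinSxS copy, even though size, timestamps and company name are identical. Using the WinSxS copy as the reference follows the thread's fix and is an assumption here; the function names are illustrative.

```python
import re

# Search section copied from the FRST log in post #7; paths and MD5s are the page's own.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\system64\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

# "[created] - [modified] - size attrs (company) MD5"; the company field is optional.
META = re.compile(
    r"^\[(?P<created>[\d\- :]+)\] - \[(?P<modified>[\d\- :]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
PATH = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Pair each path line with the metadata line that follows it."""
    entries, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("="):
            path = None  # banners and blank lines break a path/metadata pair
            continue
        m = META.match(line)
        if m and path:
            entry = m.groupdict()
            entry.update(path=path, md5=entry["md5"].upper(), size=int(entry["size"]))
            entries.append(entry)
            path = None
        elif PATH.match(line):
            path = line
    return entries


def is_component_store(path):
    return "\\winsxs\\" in path.lower()


def compare_to_component_store(entries):
    """Compare each live copy with the WinSxS copies found in the same search."""
    store = [e for e in entries if is_component_store(e["path"])]
    if not store:
        raise ValueError("no WinSxS copy in the log; nothing to compare against")
    # Several servicing versions may coexist, so accept any store hash.
    trusted = {e["md5"] for e in store}
    ref = store[0]
    findings = []
    for e in entries:
        if is_component_store(e["path"]):
            continue
        findings.append({
            "path": e["path"],
            "md5": e["md5"],
            "hash_matches_store": e["md5"] in trusted,
            # Size, timestamps and company name can be preserved by a patched
            # file, so they are reported but never used as the verdict.
            "metadata_matches_store": all(
                e[k] == ref[k] for k in ("created", "modified", "size", "company")
            ),
        })
    return findings


def suspects(findings):
    """Paths whose hash is not among the component-store hashes."""
    return [f["path"] for f in findings if not f["hash_matches_store"]]


if __name__ == "__main__":
    for f in compare_to_component_store(parse_search(SEARCH_LOG)):
        verdict = "ok" if f["hash_matches_store"] else "MISMATCH"
        print(f"{verdict:8} {f['md5']} meta_same={f['metadata_matches_store']} {f['path']}")
```
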
#10
Posted 22 July 2012 - 11:52 AM
I am no longer getting any messages saying something is amiss. No audio randomly playing. You could very well be my new hero. I am thankful you are playing for the good guys.
Is there something I should be doing differently, or running, to prevent this in the future? I am always careful, in my opinion, but maybe not as much as I need to be. Any advice is appreciated.
Mo
#11
Posted 22 July 2012 - 12:02 PM
I'll give you some advice when we are done, just one more scan to run.........
Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.
Please visit this webpage for download links, and instructions for running ComboFix
http://www.bleepingc...to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Information on disabling your malware programs can be found Here.
Make sure you run ComboFix from your desktop.
Give it at least 30-45 minutes to finish if needed.
Please include the C:\ComboFix.txt in your next reply for further review.
---------->NOTE<----------
If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
MrC
#12
Posted 22 July 2012 - 01:33 PM
ComboFix 12-07-21.01 - Owner 07/22/2012 14:01:08.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.6866 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\windows
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{2caa185e-1460-4aea-8ef8-df88379fbdcb}
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{2caa185e-1460-4aea-8ef8-df88379fbdcb}\chrome.manifest
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{2caa185e-1460-4aea-8ef8-df88379fbdcb}\chrome\xulcache.jar
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{2caa185e-1460-4aea-8ef8-df88379fbdcb}\defaults\preferences\xulcache.js
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{2caa185e-1460-4aea-8ef8-df88379fbdcb}\install.rdf
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{e93aedb9-8514-4e05-a4c4-70b58e181614}
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{e93aedb9-8514-4e05-a4c4-70b58e181614}\chrome.manifest
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{e93aedb9-8514-4e05-a4c4-70b58e181614}\chrome\xulcache.jar
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{e93aedb9-8514-4e05-a4c4-70b58e181614}\defaults\preferences\xulcache.js
c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\extensions\{e93aedb9-8514-4e05-a4c4-70b58e181614}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2012-06-22 to 2012-07-22 )))))))))))))))))))))))))))))))
.
.
2012-07-22 20:07 . 2012-07-22 20:07 -------- d-----w- C:\FRST
2012-07-22 14:06 . 2012-07-22 14:06 -------- d-----w- c:\windows\en
2012-07-22 14:04 . 2012-07-22 14:04 -------- d-----w- c:\program files\Windows Live
2012-07-22 14:04 . 2012-07-22 14:04 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-22 13:59 . 2012-07-03 16:21 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-22 13:59 . 2012-07-03 16:21 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-22 13:59 . 2012-07-03 16:21 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-22 13:59 . 2012-07-03 16:21 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-07-22 13:59 . 2012-07-03 16:21 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-22 13:59 . 2012-07-03 16:21 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-22 13:59 . 2012-07-03 16:21 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-22 13:58 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-22 13:58 . 2012-07-03 16:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-07-22 13:31 . 2012-07-22 13:57 -------- d-----w- c:\programdata\AVAST Software
2012-07-22 13:31 . 2012-07-22 13:57 -------- d-----w- c:\program files\AVAST Software
2012-07-22 13:30 . 2012-07-22 13:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-22 13:30 . 2012-07-22 13:36 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-07-22 04:19 . 2012-07-22 04:19 -------- d-----w- c:\windows\Hewlett-Packard
2012-07-21 21:24 . 2012-07-21 21:24 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\272d60e91cd678702\DSETUP.dll
2012-07-21 21:24 . 2012-07-21 21:24 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\272d60e91cd678702\DXSETUP.exe
2012-07-21 21:24 . 2012-07-21 21:24 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\272d60e91cd678702\dsetup32.dll
2012-07-21 18:38 . 2012-07-21 18:46 -------- d-----w- c:\users\Owner\My Movies
2012-07-21 18:35 . 2012-07-21 18:44 -------- d-----w- c:\users\Owner\AppData\Roaming\HandBrake
2012-07-21 04:39 . 2012-07-21 04:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-21 04:39 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-21 00:56 . 2012-07-21 00:56 53248 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-07-21 00:56 . 2012-07-21 00:56 -------- d-----w- c:\users\Owner\AppData\Local\Logishrd
2012-07-21 00:55 . 2012-07-21 00:55 -------- d-----w- c:\program files\Logitech
2012-07-20 21:39 . 2012-07-20 21:39 -------- d-----w- c:\users\Owner\AppData\Local\Macromedia
2012-07-20 03:32 . 2012-07-20 03:32 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-06-30 14:25 . 2012-07-22 04:19 -------- d-----w- c:\users\Owner\AppData\Roaming\HpUpdate
2012-06-30 14:25 . 2010-11-17 01:24 750440 ------w- c:\windows\system32\HPDiscoPM5312.dll
2012-06-30 14:24 . 2012-06-30 14:52 -------- d-----w- c:\users\Owner\AppData\Local\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-21 00:56 . 2011-10-01 02:14 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-07-20 14:51 . 2012-04-08 14:18 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-20 14:51 . 2011-08-18 20:22 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-22 17:07 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 17:07 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 17:07 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 17:07 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 17:07 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 17:07 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 17:07 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-22 17:06 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-22 17:06 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-04-27 00:03 . 2011-01-15 20:24 57848688 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2012-01-31 20:59 86696 ----a-w- c:\program files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2012-01-31 86696]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-02-24 59240]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Panda Security URL Filtering"="c:\programdata\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2012-03-19 217256]
"PSUNMain"="c:\program files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-27 136176]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2012-04-17 1047336]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 250056]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-04-01 24576]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-27 136176]
R3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2010-01-20 40320]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-16 1255736]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2008-12-09 23464]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2011-11-23 149768]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-07-03 71064]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-03-30 151656]
S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2012-04-17 1047336]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2011-06-30 517632]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2011-04-28 140608]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2012-01-05 161032]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2011-04-28 114760]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2011-04-28 121928]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2011-11-30 128264]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-05-28 509056]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 14:51]
.
2012-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-27 00:32]
.
2012-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-27 00:32]
.
2012-07-07 c:\windows\Tasks\hpwebreg_CN14LBK29F.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\hpwebreg.exe [2010-11-17 01:29]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2011-05-09 15:45 436040 ----a-w- c:\program files (x86)\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2011-05-09 15:45 436040 ----a-w- c:\program files (x86)\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://mail.hortech.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: $talisma_url$
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kqtb4nb4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0FF1C4C3-343F-49B0-B613-557EFD390574} - (no file)
Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
Notify-LBTWlgn - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2064912402-3754680767-1499082353-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2064912402-3754680767-1499082353-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
.
**************************************************************************
.
Completion time: 2012-07-22 14:22:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-22 18:22
.
Pre-Run: 728,985,849,856 bytes free
Post-Run: 728,590,598,144 bytes free
.
- - End Of File - - 9934F70AC81DCBB14A28B6ECF2738202
#13
Posted 22 July 2012 - 01:39 PM
Looks Good.....
Please Update and run a Quick Scan with MBAM, post the report.
Make sure that everything is checked, and click Remove Selected.
Please let me know how computer is running now, MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#14
Posted 22 July 2012 - 02:52 PM
Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.22.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]
Protection: Enabled
7/22/2012 2:51:23 PM
mbam-log-2012-07-22 (14-51-23).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230644
Time elapsed: 1 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
#15
Posted 22 July 2012 - 02:57 PM
How is it????? MrC
#16
Posted 22 July 2012 - 05:33 PM
Now may I call you my hero?? I have got some nasty stuff over the years on computers, this was by all accounts the worst. When I started hearing advertisements when nothing was open, I knew I was in for it. It was also the easiest to remedy with your expertise. I think I am going to put you on speed dial if that is ok.... Any advice to keep everything running smoothly? Any programs etc that you would suggest? Is there a way to give you a thumbs up, gold star, and or big tip??
Forever in debt.
Mo
#17
Posted 22 July 2012 - 05:35 PM
Great
and Thank You 
A little clean up to do....
Please Uninstall ComboFix: (if you used it)
Press the Windows logo key + R to bring up the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix and /

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.
---------------------------------
Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
Save it to your desktop.
Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)
Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....
-------------------------------
Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again.
Good Luck and Thanks for using the forum, MrC
#18
Posted 23 July 2012 - 04:58 AM
Glad we could help. This has been resolved, and now this topic is closed.
The fixes in this Topic are for this system only! Do not apply the fix-instructions from this topic to any other system!
~Maurice Naggar
I close my threads if there is 5 days without a response.