
Malwarebytes

Sirefef Virus, Unable to remove


16 replies to this topic

#1
igorpavlovic

    New Member

  • Members
  • 10 posts
Good Morning Gents,

Malwarebytes is detecting the Sirefef virus and so is McAfee; however, it is unable to remove them. When I try to run a scan it sometimes crashes, and sometimes it completes the scan but crashes when attempting to remove the virus. I have also run a tool specifically for the Sirefef virus, but that states that the machine is not infected with the virus. I have to boot the machine into safe mode; otherwise it will load up Windows normally, then hang after around 5 minutes. Hopefully you guys can help.

Here are the dds Logs:

Attached file: dds.txt (15.97K, 6 downloads)

#2
igorpavlovic

Quick update: just tried to run another MBAM scan (quick scan) and it has frozen 2 minutes into it.

#3
igorpavlovic

I am logged onto this machine remotely via a program called 'Bomgar'. I am unable to burn a CD as the user is in a different location from me.

#4
igorpavlovic


Error when trying to remove with Forefront client.

#5
MrCharlie

    Forum Deity

  • Experts
  • 17,428 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Malware Removal Expert




I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.


#6
igorpavlovic

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: 2plan [Admin rights]
Mode: Scan -- Date: 08/07/2012 14:35:27

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] Z@!-60e13116-81c5-4932-8e6f-3cd7ba8aeff3.tmp -- C:\Users\2plan\AppData\Local\Temp\Z@!-60e13116-81c5-4932-8e6f-3cd7ba8aeff3.tmp -> UNLOADED
[SUSP PATH] bomgar-scc.exe -- C:\ProgramData\bomgar-scc-502112CE\bomgar-scc.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 11 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1343914321] ("C:\ProgramData\bomgar-scc-501A8150\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1344332667] ("C:\ProgramData\bomgar-scc-5020E37B\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1344334573] ("C:\ProgramData\bomgar-scc-5020EAED\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1344344782] ("C:\ProgramData\bomgar-scc-502112CE\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2029709861-1995564892-4082333619-1000[...]\Run : Bomgar Support Reconnect [1343914321] ("C:\ProgramData\bomgar-scc-501A8150\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2029709861-1995564892-4082333619-1000[...]\Run : Bomgar Support Reconnect [1344332667] ("C:\ProgramData\bomgar-scc-5020E37B\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2029709861-1995564892-4082333619-1000[...]\Run : Bomgar Support Reconnect [1344334573] ("C:\ProgramData\bomgar-scc-5020EAED\bomgar-scc.exe" -nomulti) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2029709861-1995564892-4082333619-1000[...]\Run : Bomgar Support Reconnect [1344344782] ("C:\ProgramData\bomgar-scc-502112CE\bomgar-scc.exe" -nomulti) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\L --> FOUND
[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX
[ZeroAccess][Sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543216L9SA00 +++++
--- User ---
[MBR] 1f614e66d42a5e02aa4bbc8abbedf9d9
[BSP] 22b3c4b072d1fc340447b2b87917798e : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76313 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159363072 | Size: 74812 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt




Please be aware that I am using Bomgar to connect to this machine as it is a remote machine. The services for this must stay running.

Thank you

#7
MrCharlie

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.


You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Being you have Vista, you may or may not be able to do this but please try.

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).
MrC


#8
igorpavlovic

FRST.txt Log

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by 2plan at 07-08-2012 17:47:05
Running from D:\
  Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

============ One Month Created Files and Folders ==============
2012-08-07 16:37 - 2012-08-07 16:37 - 00892958 ____A (Farbar) C:\Users\2plan\Downloads\FRST (1).exe
2012-08-07 16:35 - 2012-08-07 17:47 - 00000000 ____D C:\FRST
2012-08-07 16:34 - 2012-08-07 16:35 - 00892958 ____A (Farbar) C:\Users\2plan\Downloads\FRST.exe
2012-08-07 14:35 - 2012-08-07 16:51 - 00000000 ____D C:\Users\All Users\bomgar-scc-502119B0
2012-08-07 14:35 - 2012-08-07 14:35 - 00003461 ____A C:\Users\2plan\Desktop\RKreport[1].txt
2012-08-07 14:32 - 2012-08-07 14:35 - 00000000 ____D C:\Users\2plan\Desktop\RK_Quarantine
2012-08-07 14:06 - 2012-08-07 16:51 - 00000000 ____D C:\Users\All Users\bomgar-scc-502112CE
2012-08-07 11:24 - 2012-08-07 11:24 - 00051645 ____A C:\Users\2plan\Desktop\attach.txt
2012-08-07 11:24 - 2012-08-07 11:24 - 00016354 ____A C:\Users\2plan\Desktop\dds.txt
2012-08-07 11:16 - 2012-08-07 16:50 - 00000000 ____D C:\Users\All Users\bomgar-scc-5020EAED
2012-08-07 10:44 - 2012-08-07 16:50 - 00000000 ____D C:\Users\All Users\bomgar-scc-5020E37B
2012-08-02 16:50 - 2012-08-02 16:50 - 00000911 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-02 16:46 - 2012-08-06 21:30 - 00000000 ____D C:\Users\All Users\bomgar-scc-501AA0DF
2012-08-02 16:43 - 2012-08-02 16:43 - 00000000 ____D C:\Windows\pss
2012-08-02 16:42 - 2010-11-24 17:15 - 00007168 ____A C:\Users\All Users\Z@!-273642b5-2328-4160-a839-32b4bd2bca59.tmp
2012-08-02 16:03 - 2012-08-02 16:03 - 00014664 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-08-02 15:55 - 2012-08-02 16:03 - 00000000 ____D C:\Program Files\stinger
2012-08-02 14:35 - 2012-08-02 16:50 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-08-02 14:35 - 2012-08-02 14:35 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-02 14:35 - 2012-08-02 14:35 - 00000000 ____D C:\Users\2plan\AppData\Roaming\Malwarebytes
2012-08-02 14:35 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-02 14:34 - 2012-08-07 14:32 - 00000000 ____D C:\AV
2012-08-02 14:34 - 2012-08-02 14:34 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-02 14:18 - 2012-08-02 14:19 - 00000000 ____D C:\Users\All Users\bomgar-scc-501A7E31
2012-08-02 11:15 - 2012-08-02 16:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 11:15 - 2012-08-02 11:17 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-12 08:59 - 2012-06-13 14:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 18:04 - 2012-06-02 10:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 18:04 - 2012-06-02 09:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 18:04 - 2012-06-02 09:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 18:04 - 2012-06-02 09:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 18:04 - 2012-06-02 09:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 18:04 - 2012-06-02 09:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 18:04 - 2012-06-02 09:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 18:04 - 2012-06-02 09:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 18:04 - 2012-06-02 09:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 18:04 - 2012-06-02 09:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 18:04 - 2012-06-02 09:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 18:04 - 2012-06-02 09:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 18:04 - 2012-06-02 09:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 18:04 - 2012-06-02 09:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 09:41 - 2012-06-08 18:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 09:40 - 2012-06-05 17:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 09:40 - 2012-06-05 17:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 09:35 - 2012-06-04 16:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 09:35 - 2012-06-02 01:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 09:35 - 2012-06-02 01:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-08 07:19 - 2012-07-08 07:19 - 00065752 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
============ 3 Months Modified Files ========================
2012-08-07 17:37 - 2012-01-22 23:29 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-07 17:37 - 2006-11-02 14:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-07 17:37 - 2006-11-02 13:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-07 17:37 - 2006-11-02 13:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-07 17:34 - 2006-11-02 14:01 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-07 16:37 - 2012-08-07 16:37 - 00892958 ____A (Farbar) C:\Users\2plan\Downloads\FRST (1).exe
2012-08-07 16:35 - 2012-08-07 16:34 - 00892958 ____A (Farbar) C:\Users\2plan\Downloads\FRST.exe
2012-08-07 14:35 - 2012-08-07 14:35 - 00003461 ____A C:\Users\2plan\Desktop\RKreport[1].txt
2012-08-07 13:43 - 2006-11-02 14:00 - 00074594 ____A C:\Windows\PFRO.log
2012-08-07 11:24 - 2012-08-07 11:24 - 00051645 ____A C:\Users\2plan\Desktop\attach.txt
2012-08-07 11:24 - 2012-08-07 11:24 - 00016354 ____A C:\Users\2plan\Desktop\dds.txt
2012-08-07 09:10 - 2009-03-24 23:47 - 01334421 ____A C:\Windows\WindowsUpdate.log
2012-08-06 21:31 - 2009-06-02 11:02 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-06 18:55 - 2012-01-22 23:30 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-06 18:55 - 2010-06-14 12:49 - 00000034 ____A C:\Windows\System32\BD2140.DAT
2012-08-06 14:20 - 2012-01-20 13:40 - 00009318 ____A C:\Users\2plan\AppData\Roaming\Comma Separated Values (Windows).EML
2012-08-02 16:50 - 2012-08-02 16:50 - 00000911 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-02 16:17 - 2012-08-02 11:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 16:03 - 2012-08-02 16:03 - 00014664 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-08-02 15:39 - 2006-11-02 11:33 - 00779320 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-02 11:17 - 2012-08-02 11:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-02 11:17 - 2011-06-16 15:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-01 18:36 - 2012-07-02 09:52 - 00017723 ____A C:\Users\2plan\Desktop\Prospect List.xlsx
2012-07-30 17:35 - 2011-06-28 15:56 - 00001879 ____A C:\Users\Public\Desktop\TrigoldCrystal Prospector.lnk
2012-07-26 15:58 - 2011-10-18 15:30 - 00000300 ____A C:\Users\2plan\Desktop\FactFind.appref-ms
2012-07-12 18:58 - 2012-04-13 10:45 - 00001976 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-12 10:40 - 2006-11-02 13:47 - 00370472 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 08:58 - 2006-11-02 11:23 - 00000292 ____A C:\Windows\win.ini
2012-07-11 18:06 - 2006-11-02 11:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-08 07:19 - 2012-07-08 07:19 - 00065752 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2012-07-03 13:46 - 2012-08-02 14:35 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-27 09:18 - 2012-02-27 20:04 - 01053254 ____A C:\Windows\setupact.log
2012-06-19 09:12 - 2012-06-19 09:09 - 00595456 ____A C:\Users\2plan\Desktop\Detailed sales pipeline management - Paul.xls
2012-06-13 14:40 - 2012-07-12 08:59 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 18:47 - 2012-07-11 09:41 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 17:47 - 2012-07-11 09:40 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 17:47 - 2012-07-11 09:40 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 16:26 - 2012-07-11 09:35 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 23:19 - 2012-06-21 11:57 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 23:19 - 2012-06-21 11:57 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 23:19 - 2012-06-21 11:57 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 23:19 - 2012-06-21 11:56 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 23:19 - 2012-06-21 11:56 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 23:12 - 2012-06-21 11:57 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 23:12 - 2012-06-21 11:56 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:19 - 2012-06-21 11:56 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:12 - 2012-06-21 11:56 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 10:07 - 2012-07-11 18:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 09:43 - 2012-07-11 18:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 09:33 - 2012-07-11 18:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 09:26 - 2012-07-11 18:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 09:25 - 2012-07-11 18:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 09:25 - 2012-07-11 18:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 09:23 - 2012-07-11 18:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 09:21 - 2012-07-11 18:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 09:20 - 2012-07-11 18:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 09:19 - 2012-07-11 18:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 09:19 - 2012-07-11 18:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 09:17 - 2012-07-11 18:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 09:16 - 2012-07-11 18:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 09:14 - 2012-07-11 18:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:04 - 2012-07-11 09:35 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-02 01:03 - 2012-07-11 09:35 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-25 13:13 - 2012-04-13 10:43 - 00001897 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

ZeroAccess:
C:\Windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}
C:\Windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\@
C:\Windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\L
C:\Windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U
C:\Windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\00000001.@
C:\Windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\80000000.@
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
========================= Memory info ======================
Percentage of memory in use: 22%
Total physical RAM: 1896.44 MB
Available physical RAM: 1476.58 MB
Total Pagefile: 4033.89 MB
Available Pagefile: 3763.1 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.42 MB
======================= Partitions =========================
1 Drive c: (Vista) (Fixed) (Total:74.52 GB) (Free:19.03 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Removable) (Total:1.87 GB) (Free:1.86 GB) FAT
3 Drive e: (Data) (Fixed) (Total:73.06 GB) (Free:58.55 GB) NTFS ==>[System with boot components (obtained from reading drive)]
  Disk ###  Status	  Size	 Free	 Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online	   149 GB	  0 B		
  Disk 1    Online	  1912 MB	  0 B		
Partitions of Disk 0:
===============
  Partition ###  Type			  Size	 Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary		   1500 MB  1024 KB
  Partition 2    Primary			 75 GB  1501 MB
  Partition 3    Primary			 73 GB    76 GB
==================================================================================
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: No
  Volume ###  Ltr  Label	    Fs	 Type	    Size	 Status	 Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0		 WinRE	    NTFS   Partition   1500 MB  Healthy		   
==================================================================================
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
  Volume ###  Ltr  Label	    Fs	 Type	    Size	 Status	 Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1	 C   Vista	    NTFS   Partition	 75 GB  Healthy    System (partition with boot components) 
==================================================================================
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
  Volume ###  Ltr  Label	    Fs	 Type	    Size	 Status	 Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2	 E   Data		 NTFS   Partition	 73 GB  Healthy		   
==================================================================================
Partitions of Disk 1:
===============
  Partition ###  Type			  Size	 Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary		   1910 MB  1792 KB
==================================================================================
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No
  Volume ###  Ltr  Label	    Fs	 Type	    Size	 Status	 Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3	 D			    FAT    Removable   1910 MB  Healthy		   
==================================================================================
==========================================================
Last Boot: 2012-08-07 16:53
======================= End Of Log ==========================

Search.txt
Farbar Recovery Scan Tool Version: 05-08-2012 01
Ran by 2plan at 2012-08-07 17:48:47
Running from D:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-06-02 11:02] - [2009-04-11 07:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-21 03:25] - [2008-01-21 03:25] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2009-06-02 11:02] - [2012-08-06 21:31] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843
=== End Of Search ===
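The Search.txt above is the check that matters here: the live services.exe has the same size as the 6.0.6002 copy in WinSxS but a different MD5, and a modified time of the evening before the reports started. As an added example (not part of the thread and not FRST's own code), a Python parser that reads such a Search.txt and flags any live binary whose hash matches none of its WinSxS copies; the sample text is the log posted above, copied verbatim.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed sample: the Search.txt posted in this thread, copied verbatim
# (paths, dates, sizes and MD5s are the ones FRST reported above).
SEARCH_TXT = r"""Farbar Recovery Scan Tool Version: 05-08-2012 01
Running from D:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-06-02 11:02] - [2009-04-11 07:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-21 03:25] - [2008-01-21 03:25] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2009-06-02 11:02] - [2012-08-06 21:31] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843
=== End Of Search ===
"""

# A search hit is a path line followed by "[created] - [modified] - size attrs (company) MD5".
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)\] - "
    r"\[(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \([^)]*\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

@dataclass
class FileEntry:
    path: str
    created: datetime
    modified: datetime
    size: int
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

@dataclass
class Finding:
    path: str
    store_md5s: List[str] = field(default_factory=list)
    hash_matches_store: bool = False
    size_matches_store: bool = False
    modified_after_created: bool = False

    @property
    def verdict(self) -> str:
        if not self.store_md5s:
            return "unverified"  # no WinSxS copy to compare against
        # Same size as a servicing copy but a different hash is the in-place
        # patching FRST flagged above as "ZeroAccess <==== ATTENTION!".
        return "clean" if self.hash_matches_store else "suspicious"

def parse_search(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FileEntry] = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending_path = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entries.append(FileEntry(
                path=pending_path,
                created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                size=int(m["size"]),
                md5=m["md5"].upper(),
            ))
        pending_path = None
    return entries

def assess(text: str) -> Dict[str, Finding]:
    """Compare every live (non-WinSxS) hit against its WinSxS namesakes."""
    entries = parse_search(text)
    # WinSxS holds the pristine copies that Windows servicing installed.
    store = [e for e in entries if "\\winsxs\\" in e.path.lower()]
    findings: Dict[str, Finding] = {}
    for live in entries:
        if live in store:
            continue
        refs = [r for r in store if r.name == live.name]
        findings[live.path] = Finding(
            path=live.path,
            store_md5s=[r.md5 for r in refs],
            hash_matches_store=any(r.md5 == live.md5 for r in refs),
            size_matches_store=any(r.size == live.size for r in refs),
            # A modified time later than created hints at an in-place overwrite.
            modified_after_created=live.modified > live.created,
        )
    return findings
```

Run `assess(SEARCH_TXT)` and the only live hit, C:\Windows\System32\services.exe, comes back "suspicious" with both WinSxS hashes listed beside it for the analyst to compare.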


#9
igorpavlovic

Oh, and also, I wasn't able to follow the steps 100% on Vista.

#10
MrCharlie


igorpavlovic, on 08 August 2012 - 03:49 AM, said:

Oh, and also, I wasn't able to follow the steps 100% on Vista.

We'll use ComboFix instead............


Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


#11
igorpavlovic

ComboFix 12-08-07.05 - 2plan 08/08/2012  14:11:16.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.44.1033.18.1896.1346 [GMT 1:00]
Running from: c:\users\2plan\Desktop\ComboFix.exe
AV: Microsoft Forefront Client Security *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Forefront Client Security *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Z@!-273642b5-2328-4160-a839-32b4bd2bca59.tmp
c:\users\2plan\AppData\Local\Temp\nsq8F84.tmp\System.dll
c:\users\2plan\AppData\Local\Temp\Z@!-78962c11-bd7b-47cd-9644-61369b0e4120.tmp
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\chrome.manifest
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\funmoods.css
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\funmoods.xul
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\images\pref.jpg
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\arwDwn.gif
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ae.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\bg.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ch.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\cn.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\cz.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\de.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\eg.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\en.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\es.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\fr.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\gr.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\he.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\il.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\it.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ja.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\jp.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\nl.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\no.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\pl.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\pt.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ro.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ru.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\sa.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\se.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\sv.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\tr.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ua.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\us.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\help_16.gif
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\home.gif
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\logo.png
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\privecy_16_hot.gif
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\imgs\tellafriend.gif
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\loader.xul
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\mtstart.js
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\preferences.xul
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\content\tmplt.js
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\install.rdf
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\META-INF\le_c6a58f26_4d2d_4341_b387_c4f2289b6170.rsa
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\META-INF\le_c6a58f26_4d2d_4341_b387_c4f2289b6170.sf
c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\extensions\ffxtlbr@funmoods.com\META-INF\manifest.mf
c:\users\2plan\g2mdlhlpx.exe
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\@
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\00000001.@
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\80000000.@
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\800000cb.@
c:\windows\system32\pt
c:\windows\system32\pt\tabtsb.dll.mui
c:\windows\system32\pt\tmicfxui.dll.mui
c:\windows\system32\pt\tmicfxui64.dll.mui
c:\windows\system32\pt\toscdspd.cpl.mui
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy9_!Windows!winsxs!x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56!services.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-08 to 2012-08-08  )))))))))))))))))))))))))))))))
.
.
2012-08-08 13:18 . 2012-08-08 13:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-08 13:02 . 2012-08-08 13:05 -------- d-----w- c:\programdata\bomgar-scc-50226360
2012-08-08 12:45 . 2012-08-08 12:57 -------- d-----w- c:\programdata\bomgar-scc-50225F50
2012-08-08 12:18 . 2012-08-08 12:18 -------- d-----w- c:\users\2plan\AppData\Local\Macromedia
2012-08-08 12:17 . 2012-08-08 12:17 -------- d-----w- c:\program files\PriceGong
2012-08-08 12:17 . 2012-08-08 12:17 -------- d-----w- c:\users\2plan\AppData\Local\Wajam
2012-08-08 12:17 . 2012-08-08 12:17 -------- d-----w- c:\program files\Wajam
2012-08-08 12:17 . 2012-08-08 12:17 -------- d-----w- c:\program files\Funmoods
2012-08-07 15:35 . 2012-08-07 16:47 -------- d-----w- C:\FRST
2012-08-07 13:35 . 2012-08-07 15:51 -------- d-----w- c:\programdata\bomgar-scc-502119B0
2012-08-07 13:06 . 2012-08-07 15:51 -------- d-----w- c:\programdata\bomgar-scc-502112CE
2012-08-07 10:16 . 2012-08-07 15:50 -------- d-----w- c:\programdata\bomgar-scc-5020EAED
2012-08-07 09:44 . 2012-08-07 15:50 -------- d-----w- c:\programdata\bomgar-scc-5020E37B
2012-08-02 15:46 . 2012-08-06 20:30 -------- d-----w- c:\programdata\bomgar-scc-501AA0DF
2012-08-02 15:03 . 2012-08-02 15:03 14664 ----a-w- c:\windows\stinger.sys
2012-08-02 14:55 . 2012-08-02 15:03 -------- d-----w- c:\program files\stinger
2012-08-02 14:47 . 2012-08-06 20:37 56200 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{05A267D0-7010-4C04-A100-88E30A96EB39}\offreg.dll
2012-08-02 13:35 . 2012-08-02 13:35 -------- d-----w- c:\users\2plan\AppData\Roaming\Malwarebytes
2012-08-02 13:35 . 2012-08-02 13:35 -------- d-----w- c:\programdata\Malwarebytes
2012-08-02 13:35 . 2012-08-02 15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-02 13:35 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-02 13:34 . 2012-08-07 13:32 -------- d-----w- C:\AV
2012-08-02 13:34 . 2012-08-02 13:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-02 13:18 . 2012-08-02 13:19 -------- d-----w- c:\programdata\bomgar-scc-501A7E31
2012-08-02 10:15 . 2012-08-02 10:17 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-02 07:47 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{05A267D0-7010-4C04-A100-88E30A96EB39}\mpengine.dll
2012-07-12 07:59 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 08:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 08:40 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 08:40 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 08:35 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 08:35 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 08:35 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 10:17 . 2011-06-16 14:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 06:19 . 2012-07-08 06:19 65752 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-06-29 08:44 . 2009-03-25 10:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-02 22:19 . 2012-06-21 10:57 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 10:57 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 10:56 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 10:56 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 10:57 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 10:57 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 10:56 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-21 10:56 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12 . 2012-06-21 10:56 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-09 16:59 . 2010-06-14 14:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2008-07-25 15:41 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bomgar_Cleanup_ZD95411715724"="rd" [X]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2010-06-10 1496528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Bomgar Support Reconnect [1344429904]"="c:\programdata\bomgar-scc-50225F50\bomgar-scc.exe" [2010-11-24 16:15 782272]
"Bomgar Support Reconnect [1344430944]"="c:\programdata\bomgar-scc-50226360\bomgar-scc.exe" [2010-11-24 16:15 782272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TOSDCR"="c:\program files\TOSHIBA\PasswordUtility\TOSDCR.exe" [2007-08-28 169296]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-07-30 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-07-15 726904]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-28 6275072]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"TRot.exe"="c:\program files\Toshiba\TOSHIBA Rotation Utility\TRot.exe" [2008-08-04 692224]
"TAcelMgr"="c:\program files\Toshiba\TOSHIBA Accelerometer Utilities\TAcelMgr\TAcelMgr.exe" [2006-10-31 151216]
"TSkrMain"="c:\program files\Toshiba\TOSHIBA Accelerometer Utilities\Shaker\TSkrMain.exe" [2006-10-31 57008]
"Button Disable"="c:\program files\Toshiba\TOSHIBA Button Disable\TBD.exe" [2007-11-07 337784]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
"Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-08-26 103824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-28 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-28 145944]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-04-29 367128]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-09-03 712704]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2008-07-25 94208]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-09-03 3152384]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2008-08-11 446464]
"TosAutLk"="c:\program files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe" [2008-04-02 116040]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-08-19 417792]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-07-20 1033600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Bomgar_Cleanup_ZD4765815724"="rd" [X]
"Bomgar_Cleanup_ZD4494315724"="rd" [X]
"Bomgar_Cleanup_ZD3904715724"="rd" [X]
.
c:\users\2plan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-02 10:17]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-22 22:29]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-22 22:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtBtAtCzzzztBzy0DyEtByDyEtCyCtN0D0Tzu0CtBtBtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2129979952
mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtBtAtCzzzztBzy0DyEtByDyEtCyCtN0D0Tzu0CtBtBtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2129979952
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: uk.com\exweb.exchange
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\2plan\AppData\Roaming\Mozilla\Firefox\Profiles\4k9dqg76.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtBtAtCzzzztBzy0DyEtByDyEtCyCtN0D0Tzu0CtBtBtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2129979952
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtBtAtCzzzztBzy0DyEtByDyEtCyCtN0D0Tzu0CtBtBtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2129979952
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtBtAtCzzzztBzy0DyEtByDyEtCyCtN0D0Tzu0CtBtBtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2129979952
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtBtAtCzzzztBzy0DyEtByDyEtCyCtN0D0Tzu0CtBtBtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2129979952&q=
FF - user.js: extensions.funmoods.id - 002318829D425416
FF - user.js: extensions.funmoods.instlDay - 15560
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2213:17
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Bomgar Support Reconnect [1343914321] - c:\programdata\bomgar-scc-501A8150\bomgar-scc.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 14:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3964)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\TAMSvr.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\dllhost.exe
c:\program files\Toshiba TEMPRO\TempoSVC.exe
c:\windows\system32\ThpSrv.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\TOSHIBA\TPHM\TPCHSrv.exe
c:\program files\Trigold\Update\TRUService.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\program files\Wajam\Updater\WajamUpdater.exe
c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
c:\windows\system32\dllhost.exe
c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe
c:\windows\System32\msdtc.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\progra~1\MICROS~1\Office12\OUTLOOK.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\WerCon.exe
.
**************************************************************************
.
Completion time: 2012-08-08  14:42:12 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-08 13:41
.
Pre-Run: 20,017,856,512 bytes free
Post-Run: 20,154,527,744 bytes free
.
- - End Of File - - E3653E7B721A41F0DC8BD3F29F2B77D5
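The ComboFix report above carries the file-system indicators that mark a ZeroAccess (Sirefef) infection: a GUID-named folder under c:\windows\Installer holding U and L subfolders and `@` / `<hex>.@` payload files, plus the hijacked services.exe that ComboFix replaced from a volume shadow copy. The Python below is an added example for this thread (not code from the original post, and not ComboFix, RogueKiller or Malwarebytes code) that parses text in the ComboFix and RogueKiller formats shown here and flags those indicators. The sample log lines are constructed from the ones posted above. The literal `%APPDATA%` directory under system32 is reported separately as odd but does not count toward the verdict, since the thread does not attribute it to ZeroAccess.

```python
r"""
ZeroAccess (Sirefef) triage over ComboFix / RogueKiller style log text.

Added example for this thread; not ComboFix, RogueKiller or Malwarebytes code.
Indicators looked for (all visible in the posted ComboFix and RogueKiller logs):
  * a GUID-named folder under \Windows\Installer with 'U' or 'L' subfolders
    or '@' / '<8 hex digits>.@' payload files,
  * ComboFix's "Infected copy of ... services.exe ... disinfected" line,
  * RogueKiller's "[ZeroAccess][FOLDER|FILE] ... --> FOUND" lines.
"""
import re
from dataclasses import dataclass, field

INSTALLER_GUID_DIR = re.compile(
    r"^(?P<root>[a-z]:\\windows\\installer\\\{[0-9a-f-]{36}\})(?P<rest>\\.*)?$",
    re.IGNORECASE,
)
AT_FILE = re.compile(r"\\(?:[0-9a-f]{8}\.)?@$", re.IGNORECASE)  # '\@' or '\800000cb.@'
LITERAL_APPDATA_DIR = re.compile(r"\\system32\\%appdata%$", re.IGNORECASE)
SERVICES_DISINFECTED = re.compile(
    r"^Infected copy of .*\\services\.exe .*disinfected", re.IGNORECASE
)
RK_ZEROACCESS = re.compile(
    r"^\[ZeroAccess\]\[(?:FILE|FOLDER)\]\s+\S+\s*:\s*(?P<path>.+?)\s*-->\s*FOUND",
    re.IGNORECASE,
)
WIN_PATH = re.compile(r"[a-zA-Z]:\\.*$")  # ComboFix puts the path last on its dated lines

# Constructed sample: lines copied from the ComboFix and RogueKiller output in this thread.
SAMPLE_LOG = r"""
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\@
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\00000001.@
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\80000000.@
c:\windows\Installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U\800000cb.@
c:\windows\system32\pt\tabtsb.dll.mui
Infected copy of c:\windows\system32\services.exe was found and disinfected
2012-08-02 13:34 . 2012-08-02 13:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-02 13:35 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
[ZeroAccess][FOLDER] U : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\L --> FOUND
"""


@dataclass
class Findings:
    installer_roots: set = field(default_factory=set)  # GUID dirs that hold U/L/@ content
    at_files: list = field(default_factory=list)
    odd_dirs: list = field(default_factory=list)  # literal %APPDATA% dir; reported, not scored
    services_patched: bool = False
    rk_hits: list = field(default_factory=list)

    @property
    def zeroaccess_likely(self) -> bool:
        # Any one strong indicator is enough to treat the host as infected.
        return bool(self.installer_roots or self.at_files or self.rk_hits) or self.services_patched


def extract_path(line: str):
    """Return the Windows path on a log line, or None if there is none."""
    m = WIN_PATH.search(line)
    return m.group(0).strip() if m else None


def scan(log_text: str) -> Findings:
    f = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SERVICES_DISINFECTED.match(line):
            f.services_patched = True
            continue
        rk = RK_ZEROACCESS.match(line)
        if rk:
            f.rk_hits.append(rk.group("path").lower())
            continue
        path = extract_path(line)
        if path is None:
            continue
        if LITERAL_APPDATA_DIR.search(path):
            f.odd_dirs.append(path)
        g = INSTALLER_GUID_DIR.match(path)
        if g:
            rest = (g.group("rest") or "").lower()
            is_payload = bool(AT_FILE.search(path))
            # Legitimate MSI caches live directly under the GUID folder; ZeroAccess
            # adds \U and \L subfolders and '@' payloads, so only those mark the root.
            if is_payload or rest in ("\\u", "\\l") or rest.startswith(("\\u\\", "\\l\\")):
                f.installer_roots.add(g.group("root").lower())
            if is_payload:
                f.at_files.append(path)
    return f


def triage(log_text: str) -> dict:
    """Condense a scan into the numbers a helper would quote back in the thread."""
    f = scan(log_text)
    return {
        "zeroaccess_likely": f.zeroaccess_likely,
        "installer_roots": sorted(f.installer_roots),
        "at_files": len(f.at_files),
        "rk_hits": len(f.rk_hits),
        "services_patched": f.services_patched,
        "odd_dirs": len(f.odd_dirs),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against a saved ComboFix.txt or RKreport.txt with `triage(open(path, errors="replace").read())`. A GUID folder under Windows\Installer alone is normal MSI behaviour and is deliberately not scored; only the U/L subfolders or `@` payloads under it count.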


#12
MrCharlie

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Then reboot and scan the system with RogueKiller again and post the new log, MrC


#13
igorpavlovic

MBAM Log
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.08.07
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
2plan :: SEAN-JONES [administrator]
Protection: Disabled
08/08/2012 15:46:31
mbam-log-2012-08-08 (15-59-31).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216243
Time elapsed: 12 minute(s),
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 18
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> No action taken.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> No action taken.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> No action taken.
HKCR\f (PUP.Funmoods) -> No action taken.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> No action taken.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods (PUP.Funmoods) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 2
C:\Program Files\Funmoods\1.5.23.22 (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\bh (PUP.Funmoods) -> No action taken.
Files Detected: 13
C:\Program Files\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\bh\escort.dll (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\escortApp.dll (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\escortEng.dll (PUP.Funmoods) -> No action taken.
C:\Users\2plan\Downloads\Setup.exe (PUP.Bundle.Installer.OI) -> No action taken.
C:\Users\2plan\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\2plan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\2plan\AppData\Local\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\2plan\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\escorTlbr.dll (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\escortShld.dll (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\FavIcon.ico (PUP.Funmoods) -> No action taken.
C:\Program Files\Funmoods\1.5.23.22\uninstall.exe (PUP.Funmoods) -> No action taken.
(end)



#14
igorpavlovic

apologies, below is the RK Log

RogueKiller V7.6.5 [08/03/2012]  by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: 2plan [Admin rights]
Mode: Scan -- Date: 08/08/2012 16:52:51
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\L --> FOUND
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[382] : NtCreateThreadEx @ 0x82653FE9 -> HOOKED (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys @ 0x8D3D5640)
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1	   localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS543216L9SA00 +++++
--- User ---
[MBR] 1f614e66d42a5e02aa4bbc8abbedf9d9
[BSP] 22b3c4b072d1fc340447b2b87917798e : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76313 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159363072 | Size: 74812 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt




#15
MrCharlie

Please don't put the logs in code > they're too hard to read.

.......................

If you want to keep this program > Funmoods

Don't do anything with Malwarebytes, if you want to remove it from your computer.... (I suggest you remove it)

Make sure that everything is checked, and click Remove Selected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run RogueKiller again and click Scan
When the scan completes > click on the Files tab
Put a check next to all of these and uncheck the rest:

Quote

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{13ccfeca-99f4-c9c5-d3c1-9de09aff286a}\L --> FOUND

Now click Delete on the right hand column under Options


~~~~~~~~~~~~~~~~~~~~~~~~~~

Reboot and run another scan with RogueKiller and post the log, MrC


#16
MrCharlie

How are we doing??

Do you still need help or can I close this post??

MrC


#17
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • PipPipPipPipPipPip
  • 13,181 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
~Maurice Naggar

I close my threads if there are 5 days without a response.




