
svchost playing music at random times



Hello,

This problem has been bothering me a couple weeks and I'm just realizing how serious it is. My computer plays music at random times - after doing investigations I have found it has ZeroAccess Max++ (RogueKiller found it) but I can't figure out how to get rid of it. I had run Malwarebytes AntiMalware yesterday, and after reading about another user that had the same symptoms I was hoping you could help me.

I had already run RogueKiller when I found the post, but did not tell it to do anything to solve the problem - here are my files as requested from the dds script.

I appreciate any time and help you can give me - now that I know what this is, it is really bothering me to have it!

Attach.txt

DDS.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


Ok - Did some backup and restore point, and now here are the logs:

FRST.txt

Scan result of Farbar Recovery Scan Tool Version: 29-08-2012 02

Ran by SYSTEM at 29-08-2012 13:53:29

Running from C:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]

HKLM\...\Run: [cAudioFilterAgent] "C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [520760 2010-03-10] (Conexant Systems, Inc.)

HKLM\...\Run: [smartAudio] "C:\Program Files\CONEXANT\SAII\SAIICpl.exe" /t [307768 2010-04-28] ()

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-05] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-03] (TOSHIBA Corporation)

HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)

HKLM\...\Run: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)

HKLM\...\Run: [TosVolRegulator] "C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [24376 2009-11-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [709976 2010-02-05] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-03-15] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)

HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)

HKLM-x32\...\Run: [EEventManager] "C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe" [673616 2009-04-07] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [EfficientToDoListFree] [x]

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [304568 2010-10-12] (Citrix Systems, Inc.)

HKLM-x32\...\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul [710504 2012-08-26] (Webroot)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKU\Susan\...\Run: [best Buy pc app] C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]

HKU\Susan\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-07-18] (Google Inc.)

HKU\Susan\...\Run: [EPSOND9ED65] "C:\windows\system32\spool\DRIVERS\x64\3\E_IATIFJA.EXE" /FU "C:\windows\TEMP\E_S9168.tmp" /EF "HKCU" [223232 2009-01-26] (SEIKO EPSON CORPORATION)

HKU\Susan\...\Run: [WorkForce 610(Network)] "C:\windows\system32\spool\DRIVERS\x64\3\E_IATIFJA.EXE" /FU "C:\windows\TEMP\E_S560D.tmp" /EF "HKCU" [223232 2009-01-26] (SEIKO EPSON CORPORATION)

HKU\Susan\...\Run: [TivoServer] "C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer [2264336 2010-08-24] (TiVo Inc.)

HKU\Susan\...\Run: [TivoTransfer] "C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe" [608528 2010-08-24] (TiVo Inc.)

HKU\Susan\...\Run: [TivoNotify] "C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify [437520 2010-08-24] (TiVo Inc.)

HKU\Susan\...\Run: [TranscodingService] "C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe" [856336 2010-08-24] (TiVo Inc.)

HKU\Susan\...\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5661056 2012-08-26] (SUPERAntiSpyware.com)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Susan\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

Startup: C:\Users\Susan\Start Menu\Programs\Startup\Efficient To-Do List Free.lnk

ShortcutTarget: Efficient To-Do List Free.lnk -> C:\Program Files (x86)\Efficient To-Do List Free\EfficientToDoListFree.exe (Efficient Software)

Startup: C:\Users\Susan\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)

2 NitroReaderDriverReadSpool; "C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe" [341296 2010-12-03] (Nitro PDF Software)

4 TivoBeacon2; "C:\Program Files (x86)\TiVo\Desktop\TiVoBeacon.exe" /service [1104656 2010-08-24] (TiVo Inc.)

2 WRSVC; "C:\Program Files\Webroot\WRSA.exe" -service [710504 2012-08-26] (Webroot)

==================== Drivers (Whitelisted) ===================

1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [87600 2010-07-14] (Citrix Systems, Inc.)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

0 WRkrn; C:\Windows\System32\Drivers\WRkrn.sys [110096 2012-08-26] (Webroot)

==================== NetSvcs (Whitelisted) =================

==================== One Month Created Files and Folders ======================

2012-08-29 13:53 - 2012-08-29 13:53 - 00000000 ____D C:\FRST

2012-08-29 05:34 - 2012-08-29 05:35 - 00000000 ____D C:\Users\Susan\Documents\New folder

2012-08-28 07:21 - 2012-08-28 07:21 - 00007244 ____A C:\Users\Susan\Desktop\Attach.txt

2012-08-28 07:20 - 2012-08-28 07:20 - 00026401 ____A C:\Users\Susan\Desktop\DDS.txt

2012-08-28 07:16 - 2012-08-28 07:16 - 00607260 ____R (Swearware) C:\Users\Susan\Desktop\dds.com

2012-08-28 06:49 - 2012-08-28 06:49 - 00004083 ____A C:\Users\Susan\Desktop\RKreport[1].txt

2012-08-28 06:48 - 2012-08-28 06:49 - 00000000 ____D C:\Users\Susan\Desktop\RK_Quarantine

2012-08-28 06:46 - 2012-08-28 06:46 - 01320960 ____A C:\Users\Susan\Desktop\RogueKiller.exe

2012-08-27 18:53 - 2012-08-27 18:53 - 00016292 ____A C:\Users\Susan\Desktop\hs_err_pid3500.log

2012-08-27 18:52 - 2012-08-27 18:52 - 00000000 ____D C:\Users\Susan\Pearson

2012-08-27 18:43 - 2012-08-27 18:43 - 00045827 ____A C:\Users\Susan\Documents\SvcsAfterSound.txt

2012-08-27 18:41 - 2012-08-27 18:41 - 00045827 ____A C:\Users\Susan\Documents\SvcsDuringSound.txt

2012-08-27 12:47 - 2012-08-27 12:47 - 00045848 ____A C:\Users\Susan\Documents\ServAfterRebootNoSound.txt

2012-08-27 12:38 - 2012-08-27 13:11 - 00000327 ____A C:\Users\Susan\Documents\servListSoundDiff.txt

2012-08-27 06:50 - 2012-08-27 06:50 - 00045827 ____A C:\Users\Susan\Documents\servlistnosound2.txt

2012-08-27 06:43 - 2012-08-27 06:43 - 00045820 ____A C:\Users\Susan\Documents\servListSound.txt

2012-08-27 05:26 - 2012-08-27 05:26 - 00045834 ____A C:\Users\Susan\Documents\ServListNoSound.txt

2012-08-26 17:17 - 2012-08-26 17:19 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-08-26 17:17 - 2012-08-26 17:17 - 00001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2012-08-26 17:17 - 2012-08-26 17:17 - 00000000 ____D C:\Users\Susan\AppData\Roaming\SUPERAntiSpyware.com

2012-08-26 17:17 - 2012-08-26 17:17 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com

2012-08-26 17:16 - 2012-08-26 17:16 - 17246464 ____A (SUPERAntiSpyware.com) C:\Users\Susan\Downloads\SUPERAntiSpyware.exe

2012-08-26 11:05 - 2012-08-26 11:05 - 00001124 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-26 11:05 - 2012-08-26 11:05 - 00000000 ____D C:\Users\Susan\AppData\Roaming\Malwarebytes

2012-08-26 11:05 - 2012-08-26 11:05 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-08-26 11:05 - 2012-08-26 11:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-26 11:05 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-26 11:04 - 2012-08-26 11:04 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Susan\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-26 10:53 - 2012-08-26 10:53 - 00007610 ____A C:\Users\Susan\AppData\Local\Resmon.ResmonCfg

2012-08-26 10:27 - 2012-08-26 10:27 - 00000000 ____D C:\Users\Susan\Downloads\tdsskiller (1)

2012-08-26 10:26 - 2012-08-26 10:26 - 02193184 ____A C:\Users\Susan\Downloads\tdsskiller (1).zip

2012-08-26 10:26 - 2012-08-26 10:26 - 00000000 ____D C:\Users\Susan\Downloads\tdsskiller

2012-08-26 10:25 - 2012-08-26 10:25 - 02193345 ____A C:\Users\Susan\Downloads\tdsskiller.zip

2012-08-26 09:16 - 2012-08-26 09:17 - 01131094 ____A C:\Users\Susan\Downloads\ClassroomManagementsession2.pptx

2012-08-25 13:03 - 2012-08-25 13:04 - 00000000 ____D C:\Program Files\iTunes

2012-08-25 13:03 - 2012-08-25 13:04 - 00000000 ____D C:\Program Files (x86)\iTunes

2012-08-25 13:03 - 2012-08-25 13:03 - 00000000 ____D C:\Program Files\iPod

2012-08-25 13:01 - 2012-08-25 13:01 - 00000000 ____D C:\Program Files (x86)\Apple Software Update

2012-08-25 13:00 - 2012-08-25 13:00 - 00000000 ____D C:\Program Files\Bonjour

2012-08-25 13:00 - 2012-08-25 13:00 - 00000000 ____D C:\Program Files (x86)\Bonjour

2012-08-25 12:57 - 2012-08-25 12:58 - 79225752 ____A (Apple Inc.) C:\Users\Susan\Downloads\iTunes64Setup.exe

2012-08-22 16:42 - 2012-08-26 09:21 - 00000000 ____D C:\Users\Susan\Documents\CS

2012-08-22 16:33 - 2012-08-26 09:20 - 00013826 ____A C:\Users\Susan\Downloads\CS Leesburg Session II 2012FA with Instructors rev 03Aug12.xlsx

2012-08-17 04:49 - 2012-06-28 20:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-08-17 04:49 - 2012-06-28 20:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-08-17 04:49 - 2012-06-28 19:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-08-17 04:49 - 2012-06-28 19:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-08-17 04:49 - 2012-06-28 19:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-08-17 04:49 - 2012-06-28 19:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-08-17 04:49 - 2012-06-28 19:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-08-17 04:49 - 2012-06-28 19:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-08-17 04:49 - 2012-06-28 19:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-08-17 04:49 - 2012-06-28 19:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-08-17 04:49 - 2012-06-28 19:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-08-17 04:49 - 2012-06-28 19:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-08-17 04:49 - 2012-06-28 19:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-08-17 04:49 - 2012-06-28 19:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-08-17 04:49 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-08-17 04:49 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-08-17 04:49 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-08-17 04:49 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-08-17 04:49 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-08-17 04:49 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-08-17 04:49 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-08-17 04:49 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-08-17 04:49 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-08-17 04:49 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-08-17 04:49 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-08-17 04:49 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-08-17 04:49 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-08-17 04:49 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-08-15 15:48 - 2012-02-10 22:36 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2012-08-15 15:48 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2012-08-15 15:48 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe

2012-08-15 15:48 - 2012-02-10 21:44 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2012-08-15 06:13 - 2012-05-05 00:30 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

2012-08-15 06:13 - 2012-05-04 23:44 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

2012-08-15 05:51 - 2012-07-04 14:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-08-15 05:51 - 2012-07-04 14:01 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-08-15 05:51 - 2012-07-04 14:01 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-08-15 05:51 - 2012-07-04 13:26 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-08-15 05:51 - 2012-07-04 13:23 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-08-15 05:50 - 2012-07-18 09:31 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-08-15 05:48 - 2012-05-13 21:20 - 00956416 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2012-08-14 18:41 - 2012-08-18 18:54 - 00038600 ____A C:\Users\Susan\Documents\OuterBanks2012.odt

2012-08-12 12:40 - 2012-08-15 06:32 - 00030817 ____A C:\Users\Susan\Documents\Minnesota2012.odt

==================== 3 Months Modified Files ================================

2012-08-29 09:48 - 2012-01-12 13:21 - 00000758 ____A C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk

2012-08-29 09:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-29 09:48 - 2009-07-13 20:51 - 00042865 ____A C:\Windows\setupact.log

2012-08-29 09:41 - 2010-09-20 00:42 - 01164498 ____A C:\Windows\WindowsUpdate.log

2012-08-29 09:41 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-29 09:41 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-29 09:26 - 2009-07-13 21:13 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-29 08:55 - 2010-07-18 17:28 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-08-28 18:54 - 2010-07-18 17:28 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-08-28 09:44 - 2010-12-08 20:33 - 00708608 ____A C:\Users\Susan\Documents\MyToDoList.etd

2012-08-28 07:21 - 2012-08-28 07:21 - 00007244 ____A C:\Users\Susan\Desktop\Attach.txt

2012-08-28 07:20 - 2012-08-28 07:20 - 00026401 ____A C:\Users\Susan\Desktop\DDS.txt

2012-08-28 07:16 - 2012-08-28 07:16 - 00607260 ____R (Swearware) C:\Users\Susan\Desktop\dds.com

2012-08-28 06:49 - 2012-08-28 06:49 - 00004083 ____A C:\Users\Susan\Desktop\RKreport[1].txt

2012-08-28 06:46 - 2012-08-28 06:46 - 01320960 ____A C:\Users\Susan\Desktop\RogueKiller.exe

2012-08-27 18:53 - 2012-08-27 18:53 - 00016292 ____A C:\Users\Susan\Desktop\hs_err_pid3500.log

2012-08-27 18:43 - 2012-08-27 18:43 - 00045827 ____A C:\Users\Susan\Documents\SvcsAfterSound.txt

2012-08-27 18:41 - 2012-08-27 18:41 - 00045827 ____A C:\Users\Susan\Documents\SvcsDuringSound.txt

2012-08-27 13:11 - 2012-08-27 12:38 - 00000327 ____A C:\Users\Susan\Documents\servListSoundDiff.txt

2012-08-27 12:47 - 2012-08-27 12:47 - 00045848 ____A C:\Users\Susan\Documents\ServAfterRebootNoSound.txt

2012-08-27 06:50 - 2012-08-27 06:50 - 00045827 ____A C:\Users\Susan\Documents\servlistnosound2.txt

2012-08-27 06:43 - 2012-08-27 06:43 - 00045820 ____A C:\Users\Susan\Documents\servListSound.txt

2012-08-27 05:26 - 2012-08-27 05:26 - 00045834 ____A C:\Users\Susan\Documents\ServListNoSound.txt

2012-08-26 17:17 - 2012-08-26 17:17 - 00001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2012-08-26 17:16 - 2012-08-26 17:16 - 17246464 ____A (SUPERAntiSpyware.com) C:\Users\Susan\Downloads\SUPERAntiSpyware.exe

2012-08-26 12:52 - 2010-07-18 17:36 - 00202174 ____A C:\Windows\PFRO.log

2012-08-26 11:05 - 2012-08-26 11:05 - 00001124 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-26 11:04 - 2012-08-26 11:04 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Susan\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-26 10:53 - 2012-08-26 10:53 - 00007610 ____A C:\Users\Susan\AppData\Local\Resmon.ResmonCfg

2012-08-26 10:26 - 2012-08-26 10:26 - 02193184 ____A C:\Users\Susan\Downloads\tdsskiller (1).zip

2012-08-26 10:25 - 2012-08-26 10:25 - 02193345 ____A C:\Users\Susan\Downloads\tdsskiller.zip

2012-08-26 09:20 - 2012-08-22 16:33 - 00013826 ____A C:\Users\Susan\Downloads\CS Leesburg Session II 2012FA with Instructors rev 03Aug12.xlsx

2012-08-26 09:17 - 2012-08-26 09:16 - 01131094 ____A C:\Users\Susan\Downloads\ClassroomManagementsession2.pptx

2012-08-26 04:09 - 2012-01-12 13:21 - 00149688 ____A (Webroot) C:\Windows\SysWOW64\WRusr.dll

2012-08-26 04:09 - 2012-01-12 13:21 - 00110096 ____A (Webroot) C:\Windows\System32\Drivers\WRkrn.sys

2012-08-26 04:09 - 2012-01-12 13:21 - 00102832 ____A (Webroot) C:\Windows\System32\WRusr.dll

2012-08-25 12:58 - 2012-08-25 12:57 - 79225752 ____A (Apple Inc.) C:\Users\Susan\Downloads\iTunes64Setup.exe

2012-08-18 18:54 - 2012-08-14 18:41 - 00038600 ____A C:\Users\Susan\Documents\OuterBanks2012.odt

2012-08-18 04:31 - 2009-07-13 20:45 - 00482760 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-16 16:06 - 2010-12-13 20:01 - 00015360 ____A C:\Users\Susan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-08-15 06:32 - 2012-08-12 12:40 - 00030817 ____A C:\Users\Susan\Documents\Minnesota2012.odt

2012-07-26 12:17 - 2012-07-26 12:17 - 00002263 ____A C:\Users\Public\Desktop\Mahjong Escape Collection.lnk

2012-07-26 11:49 - 2012-07-26 11:49 - 00001452 ____A C:\Users\Public\Desktop\Wheel of Fortune Deluxe.lnk

2012-07-18 09:31 - 2012-08-15 05:50 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-13 18:11 - 2011-12-06 18:23 - 00005616 ____A C:\Users\Susan\Documents\Creative Memories StoryBook Creator 4.0 Upgrade content activation codes.txt

2012-07-13 11:40 - 2011-10-08 11:30 - 00002130 ____A C:\Users\Public\Desktop\Storybook Creator 4.lnk

2012-07-04 14:04 - 2012-08-15 05:51 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 14:01 - 2012-08-15 05:51 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 14:01 - 2012-08-15 05:51 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-07-04 13:26 - 2012-08-15 05:51 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-07-04 13:23 - 2012-08-15 05:51 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-07-03 09:46 - 2012-08-26 11:05 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-28 20:55 - 2012-08-17 04:49 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-28 20:09 - 2012-08-17 04:49 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-28 19:56 - 2012-08-17 04:49 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-28 19:49 - 2012-08-17 04:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-28 19:49 - 2012-08-17 04:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-28 19:48 - 2012-08-17 04:49 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-28 19:47 - 2012-08-17 04:49 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-28 19:45 - 2012-08-17 04:49 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-28 19:44 - 2012-08-17 04:49 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-28 19:43 - 2012-08-17 04:49 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-28 19:42 - 2012-08-17 04:49 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-28 19:40 - 2012-08-17 04:49 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-28 19:39 - 2012-08-17 04:49 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-28 19:35 - 2012-08-17 04:49 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-28 16:52 - 2012-08-17 04:49 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-28 16:27 - 2012-08-17 04:49 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-28 16:16 - 2012-08-17 04:49 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-28 16:09 - 2012-08-17 04:49 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-28 16:09 - 2012-08-17 04:49 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-28 16:08 - 2012-08-17 04:49 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-28 16:07 - 2012-08-17 04:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-28 16:06 - 2012-08-17 04:49 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-28 16:04 - 2012-08-17 04:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-28 16:04 - 2012-08-17 04:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-28 16:01 - 2012-08-17 04:49 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-28 16:01 - 2012-08-17 04:49 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-28 16:00 - 2012-08-17 04:49 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-28 15:57 - 2012-08-17 04:49 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-23 15:47 - 2012-06-23 15:47 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-06-23 15:47 - 2011-11-22 13:11 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-06-23 15:42 - 2012-06-23 15:41 - 00990448 ____A (Solid State Networks) C:\Users\Susan\Downloads\install_flashplayer11x32ax_gtbp_chrd_aih (1).exe

2012-06-23 15:41 - 2012-06-23 15:41 - 00990448 ____A (Solid State Networks) C:\Users\Susan\Downloads\install_flashplayer11x32ax_gtbp_chrd_aih.exe

2012-06-08 21:30 - 2012-07-11 10:06 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:46 - 2012-07-11 10:06 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 21:50 - 2012-07-11 10:06 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:50 - 2012-07-11 10:06 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:09 - 2012-07-11 10:06 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:09 - 2012-07-11 10:06 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-02 14:19 - 2012-06-21 04:45 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-21 04:45 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-21 04:45 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-21 04:45 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-21 04:45 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-21 04:45 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-21 04:45 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-21 04:44 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-21 04:44 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 07:56 - 2012-06-02 07:56 - 00001052 ____A C:\Users\Susan\Desktop\Dropbox.lnk

2012-06-01 21:38 - 2012-07-11 10:06 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:38 - 2012-07-11 10:06 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:37 - 2012-07-11 10:06 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:27 - 2012-07-11 10:06 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:27 - 2012-07-11 10:06 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:48 - 2012-07-11 10:06 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:48 - 2012-07-11 10:06 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:47 - 2012-07-11 10:06 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:42 - 2012-07-11 10:06 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

ZeroAccess:

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\@

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\L

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\n

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\U

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\U\00000001.@

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\U\80000000.@

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\U\800000cb.@

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-11 05:59:30

Restore point made on: 2012-08-15 06:33:30

Restore point made on: 2012-08-17 04:48:52

Restore point made on: 2012-08-21 05:05:36

Restore point made on: 2012-08-24 07:01:47

Restore point made on: 2012-08-25 13:01:19

Restore point made on: 2012-08-28 06:36:27

Restore point made on: 2012-08-29 09:34:26

==================== Memory info ===========================

Percentage of memory in use: 14%

Total physical RAM: 3834.9 MB

Available physical RAM: 3271 MB

Total Pagefile: 3833.05 MB

Available Pagefile: 3256.92 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: (TI105949W0C) (Fixed) (Total:286.57 GB) (Free:75.72 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[system with boot components (obtained from reading drive)]

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (LEXAR MEDIA) (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 123 MB 0 B

Disk 2 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 286 GB 1501 MB

Partition 3 Primary 10 GB 288 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C TI105949W0C NTFS Partition 286 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 122 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 Y LEXAR MEDIA FAT Removable 122 MB Healthy

==================================================================================

Last Boot: 2012-08-27 12:13

==================== End Of Log =============================

Search.txt

Farbar Recovery Scan Tool Version: 29-08-2012 02

Ran by SYSTEM at 2012-08-29 13:55:45

Running from C:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

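The FRST output above carries three indicators worth pulling out mechanically when triaging a log like it: the `{GUID}` folder under `AppData\Local` holding the `@`, `n` and `U` entries ZeroAccess drops (the `U` folder holds its `*.@` modules), the hidden partition FRST marks as a suspicious type (0x17 is hidden NTFS, which OEM recovery images also use, so it is a review item rather than a finding), and whether every `services.exe` copy the search found carries the same MD5 as the WinSxS component-store copy. The Python below is an added example written for this page, not FRST's or the poster's code; `SAMPLE` is constructed from the lines of the log above, and the regexes assume FRST's plain-text layout as shown there.

```python
"""Triage helper for FRST-style scan output.

Added example for this thread, not FRST's or the poster's code. It flags
the ZeroAccess user-mode drop layout, lists hidden partitions for review,
and checks that every services.exe copy FRST found carries the same MD5.
The SAMPLE lines are constructed from the log posted above."""
import hashlib
import re
from collections import defaultdict

# {GUID} directory directly under AppData\Local, optionally followed by children
GUID_DIR = re.compile(
    r"(?P<base>[A-Za-z]:\\.*?\\AppData\\Local\\\{[0-9a-f-]{36}\})(?P<rest>\\.*)?$", re.I)
PARTITION_TYPE = re.compile(r"^Type\s*:\s*(?P<type>[0-9A-Fa-f]{2})")
SEARCH_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.*\\services\.exe)$", re.I)
SEARCH_META = re.compile(
    r"^\[.*?\]\s*-\s*\[.*?\]\s*-\s*\d+\s+\S+\s+\(.*?\)\s+(?P<md5>[0-9A-Fa-f]{32})$")

SAMPLE = r"""
2012-06-02 07:56 - 2012-06-02 07:56 - 00001052 ____A C:\Users\Susan\Desktop\Dropbox.lnk
C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}
C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\@
C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\L
C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\n
C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\U
C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\U\00000001.@
Type : 27
Hidden: Yes
Type : 07
Hidden: No
Type : 17 (Suspicious Type)
Hidden: Yes
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
""".strip().splitlines()


def find_zeroaccess_dirs(lines):
    """Return {GUID} base dirs that hold the '@', 'n' and 'U' entries
    ZeroAccess drops ('U' is where its *.@ modules live)."""
    children = defaultdict(set)
    for line in lines:
        m = GUID_DIR.search(line.strip())
        if not m:
            continue
        kids = children[m.group("base")]      # register the base even with no child
        rest = (m.group("rest") or "").strip("\\")
        if rest:
            kids.add(rest.split("\\")[0])
    return sorted(base for base, kids in children.items() if {"@", "n", "U"} <= kids)


def hidden_partitions(lines):
    """Return the type byte of every partition FRST printed as hidden, in
    order. Type 17 (hidden NTFS) is what FRST calls suspicious, but OEM
    recovery images use it too, so treat the result as a review list."""
    types, cur = [], None
    for line in lines:
        line = line.strip()
        m = PARTITION_TYPE.match(line)
        if m:
            cur = m.group("type").upper()
        elif line.startswith("Hidden:") and cur is not None:
            if line.split(":", 1)[1].strip().lower() == "yes":
                types.append(cur)
            cur = None
    return types


def services_exe_consistent(lines):
    """Pair each services.exe path in an FRST 'Search:' block with the MD5
    on the following line; True when at least two copies (System32 and the
    WinSxS component store) agree, which is what the search above checks."""
    hashes, pending = {}, None
    for line in lines:
        line = line.strip()
        p = SEARCH_PATH.match(line)
        if p:
            pending = p.group("path")
            continue
        m = SEARCH_META.match(line)
        if m and pending:
            hashes[pending] = m.group("md5").upper()
            pending = None
    return len(hashes) >= 2 and len(set(hashes.values())) == 1, hashes


def md5_of(path, chunk=1 << 20):
    """MD5 of a file on a live host, for redoing the services.exe
    comparison yourself (System32 copy against the WinSxS copy)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    print("ZeroAccess dirs:", find_zeroaccess_dirs(SAMPLE))
    print("hidden partition types:", hidden_partitions(SAMPLE))
    ok, hashes = services_exe_consistent(SAMPLE)
    print("services.exe copies agree:", ok)
```

Feed it a saved FRST.txt (`splitlines()` of the file) instead of `SAMPLE` to triage a real log; a hash mismatch between the System32 and WinSxS copies is the signal that the running `services.exe` has been replaced, and `md5_of` lets you repeat the comparison on a live host.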

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


Okay I ran the Fix - here's the fix log...

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 29-08-2012 02

Ran by SYSTEM at 2012-08-29 18:47:21 Run:1

Running from C:\

==============================================

C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267} moved successfully.

==== End of Fixlog ====


Please read the directions carefully so you don't end up deleting something that is good!!

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Yes they're OK

~~~~~~~~~~~~~~

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Not sure what to do - ComboFix has been running for about an hour and a half, the last thing it said was over 30 minutes ago...

Deleting Files

C:\Install.exe

It is still running the disk, seems like a pattern of reading, then blinking, then reading, and so on. I will let it run, but am not sure what will happen when the computer sleeps - I'm afraid to click anything to try to change settings. Not feeling too hopeful at this point...


Stop it and then try it like this........

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now. MrC


Great, that's been happening on these wireless systems for some reason...I've reported it.

~~~~~~~~~~~~~~~~~

Let's start over...................

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Ran RogueKiller again - here's the log:

RogueKiller V8.0.0 [08/26/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Susan [Admin rights]

Mode : Scan -- Date : 08/30/2012 11:34:37

¤¤¤ Bad processes : 3 ¤¤¤

[RESIDUE] TiVoServer.exe -- C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe -> KILLED [TermProc]

[RESIDUE] TiVoTransfer.exe -- C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe -> KILLED [TermProc]

[RESIDUE] TiVoNotify.exe -- C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 15 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Best Buy pc app (C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TivoServer ("C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TivoTransfer ("C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TivoNotify ("C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TranscodingService ("C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : Best Buy pc app (C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TivoServer ("C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TivoTransfer ("C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TivoNotify ("C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TranscodingService ("C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe") -> FOUND

[sTARTUP][sUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

[sTARTUP][sUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK3265GSX ATA Device +++++

--- User ---

[MBR] 4df490d3091673b0a7b27ea2bcb84998

[bSP] 1d2d0a7d94f462bbd182eb7df44c25b4 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 293443 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 604045312 | Size: 10301 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt


Not too bad....

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\n.) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~

Then........

Please read the directions carefully so you don't end up deleting something that is good!!

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

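The registry entry RogueKiller flagged and the post above has the user delete is a COM hijack: the default value of a CLSID's `InprocServer32` key names the DLL COM will load in-process, and ZeroAccess points it at `...\{GUID}\n.` inside the user profile. The trailing dot matters: Win32 strips trailing dots and spaces from the last path component, so the value resolves to the file `n` on disk while looking, to a naive check, like a file with no usable extension. The Python below is an added example for this page, not RogueKiller's or the thread's code. `classify_inproc` is pure and runs anywhere; `scan_live_clsids` walks `HKLM` and `HKCU\Software\Classes\CLSID` and needs Windows. The `TRUSTED_ROOTS` list and the expansion of `%SystemRoot%` to `C:\Windows` are assumptions for a default install; the sample values in `__main__` are constructed, with the first taken from the RogueKiller log above.

```python
"""Classify COM InprocServer32 values like the one RogueKiller flagged.

Added example, not RogueKiller's or the thread's code. classify_inproc()
is pure and runs anywhere; scan_live_clsids() needs Windows (winreg).
TRUSTED_ROOTS and the %SystemRoot% -> C:\\Windows expansion are assumptions
for a default install."""
import re

# {GUID} dir directly under AppData\Local with a module inside it
ZA_LAYOUT = re.compile(r"\\appdata\\local\\\{[0-9a-f-]{36}\}\\")
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def normalize_win32_path(value):
    """Win32 strips trailing dots and spaces from the final path component,
    so a registry value ending in '\\n.' loads the file 'n'. Normalize the
    same way so the classifier sees what the loader will actually open."""
    value = value.strip().strip('"')
    head, sep, tail = value.rpartition("\\")
    return head + sep + tail.rstrip(". ")


def classify_inproc(value):
    """Verdict for one InprocServer32 default value."""
    low = normalize_win32_path(value).lower()
    for var in ("%systemroot%", "%windir%"):
        low = low.replace(var, "c:\\windows")      # assumed install root
    if ZA_LAYOUT.search(low):
        return "zeroaccess-layout"
    if "\\" not in low:
        return "unqualified"   # resolved via DLL search order; confirm it is a system DLL
    if low.startswith(TRUSTED_ROOTS):
        return "ok"
    if low.startswith("c:\\users\\") or "\\appdata\\" in low:
        return "user-writable"
    return "review"


def scan_live_clsids(subkey="Software\\Classes\\CLSID"):
    """Yield (hive, clsid, value, verdict) for every InprocServer32 that is
    not 'ok'. HKCU\\Software\\Classes is merged over HKLM into HKCR, so a
    per-user entry silently overrides the machine-wide server."""
    import winreg  # Windows-only stdlib module
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, hive in hives:
        try:
            root = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, clsid + "\\InprocServer32") as k:
                    value, _ = winreg.QueryValueEx(k, "")
            except OSError:
                continue
            verdict = classify_inproc(str(value))
            if verdict != "ok":
                yield name, clsid, str(value), verdict


if __name__ == "__main__":
    # Constructed samples: the value from the RogueKiller log above plus typical legitimate ones
    for v in (r"C:\Users\Susan\AppData\Local\{c511400a-11dd-1999-2ea4-ca67a51ea267}\n.",
              r"%SystemRoot%\system32\shell32.dll", "shdocvw.dll"):
        print(classify_inproc(v), "<-", v)
    try:
        for hit in scan_live_clsids():
            print(*hit)
    except ImportError:
        print("registry scan skipped: not on Windows")
```

On a live machine run it from an elevated prompt so `HKLM` is readable in full; anything reported as `zeroaccess-layout` or `user-writable` is a server DLL living where the user can write, which is exactly what the RogueKiller deletion step above removes.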

Looks good - said it didn't detect anything (it didn't before either though) - This time was much faster though...

Here is the log:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.30.05

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Susan :: SUSAN-PC2 [administrator]

8/30/2012 2:15:08 PM

mbam-log-2012-08-30 (14-15-08).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 288672

Time elapsed: 16 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I will keep it connected and use it tonight and let you know tomorrow if the random audio stays away. I never had a sure way to check it as I couldn't see anything unless the sounds started...

Thank you so much!


Yay! - RogueKiller is happy too...

RogueKiller V8.0.0 [08/26/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Susan [Admin rights]

Mode : Scan -- Date : 08/30/2012 14:50:16

¤¤¤ Bad processes : 3 ¤¤¤

[RESIDUE] TiVoServer.exe -- C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe -> KILLED [TermProc]

[RESIDUE] TiVoTransfer.exe -- C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe -> KILLED [TermProc]

[RESIDUE] TiVoNotify.exe -- C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 14 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Best Buy pc app (C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TivoServer ("C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TivoTransfer ("C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TivoNotify ("C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : TranscodingService ("C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : Best Buy pc app (C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TivoServer ("C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TivoTransfer ("C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TivoNotify ("C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3578430810-3624963796-3763101815-1001[...]\Run : TranscodingService ("C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe") -> FOUND

[sTARTUP][sUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

[sTARTUP][sUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK3265GSX ATA Device +++++

--- User ---

[MBR] 4df490d3091673b0a7b27ea2bcb84998

[bSP] 1d2d0a7d94f462bbd182eb7df44c25b4 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 293443 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 604045312 | Size: 10301 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[5].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt


MrC -

Thank you for all your help - everything seems fine so far and I am hopeful that it won't repeat. Haven't had any random music playing since yesterday. Looks like this one is done (knock on wood) and I will visit your page when I can use a safer computer. You're the best!
