Another rootkit.0access infection


levers

Me again...unfortunately!

Apparently a forwarded email from the computer we are working on in this thread has infected another colleague's computer through a forwarded email.

Unfortunately this colleague did not have Malwarebytes PRO and the infection appears worse as his hard drive suddenly is nearly full. We have scanned with Malwarebytes Free version and it quarantined and deleted successfully.

Thank you very much for your continued assistance.

Here are the DDS logs for this laptop:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16736  BrowserJavaVersion: 10.21.2
Run by LifeBook at 11:56:59 on 2013-11-20
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2002.834 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\A-B\Mobility Time Manager\ABMTimeManager.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\o2flash.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Fujitsu\fjdvrupd\updnvsrv.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskhost.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe
C:\Program Files\Softex\OmniPass\opvapp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\WUDFHost.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.

uSearch Bar = Preserve
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - c:\program files\evernote\evernote\EvernoteIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [indicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [sSUtility] c:\program files\fujitsu\ssutility\FJSSDMN.exe
mRun: [FjStrtAp] c:\program files\fujitsu\utils\FjStrtAp.exe
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [CSRSkype] c:\program files\csr\bluetooth feature pack 5.0\CSRSkype.exe
mRun: [ConMgr] "c:\program files\csr\bluetooth feature pack 5.0\ConMgr.exe"
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\updatenv.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Gnetmous] c:\program files\compaq\scroll mouse\gnetmous.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\lifebook\appdata\roaming\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\users\lifebook\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\program files\evernote\evernote\\evernoteieres\AddNote.html
Trusted Zone: ab-sales.com
Trusted Zone: abmarketing.com
Trusted Zone: eaglebh.com
TCP: NameServer = 64.251.160.2 64.251.173.40
TCP: Interfaces\{88EF47C5-F948-4356-A682-7CB611A697E0} : DHCPNameServer = 64.251.160.2 64.251.173.40
TCP: Interfaces\{90915695-3111-4CA3-BD98-0E854440D6A2} : DHCPNameServer = 64.251.160.2 64.251.173.40
TCP: Interfaces\{90915695-3111-4CA3-BD98-0E854440D6A2}\16C637F616379637 : DHCPNameServer = 101.187.1.1
TCP: Interfaces\{90915695-3111-4CA3-BD98-0E854440D6A2}\44562637E45647 : DHCPNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{90915695-3111-4CA3-BD98-0E854440D6A2}\4646D2772747 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{90915695-3111-4CA3-BD98-0E854440D6A2}\6427F6E6479656270205164727F6E637 : DHCPNameServer = 192.168.35.1
TCP: Interfaces\{90915695-3111-4CA3-BD98-0E854440D6A2}\655627E69656636363 : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: SPP-ActiveSetup - c:\program files\jda\abcustom\service release\ABUserProfileFiles.EXE
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lifebook\appdata\roaming\mozilla\firefox\profiles\w79sk0fl.default\
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\users\lifebook\appdata\local\citrix\plugins\79\npappdetector.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 FBIOSDRV;Fujitsu BIOS Driver;c:\windows\system32\drivers\FBIOSDRV.sys [2009-9-9 17008]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2009-9-9 12776]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2009-8-1 1807608]
R2 Mobility Time Manager;Mobility Time Manager;c:\program files\a-b\mobility time manager\ABMTimeManager.exe [2010-10-18 18944]
R2 MSSQL$ABMSQL;SQL Server (ABMSQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 MSSQL$ABRSM;SQL Server (ABRSM);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-9-16 2790696]
R2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\fujitsu\fjdvrupd\updnvsrv.exe [2009-7-15 12800]
R2 VFPRadioSupportService;Bluetooth Feature Support;c:\program files\csr\bluetooth feature pack 5.0\VFPRadioSupportService.exe [2009-8-20 111488]
R3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-9-9 659328]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2009-9-9 18816]
R3 FjGenIo;Fujitsu Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [2009-9-9 7680]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2009-9-9 5632]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-9 122880]
R3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-9-9 273448]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-11-20 40776]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-9-16 4232192]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-5-12 48672]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-7-2 44064]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2011-1-4 37232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 107392]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-9-9 221912]
S3 NisSrv;NisSrv;c:\program files\microsoft security client\NisSrv.exe [2013-8-12 295376]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2009-9-9 20352]
S3 SWNC8U33;Sierra Wireless MUX NDIS Driver (UMTS33);c:\windows\system32\drivers\swnc8u33.sys [2009-9-9 222720]
S3 SWUMX00;Sierra Wireless USB MUX Driver (UMTS00);c:\windows\system32\drivers\swumx00.sys [2009-9-9 148992]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2009-9-9 148992]
S3 SWUMX21;Sierra Wireless USB MUX Driver (UMTS21);c:\windows\system32\drivers\swumx21.sys [2009-9-9 148992]
S3 SWUMX22;Sierra Wireless USB MUX Driver (UMTS22);c:\windows\system32\drivers\swumx22.sys [2009-9-9 148992]
S3 SWUMX32;Sierra Wireless USB MUX Driver (UMTS32);c:\windows\system32\drivers\swumx32.sys [2009-9-9 148992]
S3 SWUMX33;Sierra Wireless USB MUX Driver (UMTS33);c:\windows\system32\drivers\swumx33.sys [2009-9-9 148992]
S3 SWUMX3A;Sierra Wireless USB MUX Driver (UMTS3A);c:\windows\system32\drivers\swumx3a.sys [2009-9-9 148992]
S3 SWUMX3B;Sierra Wireless USB MUX Driver (UMTS3B);c:\windows\system32\drivers\swumx3B.sys [2009-9-9 148992]
S3 SWUMX3C;Sierra Wireless USB MUX Driver (UMTS3C);c:\windows\system32\drivers\swumx3C.sys [2009-9-9 148992]
S3 SWUMX3D;Sierra Wireless USB MUX Driver (UMTS3D);c:\windows\system32\drivers\swumx3D.sys [2009-9-9 148992]
S3 SWUMX3E;Sierra Wireless USB MUX Driver (UMTS3E);c:\windows\system32\drivers\swumx3e.sys [2009-9-9 148992]
S3 SWUMX40;Sierra Wireless USB MUX Driver (UMTS40);c:\windows\system32\drivers\swumx40.sys [2009-9-9 148992]
S3 SWUMX50;Sierra Wireless USB MUX Driver (UMTS50);c:\windows\system32\drivers\swumx50.sys [2009-9-9 148992]
S3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\system32\drivers\swumx52.sys [2009-9-9 148992]
S3 SWUMX53;Sierra Wireless USB MUX Driver (UMTS53);c:\windows\system32\drivers\swumx53.sys [2009-9-9 148992]
S3 SWUMX54;Sierra Wireless USB MUX Driver (UMTS54);c:\windows\system32\drivers\swumx54.sys [2009-9-9 148992]
S3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);c:\windows\system32\drivers\swumx55.sys [2009-9-9 148992]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2009-9-9 148992]
S3 SWUMX57;Sierra Wireless USB MUX Driver (UMTS57);c:\windows\system32\drivers\swumx57.sys [2009-9-9 148992]
S3 SWUMX58;Sierra Wireless USB MUX Driver (UMTS58);c:\windows\system32\drivers\swumx58.sys [2009-9-9 148992]
S3 SWUMX59;Sierra Wireless USB MUX Driver (UMTS59);c:\windows\system32\drivers\swumx59.sys [2009-9-9 148992]
S3 SWUMX5A;Sierra Wireless USB MUX Driver (UMTS5A);c:\windows\system32\drivers\swumx5A.sys [2009-9-9 148992]
S3 SWUMX70;Sierra Wireless USB MUX Driver (UMTS70);c:\windows\system32\drivers\swumx70.sys [2009-9-9 148992]
S3 SWUMX71;Sierra Wireless USB MUX Driver (UMTS71);c:\windows\system32\drivers\swumx71.sys [2009-9-9 148992]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2009-9-9 148992]
S3 SWUMX81;Sierra Wireless USB MUX Driver (UMTS81);c:\windows\system32\drivers\swumx81.sys [2009-9-9 148992]
S3 SWUMX82;Sierra Wireless USB MUX Driver (UMTS82);c:\windows\system32\drivers\swumx82.sys [2009-9-9 148992]
S3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\drivers\swumx90.sys [2009-9-9 148992]
S3 SWUMX91;Sierra Wireless USB MUX Driver (UMTS91);c:\windows\system32\drivers\swumx91.sys [2009-9-9 148992]
S3 SWUMX92;Sierra Wireless USB MUX Driver (UMTS92);c:\windows\system32\drivers\swumx92.sys [2009-9-9 148992]
S3 SWUMX93;Sierra Wireless USB MUX Driver (UMTS93);c:\windows\system32\drivers\swumx93.sys [2009-9-9 148992]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-9-9 148992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
S3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2009-9-9 14376]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-7 1343400]
.
=============== Created Last 30 ================
.
2013-11-20 16:03:01    --------    d-----w-    c:\windows\TempE72F9FA2-0FD0-7975-5CBF-112720B2D9DE-Signatures
2013-11-20 16:02:33    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-11-19 20:19:48    --------    d-----w-    c:\users\lifebook\appdata\local\Programs
2013-11-19 09:00:57    --------    d-----w-    c:\windows\TempB140977A-9441-D4C8-E8D3-E1FDA4434C00-Signatures
2013-11-14 13:57:56    817664    ----a-w-    c:\program files\common files\microsoft shared\vgx\VGX.dll
2013-11-14 13:57:54    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-11-14 13:57:53    770736    ----a-w-    c:\program files\internet explorer\iexplore.exe
2013-11-11 14:41:11    7796464    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{54564bd1-d7b7-4436-8171-5d2c703cb143}\mpengine.dll
2013-11-07 17:39:59    7796464    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-11-07 01:30:48    719224    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{ff8b447e-433b-4a12-8ad9-cb3a6f7b33a2}\gapaengine.dll
2013-10-28 14:05:26    --------    d-----w-    c:\program files\iPod
2013-10-28 14:05:19    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-28 14:05:19    --------    d-----w-    c:\program files\iTunes
.
==================== Find3M  ====================
.
2013-10-12 07:02:33    2877952    ----a-w-    c:\windows\system32\jscript9.dll
2013-10-12 07:02:29    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-10-12 07:02:29    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-10-12 06:08:58    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-10-12 05:15:39    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-10-12 02:03:08    656896    ----a-w-    c:\windows\system32\nshwfp.dll
2013-10-12 02:01:41    679424    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01:25    216576    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-10 13:00:33    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-10 13:00:32    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-05 19:57:25    1168384    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-04 01:58:50    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2013-10-04 01:56:25    168960    ----a-w-    c:\windows\system32\credui.dll
2013-10-04 01:56:00    1796096    ----a-w-    c:\windows\system32\authui.dll
2013-10-03 01:58:07    305152    ----a-w-    c:\windows\system32\gdi32.dll
2013-09-25 02:01:08    136640    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2013-09-25 02:01:06    67520    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2013-09-25 01:57:46    99840    ----a-w-    c:\windows\system32\sspicli.dll
2013-09-25 01:57:26    22016    ----a-w-    c:\windows\system32\secur32.dll
2013-09-25 01:57:24    247808    ----a-w-    c:\windows\system32\schannel.dll
2013-09-25 01:56:42    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-09-25 01:56:02    1038848    ----a-w-    c:\windows\system32\lsasrv.dll
2013-09-25 00:49:20    22016    ----a-w-    c:\windows\system32\lsass.exe
2013-09-25 00:49:18    15872    ----a-w-    c:\windows\system32\sspisrv.dll
2013-09-14 00:48:58    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-09-08 02:07:12    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03:58    231424    ----a-w-    c:\windows\system32\mswsock.dll
2013-08-29 01:51:45    3969472    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51:45    3914176    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50:30    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-08-29 01:50:16    619520    ----a-w-    c:\windows\system32\tdh.dll
2013-08-29 01:48:17    640512    ----a-w-    c:\windows\system32\advapi32.dll
2013-08-28 01:04:30    2348544    ----a-w-    c:\windows\system32\win32k.sys
2013-08-28 00:57:20    434688    ----a-w-    c:\windows\system32\scavengeui.dll
.
============= FINISH: 12:02:57.78 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/26/2011 2:41:14 PM
System Uptime: 11/20/2013 9:20:21 AM (3 hours ago)
.
Motherboard: FUJITSU |  | FJNB206
Processor: Intel® Core2 Duo CPU     P8700  @ 2.53GHz | Onboard | 785/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 66 GiB total, 1.344 GiB free.
D: is FIXED (NTFS) - 66 GiB total, 64.38 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP458: 11/15/2013 8:00:58 AM - Windows Update
RP459: 11/19/2013 3:00:11 AM - Windows Update
RP460: 11/20/2013 10:02:12 AM - Windows Update
.
==== Installed Programs ======================
.
ABCustomizations
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.8)
Adobe Shockwave Player 11.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AuthenTec Fingerprint Software
Battery Utility
Bluetooth Feature Pack 5.0
Bonjour
C9600n from OKI® Printing Solutions PCL Driver for Windows Vista
CompetitiveCodeBook
CyberLink MakeDisc
CyberLink PowerDirector
CyberLink PowerDVD 8
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DigitalCodeBook
Evernote v. 4.6.7
Fujitsu Button Utilities
Fujitsu Driver Update
Fujitsu Fingerprint Authentication Library
Fujitsu Generic IO Driver
Fujitsu Hotkey Utility
Fujitsu MobilityCenter Extension Utility
Fujitsu System Extension Utility
Google Earth
Google Update Helper
GoToMeeting 5.7.0.1172
iCloud
Image Extractor
Inst5672
Intel® Graphics Media Accelerator Driver
iTunes
Java 7 Update 21
Java Auto Updater
JDA PDF Writer
JDA Space Automation
JDA Space Planning
Junk Mail filter update
Malwarebytes Anti-Malware version 1.75.0.1300
Micro Vane Workstation 5.4
Micro Vane Workstation 5.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Express Edition (ABMSQL)
Microsoft SQL Server 2005 Express Edition (ABRSM)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MobileMe Control Panel
Mobility App
Mobility Database Installer 3.4.4
Mobility Time Manager
Mobility Tool
Mobility Upgrader
Mozilla Firefox 23.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
O2Micro Flash Memory Card Windows Driver
OmniPass 7.00.01
OpenOffice 4.0.0
Pen Tablet
Planogram Management Tool
Profitability Calculator
QuickTime
Realtek High Definition Audio Driver
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Creator LJ
Scroll Mouse
Security Panel
Security Panel Application
Security Panel Application for Supervisor
Security Panel for Supervisor
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2760781) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2837597) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Shock Sensor Utility
SQL Server System CLR Types
swMSM
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 32-Bit Edition
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
11/20/2013 10:04:07 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Security Essentials - 4.4.304.0 (KB2902885).
11/20/2013 10:02:06 AM, Error: WISDPen [6]  - The size of the buffer is invalid for the specified operation.
11/19/2013 4:10:14 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
11/19/2013 4:10:14 PM, Error: Service Control Manager [7003]  - The Microsoft Network Inspection System service depends the following service: BFE. This service might not be installed.
11/19/2013 4:10:11 PM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
11/19/2013 4:09:58 PM, Error: Service Control Manager [7000]  - The Microsoft Antimalware Service service failed to start due to the following error:  Access is denied.
11/14/2013 8:14:06 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800f0902: Update for Windows 7 (KB2893519).
11/14/2013 8:14:06 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 (KB2876331).
.
==== End Of File ===========================

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Thanks MrC!

Here is the report:

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : LifeBook [Admin rights]
Mode : Scan -- Date : 11/20/2013 13:20:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???ﯹ๛\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\LifeBook\AppData\Local\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\?��?��?��\?��?��?��\???ﯹ๛\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1922918003-2033863409-679332406-1000\[...]\Run : Google Update ("C:\Users\LifeBook\AppData\Local\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\?��?��?��\?��?��?��\???ﯹ๛\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" >) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???ﯹ๛\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???ﯹ๛\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???ﯹ๛\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] {1F2B390E-CEEC-44F7-BCBA-C8A41C95C0A8} : C:\Users\LifeBook\Desktop\FarmingSimulator2011DemoEN.exe [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Backup : C:\Program Files\Microsoft Security Client\Backup >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] DbgHelp.dll : C:\Program Files\Microsoft Security Client\DbgHelp.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Drivers : C:\Program Files\Microsoft Security Client\Drivers >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] en-us : C:\Program Files\Microsoft Security Client\en-us >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] EppManifest.dll : C:\Program Files\Microsoft Security Client\EppManifest.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Microsoft Security Client\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Microsoft Security Client\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Microsoft Security Client\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Microsoft Security Client\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] mpevmsg.dll : C:\Program Files\Microsoft Security Client\mpevmsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAv.dll : C:\Program Files\Microsoft Security Client\MpOAv.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Microsoft Security Client\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Microsoft Security Client\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSESysprep.dll : C:\Program Files\Microsoft Security Client\MSESysprep.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Microsoft Security Client\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpEng.exe : C:\Program Files\Microsoft Security Client\MsMpEng.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Microsoft Security Client\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Microsoft Security Client\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] msseces.exe : C:\Program Files\Microsoft Security Client\msseces.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] msseoobe.exe : C:\Program Files\Microsoft Security Client\msseoobe.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] msseooberes.dll : C:\Program Files\Microsoft Security Client\msseooberes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsseWat.dll : C:\Program Files\Microsoft Security Client\MsseWat.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisIpsPlugin.dll : C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisLog.dll : C:\Program Files\Microsoft Security Client\NisLog.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisSrv.exe : C:\Program Files\Microsoft Security Client\NisSrv.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisWFP.dll : C:\Program Files\Microsoft Security Client\NisWFP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Setup.exe : C:\Program Files\Microsoft Security Client\Setup.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SetupRes.dll : C:\Program Files\Microsoft Security Client\SetupRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] shellext.dll : C:\Program Files\Microsoft Security Client\shellext.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] sqmapi.dll : C:\Program Files\Microsoft Security Client\sqmapi.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SymSrv.dll : C:\Program Files\Microsoft Security Client\SymSrv.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SymSrv.yes : C:\Program Files\Microsoft Security Client\SymSrv.yes >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\LifeBook\AppData\Local\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) FUJITSU MHZ2160BH G2 +++++
--- User ---
[MBR] 2205df3d1ef6fa4c70201dfd31259c16
[BSP] e4939a16928225a2597fcfd0a38c5d09 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33556480 | Size: 200 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33966080 | Size: 68020 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 173271040 | Size: 68021 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11202013_132024.txt >>
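The report above shows three distinct ZeroAccess artefacts: every file under Windows Defender and Microsoft Security Client replaced by a junction pointing at \systemroot\system32\config (so the AV binaries can no longer be loaded), a service whose name is unprintable characters followed by "etadpug" ("gupdate" spelled backwards, i.e. the real Google Update service name), and the UAC policy values EnableLUA and ConsentPromptBehaviorAdmin both set to 0. The following triage script is an added example, not code from this thread, from RogueKiller or from Malwarebytes; it assumes the line formats shown in the report above, and its sample input is a constructed subset of those report lines.

```python
"""Triage a RogueKiller-style report for the ZeroAccess artefacts seen above.

Added example (assumption: line formats as shown in the thread's report).
Three indicator classes are extracted:
  1. [Junction] entries whose target is \\systemroot\\system32\\config: the AV
     binaries have been replaced by reparse points, so the AV cannot load.
  2. [SERVICE] entries whose name is a known service name spelled backwards
     behind an unprintable prefix ('???etadpug' -> 'gupdate').
  3. [HJ POL] entries that set a UAC policy value to 0.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the report lines in the thread, in RogueKiller's
# format. RogueKiller renders unprintable characters in names as '?'.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" < [x] -> STOPPED
¤¤¤ Registry Entries : 10 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpEng.exe : C:\Program Files\Microsoft Security Client\MsMpEng.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND
"""

JUNCTION_RE = re.compile(
    r"^\[(?P<family>[^\]]+)\]\[Junction\]\s+\S+\s+:\s+(?P<path>.+?)\s+>>\s+(?P<target>\S+)"
)
SERVICE_RE = re.compile(
    r'^\[(?P<family>[^\]]+)\]\[SERVICE\]\s+(?P<name>\S+)\s+--\s+"(?P<path>[^"]+)"'
)
POLICY_RE = re.compile(
    r"^\[HJ POL\]\[PUM\]\s+(?P<key>\S+)\s+:\s+(?P<value>\w+)\s+\((?P<data>-?\d+)\)"
)

# UAC policy values that, when set to 0, switch UAC off or remove the admin prompt.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin"}
# Legitimate Google Update service name; the report's '???etadpug' is it reversed.
KNOWN_DISGUISES = {"gupdate"}


def reversed_name_hint(service_name: str) -> Optional[str]:
    """Return the legitimate name a reversed service name imitates, or None."""
    core = service_name.lstrip("?")  # drop the unprintable prefix
    candidate = core[::-1]
    return candidate if candidate in KNOWN_DISGUISES else None


@dataclass
class Triage:
    av_junctions: List[str] = field(default_factory=list)   # AV files redirected away
    uac_tampering: List[str] = field(default_factory=list)  # UAC values found at 0
    suspect_services: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def triage(report: str) -> Triage:
    """Walk the report once and collect the three indicator classes."""
    result = Triage()
    for raw in report.splitlines():
        line = raw.strip()
        if (m := JUNCTION_RE.match(line)) and "system32\\config" in m["target"].lower():
            result.av_junctions.append(m["path"])
        elif m := POLICY_RE.match(line):
            if m["value"] in UAC_VALUES and int(m["data"]) == 0:
                result.uac_tampering.append(m["value"])
        elif m := SERVICE_RE.match(line):
            result.suspect_services.append((m["name"], reversed_name_hint(m["name"])))
    return result


def verdict(t: Triage) -> str:
    """One-line assessment a helper could paste back into the thread."""
    if t.av_junctions and t.suspect_services:
        return "ZeroAccess-style tampering: AV junctions + disguised service"
    if t.av_junctions or t.suspect_services or t.uac_tampering:
        return "suspicious: partial ZeroAccess indicators"
    return "no ZeroAccess indicators in report"


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"redirected AV files : {len(t.av_junctions)}")
    print(f"UAC values at 0     : {', '.join(t.uac_tampering) or 'none'}")
    for name, hint in t.suspect_services:
        print(f"service {name!r} imitates: {hint or '(no known match)'}")
    print(verdict(t))
```

Run it as-is to see the three findings from the sample; to triage a real RKreport file, pass its contents to triage() instead of SAMPLE_REPORT. The junction check is the one that explains the Event Log errors earlier in the thread: with MsMpEng.exe and its DLLs redirected to a directory, the Microsoft Antimalware Service cannot start.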

YEP, you certainly have a ZA infection.

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

[image: bleep-crop.jpg]

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC

Alrighty, here is FRST.txt and Addition.txt is attached:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-11-2013
Ran by LifeBook (administrator) on T2010-07 on 20-11-2013 12:19:05
Running from C:\Users\LifeBook\Desktop\MalwareRemoval
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\AtService.exe
(Softex Inc.) C:\Program Files\Softex\OmniPass\OmniServ.exe
(Microsoft Corporation) C:\windows\SYSTEM32\WISPTIS.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Anheuser-Busch, Inc) C:\Program Files\A-B\Mobility Time Manager\ABMTimeManager.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
(O2Micro International) C:\Windows\system32\o2flash.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.exe
(FUJITSU LIMITED) C:\Program Files\Fujitsu\fjdvrupd\updnvsrv.exe
(CSR, plc) C:\Program Files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\windows\SYSTEM32\WISPTIS.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
(Wacom Technology, Corp.) C:\Windows\system32\WTablet\Pen_TabletUser.exe
(Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(FUJITSU LIMITED) C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
(FUJITSU LIMITED) C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
(FUJITSU LIMITED) C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
() C:\Program Files\Softex\OmniPass\scureapp.exe
(Fujitsu Computer Systems Corporation) C:\Program Files\Fujitsu\Utils\FjDspMon.exe
(Fujitsu Computer Systems Corporation) C:\Program Files\Fujitsu\Utils\fjevents.exe
(Fujitsu Computer Systems Corporation) C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
(Intel Corporation) C:\Windows\system32\igfxext.exe
(CSR, plc) C:\Program Files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe
() C:\Program Files\Softex\OmniPass\opvapp.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7703072 2009-08-05] (Realtek Semiconductor)
HKLM\...\Run: [IndicatorUtility] - C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [47464 2009-06-22] (FUJITSU LIMITED)
HKLM\...\Run: [LoadFUJ02E3] - C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [36712 2009-06-16] (FUJITSU LIMITED)
HKLM\...\Run: [SSUtility] - C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe [193832 2007-12-14] (FUJITSU LIMITED)
HKLM\...\Run: [FjStrtAp] - C:\Program Files\Fujitsu\Utils\fjstrtap.exe [20480 2008-04-01] (Fujitsu Computer Systems)
HKLM\...\Run: [RemoteControl8] - C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-16] (CyberLink Corp.)
HKLM\...\Run: [PDVD8LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-16] (CyberLink Corp.)
HKLM\...\Run: [UpdatePDRShortCut] - C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [222504 2008-01-04] (CyberLink Corp.)
HKLM\...\Run: [ATSwpNav] - "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
HKLM\...\Run: [OmniPass] - C:\Program Files\Softex\OmniPass\scureapp.exe [3162112 2009-07-16] ()
HKLM\...\Run: [CSRSkype] - C:\Program Files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe [346464 2009-08-20] (CSR, plc)
HKLM\...\Run: [ConMgr] - C:\Program Files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe [504160 2009-08-20] (CSR, plc)
HKLM\...\Run: [FJUPDNV_Chitose] - C:\Program Files\Fujitsu\fjdvrupd\updatenv.exe [143360 2009-08-07] (FUJITSU LIMITED)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [Gnetmous] - C:\Program Files\COMPAQ\Scroll Mouse\gnetmous.exe [153600 2002-11-26] ( )
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] ()
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {6f8956fd-a312-11de-947d-806e6f6e6963} - D:\StartCD.exe
Startup: C:\Users\LifeBook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\LifeBook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solutions.us.fujitsu.com/index.php
SearchScopes: HKCU - {927E356B-2C38-4FA6-80E0-C35358DE909D} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=BB990BB6-9358-434E-9104-117D0CECE8E0&apn_sauid=639B4DD6-AA28-4B25-8D6D-9BC4C09C3283&
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} https://www.budnet.com/DQR/Templates/,DSID=dae404021994eece66df88eaca4d4bb3,DanaInfo=.a184C65F999JAF,ST=1+/All_Templates.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} http://liberygrain.viewnetcam.com:50000/SysCamInst.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://69.9.192.175/kxhcm10.ocx
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} http://208.53.196.48:50000/JpegInst.cab
DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} https://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} https://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_Desktop_Integration.cab
DPF: {B66D7C9D-905F-4A8E-A919-F6190334B9D0} https://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_HI_Client.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {C1FC96DA-81BE-4836-B3A5-958F55E56E8E} https://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_OutBound_mail.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 64.251.160.2 64.251.173.40

FireFox:
========
FF ProfilePath: C:\Users\LifeBook\AppData\Roaming\Mozilla\Firefox\Profiles\w79sk0fl.default
FF Plugin: @adobe.com/ShockwavePlayer - C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.21.2 - C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\LifeBook\AppData\Local\Citrix\Plugins\79\npappdetector.dll (Citrix Online)

========================== Services (Whitelisted) =================

R2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1807608 2009-08-01] (AuthenTec, Inc.)
R2 Mobility Time Manager; C:\Program Files\A-B\Mobility Time Manager\ABMTimeManager.exe [18944 2010-10-18] (Anheuser-Busch, Inc)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] ()
R2 MSSQL$ABMSQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 MSSQL$ABRSM; C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-08-12] ()
R2 omniserv; C:\Program Files\Softex\OmniPass\OmniServ.exe [40960 2009-07-16] (Softex Inc.)
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
R2 UpdateNaviInstallService; C:\Program Files\Fujitsu\fjdvrupd\updnvsrv.exe [12800 2009-07-15] (FUJITSU LIMITED)
R2 VFPRadioSupportService; C:\Program Files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe [111488 2009-08-20] (CSR, plc)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
R0 FBIOSDRV; C:\Windows\System32\Drivers\FBIOSDRV.sys [17008 2009-06-24] (FUJITSU LIMITED)
R3 Fjbtndrv; C:\Windows\system32\DRIVERS\FjBtnDrv.sys [18816 2009-08-27] (Fujitsu America, Inc.)
R3 FjGenIo; C:\Windows\System32\Drivers\FjGenIo.sys [7680 2009-08-06] (Fujitsu Computer Systems Corporation)
R0 FJGSDisk; C:\Windows\System32\DRIVERS\FJGSDisk.sys [12776 2009-09-09] (FUJITSU LIMITED)
R3 FUJ02B1; C:\Windows\system32\DRIVERS\FUJ02B1.sys [5888 2006-11-01] (FUJITSU LIMITED)
R3 genmcmn; C:\Windows\System32\DRIVERS\gmfiltr.sys [6206 2001-08-16] (KYE Systems Corp.)
R3 MBAMSwissArmy; C:\windows\system32\drivers\mbamswissarmy.sys [40776 2013-11-20] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 O2SCBUS; C:\Windows\System32\DRIVERS\ozscr.sys [102560 2009-05-14] (O2Micro)
S3 swivsp; C:\Windows\system32\DRIVERS\swivspnt.sys [20352 2007-03-26] (Sierra Wireless Inc.)
S3 SWNC8U33; C:\Windows\System32\DRIVERS\swnc8u33.sys [222720 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX00; C:\Windows\system32\DRIVERS\swumx00.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 swumx12; C:\Windows\system32\DRIVERS\swumx12.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX20; C:\Windows\system32\DRIVERS\swumx20.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX21; C:\Windows\system32\DRIVERS\swumx21.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX22; C:\Windows\system32\DRIVERS\swumx22.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX32; C:\Windows\system32\DRIVERS\swumx32.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX33; C:\Windows\system32\DRIVERS\swumx33.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX3A; C:\Windows\system32\DRIVERS\swumx3a.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX3B; C:\Windows\system32\DRIVERS\swumx3B.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX3C; C:\Windows\system32\DRIVERS\swumx3C.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX3D; C:\Windows\system32\DRIVERS\swumx3D.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX3E; C:\Windows\system32\DRIVERS\swumx3e.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX40; C:\Windows\system32\DRIVERS\swumx40.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX50; C:\Windows\system32\DRIVERS\swumx50.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX51; C:\Windows\system32\DRIVERS\swumx51.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX52; C:\Windows\system32\DRIVERS\swumx52.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX53; C:\Windows\system32\DRIVERS\swumx53.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX54; C:\Windows\system32\DRIVERS\swumx54.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX55; C:\Windows\system32\DRIVERS\swumx55.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX56; C:\Windows\system32\DRIVERS\swumx56.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX57; C:\Windows\system32\DRIVERS\swumx57.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX58; C:\Windows\system32\DRIVERS\swumx58.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX59; C:\Windows\system32\DRIVERS\swumx59.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX5A; C:\Windows\system32\DRIVERS\swumx5A.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX70; C:\Windows\system32\DRIVERS\swumx70.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX71; C:\Windows\system32\DRIVERS\swumx71.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX80; C:\Windows\system32\DRIVERS\swumx80.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX81; C:\Windows\system32\DRIVERS\swumx81.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX82; C:\Windows\system32\DRIVERS\swumx82.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX90; C:\Windows\system32\DRIVERS\swumx90.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX91; C:\Windows\system32\DRIVERS\swumx91.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX92; C:\Windows\system32\DRIVERS\swumx92.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMX93; C:\Windows\system32\DRIVERS\swumx93.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 SWUMXA3; C:\Windows\system32\DRIVERS\swumxa3.sys [148992 2009-07-22] (Sierra Wireless Inc.)
S3 wacomhidfilter; C:\Windows\system32\DRIVERS\wacomhidfilter.sys [14376 2009-07-15] (Wacom Technology)
R3 WISDPen; C:\Windows\System32\DRIVERS\wisdpen.sys [37232 2011-01-04] (Wacom Technology)
S4 DNE; system32\DRIVERS\dne2000.sys [x]
S3 rcvpn; system32\DRIVERS\rcvpn.sys [x]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-13] (Microsoft Corporation)
U3 mbr; \??\C:\Users\LifeBook\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-20 12:18 - 2013-11-20 12:18 - 00000000 ____D C:\FRST
2013-11-20 12:03 - 2013-11-20 12:03 - 00009765 _____ C:\Users\LifeBook\Desktop\attach.txt
2013-11-20 12:03 - 2013-11-20 12:02 - 00022317 _____ C:\Users\LifeBook\Desktop\dds.txt
2013-11-20 11:55 - 2013-11-20 12:19 - 00000000 ____D C:\Users\LifeBook\Desktop\MalwareRemoval
2013-11-20 10:03 - 2013-11-20 10:03 - 00000000 ____D C:\windows\TempE72F9FA2-0FD0-7975-5CBF-112720B2D9DE-Signatures
2013-11-20 10:02 - 2013-11-20 10:03 - 00040776 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamswissarmy.sys
2013-11-19 16:10 - 2013-11-19 16:10 - 00000000 ___RD C:\Users\LifeBook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
2013-11-19 14:50 - 2013-11-19 15:44 - 3910455294 _____ C:\avenger.txt
2013-11-19 14:50 - 2013-11-19 14:50 - 00000000 ____D C:\Avenger
2013-11-19 11:15 - 2013-11-19 11:15 - 00148554 ____N C:\Users\LifeBook\Desktop\2014 Price sheet.xlsx
2013-11-19 03:00 - 2013-11-19 03:01 - 00000000 ____D C:\windows\TempB140977A-9441-D4C8-E8D3-E1FDA4434C00-Signatures
2013-11-14 07:58 - 2013-10-12 01:04 - 00042496 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2013-11-14 07:58 - 2013-10-12 01:03 - 01138176 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 02877952 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00493056 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00391168 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00109056 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00061440 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00039424 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-11-14 07:58 - 2013-10-12 01:02 - 00033280 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2013-11-14 07:58 - 2013-10-12 00:08 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-11-14 07:58 - 2013-10-11 23:15 - 00071680 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2013-11-14 07:57 - 2013-10-12 01:03 - 01767936 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-11-14 07:57 - 2013-10-12 01:02 - 14355968 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-11-14 07:57 - 2013-10-12 01:02 - 13761024 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-11-14 07:57 - 2013-10-12 01:02 - 02049024 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-11-13 12:54 - 2013-10-11 20:03 - 00656896 _____ (Microsoft Corporation) C:\windows\system32\nshwfp.dll
2013-11-13 12:54 - 2013-10-11 20:01 - 00679424 _____ (Microsoft Corporation) C:\windows\system32\IKEEXT.DLL
2013-11-13 12:54 - 2013-10-11 20:01 - 00216576 _____ (Microsoft Corporation) C:\windows\system32\FWPUCLNT.DLL
2013-11-13 12:54 - 2013-10-05 13:57 - 01168384 _____ (Microsoft Corporation) C:\windows\system32\crypt32.dll
2013-11-13 12:54 - 2013-10-03 19:58 - 00152576 _____ (Microsoft Corporation) C:\windows\system32\SmartcardCredentialProvider.dll
2013-11-13 12:54 - 2013-10-03 19:56 - 01796096 _____ (Microsoft Corporation) C:\windows\system32\authui.dll
2013-11-13 12:54 - 2013-10-03 19:56 - 00168960 _____ (Microsoft Corporation) C:\windows\system32\credui.dll
2013-11-13 12:54 - 2013-10-02 19:58 - 00305152 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2013-11-13 12:54 - 2013-09-24 20:01 - 00136640 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2013-11-13 12:54 - 2013-09-24 20:01 - 00067520 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2013-11-13 12:54 - 2013-09-24 19:57 - 00247808 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2013-11-13 12:54 - 2013-09-24 19:57 - 00099840 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2013-11-13 12:54 - 2013-09-24 19:57 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2013-11-13 12:54 - 2013-09-24 19:56 - 01038848 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2013-11-13 12:54 - 2013-09-24 19:56 - 00220160 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2013-11-13 12:54 - 2013-09-24 18:49 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2013-11-13 12:54 - 2013-09-24 18:49 - 00015872 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2013-11-13 12:54 - 2013-07-04 06:16 - 00369848 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2013-11-11 10:54 - 2013-11-11 10:54 - 00038242 _____ C:\Users\LifeBook\Desktop\RTP Turbo final list.xlsx
2013-10-28 08:07 - 2013-10-28 08:07 - 00001753 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-28 08:05 - 2013-10-28 08:07 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-28 08:05 - 2013-10-28 08:07 - 00000000 ____D C:\Program Files\iTunes
2013-10-28 08:05 - 2013-10-28 08:05 - 00000000 ____D C:\Program Files\iPod
2013-10-25 07:45 - 2013-10-25 07:45 - 00149224 _____ C:\Users\LifeBook\Desktop\2014 pricing.xlsx

==================== One Month Modified Files and Folders =======

2013-11-20 12:19 - 2013-11-20 11:55 - 00000000 ____D C:\Users\LifeBook\Desktop\MalwareRemoval
2013-11-20 12:18 - 2013-11-20 12:18 - 00000000 ____D C:\FRST
2013-11-20 12:15 - 2013-03-01 12:45 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2013-11-20 12:03 - 2013-11-20 12:03 - 00009765 _____ C:\Users\LifeBook\Desktop\attach.txt
2013-11-20 12:02 - 2013-11-20 12:03 - 00022317 _____ C:\Users\LifeBook\Desktop\dds.txt
2013-11-20 12:01 - 2012-12-19 11:15 - 00000890 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-20 11:55 - 2009-09-09 10:56 - 00875430 _____ C:\windows\system32\PerfStringBackup.INI
2013-11-20 11:54 - 2011-03-01 15:21 - 00000000 ____D C:\Users\LifeBook\Documents\Outlook Files
2013-11-20 11:28 - 2009-07-13 22:34 - 00009920 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-20 11:28 - 2009-07-13 22:34 - 00009920 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-20 11:23 - 2013-09-12 10:33 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-20 11:17 - 2011-01-26 14:43 - 01159435 _____ C:\windows\WindowsUpdate.log
2013-11-20 10:10 - 2012-12-19 11:15 - 00000886 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-20 10:03 - 2013-11-20 10:03 - 00000000 ____D C:\windows\TempE72F9FA2-0FD0-7975-5CBF-112720B2D9DE-Signatures
2013-11-20 10:03 - 2013-11-20 10:02 - 00040776 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamswissarmy.sys
2013-11-20 10:03 - 2011-03-01 12:17 - 00002141 _____ C:\windows\epplauncher.mif
2013-11-19 16:10 - 2013-11-19 16:10 - 00000000 ___RD C:\Users\LifeBook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
2013-11-19 16:10 - 2011-01-26 14:41 - 00000000 ____D C:\Users\LifeBook\AppData\Roaming\WTablet
2013-11-19 16:10 - 2009-07-13 22:53 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-11-19 16:10 - 2009-07-13 22:39 - 00045156 _____ C:\windows\setupact.log
2013-11-19 15:44 - 2013-11-19 14:50 - 3910455294 _____ C:\avenger.txt
2013-11-19 14:50 - 2013-11-19 14:50 - 00000000 ____D C:\Avenger
2013-11-19 14:50 - 2011-03-01 12:35 - 00022784 _____ C:\windows\PFRO.log
2013-11-19 14:20 - 2012-02-07 10:10 - 00001067 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-19 14:20 - 2011-02-28 15:53 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-19 11:17 - 2011-10-19 13:52 - 00000000 ____D C:\Users\LifeBook\Desktop\General store
2013-11-19 11:15 - 2013-11-19 11:15 - 00148554 ____N C:\Users\LifeBook\Desktop\2014 Price sheet.xlsx
2013-11-19 03:01 - 2013-11-19 03:00 - 00000000 ____D C:\windows\TempB140977A-9441-D4C8-E8D3-E1FDA4434C00-Signatures
2013-11-15 08:52 - 2009-07-13 20:37 - 00000000 ____D C:\windows\rescache
2013-11-14 08:08 - 2011-03-01 11:26 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-14 07:57 - 2013-08-15 02:13 - 00000000 ____D C:\windows\system32\MRT
2013-11-14 07:52 - 2011-03-10 10:16 - 80340640 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2013-11-13 08:30 - 2009-07-13 20:37 - 00000000 ____D C:\windows\Microsoft.NET
2013-11-13 07:58 - 2009-07-13 20:04 - 00000478 _____ C:\windows\win.ini
2013-11-12 08:04 - 2011-04-19 14:48 - 00000000 ____D C:\Scale_ABM
2013-11-12 08:04 - 2011-04-19 14:48 - 00000000 ____D C:\Scale
2013-11-11 10:54 - 2013-11-11 10:54 - 00038242 _____ C:\Users\LifeBook\Desktop\RTP Turbo final list.xlsx
2013-11-11 09:32 - 2012-12-19 11:14 - 00000000 ____D C:\Users\LifeBook\AppData\Local\Google
2013-11-11 09:32 - 2012-12-19 11:14 - 00000000 ____D C:\Program Files\Google
2013-11-08 08:56 - 2011-05-12 08:52 - 00000000 ____D C:\Users\LifeBook\Tracing
2013-10-28 08:07 - 2013-10-28 08:07 - 00001753 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-28 08:07 - 2013-10-28 08:05 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-28 08:07 - 2013-10-28 08:05 - 00000000 ____D C:\Program Files\iTunes
2013-10-28 08:05 - 2013-10-28 08:05 - 00000000 ____D C:\Program Files\iPod
2013-10-28 08:05 - 2011-04-26 12:11 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-10-25 07:45 - 2013-10-25 07:45 - 00149224 _____ C:\Users\LifeBook\Desktop\2014 pricing.xlsx
ZeroAccess:
C:\Users\LifeBook\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Files to move or delete:
====================
C:\Users\LifeBook\Recycle SQL.bat


Some content of TEMP:
====================
C:\Users\LifeBook\AppData\Local\Temp\ApnStub.exe
C:\Users\LifeBook\AppData\Local\Temp\G2MCoreInstExtractor.exe
C:\Users\LifeBook\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue001.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue002.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue003.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue004.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue005.exe
C:\Users\LifeBook\AppData\Local\Temp\mpam-2e23955b.exe
C:\Users\LifeBook\AppData\Local\Temp\mssinstaller.exe
C:\Users\LifeBook\AppData\Local\Temp\npappdetector.dll


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client


LastRegBack: 2013-11-20 10:50

==================== End Of Log ============================

Addition.txt


Please read the following information first.

 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-11-2013
Ran by LifeBook at 2013-11-20 14:10:14 Run:1
Running from C:\Users\LifeBook\Desktop\MalwareRemoval
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{90ab704f-7d68-8135-6e3d-19c9c90019af}\   \...\???\{90ab704f-7d68-8135-6e3d-19c9c90019af}\GoogleUpdate.exe"
C:\Users\LifeBook\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Users\LifeBook\Recycle SQL.bat
C:\Users\LifeBook\AppData\Local\Temp\ApnStub.exe
C:\Users\LifeBook\AppData\Local\Temp\G2MCoreInstExtractor.exe
C:\Users\LifeBook\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue001.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue002.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue003.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue004.exe
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue005.exe
C:\Users\LifeBook\AppData\Local\Temp\mpam-2e23955b.exe
C:\Users\LifeBook\AppData\Local\Temp\mssinstaller.exe
C:\Users\LifeBook\AppData\Local\Temp\npappdetector.dll
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client



*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
*etadpug => Service deleted successfully.
C:\Users\LifeBook\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\Users\LifeBook\Recycle SQL.bat => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\ApnStub.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\G2MCoreInstExtractor.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\G2MInstallerExtractor.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue001.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue002.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue003.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue004.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\LMIRescue005.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\mpam-2e23955b.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\mssinstaller.exe => Moved successfully.
C:\Users\LifeBook\AppData\Local\Temp\npappdetector.dll => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MSESysprep.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseoobe.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseooberes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisLog.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisSrv.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisWFP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.


The system needs a manual reboot.

==== End of Fixlog ====

 

 

MBAR Log:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.11.20.12

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
LifeBook :: T2010-07 [administrator]

11/20/2013 2:32:43 PM
mbar-log-2013-11-20 (14-32-43).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 247345
Time elapsed: 26 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

MBAR found no threats the first time I ran it. Should I still run it a second time to be sure?

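The Fixlog above shows FRST deleting reparse points planted throughout the Windows Defender and Microsoft Security Client folders, the condition the earlier FRST log flagged with "ZeroAccess. Use DeleteJunctionsIndirectory". As an added example (not from this thread, FRST or Malwarebytes), here is a Python script that walks a list of protection folders and reports every entry that is itself a reparse point, without following it; the watch-list and the constructed demo tree are assumptions.

```python
"""Report reparse points (junctions/symlinks) inside folders that should hold
only regular files, such as an anti-malware product's install directory."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Folders the FRST log in this thread flagged (assumed default watch-list).
DEFAULT_WATCHED_DIRS = [
    r"C:\Program Files\Windows Defender",
    r"C:\Program Files\Microsoft Security Client",
]


@dataclass
class Finding:
    path: str    # the entry that is itself a reparse point
    kind: str    # "directory reparse point" or "file reparse point"
    target: str  # where it points, if readable


def is_reparse_point(path: str) -> bool:
    """True if PATH itself (not what it points to) is a reparse point.
    On Windows the NTFS attribute is checked, which covers junctions as well
    as symlinks; on other platforms fall back to plain symlink detection."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)
    return stat.S_ISLNK(st.st_mode)


def describe(path: str) -> Finding:
    try:
        target = os.readlink(path)
    except OSError:
        target = "<target not readable>"
    kind = "directory reparse point" if os.path.isdir(path) else "file reparse point"
    return Finding(path, kind, target)


def scan_directory(root: str) -> List[Finding]:
    """Return every reparse point under ROOT without following any of them."""
    findings: List[Finding] = []
    if not os.path.lexists(root):
        return findings
    # The folder itself may have been replaced by a reparse point; report it
    # and stop, since descending would scan whatever it redirects to.
    if is_reparse_point(root):
        return [describe(root)]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):
                findings.append(describe(full))
        # Prune redirected subfolders so os.walk never enters them.
        dirnames[:] = [d for d in dirnames
                       if not is_reparse_point(os.path.join(dirpath, d))]
    return findings


def scan_all(roots=DEFAULT_WATCHED_DIRS) -> List[Finding]:
    findings: List[Finding] = []
    for root in roots:
        findings.extend(scan_directory(root))
    return findings


def run_demo() -> List[Finding]:
    """Build a constructed sample tree in a temp dir (one clean file, one
    planted file link, one planted folder link), scan it, and clean up.
    Paths in the result are relative to the fake install folder."""
    base = tempfile.mkdtemp(prefix="av_dir_demo_")
    try:
        av_dir = os.path.join(base, "Windows Defender")
        os.makedirs(os.path.join(av_dir, "en-US"))
        with open(os.path.join(av_dir, "MpClient.dll"), "wb") as fh:
            fh.write(b"constructed sample, not a real DLL")
        decoy = os.path.join(base, "decoy")
        os.makedirs(decoy)
        # Planted links (needs symlink rights on Windows).
        os.symlink(decoy, os.path.join(av_dir, "Drivers"))
        os.symlink(os.path.join(av_dir, "MpClient.dll"),
                   os.path.join(av_dir, "MsMpEng.exe"))
        return [Finding(os.path.relpath(f.path, av_dir), f.kind, f.target)
                for f in scan_directory(av_dir)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    hits = scan_all()          # real watch-list (Windows paths)
    if not hits:
        hits = run_demo()      # otherwise show the constructed sample
    for f in hits:
        print(f"{f.kind}: {f.path} -> {f.target}")
```

Any hit inside a protection folder is a strong sign of tampering, since those installers create no reparse points; a clean folder returns an empty list.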

New RogueKiller log:

 

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : LifeBook [Admin rights]
Mode : Scan -- Date : 11/20/2013 15:47:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][sUSP PATH] {1F2B390E-CEEC-44F7-BCBA-C8A41C95C0A8} : C:\Users\LifeBook\Desktop\FarmingSimulator2011DemoEN.exe [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) FUJITSU MHZ2160BH G2 +++++
--- User ---
[MBR] 2205df3d1ef6fa4c70201dfd31259c16
[bSP] e4939a16928225a2597fcfd0a38c5d09 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33556480 | Size: 200 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33966080 | Size: 68020 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 173271040 | Size: 68021 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11202013_154708.txt >>
RKreport[0]_S_11202013_132024.txt


 


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":


Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


OK, silly question time. I'm trying to run this and he has Microsoft Security Essentials on this laptop. I have unchecked the Real Time Protection to turn it off, but ComboFix still seems to think it is running, as it is popping up a warning alert for me to turn it off. I have double- and triple-checked and it is definitely off... can I continue with ComboFix or do I need to do something more?


OK, here's the ComboFix log. I'm leaving the office for the night now, so I won't have access to this computer again until tomorrow. I will check back here first thing in the morning for any further instructions. Thank you again for your time and knowledge in helping with this!

 

ComboFix 13-11-19.01 - LifeBook 11/20/2013  16:56:09.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2002.1001 [GMT -6:00]
Running from: c:\users\LifeBook\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\MyScrapNook_12EI
c:\program files\wss
c:\program files\wss\CompetitiveCodeBook\CompCodeBook.exe
c:\program files\wss\DigitalCodeBook\DigitalCodeBook.exe
c:\program files\wss\DigitalCodeBook_SP\CustomInstaller.InstallState
c:\windows\Downloaded Program Files\Install.inf
c:\windows\mreg.reg
c:\windows\PFRO.log
c:\windows\system32\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-20 to 2013-11-20  )))))))))))))))))))))))))))))))
.
.
2013-11-20 21:43 . 2013-11-20 21:43    40392    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{60FA7D7B-F5BC-4859-8599-D18B347AAE66}\MpKsl9c8b9e18.sys
2013-11-20 20:32 . 2013-11-20 21:01    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-11-20 20:32 . 2013-11-20 20:32    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-20 20:29 . 2013-11-20 20:30    75992    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-11-20 20:25 . 2013-11-08 01:15    7772552    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{60FA7D7B-F5BC-4859-8599-D18B347AAE66}\mpengine.dll
2013-11-20 19:09 . 2013-11-20 19:09    --------    d--h--w-    c:\windows\PIF
2013-11-20 18:18 . 2013-11-20 20:11    --------    d-----w-    C:\FRST
2013-11-20 16:03 . 2013-11-20 16:03    --------    d-----w-    c:\windows\TempE72F9FA2-0FD0-7975-5CBF-112720B2D9DE-Signatures
2013-11-19 20:19 . 2013-11-19 20:19    --------    d-----w-    c:\users\LifeBook\AppData\Local\Programs
2013-11-19 09:00 . 2013-11-19 09:01    --------    d-----w-    c:\windows\TempB140977A-9441-D4C8-E8D3-E1FDA4434C00-Signatures
2013-11-14 13:57 . 2013-10-12 07:03    817664    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-11-14 13:57 . 2013-10-12 07:03    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-11-14 13:57 . 2013-10-12 07:44    770736    ----a-w-    c:\program files\Internet Explorer\iexplore.exe
2013-11-11 14:41 . 2013-10-14 06:39    7796464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-07 01:30 . 2013-10-18 14:20    719224    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF8B447E-433B-4A12-8AD9-CB3A6F7B33A2}\gapaengine.dll
2013-10-28 14:05 . 2013-10-28 14:05    --------    d-----w-    c:\program files\iPod
2013-10-28 14:05 . 2013-10-28 14:07    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-28 14:05 . 2013-10-28 14:07    --------    d-----w-    c:\program files\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 10:21 . 2011-02-11 17:37    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-10-18 14:20 . 2011-03-26 14:08    719224    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-10-10 13:00 . 2013-01-28 22:03    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-14 00:48 . 2013-10-10 13:24    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-09-08 02:07 . 2013-10-10 13:24    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03 . 2013-10-10 13:24    231424    ----a-w-    c:\windows\system32\mswsock.dll
2013-08-29 01:51 . 2013-10-10 13:24    3969472    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-10 13:24    3914176    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-10 13:24    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-08-29 01:50 . 2013-10-10 13:24    619520    ----a-w-    c:\windows\system32\tdh.dll
2013-08-29 01:48 . 2013-10-10 13:24    640512    ----a-w-    c:\windows\system32\advapi32.dll
2013-08-28 01:04 . 2013-10-10 13:24    2348544    ----a-w-    c:\windows\system32\win32k.sys
2013-08-28 00:57 . 2013-10-10 13:24    434688    ----a-w-    c:\windows\system32\scavengeui.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-24 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-24 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-05 7703072]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2009-06-22 47464]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2009-06-17 36712]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2008-04-01 20480]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2009-07-16 3162112]
"CSRSkype"="c:\program files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe" [2009-08-20 346464]
"ConMgr"="c:\program files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe" [2009-08-20 504160]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2009-08-08 143360]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"Gnetmous"="c:\program files\COMPAQ\Scroll Mouse\gnetmous.exe" [2002-11-26 153600]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-10-23 152392]
.
c:\users\LifeBook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2013-7-23 1089888]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 228552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-08-12 295376]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [x]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\DRIVERS\swivspnt.sys [2007-03-26 20352]
R3 SWNC8U33;Sierra Wireless MUX NDIS Driver (UMTS33);c:\windows\system32\DRIVERS\swnc8u33.sys [2009-07-22 222720]
R3 SWUMX00;Sierra Wireless USB MUX Driver (UMTS00);c:\windows\system32\DRIVERS\swumx00.sys [2009-07-22 148992]
R3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\DRIVERS\swumx12.sys [2009-07-22 148992]
R3 SWUMX21;Sierra Wireless USB MUX Driver (UMTS21);c:\windows\system32\DRIVERS\swumx21.sys [2009-07-22 148992]
R3 SWUMX22;Sierra Wireless USB MUX Driver (UMTS22);c:\windows\system32\DRIVERS\swumx22.sys [2009-07-22 148992]
R3 SWUMX32;Sierra Wireless USB MUX Driver (UMTS32);c:\windows\system32\DRIVERS\swumx32.sys [2009-07-22 148992]
R3 SWUMX33;Sierra Wireless USB MUX Driver (UMTS33);c:\windows\system32\DRIVERS\swumx33.sys [2009-07-22 148992]
R3 SWUMX3A;Sierra Wireless USB MUX Driver (UMTS3A);c:\windows\system32\DRIVERS\swumx3a.sys [2009-07-22 148992]
R3 SWUMX3B;Sierra Wireless USB MUX Driver (UMTS3B);c:\windows\system32\DRIVERS\swumx3B.sys [2009-07-22 148992]
R3 SWUMX3C;Sierra Wireless USB MUX Driver (UMTS3C);c:\windows\system32\DRIVERS\swumx3C.sys [2009-07-22 148992]
R3 SWUMX3D;Sierra Wireless USB MUX Driver (UMTS3D);c:\windows\system32\DRIVERS\swumx3D.sys [2009-07-22 148992]
R3 SWUMX3E;Sierra Wireless USB MUX Driver (UMTS3E);c:\windows\system32\DRIVERS\swumx3e.sys [2009-07-22 148992]
R3 SWUMX40;Sierra Wireless USB MUX Driver (UMTS40);c:\windows\system32\DRIVERS\swumx40.sys [2009-07-22 148992]
R3 SWUMX50;Sierra Wireless USB MUX Driver (UMTS50);c:\windows\system32\DRIVERS\swumx50.sys [2009-07-22 148992]
R3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\system32\DRIVERS\swumx52.sys [2009-07-22 148992]
R3 SWUMX53;Sierra Wireless USB MUX Driver (UMTS53);c:\windows\system32\DRIVERS\swumx53.sys [2009-07-22 148992]
R3 SWUMX54;Sierra Wireless USB MUX Driver (UMTS54);c:\windows\system32\DRIVERS\swumx54.sys [2009-07-22 148992]
R3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);c:\windows\system32\DRIVERS\swumx55.sys [2009-07-22 148992]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2009-07-22 148992]
R3 SWUMX57;Sierra Wireless USB MUX Driver (UMTS57);c:\windows\system32\DRIVERS\swumx57.sys [2009-07-22 148992]
R3 SWUMX58;Sierra Wireless USB MUX Driver (UMTS58);c:\windows\system32\DRIVERS\swumx58.sys [2009-07-22 148992]
R3 SWUMX59;Sierra Wireless USB MUX Driver (UMTS59);c:\windows\system32\DRIVERS\swumx59.sys [2009-07-22 148992]
R3 SWUMX5A;Sierra Wireless USB MUX Driver (UMTS5A);c:\windows\system32\DRIVERS\swumx5A.sys [2009-07-22 148992]
R3 SWUMX70;Sierra Wireless USB MUX Driver (UMTS70);c:\windows\system32\DRIVERS\swumx70.sys [2009-07-22 148992]
R3 SWUMX71;Sierra Wireless USB MUX Driver (UMTS71);c:\windows\system32\DRIVERS\swumx71.sys [2009-07-22 148992]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2009-07-22 148992]
R3 SWUMX81;Sierra Wireless USB MUX Driver (UMTS81);c:\windows\system32\DRIVERS\swumx81.sys [2009-07-22 148992]
R3 SWUMX82;Sierra Wireless USB MUX Driver (UMTS82);c:\windows\system32\DRIVERS\swumx82.sys [2009-07-22 148992]
R3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\DRIVERS\swumx90.sys [2009-07-22 148992]
R3 SWUMX91;Sierra Wireless USB MUX Driver (UMTS91);c:\windows\system32\DRIVERS\swumx91.sys [2009-07-22 148992]
R3 SWUMX92;Sierra Wireless USB MUX Driver (UMTS92);c:\windows\system32\DRIVERS\swumx92.sys [2009-07-22 148992]
R3 SWUMX93;Sierra Wireless USB MUX Driver (UMTS93);c:\windows\system32\DRIVERS\swumx93.sys [2009-07-22 148992]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2009-07-22 148992]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\DRIVERS\wacomhidfilter.sys [2009-07-16 14376]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-06 1343400]
S0 FBIOSDRV;Fujitsu BIOS Driver;c:\windows\System32\Drivers\FBIOSDRV.sys [2009-06-24 17008]
S0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\DRIVERS\FJGSDisk.sys [2009-09-09 12776]
S1 MpKsl9c8b9e18;MpKsl9c8b9e18;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{60FA7D7B-F5BC-4859-8599-D18B347AAE66}\MpKsl9c8b9e18.sys [2013-11-20 40392]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-08-01 1807608]
S2 Mobility Time Manager;Mobility Time Manager;c:\program files\A-B\Mobility Time Manager\ABMTimeManager.exe [2010-10-18 18944]
S2 MSSQL$ABMSQL;SQL Server (ABMSQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 MSSQL$ABRSM;SQL Server (ABRSM);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-06-19 107392]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-08-21 2790696]
S2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\Fujitsu\fjdvrupd\updnvsrv.exe [2009-07-15 12800]
S2 VFPRadioSupportService;Bluetooth Feature Support;c:\program files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe [2009-08-20 111488]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-08-01 659328]
S3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\DRIVERS\FjBtnDrv.sys [2009-08-28 18816]
S3 FjGenIo;Fujitsu Generic I/O Driver;c:\windows\System32\Drivers\FjGenIo.sys [2009-08-07 7680]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2006-11-02 5632]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-06-07 273448]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-08-23 4232192]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2009-05-13 48672]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2009-07-03 44064]
S3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\DRIVERS\wisdpen.sys [2011-01-04 37232]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NISDRV
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\SPP-ActiveSetup]
2013-02-15 12:11    151509    ----a-w-    c:\program files\JDA\ABCustom\Service Release\ABUserProfileFiles.EXE
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-28 13:00]
.
2013-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-19 17:14]
.
2013-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-19 17:14]
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local
Trusted Zone: ab-sales.com
Trusted Zone: ab-sales.com\secure
Trusted Zone: ab-sales.com\www
Trusted Zone: abmarketing.com
Trusted Zone: budnet.com\www
Trusted Zone: eaglebh.com
TCP: DhcpNameServer = 64.251.160.2 64.251.173.40






FF - ProfilePath - c:\users\LifeBook\AppData\Roaming\Mozilla\Firefox\Profiles\w79sk0fl.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5356)
c:\program files\Softex\OmniPass\SCUREDLL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\o2flash.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\program files\Fujitsu\Utils\FjDspMon.exe
c:\program files\Softex\OmniPass\opvapp.exe
c:\windows\system32\igfxext.exe
c:\program files\Microsoft Office\Office14\ONENOTEM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
.
**************************************************************************
.
Completion time: 2013-11-20  17:35:15 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-20 23:35
.
Pre-Run: 6,483,603,456 bytes free
Post-Run: 9,468,751,872 bytes free
.
- - End Of File - - F30FC2B9E7E4209E55B45EC6A105E6D2
A36C5E4F47E84449FF07ED3517B43A31
 

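An added check, not part of the thread and not ComboFix's own code: the log above shows UAC switched off under Policies\System (EnableLUA=0, PromptOnSecureDesktop=0, ConsentPromptBehaviorAdmin=0) and loading points whose target file is gone (the "[X]" on ATSwpNav and the "[x]" on the rcvpn driver). The script below re-checks those same points on the live machine: the UAC values, every Run/RunOnce entry (missing target, or target without a valid Authenticode signature) and every service and kernel driver whose image file no longer exists. The secure-baseline values and the command-line parsing heuristic are my assumptions, not Windows APIs.

```powershell
# Added example, not from the thread or from ComboFix. Re-checks on the live
# machine what the ComboFix log made visible: the UAC policy values under
# Policies\System and autorun/service entries whose target file is missing
# (ComboFix marks those "[X]" / "[x]"). Baseline values and the command-line
# parsing below are assumptions. Run from an elevated Windows PowerShell
# prompt (2.0 or later).

function Get-ImagePath([string]$command) {
    # Heuristic: pull the executable out of a command line such as
    #   "c:\path\foo.exe" /quiet      c:\path\foo.exe -k netsvcs      c:\path\foo -run
    $c = $command.Trim()
    if ($c -match '^"([^"]+)"')                  { return $Matches[1] }   # quoted path
    if ($c -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }   # up to the extension
    return ($c -split '\s+[-/]')[0]                                        # drop " -run", " /x"
}

function Resolve-ImagePath([string]$command) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $command))
    if (-not $exe) { return $exe }
    $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''   # driver-style prefixes
    if ($exe -notmatch '[\\/]') {
        # bare name such as rundll32.exe: resolve through PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Path) { $exe = $cmd.Path }
    } elseif ($exe -notmatch '^[A-Za-z]:\\') {
        $exe = Join-Path $env:SystemRoot $exe                              # e.g. system32\DRIVERS\x.sys
    }
    return $exe
}

function Invoke-AutorunAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. UAC policy. Assumed baseline: EnableLUA=1, PromptOnSecureDesktop=1,
    #    ConsentPromptBehaviorAdmin not 0 (Windows 7 ships with 5 = prompt for consent).
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $policy
    if ($uac.EnableLUA -eq 0) {
        $findings.Add('UAC is off (EnableLUA=0): every process of an administrator runs with the full token')
    }
    if ($uac.PromptOnSecureDesktop -eq 0) {
        $findings.Add('Elevation prompts are not shown on the secure desktop (PromptOnSecureDesktop=0)')
    }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('Administrators elevate silently (ConsentPromptBehaviorAdmin=0)')
    }

    # 2. Run / RunOnce entries: missing target, or target without a valid Authenticode signature.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($p in $entries.PSObject.Properties) {
            if ($meta -contains $p.Name -or -not $p.Value) { continue }
            $exe = Resolve-ImagePath ([string]$p.Value)
            if (-not (Test-Path -LiteralPath $exe)) {
                $findings.Add("Autorun '$($p.Name)' ($key) points at a missing file: $exe")
                continue
            }
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Autorun '$($p.Name)' is not validly signed [$($sig.Status)]: $exe")
            }
        }
    }

    # 3. Services and kernel drivers whose image file is gone (the "[x]" rcvpn driver in the log).
    $images = @(Get-WmiObject -Class Win32_Service) + @(Get-WmiObject -Class Win32_SystemDriver)
    foreach ($svc in $images) {
        if (-not $svc.PathName) { continue }
        $exe = Resolve-ImagePath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings.Add("Service/driver '$($svc.Name)' points at a missing file: $exe")
        }
    }

    return $findings
}

$result = @(Invoke-AutorunAudit)
$result | ForEach-Object { Write-Output $_ }
Write-Output ("{0} finding(s)" -f $result.Count)
```

A missing-file autorun or driver is a dead loading point (harmless on its own, but it is exactly the kind of entry a cleanup should remove), and the three UAC lines are what Security Check reports later in this thread as "UAC is disabled!". Unsigned Run entries are not proof of anything; vendor utilities are often unsigned, so treat that list as a review queue, not a verdict.
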

Looks Good......

Let's clean out any adware/spyware now (this will require a reboot, so save all your work):

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":


  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


As far as I can tell the computer seems to be running well. I do notice there is now an ENORMOUS (11.6 GB) file on the C drive called Avenger.txt, which I assume is a result of all this. Obviously this file is taking up a great deal of room on his hard drive...Is it something that can be deleted?

 

Also, since he had MSE running but it did not prevent this infection is there a different antivirus program you would recommend instead?

 

Here are the requested logs:

 

# AdwCleaner v3.012 - Report created 21/11/2013 at 09:59:30
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : LifeBook - T2010-07
# Running from : C:\Users\LifeBook\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\LifeBook\AppData\LocalLow\AskToolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_farming-simulator_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_farming-simulator_RASMANCS
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\ParetoLogic

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\LifeBook\AppData\Roaming\Mozilla\Firefox\Profiles\w79sk0fl.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1402 octets] - [21/11/2013 09:29:03]
AdwCleaner[s0].txt - [1351 octets] - [21/11/2013 09:59:30]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1411 octets] ##########
 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.21.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
LifeBook :: T2010-07 [administrator]

11/21/2013 10:10:29 AM
mbam-log-2013-11-21 (10-10-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245241
Time elapsed: 19 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 


That's not from me but another program that was once used called Avenger.

You can delete it.

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Done...

 

 Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 21  
 Java version out of Date!
 Adobe Reader 10.1.8 Adobe Reader out of Date!  
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java 7 Update 21 <---please update, should be Update 45

Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Adobe Reader 10.1.8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete, e.g. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner > just run the program and click Uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC

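An added example, not part of the thread and not Security Check's own code: the "update or uninstall" step above is easier to verify if you read the installed-software inventory out of the Uninstall registry keys and compare each DisplayVersion with a minimum you keep. The minimum versions in $minimum are my assumptions for illustration: the thread asks for Java 7 Update 45, which the Uninstall key records as DisplayVersion 7.0.450 (an assumed mapping), and the Adobe Reader floor is a placeholder; set both to your own baseline.

```powershell
# Added example, not from the thread, Security Check or Malwarebytes. Reads the
# installed-software list from the Uninstall registry keys and flags entries
# below a minimum version. The minimums are assumptions for illustration.
# Runs in Windows PowerShell 2.0 or later; no elevation needed to read these keys.

function Get-InstalledSoftware {
    # Native view, the 32-bit view on 64-bit Windows, and per-user installs
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -and $_.DisplayVersion } |
            Select-Object DisplayName, DisplayVersion, Publisher
    }
}

function ConvertTo-VersionSafe([string]$text) {
    # DisplayVersion is free text ("10.1.8", "7.0.450", "3 beta"); keep the leading
    # dotted digits and pad to major.minor so [Version] accepts the value.
    if ($text -match '^\s*(\d+(\.\d+){0,3})') {
        $v = $Matches[1]
        if ($v -notmatch '\.') { $v = "$v.0" }
        return [Version]$v
    }
    return $null
}

function Test-OutdatedSoftware([hashtable]$minimum) {
    $installed = @(Get-InstalledSoftware)
    foreach ($pattern in $minimum.Keys) {
        $hits = @($installed | Where-Object { $_.DisplayName -like $pattern })
        if ($hits.Count -eq 0) {
            New-Object PSObject -Property @{ State = 'ABSENT'; Name = $pattern; Have = ''; Need = $minimum[$pattern] }
            continue
        }
        # Every matching entry is reported: an old Java Update left beside a new one
        # is still an installed, reachable runtime, hence "update or uninstall" above.
        foreach ($h in $hits) {
            $have  = ConvertTo-VersionSafe $h.DisplayVersion
            $state = if ($have -and $have -ge $minimum[$pattern]) { 'OK' } else { 'OUTDATED' }
            New-Object PSObject -Property @{ State = $state; Name = $h.DisplayName; Have = $h.DisplayVersion; Need = $minimum[$pattern] }
        }
    }
}

$minimum = @{
    'Java 7*'       = [Version]'7.0.450'   # Java 7 Update 45 as the thread requests (assumed mapping)
    'Adobe Reader*' = [Version]'11.0'      # placeholder floor; set to your own baseline
}

Test-OutdatedSoftware $minimum | Format-Table State, Name, Have, Need -AutoSize
```

Because the script matches on DisplayName patterns, it lists each installed Java entry separately; a leftover "Java 7 Update 21" next to a freshly installed Update 45 still shows as OUTDATED, which is the case the advice above wants you to catch.
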

All went smoothly except for Adobe Reader....when I check for updates it tells me it is actually up to date. I will, however, mention to him the other reader you recommended and perhaps he will switch to that.

 

I'm going to turn the computer back over to the owner and let him test it out to make sure everything is working for him. I will post back if he encounters any issues.

 

Thank you SO much for your help! You're a lifesaver, MrC!!

