
Services.exe seems to be compromised


23 replies to this topic

#1 nicoray


Posted 03 July 2012 - 02:46 PM

Hello, I think I am another one of the unfortunate who have encountered this root toolkit issue. I am new to this forum, and reading the various postings and support, the effort and quality of responses is really commendable. I've tried to follow the preparation guide protocol and performed the various steps. Your help is greatly appreciated. Regards, Nicoray.

I was running AVG, which I have now uninstalled. It identified various trojans but only gave me the ignore option. I also had Malwarebytes, so I updated it and ran it several times in safe mode and regular Win 7 32-bit mode, and each time it identifies various trojans and removes them. But on reboot and internet connect, they always come back. Also ran TDSSKiller.

Thanks again.


#2 CatByte

  • Malware Response Team

Posted 03 July 2012 - 09:49 PM

Hi, please run the following:


download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]type exit and reboot the computer normally
[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.[/list]



Also, please post the TDSSKiller log(s) you have

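Once FRST.txt is back, the "Created Files and Folders" section is usually where dropper activity shows first. The Python script below is an added example, not part of this post or of FRST itself: it parses that section's line format and flags a few patterns typical of this kind of infection (a burst of At*.job scheduled tasks created in the same minute, an unsigned hex-named .exe placed directly in System32, a hidden+system folder in System32 named like an environment variable, and several new AppData\Roaming folders within an hour); the log lines, user name and file names it runs on are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format of FRST's "Created/Modified Files and Folders" sections:
#   <created> - <modified> - <size> <attrs> [(<company>)] <path>
# e.g. 2012-06-26 13:56 - 2012-07-03 21:00 - 00000342 ____A C:\Windows\Tasks\At48.job
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*?)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Constructed sample in FRST format (not a real log): five tasks created in one
# minute, three new Roaming folders, a hex-named .exe, a fake %APPDATA% folder,
# plus two benign entries that must not be flagged.
SAMPLE_FRST = r"""
============ One Month Created Files and Folders ==============

2012-06-26 13:56 - 2012-07-03 21:00 - 00000342 ____A C:\Windows\Tasks\At8.job
2012-06-26 13:56 - 2012-07-03 20:00 - 00000342 ____A C:\Windows\Tasks\At7.job
2012-06-26 13:56 - 2012-07-03 19:00 - 00000342 ____A C:\Windows\Tasks\At6.job
2012-06-26 13:56 - 2012-07-03 18:00 - 00000342 ____A C:\Windows\Tasks\At5.job
2012-06-26 13:56 - 2012-07-03 17:00 - 00000342 ____A C:\Windows\Tasks\At4.job
2012-06-26 13:55 - 2012-06-26 13:55 - 00000000 ____D C:\Users\alice\AppData\Roaming\Qwab
2012-06-26 13:55 - 2012-06-26 14:02 - 00000000 ____D C:\Users\alice\AppData\Roaming\Lovum
2012-06-26 13:54 - 2012-06-26 16:21 - 00000000 ____D C:\Users\alice\AppData\Roaming\Ihym
2012-06-26 13:54 - 2012-06-26 13:54 - 00075106 ____A C:\Windows\System32\7a3f9c1e.exe
2012-06-25 21:20 - 2012-06-25 21:20 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-25 20:46 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-14 20:31 - 2012-06-14 20:32 - 00000000 ____D C:\Program Files\iTunes
"""


def parse_frst_entries(text):
    """Parse every line matching the file/folder format; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], TS_FMT)
        e["modified"] = datetime.strptime(e["modified"], TS_FMT)
        e["size"] = int(e["size"])
        e["name"] = e["path"].rsplit("\\", 1)[-1]   # last path component
        entries.append(e)
    return entries


def triage(entries, task_burst=5, roaming_burst=3, window=timedelta(hours=1)):
    """Return (rule, detail) pairs for entries that deserve a closer look."""
    findings = []

    # Rule 1: many AtN.job scheduled tasks created in the same minute.
    tasks_by_minute = defaultdict(list)
    for e in entries:
        if re.search(r"\\Windows\\Tasks\\At\d+\.job$", e["path"], re.I):
            tasks_by_minute[e["created"]].append(e["name"])
    for minute, names in sorted(tasks_by_minute.items()):
        if len(names) >= task_burst:
            findings.append(("task-burst",
                             f"{len(names)} At*.job tasks created at {minute:%Y-%m-%d %H:%M}"))

    # Rule 2: executable with a hex-looking name and no company string, directly in System32.
    for e in entries:
        if (re.search(r"\\Windows\\System32\\[^\\]+$", e["path"], re.I)
                and re.fullmatch(r"[0-9a-f]{6,}\.exe", e["name"], re.I)
                and not e["company"]):
            findings.append(("unsigned-hex-exe", e["path"]))

    # Rule 3: hidden+system directory inside System32 whose name mimics an environment variable.
    for e in entries:
        a = e["attrs"]
        if ("D" in a and "S" in a and "H" in a and e["name"].startswith("%")
                and re.search(r"\\Windows\\System32\\", e["path"], re.I)):
            findings.append(("fake-envvar-dir", e["path"]))

    # Rule 4: several brand-new top-level AppData\Roaming folders inside one time window.
    roaming = sorted(e["created"] for e in entries
                     if "D" in e["attrs"]
                     and re.search(r"\\AppData\\Roaming\\[^\\]+$", e["path"], re.I))
    for i, start in enumerate(roaming):
        n = sum(1 for t in roaming[i:] if t - start <= window)
        if n >= roaming_burst:
            findings.append(("roaming-dir-burst",
                             f"{n} new AppData\\Roaming folders within {window} of {start:%Y-%m-%d %H:%M}"))
            break
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_frst_entries(SAMPLE_FRST)):
        print(f"[{rule}] {detail}")
```

The rules are deliberately loose heuristics to shortlist lines for a human to check against the rest of the log; they are not a verdict on any single entry.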


#3 nicoray


Posted 04 July 2012 - 12:13 AM

Thank you for the reply. Here is the FRST file; the TDSSKiller log is to follow:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by SYSTEM at 03-07-2012 23:07:34
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe [496184 2010-03-03] (Conexant Systems, Inc.)
HKLM\...\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe [233472 2010-06-09] (Alcor Micro Corp.)
HKLM\...\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe [908368 2010-04-07] (Dritek System Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1725736 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [ODDPwr] "C:\Program Files\Acer\Optical Drive Power Management\ODDPwr.exe" [186912 2010-04-22] (Acer Incorporated)
HKLM\...\Run: [BackupManagerTray] "C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k [260608 2010-03-08] (NewTech Infosystems, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2010-04-06] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [175640 2010-04-06] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [169496 2010-04-06] (Intel Corporation)
HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [206208 2010-08-11] ()
HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [715296 2010-04-23] (Acer Incorporated)
HKLM\...\Run: [EgisTecPMMUpdate] "C:\Program Files\EgisTec IPS\PmmUpdate.exe" [401192 2009-12-24] (Egis Technology Inc.)
HKLM\...\Run: [EgisUpdate] "C:\Program Files\EgisTec IPS\EgisUpdate.exe" -d [201512 2009-12-24] (Egis Technology Inc.)
HKLM\...\Run: [VitaKeyTSR] "C:\Program Files\Acer Bio Protection\EgisTSR.exe" /run [186224 2010-06-02] (Egis Technology Inc. )
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [1298320 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [] [x]
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [IBWin Background process] "C:\IBackup for Windows\IBackground_955.exe" [42472 2012-02-03] (Pro Softnet Corporation)
HKLM\...\Run: [IBWin Monitor] "C:\IBackup for Windows\IBMonitor.exe" Min [1861096 2012-02-09] (Pro Softnet Corporation)
HKU\Doug\...\Run: [IBWin Background process] "C:\IBackup for Windows\IBackground_955.exe" [42472 2012-02-03] (Pro Softnet Corporation)
HKU\Doug\...\Run: [IBWin Monitor] "C:\IBackup for Windows\IBMonitor.exe" Min [1861096 2012-02-09] (Pro Softnet Corporation)
HKU\Doug\...\Run: [AdobeBridge] [x]
HKU\Doug\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-06-23] (Google Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1082440 2012-04-04] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Lsa: [Notification Packages] EgisPwdFilter
EgisDSPwdFilter
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)

================================ Services (Whitelisted) ==================

2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe [628000 2010-03-26] (Broadcom Corporation.)
2 EgisTec Service; "C:\Program Files\Acer Bio Protection\EgisService.exe" [310128 2010-06-02] (Egis Technology Inc. )
2 EgisTec Ticket Service; "C:\Program Files\Common Files\EgisTec\Services\EgisTicketService.exe" [257904 2010-06-02] (Egis Technology Inc. )
3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [556032 2010-08-03] (Microsoft Corporation)
3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)
2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [735776 2010-04-23] (Acer Incorporated)
2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 ExpressInvoiceService; "C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe" -service [1696772 2011-01-26] (NCH Software)
2 GREGService; C:\Program Files\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
2 IBAdminProcess; "C:\IBackup for Windows\IBAdminProcess.exe" [124392 2012-02-03] (Pro Softnet Corporation)
2 IBWin Service; "C:\IBackup for Windows\IBWin Service_955.exe" [132584 2012-02-03] (Pro Softnet Corporation)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374152 2012-05-31] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136584 2012-05-31] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2011-09-16] (LogMeIn, Inc.)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-19] (Microsoft Corporation)
3 MSSQL$MSSMLBIZ; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
4 MSSQLServerADHelper; "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [44384 2010-12-10] (Microsoft Corporation)
2 NTI IScheduleSvc; C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [250368 2010-03-08] (NewTech Infosystems, Inc.)
3 NTIBackupSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [50432 2009-11-05] (NewTech InfoSystems, Inc.)
2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [144640 2009-11-05] (NewTech Infosystems, Inc.)
2 ODDPwrSvc; C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [129568 2010-04-22] (Acer Incorporated)
2 PSI_SVC_2; "C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [185632 2007-07-24] (Protexis Inc.)
2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [24576 2011-11-28] (Intuit)
3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2008-11-18] (Intuit Inc.)
2 rpcnet; C:\Windows\system32\rpcnet.exe [58288 2012-04-04] (Absolute Software Corp.)
2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)
2 SQLBrowser; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [238944 2010-12-10] (Microsoft Corporation)
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [86880 2010-12-10] (Microsoft Corporation)
3 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
2 Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
3 wbengine; "C:\Windows\system32\wbengine.exe" [1202688 2009-07-13] (Microsoft Corporation)
2 FastUserSwitchingCompatibility; C:\Windows\system32\FastUserSwitchingCompatibilityex.dll [x]

========================== Drivers (Whitelisted) =============

3 AmUStor; C:\Windows\System32\drivers\AmUStor.SYS [25600 2010-06-09] (Alcor Micro, Corp.)
3 btwampfl; C:\Windows\System32\drivers\btwampfl.sys [286248 2010-03-05] (Broadcom Corporation.)
2 FPSensor; C:\Windows\System32\Drivers\FPSensor.sys [29232 2010-08-11] (EgisTec)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2011-09-16] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2011-09-16] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-09-16] (LogMeIn, Inc.)
3 Netaapl; C:\Windows\System32\DRIVERS\netaapl.sys [18432 2011-05-10] (Apple Inc.)
3 NTIDrvr; \??\C:\Windows\system32\drivers\NTIDrvr.sys [15360 2009-05-05] (NewTech Infosystems, Inc.)
3 PROCEXP113; \??\C:\Windows\system32\Drivers\PROCEXP113.SYS [12568 2012-06-26] (Sysinternals - www.sysinternals.com)
3 UBHelper; \??\C:\Windows\system32\drivers\UBHelper.sys [14336 2009-05-05] (NewTech Infosystems Corporation)
4 LMIRfsClientNP; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-01 11:36 - 2012-07-01 11:36 - 00003108 ____A C:\Users\Doug\Desktop\gmer.log
2012-06-27 14:43 - 2012-06-27 14:43 - 00000000 ____A C:\Users\Doug\defogger_reenable
2012-06-27 14:40 - 2012-06-27 14:40 - 00000242 ____A C:\Users\Doug\Desktop\defogger_enable.log
2012-06-27 12:38 - 2012-06-27 12:05 - 00882250 ____A C:\FRST.exe
2012-06-27 12:35 - 2012-06-27 14:43 - 00000444 ____A C:\Users\Doug\Desktop\defogger_disable.log
2012-06-27 12:35 - 2012-06-27 12:22 - 00050477 ____A C:\Users\Doug\Desktop\Defogger.exe
2012-06-27 12:34 - 2012-06-27 12:34 - 00021064 ____A C:\Users\Doug\Desktop\Attach.txt
2012-06-27 12:34 - 2012-06-27 12:26 - 00302592 ____A C:\Users\Doug\Desktop\wpqh3to6.exe
2012-06-27 12:32 - 2012-06-27 12:32 - 00024164 ____A C:\Users\Doug\Desktop\DDS.txt
2012-06-27 12:30 - 2012-06-27 12:23 - 00607260 ____R (Swearware) C:\Users\Doug\Desktop\dds.scr
2012-06-26 20:15 - 2012-06-26 20:15 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-06-26 20:11 - 2012-06-26 20:12 - 00000000 ___SD C:\ComboFix
2012-06-26 20:10 - 2012-06-26 20:10 - 00012568 ____A (Sysinternals - www.sysinternals.com) C:\Windows\System32\Drivers\PROCEXP113.SYS
2012-06-26 20:09 - 2012-06-26 20:11 - 00000000 ____D C:\Qoobox
2012-06-26 20:08 - 2012-06-26 20:14 - 00000000 ___SD C:\32788R22FWJFW
2012-06-26 18:55 - 2012-06-27 10:16 - 00039663 ____A C:\FRST.txt
2012-06-26 18:54 - 2012-07-03 23:08 - 00000000 ____D C:\FRST
2012-06-26 18:51 - 2012-06-26 18:27 - 00882250 ____A C:\FRST32.exe
2012-06-26 15:56 - 2012-06-26 16:21 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Muygo
2012-06-26 15:56 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Utabz
2012-06-26 15:56 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ursy
2012-06-26 14:23 - 2012-06-26 15:39 - 00078801 ____A C:\Windows\System32\avgrep.txt
2012-06-26 14:06 - 2012-06-26 14:06 - 00000036 ____A C:\Users\Doug\AppData\Roaming\AB7738.dat
2012-06-26 13:56 - 2012-07-03 21:00 - 00000342 ____A C:\Windows\Tasks\At48.job
2012-06-26 13:56 - 2012-07-03 21:00 - 00000340 ____A C:\Windows\Tasks\At24.job
2012-06-26 13:56 - 2012-07-03 20:00 - 00000342 ____A C:\Windows\Tasks\At47.job
2012-06-26 13:56 - 2012-07-03 20:00 - 00000340 ____A C:\Windows\Tasks\At23.job
2012-06-26 13:56 - 2012-07-03 19:00 - 00000342 ____A C:\Windows\Tasks\At46.job
2012-06-26 13:56 - 2012-07-03 19:00 - 00000340 ____A C:\Windows\Tasks\At22.job
2012-06-26 13:56 - 2012-07-03 18:00 - 00000342 ____A C:\Windows\Tasks\At45.job
2012-06-26 13:56 - 2012-07-03 18:00 - 00000340 ____A C:\Windows\Tasks\At21.job
2012-06-26 13:56 - 2012-07-03 17:00 - 00000342 ____A C:\Windows\Tasks\At44.job
2012-06-26 13:56 - 2012-07-03 16:00 - 00000342 ____A C:\Windows\Tasks\At43.job
2012-06-26 13:56 - 2012-07-03 15:00 - 00000342 ____A C:\Windows\Tasks\At42.job
2012-06-26 13:56 - 2012-07-03 14:00 - 00000342 ____A C:\Windows\Tasks\At41.job
2012-06-26 13:56 - 2012-07-03 13:00 - 00000342 ____A C:\Windows\Tasks\At40.job
2012-06-26 13:56 - 2012-07-03 12:00 - 00000342 ____A C:\Windows\Tasks\At39.job
2012-06-26 13:56 - 2012-07-03 11:00 - 00000342 ____A C:\Windows\Tasks\At38.job
2012-06-26 13:56 - 2012-07-03 10:00 - 00000342 ____A C:\Windows\Tasks\At37.job
2012-06-26 13:56 - 2012-07-01 09:00 - 00000342 ____A C:\Windows\Tasks\At36.job
2012-06-26 13:56 - 2012-07-01 08:00 - 00000342 ____A C:\Windows\Tasks\At35.job
2012-06-26 13:56 - 2012-07-01 07:00 - 00000342 ____A C:\Windows\Tasks\At34.job
2012-06-26 13:56 - 2012-07-01 06:00 - 00000342 ____A C:\Windows\Tasks\At33.job
2012-06-26 13:56 - 2012-07-01 05:00 - 00000342 ____A C:\Windows\Tasks\At32.job
2012-06-26 13:56 - 2012-07-01 04:00 - 00000342 ____A C:\Windows\Tasks\At31.job
2012-06-26 13:56 - 2012-07-01 03:00 - 00000342 ____A C:\Windows\Tasks\At30.job
2012-06-26 13:56 - 2012-07-01 02:00 - 00000342 ____A C:\Windows\Tasks\At29.job
2012-06-26 13:56 - 2012-07-01 01:00 - 00000342 ____A C:\Windows\Tasks\At28.job
2012-06-26 13:56 - 2012-07-01 00:00 - 00000342 ____A C:\Windows\Tasks\At27.job
2012-06-26 13:56 - 2012-06-30 23:00 - 00000342 ____A C:\Windows\Tasks\At26.job
2012-06-26 13:56 - 2012-06-30 22:34 - 00000342 ____A C:\Windows\Tasks\At25.job
2012-06-26 13:55 - 2012-07-03 17:00 - 00000340 ____A C:\Windows\Tasks\At20.job
2012-06-26 13:55 - 2012-07-03 16:00 - 00000340 ____A C:\Windows\Tasks\At19.job
2012-06-26 13:55 - 2012-07-03 15:00 - 00000340 ____A C:\Windows\Tasks\At18.job
2012-06-26 13:55 - 2012-07-03 14:00 - 00000340 ____A C:\Windows\Tasks\At17.job
2012-06-26 13:55 - 2012-07-03 13:00 - 00000340 ____A C:\Windows\Tasks\At16.job
2012-06-26 13:55 - 2012-07-03 12:00 - 00000340 ____A C:\Windows\Tasks\At15.job
2012-06-26 13:55 - 2012-07-03 11:00 - 00000340 ____A C:\Windows\Tasks\At14.job
2012-06-26 13:55 - 2012-07-03 10:00 - 00000340 ____A C:\Windows\Tasks\At13.job
2012-06-26 13:55 - 2012-07-01 09:00 - 00000340 ____A C:\Windows\Tasks\At12.job
2012-06-26 13:55 - 2012-07-01 08:00 - 00000340 ____A C:\Windows\Tasks\At11.job
2012-06-26 13:55 - 2012-07-01 07:00 - 00000340 ____A C:\Windows\Tasks\At10.job
2012-06-26 13:55 - 2012-07-01 06:00 - 00000340 ____A C:\Windows\Tasks\At9.job
2012-06-26 13:55 - 2012-07-01 05:00 - 00000340 ____A C:\Windows\Tasks\At8.job
2012-06-26 13:55 - 2012-07-01 04:00 - 00000340 ____A C:\Windows\Tasks\At7.job
2012-06-26 13:55 - 2012-07-01 03:00 - 00000340 ____A C:\Windows\Tasks\At6.job
2012-06-26 13:55 - 2012-07-01 02:00 - 00000340 ____A C:\Windows\Tasks\At5.job
2012-06-26 13:55 - 2012-07-01 01:00 - 00000340 ____A C:\Windows\Tasks\At4.job
2012-06-26 13:55 - 2012-07-01 00:00 - 00000340 ____A C:\Windows\Tasks\At3.job
2012-06-26 13:55 - 2012-06-30 23:00 - 00000340 ____A C:\Windows\Tasks\At2.job
2012-06-26 13:55 - 2012-06-26 16:21 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Owuqel
2012-06-26 13:55 - 2012-06-26 14:02 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Cuat
2012-06-26 13:55 - 2012-06-26 13:55 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ypodir
2012-06-26 13:54 - 2012-06-30 22:17 - 00000340 ____A C:\Windows\Tasks\At1.job
2012-06-26 13:54 - 2012-06-26 16:21 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ms_dir_
2012-06-26 13:54 - 2012-06-26 13:54 - 00075106 ____A C:\Windows\System32\1fdcd3d9.exe
2012-06-26 12:15 - 2012-06-26 12:15 - 00013101 ____A C:\Windows\System32\hs_err_pid4956.log
2012-06-26 12:15 - 2012-06-26 12:15 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Google Inc
2012-06-26 09:46 - 2012-06-26 09:46 - 315993997 ____A C:\Windows\MEMORY.DMP
2012-06-26 09:46 - 2012-06-26 09:46 - 00147704 ____A C:\Windows\Minidump\062612-60013-01.dmp
2012-06-26 09:46 - 2012-06-26 09:46 - 00000000 ____D C:\Windows\Minidump
2012-06-25 22:13 - 2012-06-25 22:13 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Help
2012-06-25 21:20 - 2012-06-25 21:20 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-25 20:59 - 2012-06-25 20:59 - 00000000 ____D C:\Users\Doug\AppData\Roaming\TeamViewer
2012-06-25 20:46 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-25 20:46 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-25 20:46 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-25 20:46 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-25 20:45 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-25 20:45 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-25 20:45 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-25 20:45 - 2012-06-02 13:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-25 20:45 - 2012-06-02 13:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-25 20:44 - 2012-06-25 20:44 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-25 14:37 - 2012-06-25 20:19 - 00000480 ____A C:\Users\All Users\YyFJrc7WRqEuhW
2012-06-25 14:37 - 2012-06-25 20:15 - 00000152 ____A C:\Users\All Users\-YyFJrc7WRqEuhWr
2012-06-25 14:37 - 2012-06-25 20:15 - 00000000 ____A C:\Users\All Users\-YyFJrc7WRqEuhW
2012-06-25 10:26 - 2012-06-25 10:47 - 00000000 ____D C:\Users\Doug\Documents\golf pics
2012-06-20 15:22 - 2012-06-20 15:22 - 00033758 ___AH C:\Users\Doug\AppData\Local\dt.dat
2012-06-14 20:32 - 2012-06-14 20:32 - 00001757 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-14 20:31 - 2012-06-14 20:32 - 00000000 ____D C:\Program Files\iTunes
2012-06-14 20:31 - 2012-06-14 20:31 - 00000000 ____D C:\Program Files\iPod
2012-06-13 11:09 - 2012-05-14 19:08 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 11:09 - 2012-05-14 19:06 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 11:09 - 2012-04-27 19:19 - 00177152 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 11:09 - 2012-04-19 21:07 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 11:09 - 2012-04-19 21:07 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 11:09 - 2012-04-19 21:06 - 06028288 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 11:09 - 2012-04-19 21:06 - 00627200 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-13 11:09 - 2012-04-19 21:06 - 00606208 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-06-13 11:09 - 2012-04-19 21:06 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 11:09 - 2012-04-19 21:06 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-06-13 11:09 - 2012-04-19 21:05 - 11019776 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 11:09 - 2012-04-19 21:05 - 02072576 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 11:09 - 2012-04-19 21:05 - 00381440 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-06-13 11:09 - 2012-04-19 21:05 - 00185856 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-06-13 11:09 - 2012-04-19 21:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 11:09 - 2012-04-19 21:05 - 00044544 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-06-13 11:09 - 2012-04-19 21:03 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-06-13 11:09 - 2012-04-19 19:58 - 00386048 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-06-13 11:09 - 2012-04-19 19:24 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 11:08 - 2012-05-14 17:12 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 11:08 - 2012-05-01 20:52 - 00163328 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 11:08 - 2012-04-25 20:48 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 11:08 - 2012-04-25 20:48 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 11:08 - 2012-04-25 20:43 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 11:08 - 2012-04-23 20:47 - 01156608 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 11:08 - 2012-04-23 20:47 - 00139264 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 11:08 - 2012-04-23 20:47 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 11:08 - 2012-04-16 20:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 11:08 - 2012-04-07 03:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll


============ 3 Months Modified Files and Folders ===============

2012-07-03 23:08 - 2012-06-26 18:54 - 00000000 ____D C:\FRST
2012-07-03 21:03 - 2010-08-11 16:06 - 00114594 ____A C:\Windows\PFRO.log
2012-07-03 21:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At48.job
2012-07-03 21:00 - 2012-06-26 13:56 - 00000340 ____A C:\Windows\Tasks\At24.job
2012-07-03 20:44 - 2011-06-25 20:07 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3152815046-135200866-3593950756-1001UA.job
2012-07-03 20:36 - 2011-01-26 07:31 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-03 20:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At47.job
2012-07-03 20:00 - 2012-06-26 13:56 - 00000340 ____A C:\Windows\Tasks\At23.job
2012-07-03 19:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At46.job
2012-07-03 19:00 - 2012-06-26 13:56 - 00000340 ____A C:\Windows\Tasks\At22.job
2012-07-03 18:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At45.job
2012-07-03 18:00 - 2012-06-26 13:56 - 00000340 ____A C:\Windows\Tasks\At21.job
2012-07-03 17:44 - 2011-06-25 20:07 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3152815046-135200866-3593950756-1001Core.job
2012-07-03 17:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At44.job
2012-07-03 17:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At20.job
2012-07-03 16:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At43.job
2012-07-03 16:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At19.job
2012-07-03 15:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At42.job
2012-07-03 15:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At18.job
2012-07-03 14:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At41.job
2012-07-03 14:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At17.job
2012-07-03 13:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At40.job
2012-07-03 13:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At16.job
2012-07-03 12:35 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\Offline Web Pages
2012-07-03 12:27 - 2010-06-23 08:39 - 00796132 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-03 12:27 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-03 12:27 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-03 12:23 - 2010-08-11 16:09 - 01474823 ____A C:\Windows\WindowsUpdate.log
2012-07-03 12:21 - 2012-02-01 22:02 - 00001024 ____A C:\.rnd
2012-07-03 12:21 - 2011-01-26 07:31 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-03 12:19 - 2011-01-26 06:12 - 00058288 ____A (Absolute Software Corp.) C:\Windows\System32\rpcnet.dll
2012-07-03 12:19 - 2010-06-23 08:21 - 00017920 ____A C:\Windows\System32\rpcnetp.exe
2012-07-03 12:19 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-03 12:19 - 2009-07-13 20:39 - 00140952 ____A C:\Windows\setupact.log
2012-07-03 12:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At39.job
2012-07-03 12:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At15.job
2012-07-03 11:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At38.job
2012-07-03 11:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At14.job
2012-07-03 10:46 - 2010-06-23 08:51 - 00000000 ____D C:\Windows\Downloaded Installations
2012-07-03 10:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At37.job
2012-07-03 10:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At13.job
2012-07-03 09:46 - 2012-07-03 09:46 - 00000000 ____D C:\Sch
2012-07-03 09:46 - 2012-02-09 21:26 - 00000000 ____D C:\Users\Doug\AppData\Local\IBackup
2012-07-03 09:44 - 2011-06-05 18:08 - 00000000 ____D C:\Windows\Sun
2012-07-03 09:44 - 2011-03-24 06:23 - 00000000 ____D C:\Users\All Users\LogMeIn
2012-07-01 11:36 - 2012-07-01 11:36 - 00003108 ____A C:\Users\Doug\Desktop\gmer.log
2012-07-01 09:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At36.job
2012-07-01 09:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At12.job
2012-07-01 08:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At35.job
2012-07-01 08:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At11.job
2012-07-01 07:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At34.job
2012-07-01 07:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At10.job
2012-07-01 06:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At33.job
2012-07-01 06:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At9.job
2012-07-01 05:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At32.job
2012-07-01 05:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At8.job
2012-07-01 04:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At31.job
2012-07-01 04:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At7.job
2012-07-01 03:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At30.job
2012-07-01 03:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At6.job
2012-07-01 02:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At29.job
2012-07-01 02:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At5.job
2012-07-01 01:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At28.job
2012-07-01 01:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At4.job
2012-07-01 00:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At27.job
2012-07-01 00:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At3.job
2012-06-30 23:00 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At26.job
2012-06-30 23:00 - 2012-06-26 13:55 - 00000340 ____A C:\Windows\Tasks\At2.job
2012-06-30 22:34 - 2012-06-26 13:56 - 00000342 ____A C:\Windows\Tasks\At25.job
2012-06-30 22:17 - 2012-06-26 13:54 - 00000340 ____A C:\Windows\Tasks\At1.job
2012-06-27 14:43 - 2012-06-27 14:43 - 00000000 ____A C:\Users\Doug\defogger_reenable
2012-06-27 14:43 - 2012-06-27 12:35 - 00000444 ____A C:\Users\Doug\Desktop\defogger_disable.log
2012-06-27 14:43 - 2011-01-26 06:10 - 00000000 ____D C:\users\Doug
2012-06-27 14:40 - 2012-06-27 14:40 - 00000242 ____A C:\Users\Doug\Desktop\defogger_enable.log
2012-06-27 13:09 - 2011-01-26 11:13 - 00000000 ____D C:\Users\Doug\Documents\Web Contents
2012-06-27 12:34 - 2012-06-27 12:34 - 00021064 ____A C:\Users\Doug\Desktop\Attach.txt
2012-06-27 12:32 - 2012-06-27 12:32 - 00024164 ____A C:\Users\Doug\Desktop\DDS.txt
2012-06-27 12:26 - 2012-06-27 12:34 - 00302592 ____A C:\Users\Doug\Desktop\wpqh3to6.exe
2012-06-27 12:23 - 2012-06-27 12:30 - 00607260 ____R (Swearware) C:\Users\Doug\Desktop\dds.scr
2012-06-27 12:22 - 2012-06-27 12:35 - 00050477 ____A C:\Users\Doug\Desktop\Defogger.exe
2012-06-27 12:21 - 2010-06-23 08:21 - 00017920 ____A C:\Windows\System32\rpcnetp.dll
2012-06-27 12:05 - 2012-06-27 12:38 - 00882250 ____A C:\FRST.exe
2012-06-27 10:45 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Resources
2012-06-27 10:16 - 2012-06-26 18:55 - 00039663 ____A C:\FRST.txt
2012-06-27 10:12 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\security
2012-06-27 07:40 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\LiveKernelReports
2012-06-26 20:46 - 2011-11-22 15:58 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-06-26 20:32 - 2010-06-23 08:55 - 00000000 ____D C:\Windows\PCHEALTH
2012-06-26 20:24 - 2011-10-18 10:29 - 00000000 ____D C:\Users\All Users\AVG2012
2012-06-26 20:22 - 2011-01-27 22:07 - 00000000 ____D C:\Users\All Users\MFAData
2012-06-26 20:21 - 2011-01-27 22:24 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-06-26 20:15 - 2012-06-26 20:15 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-06-26 20:14 - 2012-06-26 20:08 - 00000000 ___SD C:\32788R22FWJFW
2012-06-26 20:12 - 2012-06-26 20:11 - 00000000 ___SD C:\ComboFix
2012-06-26 20:11 - 2012-06-26 20:09 - 00000000 ____D C:\Qoobox
2012-06-26 20:10 - 2012-06-26 20:10 - 00012568 ____A (Sysinternals - www.sysinternals.com) C:\Windows\System32\Drivers\PROCEXP113.SYS
2012-06-26 18:27 - 2012-06-26 18:51 - 00882250 ____A C:\FRST32.exe
2012-06-26 16:21 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Muygo
2012-06-26 16:21 - 2012-06-26 13:55 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Owuqel
2012-06-26 16:21 - 2012-06-26 13:54 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ms_dir_
2012-06-26 16:21 - 2011-10-19 07:29 - 00000000 ____D C:\Program Files\MALWAREBYTES ANTI-MALWARE
2012-06-26 15:56 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Utabz
2012-06-26 15:56 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ursy
2012-06-26 15:54 - 2012-01-11 01:36 - 00000000 __SHD C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}
2012-06-26 15:39 - 2012-06-26 14:23 - 00078801 ____A C:\Windows\System32\avgrep.txt
2012-06-26 14:16 - 2010-06-23 09:04 - 00000000 ____D C:\Users\All Users\Partner
2012-06-26 14:06 - 2012-06-26 14:06 - 00000036 ____A C:\Users\Doug\AppData\Roaming\AB7738.dat
2012-06-26 14:02 - 2012-06-26 13:55 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Cuat
2012-06-26 13:55 - 2012-06-26 13:55 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ypodir
2012-06-26 13:54 - 2012-06-26 13:54 - 00075106 ____A C:\Windows\System32\1fdcd3d9.exe
2012-06-26 12:15 - 2012-06-26 12:15 - 00013101 ____A C:\Windows\System32\hs_err_pid4956.log
2012-06-26 12:15 - 2012-06-26 12:15 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Google Inc
2012-06-26 09:46 - 2012-06-26 09:46 - 315993997 ____A C:\Windows\MEMORY.DMP
2012-06-26 09:46 - 2012-06-26 09:46 - 00147704 ____A C:\Windows\Minidump\062612-60013-01.dmp
2012-06-26 09:46 - 2012-06-26 09:46 - 00000000 ____D C:\Windows\Minidump
2012-06-26 08:14 - 2011-01-26 13:05 - 00000000 ____D C:\Windows\Twain32
2012-06-26 00:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-06-25 22:13 - 2012-06-25 22:13 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Help
2012-06-25 21:20 - 2012-06-25 21:20 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-25 20:59 - 2012-06-25 20:59 - 00000000 ____D C:\Users\Doug\AppData\Roaming\TeamViewer
2012-06-25 20:44 - 2012-06-25 20:44 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-25 20:44 - 2011-10-19 07:29 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-06-25 20:37 - 2010-08-11 16:21 - 00000000 ____D C:\Program Files\Acer Bio Protection
2012-06-25 20:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2012-06-25 20:35 - 2012-02-09 21:26 - 00000000 ____D C:\Windows\System32\IBCOMMON
2012-06-25 20:35 - 2012-02-01 22:00 - 00000000 ____D C:\Users\Doug\AppData\Local\Apps\2.0
2012-06-25 20:35 - 2012-01-23 23:19 - 00000000 ____D C:\Users\Doug\AppData\Local\Downloaded Installations
2012-06-25 20:35 - 2012-01-20 08:30 - 00000000 ____D C:\Users\Doug\AppData\Roaming\uTorrent
2012-06-25 20:35 - 2011-12-29 15:39 - 00000000 ____D C:\Users\Doug\AppData\Local\ESCORT_Inc
2012-06-25 20:35 - 2011-12-11 22:03 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Audacity
2012-06-25 20:35 - 2011-09-14 08:41 - 00000000 ____D C:\Users\Doug\AppData\Roaming\dvd-cloner
2012-06-25 20:35 - 2011-07-12 16:14 - 00000000 ____D C:\Users\Doug\AppData\Local\Intuit
2012-06-25 20:35 - 2011-06-03 15:04 - 00000000 ____D C:\Users\Doug\AppData\Roaming\vlc
2012-06-25 20:35 - 2011-05-31 12:20 - 00000000 ____D C:\Users\Doug\AppData\Roaming\FrostWire
2012-06-25 20:35 - 2011-03-02 08:40 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Skype
2012-06-25 20:35 - 2011-02-10 19:47 - 00000000 ____D C:\Users\Doug\AppData\Local\PokerStars.NET
2012-06-25 20:35 - 2011-02-06 21:35 - 00000000 ____D C:\Users\Doug\AppData\Roaming\NCH Software
2012-06-25 20:35 - 2011-02-06 21:24 - 00000000 ____D C:\Users\Doug\AppData\Roaming\FreeHideIP
2012-06-25 20:35 - 2011-01-27 00:26 - 00000000 ___RD C:\Users\Doug\Desktop\Various
2012-06-25 20:35 - 2011-01-26 11:57 - 00000000 ____D C:\Users\Doug\Documents\WebCam Albums
2012-06-25 20:35 - 2011-01-26 11:10 - 00000000 ____D C:\Users\Doug\Documents\Updater
2012-06-25 20:35 - 2011-01-26 11:08 - 00000000 ____D C:\Users\Doug\Documents\Quickbooks Backups
2012-06-25 20:35 - 2011-01-26 11:07 - 00000000 ____D C:\Users\Doug\Documents\PSLS
2012-06-25 20:35 - 2011-01-26 11:05 - 00000000 ___SD C:\Users\Doug\Documents\My Webs
2012-06-25 20:35 - 2011-01-26 10:59 - 00000000 ____D C:\Users\Doug\Documents\ImTOO
2012-06-25 20:35 - 2011-01-26 10:58 - 00000000 ____D C:\Users\Doug\Documents\equal docs
2012-06-25 20:35 - 2011-01-26 10:40 - 00000000 ___SD C:\Users\Doug\Documents\My Web Sites
2012-06-25 20:35 - 2011-01-26 07:16 - 00000000 ____D C:\Users\Doug\AppData\Local\Microsoft Help
2012-06-25 20:35 - 2010-06-23 08:53 - 00000000 ____D C:\Program Files\Acer
2012-06-25 20:35 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-06-25 20:34 - 2012-02-09 21:45 - 00000000 ____D C:\IBackup
2012-06-25 20:34 - 2011-12-29 15:40 - 00000000 ____D C:\ESCORT
2012-06-25 20:34 - 2010-06-23 09:13 - 00000000 ___HD C:\OEM
2012-06-25 20:34 - 2010-06-23 08:37 - 00000000 ____D C:\Intel
2012-06-25 20:33 - 2009-07-13 23:49 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-06-25 20:33 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2012-06-25 20:31 - 2011-11-22 15:59 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Mozilla
2012-06-25 20:31 - 2011-04-05 15:54 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Intuit Canada
2012-06-25 20:31 - 2011-02-06 21:37 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Apowersoft
2012-06-25 20:31 - 2011-01-30 23:27 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Epson
2012-06-25 20:31 - 2011-01-26 09:50 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Corel
2012-06-25 20:31 - 2011-01-26 08:05 - 00000000 ____D C:\Users\Doug\AppData\Roaming\BitDefender
2012-06-25 20:31 - 2011-01-26 06:55 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Adobe
2012-06-25 20:31 - 2011-01-26 06:13 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Macromedia
2012-06-25 20:31 - 2011-01-26 06:10 - 00000000 ____D C:\Users\Doug\AppData\Local\VirtualStore
2012-06-25 20:30 - 2011-11-22 15:59 - 00000000 ____D C:\Users\Doug\AppData\Local\Mozilla
2012-06-25 20:30 - 2011-10-06 22:16 - 00000000 ____D C:\Users\Doug\AppData\Local\HP
2012-06-25 20:30 - 2011-01-26 10:43 - 00000000 ____D C:\Users\Doug\AppData\Local\Adobe
2012-06-25 20:30 - 2011-01-26 06:55 - 00000000 ____D C:\Users\Doug\AppData\Local\Google
2012-06-25 20:19 - 2012-06-25 14:37 - 00000480 ____A C:\Users\All Users\YyFJrc7WRqEuhW
2012-06-25 20:15 - 2012-06-25 14:37 - 00000152 ____A C:\Users\All Users\-YyFJrc7WRqEuhWr
2012-06-25 20:15 - 2012-06-25 14:37 - 00000000 ____A C:\Users\All Users\-YyFJrc7WRqEuhW
2012-06-25 14:32 - 2011-01-26 08:21 - 00000000 ___HD C:\Users\Doug\AppData\Local\Windows Live
2012-06-25 10:47 - 2012-06-25 10:26 - 00000000 ____D C:\Users\Doug\Documents\golf pics
2012-06-21 07:50 - 2011-01-26 11:10 - 00000000 ____D C:\Users\Doug\Documents\Stuff For Sale
2012-06-20 15:22 - 2012-06-20 15:22 - 00033758 ___AH C:\Users\Doug\AppData\Local\dt.dat
2012-06-14 20:32 - 2012-06-14 20:32 - 00001757 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-14 20:32 - 2012-06-14 20:31 - 00000000 ____D C:\Program Files\iTunes
2012-06-14 20:31 - 2012-06-14 20:31 - 00000000 ____D C:\Program Files\iPod
2012-06-14 20:31 - 2011-01-27 01:32 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-06-14 10:32 - 2011-01-26 11:05 - 00000000 ____D C:\Users\Doug\Documents\Personal
2012-06-14 06:30 - 2012-04-03 08:13 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-14 06:30 - 2011-05-15 12:32 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-14 06:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-06-14 05:52 - 2009-07-13 20:33 - 03964664 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 20:44 - 2010-06-23 08:54 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-13 20:41 - 2011-01-26 07:26 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-05 08:29 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
2012-06-02 14:19 - 2012-06-25 20:46 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 20:46 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 20:46 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 20:45 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 20:45 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-25 20:46 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-25 20:45 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 13:19 - 2012-06-25 20:45 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 13:12 - 2012-06-25 20:45 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 12:36 - 2012-02-01 22:01 - 00000000 ____D C:\Program Files\LogMeIn
2012-05-31 12:35 - 2012-02-01 22:02 - 00087424 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-05-31 12:35 - 2012-02-01 22:02 - 00083360 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-05-31 12:35 - 2012-02-01 22:02 - 00030592 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-05-31 10:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-05-31 10:20 - 2011-01-29 17:16 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-05-30 13:41 - 2012-05-30 13:41 - 00000000 ____D C:\Users\All Users\Mozilla
2012-05-30 13:41 - 2012-05-30 13:41 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-28 20:02 - 2011-11-15 12:25 - 00061440 __ASH C:\Users\Doug\Documents\Thumbs.db
2012-05-25 13:09 - 2012-01-07 23:34 - 00000000 ____D C:\Users\Doug\Documents\techmgmt
2012-05-19 08:58 - 2012-05-19 08:58 - 00001819 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-05-19 08:58 - 2012-05-19 08:58 - 00000000 ____D C:\Program Files\QuickTime
2012-05-14 19:08 - 2012-06-13 11:09 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:06 - 2012-06-13 11:09 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 17:12 - 2012-06-13 11:08 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 01:28 - 2010-06-23 09:00 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-11 01:27 - 2009-07-13 23:50 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-06 10:57 - 2012-04-13 10:20 - 00000000 ____D C:\Users\Doug\Documents\SecurView Pro
2012-05-02 11:34 - 2011-04-21 13:51 - 00284800 ___AH C:\Windows\System32\mlfcache.dat
2012-05-01 20:52 - 2012-06-13 11:08 - 00163328 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 17:05 - 2012-04-30 17:05 - 00002048 ____A C:\Windows\System32\win32xmI.TXl
2012-04-30 14:38 - 2011-01-26 11:08 - 00000000 ____D C:\Users\Doug\Documents\Tax Files
2012-04-27 19:19 - 2012-06-13 11:09 - 00177152 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 20:48 - 2012-06-13 11:08 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:48 - 2012-06-13 11:08 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:43 - 2012-06-13 11:08 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 13:45 - 2012-04-24 13:24 - 00001844 ____A C:\Users\Public\Desktop\UFile 2011.lnk
2012-04-24 13:45 - 2012-04-24 13:24 - 00000000 ____D C:\Program Files\UFile 2011
2012-04-23 20:47 - 2012-06-13 11:08 - 01156608 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:47 - 2012-06-13 11:08 - 00139264 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:47 - 2012-06-13 11:08 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 11:27 - 2012-04-23 11:27 - 00001002 ____A C:\Users\Doug\Downloads\CAAemailsubscribe_Data(3).xls
2012-04-19 21:07 - 2012-06-13 11:09 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-19 21:07 - 2012-06-13 11:09 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-19 21:06 - 2012-06-13 11:09 - 06028288 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-19 21:06 - 2012-06-13 11:09 - 00627200 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-04-19 21:06 - 2012-06-13 11:09 - 00606208 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-04-19 21:06 - 2012-06-13 11:09 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-19 21:06 - 2012-06-13 11:09 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-04-19 21:05 - 2012-06-13 11:09 - 11019776 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-19 21:05 - 2012-06-13 11:09 - 02072576 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-19 21:05 - 2012-06-13 11:09 - 00381440 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-04-19 21:05 - 2012-06-13 11:09 - 00185856 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-04-19 21:05 - 2012-06-13 11:09 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-19 21:05 - 2012-06-13 11:09 - 00044544 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-04-19 21:03 - 2012-06-13 11:09 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-04-19 19:58 - 2012-06-13 11:09 - 00386048 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-04-19 19:24 - 2012-06-13 11:09 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-18 18:56 - 2012-04-18 18:56 - 00094208 ____A (Apple Inc.) C:\Windows\System32\QuickTimeVR.qtx
2012-04-18 18:56 - 2012-04-18 18:56 - 00069632 ____A (Apple Inc.) C:\Windows\System32\QuickTime.qts
2012-04-17 16:33 - 2011-11-29 00:07 - 00000000 ____D C:\Video Data
2012-04-16 20:45 - 2012-06-13 11:08 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-13 12:03 - 2012-04-13 12:03 - 00000783 ____A C:\Users\Doug\Downloads\CAAemailsubscribe_Data(2).xls
2012-04-13 12:02 - 2012-04-13 12:02 - 00001251 ____A C:\Users\Doug\Downloads\CAAeventadd_Data(3).xls
2012-04-13 10:20 - 2012-04-13 10:20 - 00001155 ____A C:\Users\Public\Desktop\SecurView Pro.lnk
2012-04-13 10:20 - 2011-11-30 12:57 - 00000000 ____D C:\Program Files\Common Files\CMS
2012-04-13 10:20 - 2011-11-26 08:51 - 00000000 ____D C:\Program Files\TRENDnet
2012-04-13 10:08 - 2010-06-23 09:08 - 00000000 ____D C:\Users\All Users\Adobe
2012-04-12 14:48 - 2012-04-12 14:48 - 00002000 ____A C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk
2012-04-12 11:10 - 2011-01-26 11:08 - 00000000 ____D C:\Users\Doug\Documents\rmx admin
2012-04-07 03:34 - 2012-06-13 11:08 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

ZeroAccess:
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\@
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\L
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\U
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\L\00000004.@
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\L\201d3dde
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\L\55490ac4
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\U\00000004.@
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}\U\000000cb.@

ZeroAccess:
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}\@
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}\L
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 3764.49 MB
Available physical RAM: 3158.36 MB
Total Pagefile: 3762.77 MB
Available Pagefile: 3162.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1977.62 MB

======================= Partitions =========================

1 Drive c: (Acer) (Fixed) (Total:222.78 GB) (Free:102.77 GB) NTFS
2 Drive e: (DATA) (Fixed) (Total:222.87 GB) (Free:215.47 GB) NTFS
3 Drive f: (PQSERVICE) (Fixed) (Total:20 GB) (Free:1.39 GB) NTFS
5 Drive h: (JENNY'S BAR) (Removable) (Total:1.97 GB) (Free:1.94 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 2013 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 20 GB 1024 KB
Partition 2 Primary 100 MB 20 GB
Partition 3 Primary 222 GB 20 GB
Partition 4 Primary 222 GB 242 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F PQSERVICE NTFS Partition 20 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 222 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E DATA NTFS Partition 222 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 2012 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H JENNY'S BAR FAT Removable 2012 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-18 09:49

======================= End Of Log ==========================

#4 nicoray

  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 12:30 AM

TDSSKiller is clean, although I don't know how to copy and paste their report. I have attached a screen capture of the TDSSKiller summary.

Attached Files



#5 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 04 July 2012 - 10:34 AM

Hi

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
HKLM\...\Run: [] [x]
2012-06-26 15:56 - 2012-06-26 16:21 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Muygo
2012-06-26 15:56 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Utabz
2012-06-26 15:56 - 2012-06-26 15:56 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ursy
2012-06-26 14:06 - 2012-06-26 14:06 - 00000036 ____A C:\Users\Doug\AppData\Roaming\AB7738.dat
2012-06-26 13:55 - 2012-06-26 16:21 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Owuqel
2012-06-26 13:55 - 2012-06-26 14:02 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Cuat
2012-06-26 13:55 - 2012-06-26 13:55 - 00000000 ____D C:\Users\Doug\AppData\Roaming\Ypodir
2012-06-25 14:37 - 2012-06-25 20:19 - 00000480 ____A C:\Users\All Users\YyFJrc7WRqEuhW
2012-06-25 14:37 - 2012-06-25 20:15 - 00000152 ____A C:\Users\All Users\-YyFJrc7WRqEuhWr
2012-06-25 14:37 - 2012-06-25 20:15 - 00000000 ____A C:\Users\All Users\-YyFJrc7WRqEuhW
2012-06-26 15:54 - 2012-01-11 01:36 - 00000000 __SHD C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e}
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e}
2012-06-26 13:54 - 2012-06-26 13:54 - 00075106 ____A C:\Windows\System32\1fdcd3d9.exe
cmd: del /a/f/q c:\windows\tasks\at*.job
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 nicoray

  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 10:48 AM

Hello. Thanks for this. Just checking: you want me to run FRST64 instead of just FRST? Thanks.

#7 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 04 July 2012 - 10:55 AM

Oh no, sorry, typo; it should be just FRST.exe. Thanks.


#8 nicoray

  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 11:32 AM

ComboFix 12-07-04.03 - Doug 07/04/12 10:08:44.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.2356.1252 [GMT -6:00]
Running from: c:\users\Doug\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Doug\AppData\Roaming\Help\coredb\storage
c:\users\Doug\AppData\Roaming\Ms_dir_
c:\windows\assembly\GAC\Desktop.ini
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
.
c:\windows\System32\autochk.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-04 16:18 . 2012-07-04 16:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-03 19:42 . 2012-06-18 09:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{033DC96A-4736-4753-BDC0-70CD047AC3BF}\mpengine.dll
2012-07-03 17:46 . 2012-07-03 17:46 -------- d-----w- C:\Sch
2012-06-27 04:15 . 2012-06-27 04:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-27 02:54 . 2012-07-04 07:08 -------- d-----w- C:\FRST
2012-06-26 21:54 . 2012-06-26 21:54 -------- d-----w- c:\programdata\Local Settings
2012-06-26 20:15 . 2012-06-26 20:15 -------- d-----w- c:\users\Doug\AppData\Roaming\Google Inc
2012-06-26 05:20 . 2012-06-26 05:20 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-26 04:59 . 2012-06-26 04:59 -------- d-----w- c:\users\Doug\AppData\Roaming\TeamViewer
2012-06-26 04:46 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-26 04:46 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-26 04:46 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-26 04:46 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-26 04:45 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-26 04:45 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-26 04:45 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-26 04:45 . 2012-06-02 21:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-26 04:45 . 2012-06-02 21:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-25 18:10 . 2012-06-26 04:34 -------- d-----w- c:\program files\Photo Story 3 for Windows
2012-06-15 04:31 . 2012-06-15 04:31 -------- d-----w- c:\program files\iPod
2012-06-15 04:31 . 2012-06-15 04:32 -------- d-----w- c:\program files\iTunes
2012-06-13 19:08 . 2012-04-07 11:34 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 19:08 . 2012-05-15 01:12 2342400 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 19:08 . 2012-04-26 04:48 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 19:08 . 2012-04-26 04:48 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 19:08 . 2012-04-26 04:43 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 19:08 . 2012-05-02 04:52 163328 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 19:08 . 2012-04-24 04:47 139264 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 19:08 . 2012-04-24 04:47 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 19:08 . 2012-04-24 04:47 1156608 ----a-w- c:\windows\system32\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-04 16:20 . 2010-06-23 16:21 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-04 16:20 . 2011-01-26 14:12 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-04 16:03 . 2010-06-23 16:21 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-06-14 14:30 . 2012-04-03 16:13 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 14:30 . 2011-05-15 20:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-31 20:35 . 2012-02-02 06:02 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-05-31 20:35 . 2012-02-02 06:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-31 20:35 . 2012-02-02 06:02 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-05-31 20:35 . 2012-02-02 06:02 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-04-19 02:56 . 2012-04-19 02:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56 . 2012-04-19 02:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-05-30 21:41 . 2011-11-22 23:58 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7}]
2011-04-20 22:25 605888 ----a-w- c:\program files\GhosteryIEplugin\GhosteryBrowserHelperObject.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBWin Background process"="c:\ibackup for windows\IBackground_955.exe" [2012-02-04 42472]
"IBWin Monitor"="c:\ibackup for windows\IBMonitor.exe" [2012-02-10 1861096]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-23 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2010-03-04 496184]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2010-06-10 233472]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-04-08 908368]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"ODDPwr"="c:\program files\Acer\Optical Drive Power Management\ODDPwr.exe" [2010-04-22 186912]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-03-08 260608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-07 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-07 169496]
"PLFSetI"="c:\windows\PLFSetI.exe" [2010-08-12 206208]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2010-04-23 715296]
"EgisTecPMMUpdate"="c:\program files\EgisTec IPS\PmmUpdate.exe" [2009-12-25 401192]
"EgisUpdate"="c:\program files\EgisTec IPS\EgisUpdate.exe" [2009-12-25 201512]
"VitaKeyTSR"="c:\program files\Acer Bio Protection\EgisTSR.exe" [2010-06-03 186224]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1298320]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"IBWin Background process"="c:\ibackup for windows\IBackground_955.exe" [2012-02-04 42472]
"IBWin Monitor"="c:\ibackup for windows\IBMonitor.exe" [2012-02-10 1861096]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2012-04-04 05:53 815512 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2012-04-04 05:53 36760 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-04-04 05:53 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-30 15:46 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 14:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-12-03 17:12 976320 ----a-w- c:\program files\Epson Software\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
2009-12-03 07:00 847872 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-26 15:31 135664 ----atw- c:\users\Doug\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 02:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2008-11-18 22:01 623880 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-08 01:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2011-09-16 21:10 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileDocuments]
2012-02-23 18:30 59240 ----a-w- c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 02:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 18:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-06-23 17:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 20:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkForce 520(Network)]
2009-09-14 15:00 200704 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIGIA.EXE
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [x]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [x]
S2 EgisTec Service;EgisTec Service;c:\program files\Acer Bio Protection\EgisService.exe [x]
S2 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files\Common Files\EgisTec\Services\EgisTicketService.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]
S2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\Drivers\FPSensor.sys [x]
S2 GREGService;GREGService;c:\program files\Acer\Registration\GREGsvc.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IBAdminProcess;IBAdminProcess;c:\ibackup for windows\IBAdminProcess.exe [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [x]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [x]
S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [x]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-26 15:31]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-26 15:31]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3152815046-135200866-3593950756-1001Core.job
- c:\users\Doug\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-26 15:31]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3152815046-135200866-3593950756-1001UA.job
- c:\users\Doug\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-26 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sportsillustrated.cnn.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=travelmate_8472t&r=270501119816l0423z2m5x67i3n74q
uInternet Settings,ProxyServer = http=;ftp=;https=;
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
IE: {{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - c:\program files\GhosteryIEplugin\GhosteryBrowserHelperObject.dll
DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011} - file:///E:/activeX/DCP.cab
DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} - hxxp://192.168.1.65:81/admin/UltraMJCamX.cab
DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - file:///E:/activeX/aplugLiteDL.cab
FF - ProfilePath - c:\users\Doug\AppData\Roaming\Mozilla\Firefox\Profiles\0c07sxuq.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
BHO-{a8cd82f1-3ec7-756d-4dfc-3da8812b6c3e} - c:\windows\system32\180f7d1c.dll
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
HKCU-Run-AdobeBridge - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3152815046-135200866-3593950756-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3152815046-135200866-3593950756-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3152815046-135200866-3593950756-1001)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3404)
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\ibackup for windows\IBWin Service_955.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Launch Manager\LMworker.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\ibackup for windows\ibackup_web.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-04 10:26:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-04 16:26
.
Pre-Run: 110,129,176,576 bytes free
Post-Run: 110,279,987,200 bytes free
.
- - End Of File - - 386678577F37A94BCA847443C18019F6
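As an added example (not part of the thread, and not ComboFix's own code), the Python below parses a constructed excerpt of the "Reg Loading Points" and "ORPHANS REMOVED" output in the log above and flags two things a reviewer of such a log looks for: UAC policy values that differ from the Windows 7 defaults (here EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0) and loading-point files whose name is a bare hex string, like the orphaned BHO 180f7d1c.dll in system32. The line layout is inferred from the log itself; the default values are Windows 7's.

```python
import re
from typing import Dict, List

# Windows 7 defaults for the UAC values ComboFix lists under policies\system. The log
# above has EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0,
# i.e. UAC switched off outright; this check surfaces exactly that.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}
UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# A path whose last component is nothing but hex digits (system32\180f7d1c.dll above).
HEX_BASENAME_RE = re.compile(r'[a-z]:\\[^"\[\]\n]*?\\[0-9a-f]{6,}\.(?:dll|exe|sys)\b',
                             re.IGNORECASE)

# Constructed excerpt of the "Reg Loading Points" and "ORPHANS REMOVED" output posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-07 141848]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-04-08 908368]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{a8cd82f1-3ec7-756d-4dfc-3da8812b6c3e} - c:\windows\system32\180f7d1c.dll
"""

def parse_sections(log: str) -> Dict[str, Dict[str, str]]:
    """Map each [registry key] header to the "name"=value lines beneath it."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group(1)] = value.group(2).strip()
    return sections

def uac_findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Report every UAC value present in the log that differs from the Windows 7 default."""
    values = sections.get(UAC_KEY, {})
    findings = []
    for name, default in UAC_DEFAULTS.items():
        if name in values:
            actual = int(values[name].split()[0])  # ComboFix prints "0 (0x0)"
            if actual != default:
                findings.append(f"{name}={actual} (default {default})")
    return findings

def hex_named_binaries(log: str) -> List[str]:
    """Return every loading-point path whose file name is a bare hex string."""
    return [m.group(0) for m in HEX_BASENAME_RE.finditer(log)]

def audit(log: str) -> Dict[str, List[str]]:
    return {"uac_weakened": uac_findings(parse_sections(log)),
            "hex_named_files": hex_named_binaries(log)}

if __name__ == "__main__":
    for category, items in audit(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```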

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 July 2012 - 11:40 AM

We need to find a replacement file; please run the following. (Also, do you have the FRST fix log?)


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *autochk*
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 nicoray

nicoray
  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 11:52 AM

Sorry about that...

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by SYSTEM at 2012-07-04 10:02:30 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Users\Doug\AppData\Roaming\Muygo moved successfully.
C:\Users\Doug\AppData\Roaming\Utabz moved successfully.
C:\Users\Doug\AppData\Roaming\Ursy moved successfully.
C:\Users\Doug\AppData\Roaming\AB7738.dat moved successfully.
C:\Users\Doug\AppData\Roaming\Owuqel moved successfully.
C:\Users\Doug\AppData\Roaming\Cuat moved successfully.
C:\Users\Doug\AppData\Roaming\Ypodir moved successfully.
C:\Users\All Users\YyFJrc7WRqEuhW moved successfully.
C:\Users\All Users\-YyFJrc7WRqEuhWr moved successfully.
C:\Users\All Users\-YyFJrc7WRqEuhW moved successfully.
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e} moved successfully.
C:\Windows\Installer\{dcf519f2-62cd-eec2-56b4-80ced078645e} moved successfully.
C:\Users\Doug\AppData\Local\{dcf519f2-62cd-eec2-56b4-80ced078645e} not found.
C:\Windows\System32\1fdcd3d9.exe moved successfully.

========= del /a/f/q c:\windows\tasks\at*.job =========


========= End of CMD: =========


==== End of Fixlog ====

#11 nicoray

nicoray
  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 12:06 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 10:57 on 04/07/2012 by Doug
Administrator - Elevation successful

========== filefind ==========

Searching for "*autochk*"
C:\Windows\System32\autochk.exe --a---- 668160 bytes [22:48 12/11/2011] [07:17 01/10/2009] F0321E0D26B12C54E83654B95C3FD9D3
C:\Windows\System32\en-US\autochk.exe.mui --a---- 229376 bytes [04:54 14/07/2009] [02:07 14/07/2009] D220BED087B6EB64EC5233CD3CE502E5
C:\Windows\winsxs\Manifests\x86_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_49645dc252e24b19.manifest --a---- 2170 bytes [04:54 14/07/2009] [02:28 14/07/2009] A18DDA9361CEFD8CBD0EACE600AA698C
C:\Windows\winsxs\Manifests\x86_microsoft-windows-autochkconfigurator_31bf3856ad364e35_6.1.7600.16385_none_1898d1bbe9180b39.manifest --a---- 2548 bytes [02:03 14/07/2009] [01:55 14/07/2009] E78A23DDED748515F426DCCD31A76523
C:\Windows\winsxs\Manifests\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860.manifest --a---- 3017 bytes [02:03 14/07/2009] [01:57 14/07/2009] CA17CB4D20874916D23BF617CF4DA294
C:\Windows\winsxs\Manifests\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.20538_none_e28cf2983c0715a1.manifest ------- 3017 bytes [22:48 12/11/2011] [07:52 01/10/2009] 9848AF92B5A5CF5CE5ABEB389BB587DE
C:\Windows\winsxs\x86_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_49645dc252e24b19\autochk.exe.mui --a---- 229376 bytes [04:54 14/07/2009] [02:07 14/07/2009] D220BED087B6EB64EC5233CD3CE502E5
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.20538_none_e28cf2983c0715a1\autochk.exe --a---- 668160 bytes [22:48 12/11/2011] [07:17 01/10/2009] F0321E0D26B12C54E83654B95C3FD9D3

-= EOF =-

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 July 2012 - 12:19 PM

Hi,

Let's have an analysis done of that file, as there isn't a different replacement; the one replacement has the same MD5.

Please run the following:

Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel,
  • click on the file C:\Windows\System32\autochk.exe
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

please do the same for this file:

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.20538_none_e28cf2983c0715a1\autochk.exe


NEXT


  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 nicoray

nicoray
  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 12:26 PM

autochk...

https://www.virustotal.com/file/a0b33f7032caf8b4f8e89f55955c55ebc1bc9e22fd50a3f4a3c4e6ce53f6b8cd/analysis/1341422681/

#14 nicoray

nicoray
  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 12:31 PM

winsxs autochk...

https://www.virustotal.com/file/a0b33f7032caf8b4f8e89f55955c55ebc1bc9e22fd50a3f4a3c4e6ce53f6b8cd/analysis/1341422986/
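As an added example (not code from the thread, SystemLook or VirusTotal), the Python below parses the SystemLook filefind lines from reply #11 and groups the autochk.exe copies by MD5, which is the check behind CatByte's remark that the WinSxS copy carries the same MD5 and so offers no clean local replacement. It also pulls the SHA-256 out of the two VirusTotal links posted above; the hash is identical in both, so the two submissions were byte-for-byte the same file. Sample lines are copied from the thread; the link format assumed is VirusTotal's 2012-era /file/<sha256>/analysis/ URL.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# SystemLook ":filefind" lines copied from the reply above (manifests left out), plus the
# two VirusTotal report links posted afterwards. Constructed excerpt, not a new scan.
SYSTEMLOOK_OUTPUT = r"""
Searching for "*autochk*"
C:\Windows\System32\autochk.exe --a---- 668160 bytes [22:48 12/11/2011] [07:17 01/10/2009] F0321E0D26B12C54E83654B95C3FD9D3
C:\Windows\System32\en-US\autochk.exe.mui --a---- 229376 bytes [04:54 14/07/2009] [02:07 14/07/2009] D220BED087B6EB64EC5233CD3CE502E5
C:\Windows\winsxs\x86_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_49645dc252e24b19\autochk.exe.mui --a---- 229376 bytes [04:54 14/07/2009] [02:07 14/07/2009] D220BED087B6EB64EC5233CD3CE502E5
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.20538_none_e28cf2983c0715a1\autochk.exe --a---- 668160 bytes [22:48 12/11/2011] [07:17 01/10/2009] F0321E0D26B12C54E83654B95C3FD9D3
"""
VT_LINKS = [
    "https://www.virustotal.com/file/a0b33f7032caf8b4f8e89f55955c55ebc1bc9e22fd50a3f4a3c4e6ce53f6b8cd/analysis/1341422681/",
    "https://www.virustotal.com/file/a0b33f7032caf8b4f8e89f55955c55ebc1bc9e22fd50a3f4a3c4e6ce53f6b8cd/analysis/1341422986/",
]

FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# The path segment of a VirusTotal report URL is the file's SHA-256, so two reports
# with the same segment describe one and the same file content.
VT_URL_RE = re.compile(r"virustotal\.com/file/(?P<sha256>[0-9a-fA-F]{64})/")

class FileEntry(NamedTuple):
    path: str
    size: int
    md5: str

def parse_filefind(text: str) -> List[FileEntry]:
    """Parse SystemLook filefind result lines; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["md5"].upper()))
    return entries

def copies_by_hash(entries: List[FileEntry], filename: str) -> Dict[str, List[str]]:
    """Group every copy of `filename` on the system by its MD5."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.path.rsplit("\\", 1)[-1].lower() == filename.lower():
            groups[e.md5].append(e.path)
    return dict(groups)

def replacement_available(entries: List[FileEntry], filename: str) -> bool:
    """A local replacement only exists if some copy carries a different hash
    from the suspect one; identical hashes mean identical bytes."""
    return len(copies_by_hash(entries, filename)) > 1

def vt_sha256(url: str) -> str:
    m = VT_URL_RE.search(url)
    return m["sha256"].lower() if m else ""

def same_vt_file(urls: List[str]) -> bool:
    """True when every VirusTotal link points at the same file hash."""
    hashes = {vt_sha256(u) for u in urls}
    return len(hashes) == 1 and "" not in hashes

if __name__ == "__main__":
    entries = parse_filefind(SYSTEMLOOK_OUTPUT)
    for md5, paths in copies_by_hash(entries, "autochk.exe").items():
        print(md5, *paths, sep="\n  ")
    print("replacement available:", replacement_available(entries, "autochk.exe"))
    print("VT links describe one file:", same_vt_file(VT_LINKS))
```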

#15 nicoray

nicoray
  • Topic Starter

  • Members
  • 14 posts

Posted 04 July 2012 - 12:38 PM

Updated malwarebytes scan is clean.



