
Virus disguised as Adobe Flash update


This topic is locked
41 replies to this topic

#1 TheOverheater

TheOverheater

  • Members
  • 37 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 06 July 2012 - 04:25 PM

*****I JUST REALIZED THAT I DIDN'T FOLLOW THE RULES OF POSTING. I WOULD APPRECIATE IT IF YOU GUYS STILL TRIED TO HELP, BUT I'LL DELETE THIS POST SOON. I APOLOGIZE THAT I DON'T READ STUFF.*****

Hello everyone. Today, I was using Google, and after reading an article in one of the search results, a security notice from Windows 7 popped up saying that Adobe Flash Player wanted to update. I pressed "no", and it came back up less than a second later. I finally gave in and let it do its thing; and when it did, Malwarebytes came up with a notice to quarantine a trojan. I did that, and checked the task manager. I saw an unfamiliar process running, and ended it. I then performed a full scan with Malwarebytes, and it found 7 items. It told me to restart my PC, so I did. When it came back on, I saw that an update to Adobe Flash was available, and all of my desktop icons were organized completely differently. I clicked on remind me later (as if I'd update Flash after what I just encountered). Everything seems to be in order, but my computer feels a wee mite sluggish, and I'd like to be sure I got rid of everything. Here is the log for what was removed, maybe you guys could work off that? I can provide more info if needed. Again, I just would like your opinion(s) on if I have this all removed, if my computer is ok, an answer to the moved desktop icons if possible, and maybe a guide for the removal of this virus if it is still in my PC, if any of you know what this virus is. All help is appreciated!

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: NICK2 [administrator]

Protection: Enabled

7/6/2012 4:04:36 PM
mbam-log-2012-07-06 (16-04-36).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 388834
Time elapsed: 48 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|DATD6A0.tmp.exe (Trojan.FakeAlert) -> Data: C:\Users\User\AppData\Local\Temp\DATD6A0.tmp.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\User\AppData\Local\{a0c39018-6653-7865-a557-faa816a5f6c8}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\DATD6A0.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

(end)

Edited by TheOverheater, 06 July 2012 - 05:00 PM.
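The Malwarebytes log above is short, but it already tells a defender what the fake "Flash update" installed: a Run-key autostart pointing at an executable in the Temp folder, a kernel driver dropped into both drivers directories, and one GUID-named folder recurring under the user profile and under C:\Windows\Installer. The script below is an added example (not Malwarebytes code) that parses this 1.x log format and pulls those persistence indicators out automatically. The detection lines in SAMPLE_LOG are copied from the post above; the line format it assumes ("<location> (<threat>) -> [Data: <data> -> ]<action>") and the indicator patterns are the example author's own reading of that log, not a documented Malwarebytes specification.

```python
"""Triage a Malwarebytes Anti-Malware 1.x scan log for persistence indicators.

Added example, not Malwarebytes code.  The detection lines in SAMPLE_LOG are
copied from the log posted above; the line format assumed here and the
indicator patterns are the example author's heuristics.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.61.0.1400
Scan type: Full scan

Memory Processes Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|DATD6A0.tmp.exe (Trojan.FakeAlert) -> Data: C:\Users\User\AppData\Local\Temp\DATD6A0.tmp.exe -> Quarantined and deleted successfully.

Files Detected: 6
C:\Users\User\AppData\Local\{a0c39018-6653-7865-a557-faa816a5f6c8}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\DATD6A0.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

(end)
"""

HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: \d+$")
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
GUID_RE = re.compile(GUID, re.I)

# Indicator patterns (example author's heuristics), applied to each detection's
# location and, for registry values, to the value data as well.
INDICATORS = [
    ("Run-key autostart", re.compile(r"\\CurrentVersion\\Run(?:Once)?\|", re.I)),
    ("executable in a Temp folder", re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)),
    ("kernel driver in a drivers folder", re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)),
    ("GUID folder under Windows\\Installer", re.compile(r"\\Windows\\Installer\\" + GUID + r"\\", re.I)),
    ("GUID folder under AppData\\Local", re.compile(r"\\AppData\\Local\\" + GUID + r"\\", re.I)),
]


@dataclass
class Detection:
    category: str
    location: str               # file path, or "<registry key>|<value name>"
    threat: str
    action: str
    data: Optional[str] = None  # registry value data (what the Run key launches)


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line in the log, tagged with the section it sits in."""
    found: List[Detection] = []
    category = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):    # blank, "(No malicious items detected)", "(end)"
            continue
        header = HEADER_RE.match(line)
        if header:
            category = header["category"]
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue                             # scan preamble, not a detection
        parts = m["rest"].split(" -> ")
        data = parts[0][len("Data: "):] if parts[0].startswith("Data: ") else None
        found.append(Detection(category, m["location"], m["threat"], parts[-1], data))
    return found


def triage(detections: List[Detection]) -> Dict[str, List[str]]:
    """Map each indicator name to the distinct locations/data strings that matched it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for d in detections:
        for text in (d.location, d.data):
            if text is None:
                continue
            for name, pattern in INDICATORS:
                if pattern.search(text) and text not in hits[name]:
                    hits[name].append(text)
    return dict(hits)


def linked_guids(detections: List[Detection]) -> Set[str]:
    """GUID folder names seen under more than one top-level directory (here the
    same {GUID} under C:\\Users and C:\\Windows), tying the file hits to one install."""
    roots: Dict[str, Set[str]] = defaultdict(set)
    for d in detections:
        for guid in GUID_RE.findall(d.location):
            roots[guid.lower()].add(d.location.split("\\")[1].lower())
    return {g for g, seen in roots.items() if len(seen) > 1}


def all_remediated(detections: List[Detection]) -> bool:
    return all(d.action.startswith("Quarantined and deleted successfully") for d in detections)


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, all remediated: {all_remediated(dets)}")
    for name, items in triage(dets).items():
        print(f"[{name}]")
        for item in items:
            print("   ", item)
    print("GUIDs seen under more than one root:", linked_guids(dets))
```

The point of the kernel-driver and Run-key buckets is exactly why the helper asks for a second scan with a different tool: "Quarantined and deleted" on every line says the files that were found are gone, not that nothing else was configured to start at boot.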



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 AM

Posted 06 July 2012 - 11:30 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Download DDS and save it to your desktop
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 08 July 2012 - 05:36 PM

Thank you for your reply! Before I get started, I'm a bit wary of disabling any anti-virus programs I have. The reason for this is because Malwarebytes is the program that is blocking the main file from activating itself and taking over my computer. Is it still ok to disable this? Or can I run DDS while my PC is in safe mode? I appreciate your time!

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 AM

Posted 08 July 2012 - 06:27 PM

It would be OK to run DDS in safe mode.


gringo

#5 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 09 July 2012 - 04:26 PM

I'm running Security Check at the current moment, and I have one other question whilst running it: I disabled the CD emulation drive; if I reboot my computer into safe mode to run DDS, will the drives be re-activated? Thanks!

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 AM

Posted 09 July 2012 - 04:34 PM

No, they will not be reactivated until we run the program again later.


gringo

#7 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 09 July 2012 - 04:39 PM

Ok, got the logs!

Security checkup-

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Lavasoft Ad-Watch Live! Anti-Virus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 22
Java™ 6 Update 31
Java version out of Date!
Mozilla Firefox 10.0.2 Firefox out of Date!
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes Anti-Malware mbamgui.exe
Ad-Aware Antivirus AdAwareService.exe
Ad-Aware Antivirus SBAMSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 6%
````````````````````End of Log``````````````````````


DDS-

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by User at 17:33:31 on 2012-07-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6092.4936 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Dyyno Launcher] "C:\Program Files (x86)\Dyyno\Dyyno Broadcaster\dyyno_launcher.exe" 30100 30101 30102 30103 30104
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [<NO NAME>]
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{7E4D6E25-40D0-41C7-976A-81C1F4AE6AAF} : DhcpNameServer = 172.16.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO-X64: Ad-Aware Security Toolbar - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO-X64: TSBHO Class - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun-x64: [(Default)]
mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
SEH-X64: EasyBits ShellExecute Hook: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\epa57lmu.default\
FF - prefs.js: browser.startup.homepage - youtube.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112]
R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-5-3 1226096]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\system32\DRIVERS\iwdbus.sys --> C:\Windows\system32\DRIVERS\iwdbus.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
S1 SbFw;SbFw;C:\Windows\system32\drivers\SbFw.sys --> C:\Windows\system32\drivers\SbFw.sys [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-2-14 89600]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
S2 Dyyno Launcher;Dyyno Service;C:\Program Files (x86)\Dyyno\Dyyno Broadcaster\launcherd.exe [2012-3-3 409600]
S2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-8-25 514232]
S2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-8-25 260424]
S2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
S2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-2-14 13336]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-12 654408]
S2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]
S2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-2-14 2656280]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\system32\drivers\intelaud.sys --> C:\Windows\system32\drivers\intelaud.sys [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 intelkmd;intelkmd;C:\Windows\system32\DRIVERS\igdpmd64.sys --> C:\Windows\system32\DRIVERS\igdpmd64.sys [?]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-1-5 340240]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;C:\Windows\system32\DRIVERS\sbfwim.sys --> C:\Windows\system32\DRIVERS\sbfwim.sys [?]
S3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;C:\Windows\system32\DRIVERS\SBFWIM.sys --> C:\Windows\system32\DRIVERS\SBFWIM.sys [?]
S3 sbhips;sbhips;C:\Windows\system32\drivers\sbhips.sys --> C:\Windows\system32\drivers\sbhips.sys [?]
S3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-06 21:26:45 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-07-06 21:23:56 -------- d-----w- C:\Users\User\AppData\Local\adaware
2012-07-06 21:23:37 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys
2012-07-06 21:23:15 119416 ----a-w- C:\Windows\System32\drivers\SbFwIm.sys
2012-07-06 21:23:14 256632 ----a-w- C:\Windows\System32\drivers\SbFw.sys
2012-07-06 21:23:13 45936 ----a-w- C:\Windows\System32\sbbd.exe
2012-07-06 21:23:12 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus
2012-07-06 21:16:44 -------- d-----w- C:\Users\User\AppData\Roaming\Ad-Aware Antivirus
2012-07-05 22:26:20 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-07-05 22:25:54 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-07-04 18:15:57 -------- d-----w- C:\Users\User\AppData\Local\ArmA 2 Free
2012-07-03 23:11:35 -------- d-----w- C:\Users\User\.thumbnails
2012-07-02 02:10:50 -------- d-----w- C:\Users\User\AppData\Local\fontconfig
2012-07-02 02:10:48 -------- d-----w- C:\Users\User\AppData\Local\gegl-0.2
2012-07-02 02:10:48 -------- d-----w- C:\Users\User\.gimp-2.8
2012-07-02 01:56:14 -------- d-----w- C:\Program Files\GIMP 2
2012-06-21 18:04:47 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-21 18:04:21 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-21 18:04:21 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-16 16:55:55 -------- d-----w- C:\Users\User\AppData\Local\Macromedia
.
==================== Find3M ====================
.
2012-07-06 20:04:03 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-06 20:04:03 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-10 23:04:53 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
.
============= FINISH: 17:34:30.88 ===============


DDS (attach)-

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/4/2012 4:57:45 PM
System Uptime: 7/9/2012 5:31:59 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 1800
Processor: Intel® Core™ i7-2630QM CPU @ 2.00GHz | CPU1 | 1995/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 681 GiB total, 536.48 GiB free.
D: is FIXED (NTFS) - 17 GiB total, 1.863 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Description: Consumer IR Devices
Device ID: ROOT\SYSTEM\0001
Manufacturer: Microsoft
Name: Consumer IR Devices
PNP Device ID: ROOT\SYSTEM\0001
Service: circlass
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C5100 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C5100 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP56: 6/20/2012 6:49:34 PM - Revo Uninstaller's restore point - Bing Bar
RP57: 6/20/2012 6:51:55 PM - Revo Uninstaller's restore point - OpenOffice.org 3.3
RP58: 6/20/2012 6:55:51 PM - Revo Uninstaller's restore point - Evernote v. 4.2.2
RP59: 6/20/2012 6:56:09 PM - Removed Evernote v. 4.2.2
RP60: 6/21/2012 2:04:03 PM - Windows Update
RP61: 7/1/2012 3:43:56 PM - Windows Update
RP62: 7/4/2012 2:13:49 PM - Installed DirectX
RP63: 7/5/2012 6:25:32 PM - Installed DirectX
RP64: 7/5/2012 6:25:55 PM - Installed NVIDIA PhysX
.
==== Installed Programs ======================
.
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Ad-Aware Security Toolbar
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X MUI
Adobe Shockwave Player 11.5
Agatha Christie - Peril at End House
AIO_CDA_ProductContext
AIO_CDA_Software
AIO_Scan
Bejeweled 2 Deluxe
Bejeweled 3
Blackhawk Striker 2
Blasterball 3
Blio
Bounce Symphony
BufferChm
Build-a-lot 2
Bulletstorm Demo
C5100
c5100_Help
Cake Mania
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
Copy
CyberLink YouCam
D3DX10
Destinations
DeviceDiscovery
Diablo III
Diner Dash 2 Restaurant Rescue
DocProc
Dora's World Adventure
Dungeon Defenders
Dyyno Broadcaster
Energy Star Digital Logo
eReg
ESU for Microsoft Windows 7
Fallout 3
Fallout Collection
Farm Frenzy
FATE - The Traitor Soul
Fax
Garry's Mod
Garry's Mod 13
Google Chrome
Google Talk Plugin
GPBaseService2
Grand Theft Auto IV
Half-Life 2
Hewlett-Packard ACLM.NET v1.1.2.0
HP Connection Manager
HP Customer Experience Enhancements
HP Documentation
HP DVB-T TV Tuner 8.0.64.43
HP Games
HP MovieStore
HP On Screen Display
HP Power Manager
HP Quick Launch
HP Setup
HP Setup Manager
HP SimplePass 2011
HP Software Framework
HP Support Assistant
HP Update
HPPhotoGadget
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
IDT Audio
Intel® Display Audio Driver
Intel® Management Engine Components
Intel® Rapid Storage Technology
Intel® WiDi
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 31
Junk Mail filter update
League of Legends
Left 4 Dead
Magic Desktop
Magicka
Mah Jong Medley
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
McAfee Security Scan Plus
Mesh Runtime
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mozilla Firefox 10.0.2 (x86 en-US)
Mozilla Firefox 13.0.1 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mumble 1.2.3
Mystery P.I. - Stolen in San Francisco
Namco All-Stars PAC-MAN
NVIDIA PhysX
Pando Media Booster
Penguins!
Plants vs. Zombies - Game of the Year
PlayReady PC Runtime x86
Poker Superstars III
Polar Bowler
Polar Golfer
PX Profile Update
Realtek Ethernet Controller Driver
Realtek PCIE Card Reader
Recovery Manager
Renesas Electronics USB 3.0 Host Controller Driver
Revo Uninstaller 1.94
RoxioNow Player
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Slingo Supreme
SmartWebPrinting
SolutionCenter
Source SDK Base 2007
Status
Steam
Team Fortress 2
The Binding of Isaac
The Elder Scrolls V: Skyrim
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update Installer for WildTangent Games App
Virtual Villagers 4 - The Tree of Life
Warcraft III
WebReg
Wheel of Fortune 2
WildTangent Games App (HP Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
7/9/2012 5:32:36 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:32:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/9/2012 5:32:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/9/2012 5:32:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/9/2012 5:32:31 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/9/2012 5:32:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/9/2012 5:32:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/9/2012 5:32:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SbFw spldr tdx vwififlt Wanarpv6 WfpLwf
7/9/2012 5:32:17 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
7/9/2012 5:32:17 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
7/9/2012 5:32:17 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/9/2012 5:32:17 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:32:17 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:32:17 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:32:17 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:32:15 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:32:15 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/9/2012 5:32:15 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/9/2012 5:32:15 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/9/2012 5:32:15 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/9/2012 5:32:15 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/9/2012 5:28:56 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
7/9/2012 5:20:47 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
7/9/2012 5:20:45 PM, Error: Service Control Manager [7000] - The sbwtis service failed to start due to the following error: There are no more endpoints available from the endpoint mapper.
7/9/2012 5:20:21 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
7/9/2012 5:20:21 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/8/2012 5:07:48 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
7/6/2012 5:13:38 PM, Error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
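As an added example (not code from this thread, and not part of the DDS or FRST tools), here is a Python triage pass over the file-listing lines in the logs above. It generalizes to both layouts present on the page: the DDS "Created Last 30" form and the FRST "One Month Created Files and Folders" form. The attribute-letter meanings and the two heuristics it applies (a literal %...% left in a path, and a hidden+system object freshly created under System32 or SysWOW64) are the editor's assumptions about how a responder reads these logs, not something the thread states; the sample lines are copied from the logs posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS "Created Last 30" entry: date time size-or-dashes attribute-string path
# e.g. "2012-07-06 21:26:45 -------- d-sh--w- C:\Windows\System32\%APPDATA%"
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# FRST "One Month Created Files and Folders" entry:
# created - modified - size attribute-string [(company)] path
# e.g. "2012-07-06 13:26 - 2012-07-06 13:26 - 00000000 __SHD C:\Windows\System32\%APPDATA%"
FRST_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>.+)$"
)

# Assumption (not documented on the page): in both tools the attribute field is a
# fixed-width string where a letter marks a set attribute and '-' / '_' marks a
# cleared one: d/D = directory, s/S = system, h/H = hidden, a/A = archive.
# Reading the letters that are present, rather than positions, keeps the parser
# tolerant of small layout differences between tool versions.

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Entry:
    source: str     # "dds" or "frst"
    created: str
    is_dir: bool
    hidden: bool
    system: bool
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS or FRST file-listing line; return None for anything else."""
    text = line.strip()
    m = DDS_RE.match(text)
    if m:
        flags = set(m["attrs"].replace("-", ""))
        return Entry("dds", f"{m['date']} {m['time']}",
                     "d" in flags, "h" in flags, "s" in flags, m["path"])
    m = FRST_RE.match(text)
    if m:
        flags = set(m["attrs"].replace("_", ""))
        return Entry("frst", m["date"],
                     "D" in flags, "H" in flags, "S" in flags, m["path"])
    return None


def suspicious_reasons(e: Entry) -> List[str]:
    """Heuristics a responder applies by hand when reading these logs (editor's assumptions)."""
    reasons = []
    in_system_dir = e.path.lower().startswith(SYSTEM_DIRS)
    # Windows expands %APPDATA% before creating anything; a path that still
    # contains the literal variable was written by something that did not.
    if "%" in e.path:
        reasons.append("literal environment variable in path")
    # Recently created hidden+system objects under System32/SysWOW64 are rare
    # for legitimate software and deserve a second look.
    if in_system_dir and e.hidden and e.system:
        reasons.append("hidden+system object created under a Windows system directory")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (source, path, reasons) for every parsable line that trips a heuristic."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = suspicious_reasons(e)
        if reasons:
            findings.append((e.source, e.path, reasons))
    return findings


# Sample input copied from the DDS and FRST logs posted in this thread.
SAMPLE_LINES = [
    r"2012-07-06 21:26:45 -------- d-sh--w- C:\Windows\System32\%APPDATA%",
    r"2012-07-06 21:23:56 -------- d-----w- C:\Users\User\AppData\Local\adaware",
    r"2012-07-06 21:23:37 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys",
    r"2012-07-06 13:26 - 2012-07-06 13:26 - 00000000 __SHD C:\Windows\System32\%APPDATA%",
    r"2012-07-06 13:23 - 2011-12-19 09:21 - 00045936 ____A (GFI Software) C:\Windows\System32\sbbd.exe",
    r"2012-07-09 17:57 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0",
    "==================== Find3M ====================",
]

if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_LINES):
        print(f"[{source}] {path}")
        for r in reasons:
            print(f"    - {r}")
```

Running it against the sample lines flags only the `%APPDATA%` folder (once per log format); the hidden-but-not-system activation file under System32 and the Ad-Aware driver installs pass through, which is the point of requiring both attributes rather than either one.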

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 AM

Posted 09 July 2012 - 08:29 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • Local time:08:25 AM

Posted 09 July 2012 - 08:49 PM

I am attempting to disable my antivirus programs, but my taskbar and system are being quite unresponsive and slow. Any idea on this?

Edited by TheOverheater, 09 July 2012 - 08:50 PM.


#10 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • Local time:08:25 AM

Posted 09 July 2012 - 08:58 PM

OK, I ran ComboFix, let it run, and after the bar reached the end, it popped up with a window with some text for a split second, and then another window that looked like a blue command prompt that closed as soon as it opened. I have my computer disconnected from the internet; is that why?

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 AM

Posted 09 July 2012 - 09:00 PM

Hello

It is the virus doing that.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo

#12 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • Local time:08:25 AM

Posted 09 July 2012 - 09:03 PM

Wait, is this to fix ComboFix or my unresponsive taskbar and desktop? I got the taskbar and desktop to work by restarting the PC; now it's just ComboFix. Again, sorry for the inconvenience.

Edited by TheOverheater, 09 July 2012 - 09:18 PM.


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 AM

Posted 09 July 2012 - 09:18 PM

The ComboFix one. The virus is stopping it from running, so I want to run this program now.


Gringo

#14 TheOverheater

TheOverheater
  • Topic Starter

  • Members
  • 37 posts
  • Local time:08:25 AM

Posted 09 July 2012 - 09:29 PM

FRST log

Scan result of Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 09-07-2012 22:26:46
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-03-11] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2011-01-05] (Intel® Corporation)
HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1580368 2010-11-03] (Logitech, Inc.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167704 2011-08-09] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392472 2011-08-09] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [416024 2011-08-09] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company L.P.)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2011-03-16] (EasyBits Software AS)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [318520 2011-01-27] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [198032 2011-10-21] (Lavasoft)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-09-30] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-04] (Google Inc.)
HKU\User\...\Run: [Dyyno Launcher] "C:\Program Files (x86)\Dyyno\Dyyno Broadcaster\dyyno_launcher.exe" 30100 30101 30102 30103 30104 [2146304 2012-03-03] ()
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)

==================== Services (Whitelisted) ======

2 Ad-Aware Service; "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe" [1226096 2012-05-03] (Lavasoft Limited)
2 Dyyno Launcher; C:\Program Files (x86)\Dyyno\Dyyno Broadcaster\launcherd.exe [409600 2012-03-03] ()
3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1071160 2011-02-15] (Hewlett-Packard Development Company L.P.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-01-05] ()
2 SBAMSvc; "C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-22] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [57976 2011-10-26] (GFI Software)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-09 22:26 - 2012-07-09 22:26 - 00000000 ____D C:\FRST
2012-07-09 17:54 - 2012-07-09 17:54 - 00000000 ____D C:\ComboFix
2012-07-09 17:53 - 2012-07-09 17:54 - 00000000 ____D C:\Windows\erdnt
2012-07-09 17:53 - 2012-07-09 17:54 - 00000000 ____D C:\Qoobox
2012-07-09 17:42 - 2012-07-09 17:35 - 04574676 ____R (Swearware) C:\Users\User\Desktop\ComboFix.exe
2012-07-09 17:40 - 2012-07-09 17:40 - 00000000 ____A C:\Windows\System32\SBRC.dat
2012-07-09 13:21 - 2012-07-09 13:33 - 00000470 ____A C:\Users\User\Desktop\defogger_disable.log
2012-07-09 13:21 - 2012-07-09 13:21 - 00000000 ____A C:\Users\User\defogger_reenable
2012-07-09 13:21 - 2012-07-09 13:18 - 00050477 ____A C:\Users\User\Desktop\Defogger.exe
2012-07-09 13:21 - 2012-07-09 13:17 - 00607260 ____R (Swearware) C:\Users\User\Desktop\dds.scr
2012-07-09 13:21 - 2012-07-09 13:16 - 00881475 ____A C:\Users\User\Desktop\SecurityCheck.exe
2012-07-08 12:50 - 2012-07-08 12:50 - 00001188 ____A C:\Windows\SysWOW64\ServiceConfig.xml
2012-07-07 14:02 - 2012-07-07 14:02 - 00002106 ____A C:\Users\User\Documents\aswMBR.txt
2012-07-07 14:02 - 2012-07-07 14:02 - 00000512 ____A C:\Users\User\Documents\MBR.dat
2012-07-07 13:42 - 2012-07-08 11:10 - 00000000 ____D C:\Users\User\Downloads\Virusremoval
2012-07-06 13:26 - 2012-07-06 13:26 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-06 13:24 - 2012-07-06 13:24 - 00000012 ____A C:\Users\User\Downloads\FSSC.dat
2012-07-06 13:23 - 2012-07-09 17:50 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2012-07-06 13:23 - 2012-07-09 17:50 - 00001868 ____A C:\Users\All Users\Desktop\Ad-Aware Antivirus.lnk
2012-07-06 13:23 - 2012-07-06 13:28 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
2012-07-06 13:23 - 2012-07-06 13:23 - 00000000 ____D C:\Users\User\AppData\Local\adaware
2012-07-06 13:23 - 2011-12-19 09:21 - 00045936 ____A (GFI Software) C:\Windows\System32\sbbd.exe
2012-07-06 13:23 - 2011-12-19 08:44 - 00256632 ____A (GFI Software) C:\Windows\System32\Drivers\SbFw.sys
2012-07-06 13:23 - 2011-12-19 08:44 - 00060536 ____A (GFI Software) C:\Windows\System32\Drivers\sbhips.sys
2012-07-06 13:23 - 2011-09-29 08:16 - 00119416 ____A (GFI Software) C:\Windows\System32\Drivers\SbFwIm.sys
2012-07-06 13:16 - 2012-07-09 17:53 - 00000000 ____D C:\Users\User\AppData\Roaming\Ad-Aware Antivirus
2012-07-06 13:16 - 2012-07-06 13:16 - 06236280 ____A (Lavasoft Limited) C:\Users\User\Downloads\Adaware_Installer.exe
2012-07-05 14:26 - 2012-07-05 14:26 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-07-04 10:15 - 2012-07-04 10:19 - 00000000 ____D C:\Users\User\Documents\ArmA 2
2012-07-04 10:15 - 2012-07-04 10:15 - 00000000 ____D C:\Users\User\AppData\Local\ArmA 2 Free
2012-07-03 19:36 - 2012-07-03 19:36 - 00001450 ____A C:\Users\User\AppData\Local\recently-used.xbel
2012-07-03 15:11 - 2012-07-03 19:33 - 00180079 ____A C:\Users\User\Documents\donut.xcf
2012-07-03 15:11 - 2012-07-03 15:11 - 00000000 ____D C:\Users\User\.thumbnails
2012-07-02 16:00 - 2012-07-02 16:00 - 00099269 ____A C:\Users\User\Documents\yup.wma
2012-07-01 18:10 - 2012-07-03 19:36 - 00000000 ____D C:\Users\User\.gimp-2.8
2012-07-01 18:10 - 2012-07-01 18:10 - 00000000 ____D C:\Users\User\AppData\Local\gegl-0.2
2012-07-01 17:56 - 2012-07-01 17:57 - 00000000 ____D C:\Program Files\GIMP 2
2012-07-01 17:47 - 2012-07-01 17:55 - 76225536 ____A (The GIMP Team ) C:\Users\User\Downloads\gimp-2.8.0-setup.exe
2012-06-28 13:37 - 2012-06-28 13:37 - 00000445 ____A C:\Users\User\Downloads\mtp.cfg
2012-06-22 18:09 - 2012-06-22 18:09 - 00000000 ____D C:\Users\User\Downloads\The_Stanley_Parable_v1.4
2012-06-21 10:04 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 10:04 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 10:04 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 10:04 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 10:04 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 10:04 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-16 13:08 - 2012-06-16 13:08 - 00000221 ____A C:\Users\User\Desktop\The Elder Scrolls V Skyrim.url
2012-06-16 08:55 - 2012-06-16 08:55 - 00000000 ____D C:\Users\User\AppData\Local\Macromedia
2012-06-10 09:27 - 2012-06-10 09:27 - 00000222 ____A C:\Users\User\Documents\mumbz.rtf

============ 3 Months Modified Files ========================

2012-07-09 17:57 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-09 17:57 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-09 17:54 - 2009-07-13 21:13 - 00796986 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-09 17:50 - 2012-07-06 13:23 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2012-07-09 17:50 - 2012-07-06 13:23 - 00001868 ____A C:\Users\All Users\Desktop\Ad-Aware Antivirus.lnk
2012-07-09 17:50 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-09 17:50 - 2009-07-13 20:51 - 00067984 ____A C:\Windows\setupact.log
2012-07-09 17:40 - 2012-07-09 17:40 - 00000000 ____A C:\Windows\System32\SBRC.dat
2012-07-09 17:35 - 2012-07-09 17:42 - 04574676 ____R (Swearware) C:\Users\User\Desktop\ComboFix.exe
2012-07-09 13:33 - 2012-07-09 13:21 - 00000470 ____A C:\Users\User\Desktop\defogger_disable.log
2012-07-09 13:21 - 2012-07-09 13:21 - 00000000 ____A C:\Users\User\defogger_reenable
2012-07-09 13:18 - 2012-07-09 13:21 - 00050477 ____A C:\Users\User\Desktop\Defogger.exe
2012-07-09 13:17 - 2012-07-09 13:21 - 00607260 ____R (Swearware) C:\Users\User\Desktop\dds.scr
2012-07-09 13:16 - 2012-07-09 13:21 - 00881475 ____A C:\Users\User\Desktop\SecurityCheck.exe
2012-07-08 13:15 - 2010-11-20 19:47 - 00290760 ____A C:\Windows\PFRO.log
2012-07-08 12:50 - 2012-07-08 12:50 - 00001188 ____A C:\Windows\SysWOW64\ServiceConfig.xml
2012-07-08 12:32 - 2012-03-04 14:43 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3583884152-3058386939-603675786-1000UA.job
2012-07-08 11:08 - 2012-03-04 14:43 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3583884152-3058386939-603675786-1000Core.job
2012-07-07 21:09 - 2012-03-05 17:08 - 00025019 ____A C:\Users\User\Documents\nick2.rtf
2012-07-07 14:02 - 2012-07-07 14:02 - 00002106 ____A C:\Users\User\Documents\aswMBR.txt
2012-07-07 14:02 - 2012-07-07 14:02 - 00000512 ____A C:\Users\User\Documents\MBR.dat
2012-07-06 13:24 - 2012-07-06 13:24 - 00000012 ____A C:\Users\User\Downloads\FSSC.dat
2012-07-06 13:16 - 2012-07-06 13:16 - 06236280 ____A (Lavasoft Limited) C:\Users\User\Downloads\Adaware_Installer.exe
2012-07-06 13:16 - 2012-03-08 11:18 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2012-07-06 13:16 - 2012-03-08 11:18 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2012-07-06 13:12 - 2012-03-05 11:28 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForUser.job
2012-07-06 12:04 - 2012-04-03 09:04 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-06 12:04 - 2012-03-04 14:43 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-06 12:04 - 2012-02-14 15:00 - 01723264 ____A C:\Windows\WindowsUpdate.log
2012-07-05 14:25 - 2011-08-24 20:32 - 00148374 ____A C:\Windows\DirectX.log
2012-07-03 19:36 - 2012-07-03 19:36 - 00001450 ____A C:\Users\User\AppData\Local\recently-used.xbel
2012-07-03 19:33 - 2012-07-03 15:11 - 00180079 ____A C:\Users\User\Documents\donut.xcf
2012-07-02 16:00 - 2012-07-02 16:00 - 00099269 ____A C:\Users\User\Documents\yup.wma
2012-07-02 13:27 - 2012-03-19 12:55 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-02 13:27 - 2012-03-05 11:18 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-07-01 17:55 - 2012-07-01 17:47 - 76225536 ____A (The GIMP Team ) C:\Users\User\Downloads\gimp-2.8.0-setup.exe
2012-06-28 13:37 - 2012-06-28 13:37 - 00000445 ____A C:\Users\User\Downloads\mtp.cfg
2012-06-20 14:48 - 2012-03-21 10:47 - 00001264 ____A C:\Users\User\Desktop\Revo Uninstaller.lnk
2012-06-20 14:44 - 2012-04-20 09:25 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-20 14:44 - 2012-04-20 09:25 - 00000822 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2012-06-16 13:08 - 2012-06-16 13:08 - 00000221 ____A C:\Users\User\Desktop\The Elder Scrolls V Skyrim.url
2012-06-13 11:07 - 2012-05-21 19:16 - 00000335 ____A C:\Users\User\Documents\tubs.rtf
2012-06-10 09:27 - 2012-06-10 09:27 - 00000222 ____A C:\Users\User\Documents\mumbz.rtf
2012-06-08 10:46 - 2012-06-08 10:46 - 00001142 ____A C:\Users\User\Desktop\Mozilla Firefox.lnk
2012-06-02 14:19 - 2012-06-21 10:04 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 10:04 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 10:04 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:15 - 2012-06-21 10:04 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 11:19 - 2012-06-21 10:04 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-21 10:04 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-29 13:04 - 2012-05-29 13:04 - 00001189 ____A C:\Users\Public\Desktop\Diablo III.lnk
2012-05-29 13:04 - 2012-05-29 13:04 - 00001189 ____A C:\Users\All Users\Desktop\Diablo III.lnk
2012-05-29 13:03 - 2012-05-29 13:03 - 40048208 ____A (Blizzard Entertainment) C:\Users\User\Downloads\Diablo-III-Setup-enUS.exe
2012-05-17 11:09 - 2012-05-08 13:19 - 00000229 ____A C:\Users\User\Documents\wowcode.rtf
2012-05-15 10:36 - 2012-05-15 10:36 - 00000205 ____A C:\Users\User\Documents\frank.rtf
2012-05-11 12:00 - 2012-05-11 12:00 - 00000221 ____A C:\Users\User\Desktop\Grand Theft Auto IV.url
2012-05-10 15:04 - 2012-05-10 15:04 - 00178800 ____A (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2012-05-06 15:03 - 2012-05-06 15:03 - 00001094 ____A C:\Users\Public\Desktop\Warcraft III - The Frozen Throne.lnk
2012-05-06 15:03 - 2012-05-06 15:03 - 00001094 ____A C:\Users\All Users\Desktop\Warcraft III - The Frozen Throne.lnk
2012-05-02 13:27 - 2012-05-02 13:27 - 00000796 ____A C:\Users\Public\Desktop\Speccy.lnk
2012-05-02 13:27 - 2012-05-02 13:27 - 00000796 ____A C:\Users\All Users\Desktop\Speccy.lnk
2012-04-30 14:55 - 2012-04-30 14:55 - 00435430 ____A C:\Users\User\Documents\Windows_NT6_BSOD_jcgriff2.rar
2012-04-30 14:33 - 2012-04-30 14:33 - 00053760 ____A C:\Users\User\Documents\Windows_NT6_BSOD_v3.03_jcgriff2_.exe
2012-04-28 12:32 - 2009-07-13 21:08 - 00013842 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-20 17:57 - 2012-04-20 17:57 - 00000228 ____A C:\Users\User\Documents\elipses.rtf
2012-04-15 18:20 - 2012-04-15 18:20 - 00017286 ____A C:\Users\User\Documents\youtube clip.odt
2012-04-15 17:20 - 2012-04-15 17:20 - 00016825 ____A C:\Users\User\Documents\review.odt
2012-04-15 16:48 - 2012-04-13 15:13 - 00017914 ____A C:\Users\User\Documents\virtuevice.odt
2012-04-15 16:40 - 2012-04-14 17:35 - 00020010 ____A C:\Users\User\Documents\Interview.odt
2012-04-13 16:48 - 2012-04-13 16:48 - 00002376 ____A C:\Users\User\Documents\MumbleAutomaticCertificateBackup.p12
2012-04-13 16:35 - 2012-04-13 16:35 - 00001014 ____A C:\Users\Public\Desktop\Mumble.lnk
2012-04-13 16:35 - 2012-04-13 16:35 - 00001014 ____A C:\Users\All Users\Desktop\Mumble.lnk
2012-04-12 15:58 - 2012-03-08 11:09 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-12 15:58 - 2012-03-08 11:09 - 00001109 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-11 18:11 - 2012-04-11 18:11 - 00000195 ____A C:\Users\User\Documents\phhhhhooooen.rtf
2012-04-11 11:24 - 2012-03-25 12:28 - 00012736 ____A C:\Users\User\Documents\review.rtf


ZeroAccess:
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\L
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 6091.86 MB
Available physical RAM: 5286.45 MB
Total Pagefile: 6090.01 MB
Available Pagefile: 5276.94 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:681.33 GB) (Free:536.3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:17.02 GB) (Free:1.86 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive h: (Lexar) (Removable) (Total:3.73 GB) (Free:2.41 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 681 GB 200 MB
Partition 3 Primary 17 GB 681 GB
Partition 4 Primary 102 MB 698 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 681 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 17 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 102 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 24 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H Lexar FAT32 Removable 3823 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-17 20:06

======================= End Of Log ==========================

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:25 AM

Posted 09 July 2012 - 09:42 PM

Greetings

Ok, let's see if we can find a replacement for the infected file.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click the Search button and post the log (Search.txt) it makes in your reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
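A small triage parser for the FRST sections the reply above turns on, added here as an example and not part of the thread or of FRST itself: it reads an excerpt of the log posted above (the services.exe MD5 and the ZeroAccess folder are the values shown there; FRST's line formats are assumed from that excerpt) and returns which checked system binaries were flagged and which ZeroAccess artefacts were listed, so the same lines can be checked consistently across many logs.

```python
import re
# Excerpt of the FRST log posted above (the MD5 and the GUID folder are the ones in the thread).
SAMPLE_LOG = r"""ZeroAccess:
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\L
C:\Windows\Installer\{a0c39018-6653-7865-a557-faa816a5f6c8}\U

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")           # "==== Name ====" (or a bare separator)
LEGIT_RE = re.compile(r"^(?P<path>.+?)\s*=> MD5 is legit$")
FLAGGED_RE = re.compile(                                # "<path> <md5> <name> <==== ATTENTION!"
    r"^(?P<path>.+?)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<name>\S+)\s+<====\s*ATTENTION!")

def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-blank lines under their '==== Name ====' or bare 'Name:' header."""
    sections, current = {}, "preamble"
    for line in filter(None, (raw.rstrip() for raw in text.splitlines())):
        if (m := SECTION_RE.match(line)):               # a pure "=====" line keeps the section
            current = m.group(1).strip("= ") or current
        elif line.endswith(":") and " " not in line:    # e.g. "ZeroAccess:"
            current = line[:-1]
        else:
            sections.setdefault(current, []).append(line)
    return sections

def check_system_binaries(sections: dict[str, list[str]]) -> list[dict]:
    """One verdict per line of the 'Bamital & volsnap Check' section."""
    verdicts = []
    for line in sections.get("Bamital & volsnap Check", []):
        if (m := LEGIT_RE.match(line)):
            verdicts.append({"path": m["path"], "legit": True})
        elif (m := FLAGGED_RE.match(line)):
            verdicts.append({"path": m["path"], "legit": False,
                             "md5": m["md5"].upper(), "detection": m["name"]})
        else:                                           # unknown shape: never assume it is clean
            verdicts.append({"path": line, "legit": False, "detection": "unparsed"})
    return verdicts

def triage(text: str) -> tuple[list[dict], list[str]]:
    """Return (flagged system binaries, listed ZeroAccess artefact paths) for one FRST log."""
    sections = split_sections(text)
    flagged = [v for v in check_system_binaries(sections) if not v["legit"]]
    return flagged, sections.get("ZeroAccess", [])
```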



