Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zero Access Rootkit


  • This topic is locked This topic is locked
23 replies to this topic

#1 twintone

twintone

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 12 July 2012 - 04:05 PM

I was advised to post a link to my original topic which is here : http://www.bleepingcomputer.com/forums/topic460425.html

I am helping a friend of mine with his laptop, so I don't have a whole lot of history on it. He just stated it has been slow as of late. He was not running any AV software (out of date) so I ran Avast! on it, and it reported 16 threats. When I removed the threats the laptop would no longer boot, and I was forced to do a restore. So I am back to square one with an infected laptop.

Windows 7 64bit




.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Zoyde at 15:52:05 on 2012-07-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.1743 [GMT -5:00]
.
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21bd21dd0a38d98e\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21bd21dd0a38d98e\AESTSr64.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\PROGRA~2\OURBAB~2\bar\2.bin\27barsvc.exe
C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27brmon.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\taskhost.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Zoyde\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=YRxdm0036Nus&ptb=56922129-41F9-4EBA-869B-A14C1CEC6F32
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uURLSearchHooks: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - C:\Program Files (x86)\Dealio Toolbar\IE\4.6\dealioToolbarIE.dll
uURLSearchHooks: N/A: {edd4f682-e67a-4175-bb45-c4066da2f7d9} - C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27SrcAs.dll
uURLSearchHooks: H - No File
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - C:\Program Files (x86)\Dealio Toolbar\IE\4.6\dealioToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Toolbar BHO: {588b75f1-89a0-4956-bd69-3f6e90394909} - C:\PROGRA~2\OURBAB~2\bar\2.bin\27bar.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\IPS\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Search Assistant BHO: {825b4dd6-b751-4d90-802a-eae6754c1c7e} - C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27SrcAs.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\coIEPlg.dll
TB: OurBabymaker: {e0b0df9f-34a3-4db1-becc-621697348607} - C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27bar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - C:\Program Files (x86)\Dealio Toolbar\IE\4.6\dealioToolbarIE.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "C:\Program Files (x86)\DivX\DivX Plus Web Player\DDmService.exe" start
mRun: [OurBabyMaker_27 Browser Plugin Loader] C:\PROGRA~2\OURBAB~2\bar\2.bin\27brmon.exe
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\Zoyde\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1C5A1E08-7806-4044-9C2C-1651C006B8FD} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1C5A1E08-7806-4044-9C2C-1651C006B8FD}\358616E656D203 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{81BB5E25-78A1-4081-8839-3859E25106C8} : DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Dealio Toolbar: {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files (x86)\Dealio Toolbar\IE\4.6\dealioToolbarIE.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Toolbar BHO: {588b75f1-89a0-4956-bd69-3f6e90394909} - C:\PROGRA~2\OURBAB~2\bar\2.bin\27bar.dll
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Search Assistant BHO: {825b4dd6-b751-4d90-802a-eae6754c1c7e} - C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27SrcAs.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\coIEPlg.dll
TB-X64: OurBabymaker: {e0b0df9f-34a3-4db1-becc-621697348607} - C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27bar.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Dealio Toolbar: {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files (x86)\Dealio Toolbar\IE\4.6\dealioToolbarIE.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [DivX Download Manager] "C:\Program Files (x86)\DivX\DivX Plus Web Player\DDmService.exe" start
mRun-x64: [OurBabyMaker_27 Browser Plugin Loader] C:\PROGRA~2\OURBAB~2\bar\2.bin\27brmon.exe
mRun-x64: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [(Default)]
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20110716.031\IDSviA64.sys [2011-7-19 488056]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0502000.00D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0502000.00D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/30 19:52:49];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21bd21dd0a38d98e\AESTSr64.exe [2009-7-30 89088]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-7-12 44808]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-12 655944]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\ccsvchst.exe [2012-1-30 130008]
R2 OurBabyMaker_27Service;OurBabymaker Service;C:\PROGRA~2\OURBAB~2\bar\2.bin\27barsvc.exe [2011-4-4 36864]
R2 PenCommService;Livescribe Smartpen Service;C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2010-12-29 458240]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-4-8 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320]
R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-4-8 228408]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-7-5 1143416]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys --> C:\Windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys --> C:\Windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys --> C:\Windows\system32\DRIVERS\motport.sys [?]
S3 PulseUsb;Livescribe Smartpen USB Driver;C:\Windows\system32\DRIVERS\PulseUsb.sys --> C:\Windows\system32\DRIVERS\PulseUsb.sys [?]
S3 ssrangdr;ssrangdr;C:\Windows\system32\DRIVERS\ssrangdr.sys --> C:\Windows\system32\DRIVERS\ssrangdr.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-07-12 20:46:30 -------- d-----w- C:\Fixing
2012-07-12 17:10:07 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-07-12 17:10:04 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-07-12 17:10:01 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-07-12 17:08:52 41224 ----a-w- C:\Windows\avastSS.scr
2012-07-12 16:45:14 711240 ----a-w- C:\Windows\isRS-000.tmp
2012-07-11 22:39:35 -------- d-----w- C:\ProgramData\AVAST Software
2012-07-11 22:39:35 -------- d-----w- C:\Program Files\AVAST Software
2012-07-11 21:42:49 -------- d-----w- C:\Users\Zoyde\AppData\Roaming\TuneUp Software
2012-07-11 21:42:45 -------- d-----w- C:\Program Files (x86)\TuneUp Utilities 2012
2012-07-11 21:42:41 -------- d-----w- C:\ProgramData\TuneUp Software
2012-07-11 21:42:30 -------- d--h--w- C:\ProgramData\Common Files
2012-07-11 20:46:58 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-07-11 17:16:20 -------- d-----w- C:\5c0ea68be1fd520e41b82326c9
2012-07-11 16:56:56 -------- d-----w- C:\Users\Zoyde\AppData\Local\Symantec
2012-07-11 16:48:56 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-11 16:48:55 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 16:44:57 -------- d-----w- C:\Program Files (x86)\Hp
2012-07-11 16:44:31 -------- d-----w- C:\Users\Zoyde\AppData\Roaming\HpUpdate
2012-07-11 16:44:16 -------- d-----w- C:\Windows\Hewlett-Packard
2012-06-25 18:18:40 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-25 18:17:31 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-25 18:16:44 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-25 18:16:44 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-18 19:00:44 208896 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-18 19:00:44 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-18 19:00:39 5505392 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-18 19:00:38 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-18 19:00:37 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-18 19:00:34 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-18 19:00:34 76288 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-18 19:00:34 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-18 19:00:16 3213824 ----a-w- C:\Windows\System32\msi.dll
2012-06-18 19:00:15 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-18 18:59:58 1460224 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-18 18:59:58 1156608 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-18 18:59:57 182272 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-18 18:59:57 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-18 18:59:57 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-18 18:59:57 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-18 18:58:56 3144192 ----a-w- C:\Windows\System32\win32k.sys
.
==================== Find3M ====================
.
2012-07-11 17:13:54 476936 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-07-11 17:13:54 472840 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-07-03 18:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-29 04:02:21 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
.
============= FINISH: 15:53:31.30 ===============

Attached Files


Edited by twintone, 12 July 2012 - 04:10 PM.


BC AdBot (Login to Remove)

 


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:22 AM

Posted 13 July 2012 - 01:52 PM

twintone,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


FRST
Please download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

- OR -

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 July 2012 - 02:29 PM

Hello Jason,

Thank you for the reply. I have run farbar and attached the log.

 

Scan result of Farbar Recovery Scan Tool Version: 11-07-2012
Ran by SYSTEM at 12-07-2012 20:25:34
Running from F:\FixItTools
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [441344 2008-09-26] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1220392 2008-01-18] (Synaptics, Inc.)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [189736 2008-12-25] (CyberLink)
HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-11-28] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-10-08] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1316136 2008-12-25] (CyberLink Corp.)
HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [210216 2009-01-21] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [218408 2008-11-14] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [210216 2008-10-30] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-11-26] (CyberLink Corp.)
HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [200704 2007-08-06] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-06-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [274608 2010-11-10] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-01-10] ()
HKLM-x32\...\Run: [DivX Download Manager] "C:\Program Files (x86)\DivX\DivX Plus Web Player\DDmService.exe" start [63360 2010-12-08] (DivX, LLC)
HKLM-x32\...\Run: [OurBabyMaker_27 Browser Plugin Loader] C:\PROGRA~2\OURBAB~2\bar\2.bin\27brmon.exe [27648 2011-04-04] (OurBabymaker)
HKLM-x32\...\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [534880 2011-08-17] (Spigot, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\Zoyde\...\Policies\system: [LogonHoursAction] 2
HKU\Zoyde\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Startup: C:\Users\Zoyde\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
ShortcutTarget: Picture Motion Browser Media Check Tool.lnk -> C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)

==================== Services (Whitelisted) ======

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21bd21dd0a38d98e\AESTSr64.exe [89088 2008-09-26] (Andrea Electronics Corporation)
2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-12] (Akamai Technologies, Inc)
3 GameConsoleService; "C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe" [238328 2010-02-08] (WildTangent, Inc.)
2 mafwboot; C:\Windows\System32\cvsnt.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 N360; "C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\5.2.0.13\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 OurBabyMaker_27Service; C:\PROGRA~2\OURBAB~2\bar\2.bin\27barsvc.exe [36864 2011-04-04] (OurBabymaker)
2 PenCommService; "C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe" [458240 2010-12-29] (Livescribe)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21bd21dd0a38d98e\STacSV64.exe [279040 2008-09-26] (IDT, Inc.)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
2 s716mgmt; \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs [x]
2 smtpd32; \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs [x]

========================== Drivers (Whitelisted) =============

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-07-14] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20110716.031\IDSvia64.sys [488056 2011-07-07] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 motport; C:\Windows\System32\Drivers\motport.sys [29184 2007-06-20] (Motorola)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20110719.003\ENG64.SYS [117880 2011-07-14] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20110719.003\EX64.SYS [2011768 2011-07-14] (Symantec Corporation)
3 PulseUsb; C:\Windows\System32\Drivers\PulseUsb.sys [26112 2010-05-24] (Windows ® Win 7 DDK provider)
3 SRTSP; C:\Windows\System32\Drivers\N360x64\0502000.00D\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360x64\0502000.00D\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
3 ssrangdr; C:\Windows\System32\Drivers\ssrangdr.sys [4608 2009-08-20] (SupportSoft Inc.)
0 SymDS; C:\Windows\System32\drivers\N360x64\0502000.00D\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360x64\0502000.00D\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-06-19] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\N360x64\0502000.00D\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
4 eabfiltr; [x]
3 SYMFW; C:\Windows\System32\Drivers\N360x64\0308000.029\SYMFW.SYS [x]
3 SYMNDISV; C:\Windows\System32\Drivers\N360x64\0308000.029\SYMNDISV.SYS [x]

========================== NetSvcs (Whitelisted) ===========

NETSVC: 3compxe -> No ServiceDLL Path.
NETSVC: DELL_A02 -> No ServiceDLL Path.
NETSVC: vmnetbridge -> No ServiceDLL Path.
NETSVC: mafwboot -> C:\Windows\system32\cvsnt.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: dns4meclient -> No ServiceDLL Path.
NETSVC: Intel_MIPMNMP -> No ServiceDLL Path.
NETSVC: pae_avs -> No ServiceDLL Path.
NETSVC: s716mgmt -> No ServiceDLL Path.

============ One Month Created Files and Folders ==============

2012-07-12 20:25 - 2012-07-12 20:25 - 00000000 ____D C:\FRST
2012-07-12 12:46 - 2012-07-12 17:00 - 00000000 ____D C:\Fixing
2012-07-12 12:44 - 2012-07-12 12:44 - 00000472 ____A C:\Users\Zoyde\Downloads\defogger_disable.log
2012-07-12 12:44 - 2012-07-12 12:44 - 00000000 ____A C:\Users\Zoyde\defogger_reenable
2012-07-11 14:39 - 2012-07-12 09:08 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-07-11 14:39 - 2012-07-12 09:08 - 00000000 ____D C:\Program Files\AVAST Software
2012-07-11 13:42 - 2012-07-12 09:35 - 00000000 ____D C:\Program Files (x86)\TuneUp Utilities 2012
2012-07-11 13:42 - 2012-07-11 13:43 - 00000000 ____D C:\Users\All Users\TuneUp Software
2012-07-11 13:42 - 2012-07-11 13:42 - 00000000 ____D C:\Users\Zoyde\AppData\Roaming\TuneUp Software
2012-07-11 12:46 - 2012-07-11 16:14 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-11 09:16 - 2012-07-12 17:00 - 00000000 ____D C:\5c0ea68be1fd520e41b82326c9
2012-07-11 09:14 - 2012-07-11 09:13 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-07-11 09:14 - 2012-07-11 09:13 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-07-11 09:14 - 2012-07-11 09:13 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-07-11 09:14 - 2012-07-11 09:13 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-07-11 09:14 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 09:14 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 09:14 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 09:14 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 09:14 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 09:14 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 09:14 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 09:14 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 09:14 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 09:14 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 09:14 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 09:14 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 09:14 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 09:14 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 09:14 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-11 09:14 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-11 09:14 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-11 09:14 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-11 09:14 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-11 09:14 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-11 09:14 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-11 09:14 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-11 09:14 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-11 09:14 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-11 09:14 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-11 09:14 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-11 09:14 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-11 09:14 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-11 08:56 - 2012-07-11 08:56 - 00000000 ____D C:\Users\Zoyde\AppData\Local\Symantec
2012-07-11 08:44 - 2012-07-11 08:50 - 00000000 ____D C:\Users\Zoyde\AppData\Roaming\HpUpdate
2012-07-11 08:44 - 2012-07-11 08:44 - 00000321 ____A C:\updatedatfix.log
2012-07-11 08:44 - 2012-07-11 08:44 - 00000000 ____D C:\Windows\Hewlett-Packard
2012-07-11 08:44 - 2012-07-11 08:44 - 00000000 ____D C:\Program Files (x86)\Hp
2012-06-25 12:22 - 2012-06-25 12:22 - 00274448 ____A C:\Windows\Minidump\062512-31761-01.dmp
2012-06-25 10:18 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-25 10:18 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-25 10:18 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-25 10:18 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-25 10:17 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-25 10:17 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-25 10:17 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-25 10:16 - 2012-06-02 12:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-25 10:16 - 2012-06-02 12:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 09:55 - 2012-06-21 09:55 - 00274448 ____A C:\Windows\Minidump\062112-35630-01.dmp
2012-06-18 11:00 - 2012-05-04 02:52 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-18 11:00 - 2012-05-04 02:08 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-18 11:00 - 2012-05-04 02:08 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-18 11:00 - 2012-05-01 21:32 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-18 11:00 - 2012-04-27 19:50 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-18 11:00 - 2012-04-25 21:34 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-18 11:00 - 2012-04-25 21:34 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-18 11:00 - 2012-04-25 21:28 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-18 11:00 - 2012-04-07 04:18 - 03213824 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-18 11:00 - 2012-04-07 03:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-18 10:59 - 2012-04-23 21:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-18 10:59 - 2012-04-23 21:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-18 10:59 - 2012-04-23 21:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-18 10:59 - 2012-04-23 20:47 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-18 10:59 - 2012-04-23 20:47 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-18 10:59 - 2012-04-23 20:47 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-18 10:58 - 2012-05-14 17:32 - 03144192 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 07:37 - 2012-06-12 07:37 - 00262144 ____A C:\Windows\Minidump\061212-34195-01.dmp

============ 3 Months Modified Files ========================

2012-07-12 17:19 - 2010-01-13 21:02 - 01407811 ____A C:\Windows\WindowsUpdate.log
2012-07-12 17:19 - 2009-07-13 20:51 - 02974283 ____A C:\Windows\setupact.log
2012-07-12 17:12 - 2010-01-30 23:58 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-12 17:12 - 2010-01-30 23:58 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-12 17:12 - 2009-09-08 11:56 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-853061395-3121904867-2439913712-1000UA.job
2012-07-12 16:08 - 2010-01-13 19:53 - 00011120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-12 16:08 - 2010-01-13 19:53 - 00011120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-12 16:00 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-12 12:44 - 2012-07-12 12:44 - 00000472 ____A C:\Users\Zoyde\Downloads\defogger_disable.log
2012-07-12 12:44 - 2012-07-12 12:44 - 00000000 ____A C:\Users\Zoyde\defogger_reenable
2012-07-11 09:13 - 2012-07-11 09:14 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-07-11 09:13 - 2012-07-11 09:14 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-07-11 09:13 - 2012-07-11 09:14 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-07-11 09:13 - 2012-07-11 09:14 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-07-11 09:13 - 2010-08-18 21:03 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-07-11 08:52 - 2009-09-08 11:57 - 00002228 ____A C:\Users\Zoyde\Desktop\Google Chrome.lnk
2012-07-11 08:44 - 2012-07-11 08:44 - 00000321 ____A C:\updatedatfix.log
2012-07-11 08:38 - 2009-09-08 11:56 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-853061395-3121904867-2439913712-1000Core.job
2012-06-26 10:22 - 2010-01-13 20:44 - 00080686 ____A C:\Windows\PFRO.log
2012-06-25 12:22 - 2012-06-25 12:22 - 00274448 ____A C:\Windows\Minidump\062512-31761-01.dmp
2012-06-25 12:22 - 2012-06-03 18:25 - 383146443 ____A C:\Windows\MEMORY.DMP
2012-06-25 11:48 - 2009-07-13 20:45 - 00357952 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-25 11:44 - 2009-07-13 21:13 - 00799398 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-25 11:42 - 2012-05-09 18:37 - 00000127 ____A C:\Windows\System32\MRT.INI
2012-06-25 10:25 - 2010-05-05 10:22 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-21 09:55 - 2012-06-21 09:55 - 00274448 ____A C:\Windows\Minidump\062112-35630-01.dmp
2012-06-18 21:45 - 2009-09-07 12:50 - 00000334 ____A C:\Windows\Tasks\HPCeeScheduleForZoyde.job
2012-06-12 07:37 - 2012-06-12 07:37 - 00262144 ____A C:\Windows\Minidump\061212-34195-01.dmp
2012-06-11 07:55 - 2012-06-11 07:55 - 00274448 ____A C:\Windows\Minidump\061112-31777-01.dmp
2012-06-03 19:09 - 2012-06-03 19:09 - 00270152 ____A C:\Windows\Minidump\060312-33961-01.dmp
2012-06-03 18:26 - 2012-06-03 18:25 - 00274448 ____A C:\Windows\Minidump\060312-37065-01.dmp
2012-06-03 16:11 - 2012-03-12 23:25 - 00001308 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
2012-06-02 14:19 - 2012-06-25 10:18 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 10:18 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 10:18 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 10:17 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 10:17 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-25 10:18 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-25 10:17 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-25 10:16 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-25 10:16 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 09:14 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 09:14 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 09:14 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 09:14 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 09:14 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 09:14 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 09:14 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 09:14 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 09:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 09:14 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 09:14 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 09:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 09:14 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 09:14 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 09:14 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 09:14 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 09:14 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 09:14 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 09:14 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 09:14 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 09:14 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 09:14 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 09:14 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 09:14 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 09:14 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 09:14 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 09:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 09:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-29 07:25 - 2012-04-16 04:53 - 00291619 ____N C:\Windows\Minidump\052912-35958-01.dmp
2012-05-20 17:55 - 2012-05-20 17:55 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-14 17:32 - 2012-06-18 10:58 - 03144192 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-06 11:31 - 2012-05-06 11:31 - 00031777 ____A C:\Users\Zoyde\Documents\safety work cited.rtf
2012-05-06 11:31 - 2012-05-06 11:31 - 00000162 ___AH C:\Users\Zoyde\Documents\~$fety work cited.rtf
2012-05-06 11:18 - 2012-05-06 10:43 - 01250039 ____A C:\Users\Zoyde\Documents\Ergonomic Sub-line Design.pptx
2012-05-04 02:52 - 2012-06-18 11:00 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:08 - 2012-06-18 11:00 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:08 - 2012-06-18 11:00 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 21:32 - 2012-06-18 11:00 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-28 20:12 - 2009-07-13 21:08 - 00032544 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-28 20:02 - 2012-04-22 02:39 - 00000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-27 19:50 - 2012-06-18 11:00 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:34 - 2012-06-18 11:00 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:34 - 2012-06-18 11:00 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:28 - 2012-06-18 11:00 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 21:59 - 2012-06-18 10:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:59 - 2012-06-18 10:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:59 - 2012-06-18 10:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:47 - 2012-06-18 10:59 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:47 - 2012-06-18 10:59 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:47 - 2012-06-18 10:59 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-20 07:01 - 2012-04-20 07:57 - 00045664 __ASH C:\Users\Zoyde\AppData\Local\dplayx.dll
2012-04-16 04:53 - 2012-04-16 04:53 - 00274448 ____A C:\Windows\Minidump\041612-33945-01.dmp


ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 3837.83 MB
Available physical RAM: 3203.53 MB
Total Pagefile: 3835.98 MB
Available Pagefile: 3197.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:451.71 GB) (Free:334.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:14.05 GB) (Free:2.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (Transcend) (Removable) (Total:7.53 GB) (Free:7.39 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 2048 KB
Disk 1 Online 7728 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 451 GB 1024 KB
Partition 2 Primary 14 GB 451 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 451 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 14 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7727 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Transcend FAT32 Removable 7727 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-05-17 04:42

======================= End Of Log ==========================

Attached Files

  • Attached File  FRST.txt   31.61KB   2 downloads

Edited by jntkwx, 13 July 2012 - 02:34 PM.
Including log in post (easier to read)


#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:22 AM

Posted 13 July 2012 - 03:05 PM

twintone,

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM-x32\...\Run: [] [x]
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2 mafwboot; C:\Windows\System32\cvsnt.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\cvsnt.dll
2 OurBabyMaker_27Service; C:\PROGRA~2\OURBAB~2\bar\2.bin\27barsvc.exe [36864 2011-04-04] (OurBabymaker)
C:\PROGRA~2\OURBAB~2\bar\2.bin\27barsvc.exe 
2 s716mgmt; \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs [x]
2 smtpd32; \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs [x]
4 eabfiltr; [x]
NETSVC: 3compxe
NETSVC: DELL_A02
NETSVC: vmnetbridge
NETSVC: mafwboot
NETSVC: dns4meclient
NETSVC: Intel_MIPMNMP
NETSVC: pae_avs
NETSVC: s716mgmt
C:\Windows\System32\dds_trash_log.cmd
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Please enter System Recovery Options, as we've done previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. (please don't attach logs unless specifically asked to)

Edited by jntkwx, 13 July 2012 - 03:30 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 July 2012 - 04:08 PM

Jason, I need to be upfront with you and let you know I ran Combofix today. I ran the FRST before Combofix and that was the log I posted. I know it's a no, no to do what I did, but this is my buddy's laptop and he is desperate to get it back as he is leaving town tomorrow for a week. I have run combofix before in the past, and thought I would just go for it. Hopefully you are understanding and still willing to help me figure out if I am totally clean. I did end up with and issue where I couldn't open several things in control panel, users, windows update, but was able to figure out how to fix that. Again, I apologize for not being patient. I absolutely appreciate what you guys do for people. Below is the combofix log from earlier today.


ComboFix 12-07-13.02 - Zoyde 07/13/2012 10:21:20.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.2353 [GMT -5:00]
Running from: c:\users\Zoyde\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~2\OURBAB~2\bar\2.bin\27BAr.dll
c:\program files (x86)\Dealio Toolbar
c:\program files (x86)\Dealio Toolbar\IE\4.6\config.ini
c:\program files (x86)\Dealio Toolbar\IE\4.6\dealioToolbarIE.dll
c:\program files (x86)\Dealio Toolbar\Res\amazon.gif
c:\program files (x86)\Dealio Toolbar\Res\apple.gif
c:\program files (x86)\Dealio Toolbar\Res\barnes.gif
c:\program files (x86)\Dealio Toolbar\Res\bestbuy.gif
c:\program files (x86)\Dealio Toolbar\Res\dealio_logo.gif
c:\program files (x86)\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files (x86)\Dealio Toolbar\Res\ebay.gif
c:\program files (x86)\Dealio Toolbar\Res\icon_settings.gif
c:\program files (x86)\Dealio Toolbar\Res\macys.gif
c:\program files (x86)\Dealio Toolbar\Res\newegg.gif
c:\program files (x86)\Dealio Toolbar\Res\overstock.gif
c:\program files (x86)\Dealio Toolbar\Res\search-button-hover.gif
c:\program files (x86)\Dealio Toolbar\Res\search-button.gif
c:\program files (x86)\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files (x86)\Dealio Toolbar\Res\search-chevron.gif
c:\program files (x86)\Dealio Toolbar\Res\search_amazon.gif
c:\program files (x86)\Dealio Toolbar\Res\search_dealio.gif
c:\program files (x86)\Dealio Toolbar\Res\search_ebay.gif
c:\program files (x86)\Dealio Toolbar\Res\search_yahoo.gif
c:\program files (x86)\Dealio Toolbar\Res\target.gif
c:\program files (x86)\Dealio Toolbar\Res\walmart.gif
c:\program files (x86)\Dealio Toolbar\Res\widgets.xml
c:\program files (x86)\Dealio Toolbar\WidgiHelper.exe
c:\program files (x86)\OurBabyMaker_27\bar\2.bin\27BAr.dll
c:\program files (x86)\OurBabyMaker_27\bar\2.bin\27SRcas.dll
c:\users\Zoyde\AppData\Roaming\Local
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\1.ddi
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\fukkpabaxvjf.avi.ddr
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\Inception_Trailer_592.divx.ddr
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\fukkpabaxvjf.avi.ddp
c:\users\Zoyde\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\Inception_Trailer_592.divx.ddp
c:\users\Zoyde\Documents\~WRL0005.tmp
c:\users\Zoyde\Documents\~WRL1527.tmp
c:\users\Zoyde\Documents\~WRL1610.tmp
c:\users\Zoyde\Documents\ShopToWin
c:\windows\pthreadGC2.dll
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-06-13 to 2012-07-13 )))))))))))))))))))))))))))))))
.
.
2012-07-13 15:36 . 2012-07-13 15:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-13 15:09 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-07-13 04:25 . 2012-07-13 04:25 -------- d-----w- C:\FRST
2012-07-13 02:07 . 2012-07-13 14:52 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-13 00:09 . 2012-06-06 05:50 2003968 ----a-w- c:\windows\system32\msxml6.dll
2012-07-13 00:09 . 2012-06-06 05:50 1880064 ----a-w- c:\windows\system32\msxml3.dll
2012-07-13 00:09 . 2012-06-06 05:09 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-13 00:09 . 2012-06-06 05:09 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-12 20:46 . 2012-07-13 05:58 -------- d-----w- C:\Fixing
2012-07-11 22:39 . 2012-07-13 02:29 -------- d-----w- c:\programdata\AVAST Software
2012-07-11 22:39 . 2012-07-13 02:29 -------- d-----w- c:\program files\AVAST Software
2012-07-11 21:42 . 2012-07-11 21:42 -------- d-----w- c:\users\Zoyde\AppData\Roaming\TuneUp Software
2012-07-11 21:42 . 2012-07-12 17:35 -------- d-----w- c:\program files (x86)\TuneUp Utilities 2012
2012-07-11 21:42 . 2012-07-11 21:43 -------- d-----w- c:\programdata\TuneUp Software
2012-07-11 21:42 . 2012-07-11 21:42 -------- d--h--w- c:\programdata\Common Files
2012-07-11 20:46 . 2012-07-12 00:14 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-11 17:16 . 2012-07-13 05:58 -------- d-----w- C:\5c0ea68be1fd520e41b82326c9
2012-07-11 17:14 . 2012-07-11 17:13 476936 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-07-11 16:56 . 2012-07-11 16:56 -------- d-----w- c:\users\Zoyde\AppData\Local\Symantec
2012-07-11 16:48 . 2012-06-06 05:50 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 16:48 . 2012-06-06 05:09 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 16:44 . 2012-07-11 16:44 -------- d-----w- c:\program files (x86)\Hp
2012-07-11 16:44 . 2012-07-11 16:50 -------- d-----w- c:\users\Zoyde\AppData\Roaming\HpUpdate
2012-07-11 16:44 . 2012-07-11 16:44 -------- d-----w- c:\windows\Hewlett-Packard
2012-06-25 18:18 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-25 18:18 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-25 18:18 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-25 18:18 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 18:17 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-25 18:17 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-25 18:17 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 18:16 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-25 18:16 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-18 19:00 . 2012-05-02 05:32 208896 ----a-w- c:\windows\system32\profsvc.dll
2012-06-18 19:00 . 2012-04-28 03:50 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-18 19:00 . 2012-05-04 10:52 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-18 19:00 . 2012-05-04 10:08 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-18 19:00 . 2012-05-04 10:08 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-18 19:00 . 2012-04-26 05:34 76288 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-18 19:00 . 2012-04-26 05:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-18 19:00 . 2012-04-26 05:28 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-18 19:00 . 2012-04-07 12:18 3213824 ----a-w- c:\windows\system32\msi.dll
2012-06-18 19:00 . 2012-04-07 11:34 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-18 18:59 . 2012-04-24 05:59 1460224 ----a-w- c:\windows\system32\crypt32.dll
2012-06-18 18:59 . 2012-04-24 04:47 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-18 18:59 . 2012-04-24 05:59 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-18 18:59 . 2012-04-24 05:59 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-18 18:59 . 2012-04-24 04:47 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-18 18:59 . 2012-04-24 04:47 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 17:13 . 2010-08-19 05:03 472840 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-29 04:02 . 2012-04-22 10:39 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 03:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-10-08 322104]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
"TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-01-21 210216]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2010-11-11 274608]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files (x86)\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"OurBabyMaker_27 Browser Plugin Loader"="c:\progra~2\OURBAB~2\bar\2.bin\27brmon.exe" [2011-04-04 27648]
"SearchSettings"="c:\program files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-08-17 534880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Zoyde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-9-29 385024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\setup\disabledrunkeys]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 19456]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 9216]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-21 29184]
R3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\DRIVERS\PulseUsb.sys [2010-05-24 26112]
R3 ssrangdr;ssrangdr;c:\windows\system32\DRIVERS\ssrangdr.sys [2009-08-20 4608]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1255736]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/30 19:52];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 01:04 146928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21bd21dd0a38d98e\AESTSr64.exe [2008-09-26 89088]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-03-18 23040]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 OurBabyMaker_27Service;OurBabymaker Service;c:\progra~2\OURBAB~2\bar\2.bin\27barsvc.exe [2011-04-04 36864]
S2 PenCommService;Livescribe Smartpen Service;c:\program files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2010-12-29 458240]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\SMINST\BLService.exe [2008-12-03 365952]
S2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-27 296320]
S2 TVSched;TV Task Scheduler (TVTS);c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-27 116096]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 60928]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-07-21 145496]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2008-12-20 33160]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-28 26168]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - IDSVia64
*Deregistered* - SRTSPX
*Deregistered* - SymEFA
*Deregistered* - SymEvent
*Deregistered* - SYMFW
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-10-16 17:49 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 07:58]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 07:58]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-853061395-3121904867-2439913712-1000Core.job
- c:\users\Zoyde\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-08 19:55]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-853061395-3121904867-2439913712-1000UA.job
- c:\users\Zoyde\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-08 19:55]
.
2012-06-19 c:\windows\Tasks\HPCeeScheduleForZoyde.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-08 18:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1220392]
"combofix"="c:\combofix\CF21604.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
3compxe
DELL_A02
vmnetbridge
mafwboot
dns4meclient
Intel_MIPMNMP
pae_avs
s716mgmt
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=YRxdm0036Nus&ptb=56922129-41F9-4EBA-869B-A14C1CEC6F32
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{edd4f682-e67a-4175-bb45-c4066da2f7d9} - c:\program files (x86)\OurBabyMaker_27\bar\2.bin\27SrcAs.dll
SafeBoot-79756193.sys
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files (x86)\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-853061395-3121904867-2439913712-1000\Software\SecuROM\License information*]
"datasecu"=hex:83,cd,fb,38,34,5e,cc,d4,88,53,46,c8,6a,ed,c0,5a,ac,13,db,6e,6d,
f7,63,57,8c,81,e0,ef,b8,0b,4f,35,1e,ac,b0,4e,8d,cc,a9,51,04,56,22,65,1a,42,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\OurBabyMaker_27\bar\2.bin\27brmon.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2012-07-13 10:48:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-13 15:48
.
Pre-Run: 359,526,744,064 bytes free
Post-Run: 360,271,941,632 bytes free
.
- - End Of File - - 23967DAC761F1F1F7C219688B087CEBB

#6 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 July 2012 - 08:59 PM

So, I ran a full scan with Avast! and appear to still be infected. I don't think I am going to get this resolved before tomorrow anyway, so I am going to run your fixlist.txt script and post the results here. Again, I apologize, and will have the weekend to work on this, and will wait for your instructions.

#7 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 July 2012 - 09:08 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 11-07-2012
Ran by SYSTEM at 2012-07-13 21:07:10 Run:1
Running from F:\FixItTools

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
mafwboot service not found.
C:\Windows\System32\cvsnt.dll not found.
OurBabyMaker_27Service service deleted successfully.
C:\PROGRA~2\OURBAB~2\bar\2.bin\27barsvc.exe moved successfully.
s716mgmt service deleted successfully.
smtpd32 service deleted successfully.
eabfiltr service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs 3compxe Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs DELL_A02 Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs vmnetbridge Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs mafwboot Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs dns4meclient Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs Intel_MIPMNMP Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs pae_avs Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs s716mgmt Deleted successfully.
C:\Windows\System32\dds_trash_log.cmd moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:22 AM

Posted 13 July 2012 - 10:29 PM

twintone,

I understand you want to fix this computer as fast as possible, but from here on, please be patient and wait for me to give you instructions. Thank you. :thumbup2:

Please rerun Avast, and if it produces a log, copy and paste that into your next post. If it doesn't produce a log, please tell me exactly what items it detects, if any.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#9 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 July 2012 - 10:54 PM

Thanks for giving me another chance Jason.. I will be patient this time. I was already running a full scan in safemode when I saw your reply. I walked over to the laptop to see how far along it was, and see it had shut down. :angry: So, I am starting a new scan now.

#10 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 July 2012 - 06:39 AM

Full scan with Avast run in safemode found the following:

c:\FRST\Quarantine\Desktop.ini - Win32:Sirefef-HO
c:\Windows\System32\abiosdsk.dll - Win64:ZAccess-E
c:\Windows\System32\bantext.dll - Win64:ZAccess-E
c:\Windows\System32\ino_flpy.dll - Win64:ZAccess-E
c:\Windows\System32\JRAID.dll - Win64:ZAccess-E
c:\Windows\System32\QPCapSvc.dll - Win64:ZAccess-E
c:\Windows\System32\s125mdm.dll - Win64:ZAccess-E
c:\Windows\System32\VC6SecS.dll - Win64:ZAccess-E
c:\Windows\System32\W700mdm.dll - Win64:ZAccess-E
c:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QOT8J64R\justforwomen_mypodstudios_com[1].htm - HTML:Script-inf

I had to type this all out by hand, so hopefully I don't have any typos. I was pretty careful not to..

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:22 AM

Posted 14 July 2012 - 08:09 AM

twintone,

Good job. :thumbup2:

:step1: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

:step2: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

In your next reply, please include:
  • Malwarebytes log
  • FSS log
  • Feedback from you - how is the computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#12 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 July 2012 - 03:15 PM

Hello Jason,

Both scans have been run, and are below. Computer seems pretty much back to normal. I am unable to find anything that isn't working properly.


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.14.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zoyde :: ZOYDE-PC [administrator]

Protection: Disabled

7/14/2012 2:14:48 PM
mbam-log-2012-07-14 (14-14-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218810
Time elapsed: 8 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



-----------------




Farbar Service Scanner Version: 08-07-2012
Ran by Zoyde (administrator) on 14-07-2012 at 15:12:09
Running from "F:\FixItTools"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#13 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:22 AM

Posted 14 July 2012 - 03:19 PM

Looking good. :thumbup2:


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


In your next reply, please include:
  • ESET log
  • Copy and paste the contents of C:\Qoobox\Add-Remove Prorgams.txt

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#14 twintone

twintone
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 July 2012 - 11:40 PM

Hello Jason,

Below is the output from the ESET scan. I don't have a c:\Qoobox directory.. looked around a bit for "Qoobox" and can't find anything by that name on the system.


ESET log

C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27datact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27html.dll probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27htmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27Plugin.dll a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files (x86)\OurBabyMaker_27\bar\2.bin\27skin.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\Users\Zoyde\AppData\Local\OurBabymakerAuto.exe probably a variant of Win32/Toolbar.MyWebSearch.L application deleted - quarantined
C:\Users\Zoyde\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FD10C5H7\meu-sevonce[1].htm HTML/Iframe.B.Gen virus deleted - quarantined
C:\Users\Zoyde\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G8KMYWDB\fdd91a64ce20e17d[1].htm JS/Fraud.NAQ trojan cleaned by deleting - quarantined
C:\Users\Zoyde\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q269PQJO\firstload_com[1].htm HTML/Hoax.FastDownload.C.Gen application cleaned by deleting - quarantined
C:\Users\Zoyde\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UQT0F6U1\7516fd43adaa5e0b8a65a672c39845d2[1].htm HTML/Iframe.B.Gen virus deleted - quarantined
C:\Users\Zoyde\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\8ee6af5-451f62ff multiple threats deleted - quarantined
C:\Users\Zoyde\Desktop\htd-scom.iso probably a variant of Win32/TrojanDownloader.Obfuscated.MFRBVSS trojan deleted - quarantined
C:\Windows\Installer\54c14.msi a variant of Win32/Toolbar.Widgi application deleted - quarantined

#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:22 AM

Posted 15 July 2012 - 11:02 AM

twintone,

Below is the output from the ESET scan. I don't have a c:\Qoobox directory.. looked around a bit for "Qoobox" and can't find anything by that name on the system.

That's odd, because when you ran Combofix, it should have created that directory. Is there a Combofix file still on your desktop?

Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others checked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Home" button to leave the control center screen.
  • Back on the main screen, under "Select Scan Type" click Complete Scan.
  • On the left, make sure you check C:\.
  • Click Start Complete Scan > Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

In your next reply, please include:
  • SuperAntiSpyware log
  • Feedback from you - how is the computer running now? Please be as descriptive as possible.

Edited by jntkwx, 15 July 2012 - 11:03 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users