
caught the sirefef trojan


This topic is locked
16 replies to this topic

#1 Kuatdriveyards

Kuatdriveyards

  • Members
  • 8 posts

Posted 10 September 2012 - 03:08 PM

Thanks in advance for any help provided. Today I noticed my MSE was out of date so I deleted and reinstalled it and the initial scan found several cases of the Sirefef trojan which, when deleted with MSE, return when I restart. Also MSE informs me of a critical error which requires a restart to complete and after restarting the critical error message pops up again. Since the first restart an Adobe Flash Player download and installation keeps popping up every few minutes. I have removed MSE for the time being and the Adobe Flash Player has not popped up since. I have tried other options like Malwarebytes, which found the trojans but was just as effective as MSE. I've included a DDS log as well as a GMER log, though in following the GMER log instructions in the sticky I did not have the same options to disable on the right side of the program; all that were available were services, registry and files (does this have to do with me running a Windows 7 64-bit edition?).

Attached files: Gmer.log (301 bytes), DDS.txt (18.43 KB)



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 10 September 2012 - 03:30 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box: services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
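The FRST.txt this reply asks for is read by hand in the thread. As an added example (not CatByte's or Farbar's code), the Python below scans FRST-format text for the indicator patterns that appear in this thread's log and reports each hit with the FRST section it came from. The rule names and thresholds are heuristics assumed here for illustration; only the "ATTENTION!" marker is something FRST itself writes, and the sample lines are constructed, not copied from the posted log.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample in the FRST.txt layout seen in this thread (paths, sizes
# and hex suffixes are made up for illustration, not copied from the real log).
SAMPLE_FRST = r"""==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12446824 2012-01-31] (Realtek Semiconductor)
HKLM-x32\...\Run: [atwtusb] atwtusb.exe beta [x]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$0123456789abcdef0123456789abcdef\n. ATTENTION! ====> ZeroAccess

==================== Drivers =================================

0 asahci64; C:\Windows\System32\Drivers\asahci64.sys [49760 2011-09-21] (Asmedia Technology)
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

==================== One Month Created Files and Folders ======================

2012-09-10 10:08 - 2012-09-10 10:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0123456789ABCDEF
2012-09-10 10:08 - 2012-09-10 10:08 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\qzxvtknp.sys
2012-09-10 09:02 - 2012-09-10 09:02 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-15 04:10 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
"""

# FRST section banners look like "==================== Drivers =====...".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# (rule name, severity, pattern). Heuristics assumed from the indicators visible
# in this thread's log; they are not rules shipped with FRST.
RULES = [
    # FRST's own flag on an entry it recognises (here: ZeroAccess).
    ("frst_attention_marker", "high", re.compile(r"ATTENTION!")),
    # A registry entry loading code from the SYSTEM account's recycle bin.
    ("recycle_bin_system_sid_path", "high",
     re.compile(r"\\\$Recycle\.Bin\\S-1-5-18\\", re.I)),
    # Repeated services.exe.<16 hex> copies in System32.
    ("services_exe_hex_copy", "high",
     re.compile(r"\\services\.exe\.[0-9A-F]{16}\s*$", re.I)),
    # A hidden/system folder literally named %APPDATA% under SysWOW64.
    ("literal_appdata_folder", "high", re.compile(r"\\%APPDATA%\s*$")),
    # Autostart, service or driver entry whose file FRST could not find.
    ("missing_file_entry", "review", re.compile(r"\[x\]\s*$")),
]

# Driver in System32\Drivers claiming Microsoft as publisher with an 8-letter name.
DRIVER_RE = re.compile(
    r"\(Microsoft Corporation\) C:\\Windows\\System32\\Drivers\\([a-z]{8})\.sys\s*$")


def looks_random(name: str) -> bool:
    """Heuristic: 8 lowercase letters with at most one vowel reads as generated.
    Real Microsoft names such as tcpipreg or mountmgr carry two vowels."""
    return sum(c in "aeiouy" for c in name) <= 1


def iter_findings(frst_text: str) -> Iterator[Dict]:
    """Walk FRST output line by line, tracking the current section banner."""
    section = "(header)"
    for lineno, raw in enumerate(frst_text.splitlines(), 1):
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if not line:
            continue
        for rule, severity, pat in RULES:
            if pat.search(line):
                yield {"line": lineno, "section": section, "rule": rule,
                       "severity": severity, "text": line}
        drv = DRIVER_RE.search(line)
        if drv and looks_random(drv.group(1)):
            yield {"line": lineno, "section": section,
                   "rule": "random_named_microsoft_driver",
                   "severity": "review", "text": line}


def triage(frst_text: str) -> List[Dict]:
    """All findings, high severity first, then in log order."""
    return sorted(iter_findings(frst_text),
                  key=lambda f: (f["severity"] != "high", f["line"]))


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST)
    for f in hits:
        print(f"[{f['severity']}] line {f['line']} ({f['section']}) "
              f"{f['rule']}: {f['text']}")
    print(summarize(hits))
```

Run it against a real FRST.txt by reading the file into `triage()`; the "review" findings are prompts for a human to check, not verdicts.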


#3 Kuatdriveyards

Kuatdriveyards
  • Topic Starter

  • Members
  • 8 posts

Posted 10 September 2012 - 09:10 PM

Scan result of Farbar Recovery Scan Tool (x64) Version: 08-09-2012
Ran by SYSTEM at 10-09-2012 22:01:42
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12446824 2012-01-31] (Realtek Semiconductor)
HKLM\...\Run: [XFast LAN] C:\Program Files\ASRock\XFast LAN\cFosSpeed.exe [1441152 2011-10-19] (cFos Software GmbH)
HKLM\...\Run: [THXCfg64] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64 [26624 2011-05-13] (Creative Technology Ltd.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-01-26] (Intel Corporation)
HKLM-x32\...\Run: [XFastUSB] "C:\Program Files (x86)\XFastUSB\XFastUsb.exe" [5019360 2012-07-16] (FNet Co., Ltd.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [THX TruStudio NB Settings] "C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" /r [909824 2011-05-19] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [636032 2012-02-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [atwtusb] atwtusb.exe beta [x]
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKU\Howie\...\Run: [ASRockXTU] [x]
HKU\Howie\...\Run: [zASRockInstantBoot] [x]
HKU\Howie\...\Run: [AdobeBridge] [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\n. ATTENTION! ====> ZeroAccess
Startup: C:\Users\Howie\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services ====================

2 cFosSpeedS; "C:\Program Files\ASRock\XFast LAN\spd.exe" -service [395136 2011-10-19] (cFos Software GmbH)
2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
3 DAUpdaterSvc; C:\Program Files (x86)\Origin Games\Dragon Age\\bin_ship\DAUpdaterSvc.Service.exe [x]

==================== Drivers =================================

0 asahci64; C:\Windows\System32\Drivers\asahci64.sys [49760 2011-09-21] (Asmedia Technology)
0 AsrRamDisk; C:\Windows\System32\Drivers\AsrRamDisk.sys [31016 2012-01-13] (ASRock Inc.)
2 DgiVecp; C:\Windows\System32\Drivers\DgiVecp.sys [53816 2009-03-02] (Samsung Electronics Co., Ltd.)
3 FNETTBOH_305; C:\Windows\System32\Drivers\FNETTBOH_305.sys [32320 2012-08-05] (FNet Co., Ltd.)
1 FNETURPX; C:\Windows\System32\Drivers\FNETURPX.sys [15936 2012-07-16] (FNet Co., Ltd.)
3 ikbevent; C:\Windows\System32\Drivers\ikbevent.sys [25536 2012-02-09] ()
3 imsevent; C:\Windows\System32\Drivers\imsevent.sys [25536 2012-02-09] ()
3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
0 iusb3hcs; C:\Windows\System32\Drivers\iusb3hcs.sys [16152 2012-01-26] (Intel Corporation)
3 iusb3hub; C:\Windows\System32\Drivers\iusb3hub.sys [356120 2012-01-26] (Intel Corporation)
3 iusb3xhc; C:\Windows\System32\Drivers\iusb3xhc.sys [787736 2012-01-26] (Intel Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
3 WPRO_41_2001; C:\Windows\System32\Drivers\WPRO_41_2001.sys [34752 2012-09-10] ()
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-10 12:07 - 2012-09-10 12:07 - 00000301 ____A C:\Users\Howie\Documents\Gmer.log
2012-09-10 11:52 - 2012-09-10 11:52 - 00302592 ____A C:\Users\Howie\Downloads\mu5uf02g.exe
2012-09-10 11:50 - 2012-09-10 11:50 - 00018873 ____A C:\Users\Howie\Documents\DDS.txt
2012-09-10 11:50 - 2012-09-10 11:50 - 00013483 ____A C:\Users\Howie\Documents\Attach.txt
2012-09-10 11:46 - 2012-09-10 11:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F1154A514E5B9D51
2012-09-10 11:45 - 2012-09-10 17:55 - 00094656 ____A (CACE Technologies) C:\Windows\System32\WPRO_41_2001woem.tmp
2012-09-10 11:40 - 2012-09-10 11:40 - 00302592 ____A C:\Users\Howie\Downloads\p2s8d86r.exe
2012-09-10 11:38 - 2012-09-10 11:38 - 00607260 ____R (Swearware) C:\Users\Howie\Downloads\dds.com
2012-09-10 11:23 - 2012-09-10 11:24 - 00036651 ____A C:\Users\Howie\Downloads\FRST.txt
2012-09-10 11:22 - 2012-09-10 11:23 - 00000000 ____D C:\FRST
2012-09-10 11:22 - 2012-09-10 11:22 - 01453141 ____A (Farbar) C:\Users\Howie\Downloads\FRST64.exe
2012-09-10 11:08 - 2012-09-10 11:45 - 00000000 ____D C:\Program Files (x86)\PC Tools
2012-09-10 11:07 - 2012-09-10 11:15 - 00000000 ____D C:\Users\All Users\PC Tools
2012-09-10 11:07 - 2012-09-10 11:07 - 00000000 ____D C:\Users\Howie\AppData\Roaming\TestApp
2012-09-10 11:07 - 2012-06-22 11:35 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys
2012-09-10 10:57 - 2012-09-10 10:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E1B179B4591B401F
2012-09-10 10:53 - 2012-09-10 10:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.389CC7CBBC4A96D4
2012-09-10 10:46 - 2012-09-10 10:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E6885C842AF74ABD
2012-09-10 10:41 - 2012-09-10 10:41 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-09-10 10:40 - 2012-09-10 10:48 - 00000000 ____D C:\Windows\8C5C34C7BC6B48318B2C6535FE63E502.TMP
2012-09-10 10:40 - 2012-09-10 10:40 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Howie\Downloads\SpyHunter-Installer.exe
2012-09-10 10:36 - 2012-09-10 10:36 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Howie\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-10 10:36 - 2012-09-10 10:36 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-10 10:36 - 2012-09-10 10:36 - 00000000 ____D C:\Users\Howie\AppData\Roaming\Malwarebytes
2012-09-10 10:36 - 2012-09-10 10:36 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-10 10:36 - 2012-09-10 10:36 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-10 10:36 - 2012-09-07 13:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-10 10:30 - 2012-09-10 10:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F069828AA0B7CC15
2012-09-10 10:26 - 2012-09-10 10:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ED837DB4CDFB1C6A
2012-09-10 10:24 - 2012-09-10 10:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7225E2DE9D686BA1
2012-09-10 10:21 - 2012-09-10 10:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AC2B8C6EB870B652
2012-09-10 10:11 - 2012-09-10 10:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4F0521236B5E0E0F
2012-09-10 10:08 - 2012-09-10 10:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DB3CC3A15BACD4CA
2012-09-10 10:08 - 2012-09-10 10:08 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cppbzqxz.sys
2012-09-10 10:04 - 2012-09-10 10:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C295A3F130EC7A2E
2012-09-10 10:02 - 2012-09-10 10:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.236B38C004996D21
2012-09-10 09:59 - 2012-09-10 09:59 - 12621696 ____A (Microsoft Corporation) C:\Users\Howie\Downloads\mseinstall(2).exe
2012-09-10 09:47 - 2012-09-10 09:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E98B197B1C82894B
2012-09-10 09:44 - 2012-09-10 09:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D7B6813785C954D5
2012-09-10 09:39 - 2012-09-10 09:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.128298D9030F2135
2012-09-10 09:39 - 2012-09-10 09:39 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\pfnghmxn.sys
2012-09-10 09:37 - 2012-09-10 09:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.91E1D518F54CA793
2012-09-10 09:34 - 2012-09-10 09:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.503298978C7A6D3F
2012-09-10 09:30 - 2012-09-10 09:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CEDEBF7FC8D92BC2
2012-09-10 09:27 - 2012-09-10 09:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FE296F2ACC3D5B52
2012-09-10 09:02 - 2012-09-10 09:02 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-09-09 09:12 - 2012-09-09 09:12 - 00604904 ____A C:\Users\Howie\Downloads\MikScrollingBattleText-5.7.122.zip
2012-09-01 10:42 - 2012-09-01 10:42 - 00842043 ____A (Daan van Yperen ) C:\Users\Howie\Downloads\Redblade-installer-1.3.0.16-RC1(1).exe
2012-09-01 10:42 - 2012-09-01 10:42 - 00000974 ____A C:\Users\Howie\Desktop\Redblade.lnk
2012-09-01 10:42 - 2012-09-01 10:42 - 00000000 ____D C:\Program Files (x86)\Redblade 3.5e
2012-08-28 15:32 - 2012-08-28 16:15 - 00000777 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
2012-08-28 15:30 - 2012-08-28 15:31 - 00000000 ____D C:\Users\All Users\Battle.net
2012-08-22 14:17 - 2012-08-22 14:17 - 32160136 ____A C:\Users\Howie\Downloads\WoW-4.0.0-WOW-enUS-Installer(1).exe
2012-08-21 09:15 - 2012-08-22 14:19 - 00000000 ____D C:\Users\All Users\Blizzard Entertainment
2012-08-21 09:15 - 2012-08-21 09:15 - 32160136 ____A C:\Users\Howie\Downloads\WoW-4.0.0-WOW-enUS-Installer.exe
2012-08-15 19:16 - 2012-06-28 20:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 19:16 - 2012-06-28 20:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 19:16 - 2012-06-28 19:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-15 19:16 - 2012-06-28 19:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 19:16 - 2012-06-28 19:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 19:16 - 2012-06-28 19:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-15 19:16 - 2012-06-28 19:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 19:16 - 2012-06-28 19:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 19:16 - 2012-06-28 19:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 19:16 - 2012-06-28 19:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-15 19:16 - 2012-06-28 19:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 19:16 - 2012-06-28 19:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 19:16 - 2012-06-28 19:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 19:16 - 2012-06-28 19:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 19:16 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 19:16 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 19:16 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-15 19:16 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 19:16 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 19:16 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-15 19:16 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 19:16 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 19:16 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 19:16 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-15 19:16 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 19:16 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 19:16 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 19:16 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 04:10 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 04:10 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 04:10 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 04:10 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 04:10 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 04:10 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 04:10 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 04:10 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 04:10 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-15 04:10 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 04:10 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-15 04:10 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-15 04:10 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll


==================== 3 Months Modified Files ================================

2012-09-10 17:55 - 2012-09-10 11:45 - 00094656 ____A (CACE Technologies) C:\Windows\System32\WPRO_41_2001woem.tmp
2012-09-10 17:55 - 2012-07-16 18:49 - 00034752 ____A C:\Windows\System32\Drivers\WPRO_41_2001.sys
2012-09-10 17:55 - 2010-11-20 19:47 - 00455058 ____A C:\Windows\PFRO.log
2012-09-10 17:55 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-10 17:55 - 2009-07-13 20:51 - 00078690 ____A C:\Windows\setupact.log
2012-09-10 17:45 - 2009-07-13 20:45 - 00020496 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-10 17:45 - 2009-07-13 20:45 - 00020496 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-10 17:43 - 2012-09-10 17:43 - 01453141 ____A (Farbar) C:\Users\Howie\Downloads\FRST64(1).exe
2012-09-10 17:43 - 2009-07-13 21:13 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-10 12:07 - 2012-09-10 12:07 - 00000301 ____A C:\Users\Howie\Documents\Gmer.log
2012-09-10 11:52 - 2012-09-10 11:52 - 00302592 ____A C:\Users\Howie\Downloads\mu5uf02g.exe
2012-09-10 11:50 - 2012-09-10 11:50 - 00018873 ____A C:\Users\Howie\Documents\DDS.txt
2012-09-10 11:50 - 2012-09-10 11:50 - 00013483 ____A C:\Users\Howie\Documents\Attach.txt
2012-09-10 11:48 - 2012-07-20 18:26 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-10 11:46 - 2012-09-10 11:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F1154A514E5B9D51
2012-09-10 11:40 - 2012-09-10 11:40 - 00302592 ____A C:\Users\Howie\Downloads\p2s8d86r.exe
2012-09-10 11:38 - 2012-09-10 11:38 - 00607260 ____R (Swearware) C:\Users\Howie\Downloads\dds.com
2012-09-10 11:24 - 2012-09-10 11:23 - 00036651 ____A C:\Users\Howie\Downloads\FRST.txt
2012-09-10 11:22 - 2012-09-10 11:22 - 01453141 ____A (Farbar) C:\Users\Howie\Downloads\FRST64.exe
2012-09-10 10:57 - 2012-09-10 10:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E1B179B4591B401F
2012-09-10 10:53 - 2012-09-10 10:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.389CC7CBBC4A96D4
2012-09-10 10:46 - 2012-09-10 10:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E6885C842AF74ABD
2012-09-10 10:40 - 2012-09-10 10:40 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Howie\Downloads\SpyHunter-Installer.exe
2012-09-10 10:36 - 2012-09-10 10:36 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Howie\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-10 10:36 - 2012-09-10 10:36 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-10 10:30 - 2012-09-10 10:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F069828AA0B7CC15
2012-09-10 10:26 - 2012-09-10 10:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ED837DB4CDFB1C6A
2012-09-10 10:24 - 2012-09-10 10:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7225E2DE9D686BA1
2012-09-10 10:21 - 2012-09-10 10:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AC2B8C6EB870B652
2012-09-10 10:18 - 2012-07-20 18:26 - 00742892 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-10 10:18 - 2012-07-16 18:29 - 01061587 ____A C:\Windows\WindowsUpdate.log
2012-09-10 10:11 - 2012-09-10 10:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4F0521236B5E0E0F
2012-09-10 10:08 - 2012-09-10 10:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DB3CC3A15BACD4CA
2012-09-10 10:08 - 2012-09-10 10:08 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cppbzqxz.sys
2012-09-10 10:04 - 2012-09-10 10:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C295A3F130EC7A2E
2012-09-10 10:02 - 2012-09-10 10:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.236B38C004996D21
2012-09-10 09:59 - 2012-09-10 09:59 - 12621696 ____A (Microsoft Corporation) C:\Users\Howie\Downloads\mseinstall(2).exe
2012-09-10 09:47 - 2012-09-10 09:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E98B197B1C82894B
2012-09-10 09:44 - 2012-09-10 09:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D7B6813785C954D5
2012-09-10 09:39 - 2012-09-10 09:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.128298D9030F2135
2012-09-10 09:39 - 2012-09-10 09:39 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\pfnghmxn.sys
2012-09-10 09:37 - 2012-09-10 09:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.91E1D518F54CA793
2012-09-10 09:34 - 2012-09-10 09:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.503298978C7A6D3F
2012-09-10 09:30 - 2012-09-10 09:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CEDEBF7FC8D92BC2
2012-09-10 09:27 - 2012-09-10 09:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FE296F2ACC3D5B52
2012-09-09 09:12 - 2012-09-09 09:12 - 00604904 ____A C:\Users\Howie\Downloads\MikScrollingBattleText-5.7.122.zip
2012-09-07 13:04 - 2012-09-10 10:36 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-01 10:42 - 2012-09-01 10:42 - 00842043 ____A (Daan van Yperen ) C:\Users\Howie\Downloads\Redblade-installer-1.3.0.16-RC1(1).exe
2012-09-01 10:42 - 2012-09-01 10:42 - 00000974 ____A C:\Users\Howie\Desktop\Redblade.lnk
2012-08-28 16:15 - 2012-08-28 15:32 - 00000777 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
2012-08-22 14:17 - 2012-08-22 14:17 - 32160136 ____A C:\Users\Howie\Downloads\WoW-4.0.0-WOW-enUS-Installer(1).exe
2012-08-21 09:15 - 2012-08-21 09:15 - 32160136 ____A C:\Users\Howie\Downloads\WoW-4.0.0-WOW-enUS-Installer.exe
2012-08-16 11:31 - 2009-07-13 20:45 - 05034240 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 19:15 - 2012-07-20 18:44 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-11 04:42 - 2012-08-10 04:37 - 04503728 ___AT C:\Users\All Users\0tbpw.pad
2012-08-10 10:54 - 2012-08-10 10:54 - 00000221 ____A C:\Users\Howie\Desktop\The Elder Scrolls V Skyrim.url
2012-08-08 10:31 - 2012-07-16 20:55 - 00418394 ____A C:\Windows\DirectX.log
2012-08-05 13:21 - 2012-08-02 18:02 - 00032320 ____A (FNet Co., Ltd.) C:\Windows\System32\Drivers\FNETTBOH_305.SYS
2012-08-04 13:57 - 2012-07-16 18:43 - 00109224 ____A C:\Users\Howie\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-03 23:02 - 2009-07-13 18:34 - 00000628 ____A C:\Windows\win.ini
2012-08-02 17:36 - 2012-08-02 17:36 - 10068535 ____A (Samsung ) C:\Users\Howie\Downloads\ML-1740_Win7_GDI.exe
2012-07-29 19:23 - 2012-07-29 19:22 - 00001827 ____A C:\Users\Howie\Documents\Mass Effect 2 - DLC_EXP_Part02.log
2012-07-29 19:22 - 2012-07-29 19:22 - 00001792 ____A C:\Users\Howie\Documents\Mass Effect 2 1.02.log
2012-07-29 19:18 - 2012-07-29 18:59 - 1039141520 ____A (BioWare) C:\Users\Howie\Downloads\ME2_Kasumi.exe
2012-07-29 19:17 - 2012-07-29 18:59 - 922454032 ____A (BioWare) C:\Users\Howie\Downloads\ME2_Arrival.exe
2012-07-29 19:15 - 2012-07-29 18:59 - 522684080 ____A (BioWare) C:\Users\Howie\Downloads\ME2_Zaeed.exe
2012-07-29 19:11 - 2012-07-29 18:59 - 496788312 ____A (BioWare) C:\Users\Howie\Downloads\ME2_Hammerhead.exe
2012-07-29 19:01 - 2012-07-29 18:59 - 65107976 ____A (BioWare) C:\Users\Howie\Downloads\ME2_NormandyCrash.exe
2012-07-29 19:00 - 2012-07-29 18:59 - 18643616 ____A (BioWare) C:\Users\Howie\Downloads\ME2_CerberusWpnArmor.exe
2012-07-29 18:02 - 2012-07-29 18:02 - 00000221 ____A C:\Users\Howie\Desktop\Mass Effect.url
2012-07-25 15:37 - 2012-07-25 15:37 - 00000997 ____A C:\Users\Public\Desktop\Power Presenter RE.lnk
2012-07-25 15:34 - 2012-07-25 15:34 - 00003631 ____A C:\Windows\aiptbl.ini
2012-07-23 18:39 - 2012-07-23 18:39 - 01754394 ____A (MAJC Information Technology Co., Ltd. ) C:\Users\Howie\Downloads\dsf4_setup.exe
2012-07-22 15:14 - 2012-07-22 15:10 - 00003056 ____A C:\Users\Howie\Documents\Dragon Age Origins - dao_prc_gib.log
2012-07-22 15:09 - 2012-07-22 15:09 - 00002344 ____A C:\Users\Howie\Documents\Dragon Age Origins - dao_prc_nrx_1.log
2012-07-22 15:09 - 2012-07-22 15:02 - 787537696 ____A (BioWare) C:\Users\Howie\Downloads\DAO_GolemsOfAmgarrak.exe
2012-07-22 15:04 - 2012-07-22 15:02 - 180005184 ____A (BioWare) C:\Users\Howie\Downloads\DAO_WardensKeep.exe
2012-07-21 08:57 - 2012-07-21 08:57 - 00001075 ____A C:\Users\Howie\Desktop\Adobe Photoshop CS6 (64 Bit).lnk
2012-07-20 19:27 - 2012-07-20 19:27 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-18 10:15 - 2012-08-15 04:10 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-17 20:07 - 2012-07-17 20:07 - 03695416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2012-07-17 20:07 - 2012-07-17 20:07 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-07-17 20:07 - 2012-07-17 20:07 - 00697344 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00603648 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00580608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00534528 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00452608 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00448512 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-07-17 20:07 - 2012-07-17 20:07 - 00434176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00403248 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00367104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-07-17 20:07 - 2012-07-17 20:07 - 00353792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00353584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00282112 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00267776 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00249344 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00227840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieaksie.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00223232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00222208 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00203776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00165888 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakui.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00162304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00152064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00145920 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00135168 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00130560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakeng.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00123392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00118784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00114176 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00111616 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00101888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\admparse.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00091648 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00089088 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00089088 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00086528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00078848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00076800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-07-17 20:07 - 2012-07-17 20:07 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00074240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00066048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00063488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2012-07-17 20:07 - 2012-07-17 20:07 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00054272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00049664 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00035840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00031744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-07-17 20:07 - 2012-07-17 20:07 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-07-17 20:07 - 2012-07-17 20:07 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-07-17 20:07 - 2012-07-17 20:06 - 00003397 ____A C:\Windows\IE9_main.log
2012-07-16 22:25 - 2012-07-16 00:17 - 00008192 _RASH C:\BOOTSECT.BAK
2012-07-16 22:25 - 2009-07-13 21:38 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-07-16 22:25 - 2009-07-13 21:32 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2012-07-16 21:26 - 2012-07-16 21:26 - 00001355 ____A C:\Windows\TSSysprep.log
2012-07-16 21:26 - 2009-07-13 20:46 - 00002790 ____A C:\Windows\DtcInstall.log
2012-07-16 21:11 - 2012-07-16 21:11 - 00000204 ____A C:\Users\Public\Desktop\MapleStory.url
2012-07-16 20:55 - 2012-07-16 20:55 - 00001457 ____A C:\Users\Public\Desktop\Mass Effect 3.lnk
2012-07-16 20:18 - 2012-07-16 20:18 - 02013336 ____A C:\Users\Howie\Downloads\MapleStoryDownloader.exe
2012-07-16 19:56 - 2012-07-16 19:56 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-16 19:54 - 2012-07-16 19:54 - 00000997 ____A C:\Users\Public\Desktop\WinRAR.lnk
2012-07-16 19:54 - 2012-07-16 19:54 - 00000971 ____A C:\Users\Howie\Desktop\Dropbox.lnk
2012-07-16 19:54 - 2012-07-16 19:54 - 00000917 ____A C:\Users\Public\Desktop\Steam.lnk
2012-07-16 19:45 - 2012-07-16 19:45 - 00254152 ____A (Secure By Design Inc.) C:\Users\Howie\Downloads\Ninite Dropbox Spybot Steam WinRAR iTunes Installer.exe
2012-07-16 19:31 - 2012-07-16 19:31 - 17063192 ____A (Electronic Arts, Inc.) C:\Users\Howie\Downloads\OriginThinSetup.exe
2012-07-16 19:31 - 2012-07-16 19:31 - 00000983 ____A C:\Users\Public\Desktop\Origin.lnk
2012-07-16 19:31 - 2012-07-16 19:31 - 00000533 ____A C:\Windows\KB893803v2.log
2012-07-16 19:29 - 2012-07-16 19:29 - 00000000 ____A C:\Windows\ativpsrm.bin
2012-07-16 18:57 - 2012-07-16 18:57 - 00001134 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-16 18:50 - 2012-07-16 18:50 - 00002014 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-07-16 18:50 - 2012-07-16 18:50 - 00000997 ____A C:\Users\Public\Desktop\Acrobat.com.lnk
2012-07-16 18:50 - 2012-07-16 18:50 - 00000159 __RAH C:\Windows\ctfile.rfc
2012-07-16 18:49 - 2012-07-16 18:49 - 00015936 ____A (FNet Co., Ltd.) C:\Windows\System32\Drivers\FNETURPX.SYS
2012-07-16 18:49 - 2012-07-16 18:49 - 00001889 ____A C:\Users\Public\Desktop\XFast USB.LNK
2012-07-16 18:49 - 2012-07-16 18:49 - 00001230 ____A C:\Users\Public\Desktop\ASRock eXtreme Tuner.lnk
2012-07-16 18:49 - 2012-07-16 18:49 - 00001120 ____A C:\Users\Public\Desktop\ASRock InstantBoot.lnk
2012-07-16 18:49 - 2012-07-16 18:49 - 00001048 ____A C:\Users\Public\Desktop\ASRock SmartConnect.lnk
2012-07-16 18:49 - 2012-07-16 18:49 - 00000003 ____A C:\Users\Howie\AppData\Local\user_data.ini
2012-07-16 18:49 - 2012-07-16 18:45 - 00017306 ____A C:\Windows\DPINST.LOG
2012-07-16 18:45 - 2012-07-16 18:45 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_iusb3hcs_01009.Wdf
2012-07-16 18:43 - 2012-07-16 18:43 - 00018316 ____A C:\Windows\System32\results.xml
2012-07-16 18:29 - 2012-07-16 18:29 - 00000020 ___SH C:\Users\Howie\ntuser.ini
2012-07-04 14:16 - 2012-08-15 04:10 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 04:10 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 04:10 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 04:10 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 04:10 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-28 20:55 - 2012-08-15 19:16 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 20:09 - 2012-08-15 19:16 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 19:56 - 2012-08-15 19:16 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 19:49 - 2012-08-15 19:16 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 19:49 - 2012-08-15 19:16 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 19:48 - 2012-08-15 19:16 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 19:47 - 2012-08-15 19:16 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 19:45 - 2012-08-15 19:16 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 19:44 - 2012-08-15 19:16 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 19:43 - 2012-08-15 19:16 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 19:42 - 2012-08-15 19:16 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 19:40 - 2012-08-15 19:16 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 19:39 - 2012-08-15 19:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 19:35 - 2012-08-15 19:16 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 16:52 - 2012-08-15 19:16 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 16:27 - 2012-08-15 19:16 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 16:16 - 2012-08-15 19:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 16:09 - 2012-08-15 19:16 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 16:09 - 2012-08-15 19:16 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 16:08 - 2012-08-15 19:16 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 16:07 - 2012-08-15 19:16 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 16:06 - 2012-08-15 19:16 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 16:04 - 2012-08-15 19:16 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 16:04 - 2012-08-15 19:16 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 16:01 - 2012-08-15 19:16 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 16:01 - 2012-08-15 19:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 16:00 - 2012-08-15 19:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 15:57 - 2012-08-15 19:16 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-22 11:35 - 2012-09-10 11:07 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys

ZeroAccess:
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\L
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\L\00000004.@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\L\201d3dde
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\00000004.@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\00000008.@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\000000cb.@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000000.@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000032.@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000064.@

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2288607870-3541903038-3225312029-1000\$5fb670db51bdb1b0064afcb158ef4c30

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-05 04:36:34
Restore point made on: 2012-09-09 05:53:14
Restore point made on: 2012-09-09 15:00:22
Restore point made on: 2012-09-10 09:55:03

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8086.02 MB
Available physical RAM: 7291.42 MB
Total Pagefile: 8084.22 MB
Available Pagefile: 7287.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:111.79 GB) (Free:19.14 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
3 Drive e: (My Book) (Fixed) (Total:1397.23 GB) (Free:1270.83 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 111 GB 0 B
Disk 1 Online 1397 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 111 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1397 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E My Book NTFS Partition 1397 GB Healthy

==================================================================================

Last Boot: 2012-09-06 12:00

==================== End Of Log =============================

Search log:
Farbar Recovery Scan Tool (x64) Version: 08-09-2012
Ran by SYSTEM at 2012-09-10 22:02:33
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======


Thanks for the consideration.

#4 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 10 September 2012 - 09:29 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\n. ATTENTION! ====> ZeroAccess
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}
C:\$Recycle.Bin\S-1-5-21-2288607870-3541903038-3225312029-1000\$5fb670db51bdb1b0064afcb158ef4c30
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe c:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT




  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
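The fixlist above is assembled by hand from three pieces of the FRST output: the registry line FRST tagged "ATTENTION! ====> ZeroAccess", the "ZeroAccess:" folder blocks, and the services.exe entry in the "Bamital & volsnap Check" whose MD5 does not match the copy in the WinSxS component store. The script below is an added example, not part of this thread and not FRST's own code; it automates that triage over two constructed log excerpts (shortened from the logs posted here, not the complete logs) and emits a fixlist.txt in the same shape CatByte posted: one path per line plus a `replace: <clean copy> <infected copy>` directive. The function names and the excerpts are this example's own assumptions.

```python
"""Turn FRST findings of the kind quoted in this thread into a fixlist.txt.

Added example, not part of FRST or of this thread. The two log excerpts
are constructed from the lines posted above (shortened, not the complete
logs); the function names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of FRST's scan log. The registry line has the shape
# FRST prints for a hijacked CLSID default value (the line CatByte pasted).
SCAN_LOG = r"""
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\n. ATTENTION! ====> ZeroAccess

ZeroAccess:
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\@
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000032.@

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2288607870-3541903038-3225312029-1000\$5fb670db51bdb1b0064afcb158ef4c30

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# Constructed excerpt of FRST's "Search: services.exe" log.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======
"""

# "<path> <MD5> <family> <==== ATTENTION!." as printed by the Bamital check.
BAMITAL_RE = re.compile(
    r"^(?P<path>\S+) (?P<md5>[0-9A-F]{32}) (?P<family>\S+) <==== ATTENTION")
# "[created] - [modified] - <size> <attrs> (<vendor>) <MD5>" under a Search path.
SEARCH_RE = re.compile(
    r"^\[.*?\] - \[.*?\] - (?P<size>\d+) \S+ (?:\([^)]*\) )?(?P<md5>[0-9A-F]{32})$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class FileHit:
    path: str
    size: int
    md5: str


def flagged_registry_lines(scan_log: str) -> list[str]:
    """Registry findings tagged 'ATTENTION! ====> <family>'. The fix is to
    paste the log line itself into fixlist.txt, as CatByte did."""
    return [l.strip() for l in scan_log.splitlines() if "ATTENTION! ====>" in l]


def zeroaccess_roots(scan_log: str) -> list[str]:
    """Paths from the 'ZeroAccess:' blocks, keeping only the top of each
    tree: a listed folder is moved together with everything under it."""
    roots: list[str] = []
    in_block = False
    for raw in scan_log.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            in_block = True
            continue
        if not line:
            in_block = False
            continue
        if in_block and not any(
                line.lower().startswith(r.lower() + "\\") for r in roots):
            roots.append(line)
    return roots


def bad_system_files(scan_log: str) -> dict[str, str]:
    """Files the 'Bamital & volsnap Check' flags, mapped path -> MD5."""
    out: dict[str, str] = {}
    for raw in scan_log.splitlines():
        m = BAMITAL_RE.match(raw.strip())
        if m:
            out[m["path"]] = m["md5"]
    return out


def search_hits(search_log: str) -> list[FileHit]:
    """Pair each path line of a Search log with the detail line under it."""
    hits: list[FileHit] = []
    pending: str | None = None
    for raw in search_log.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m and pending:
            hits.append(FileHit(pending, int(m["size"]), m["md5"]))
            pending = None
        elif DRIVE_PATH_RE.match(line):
            pending = line
    return hits


def clean_replacement(bad_path: str, bad_md5: str, hits: list[FileHit]) -> FileHit | None:
    """The WinSxS copy of the same binary whose MD5 differs from the flagged one."""
    name = bad_path.rsplit("\\", 1)[-1].lower()
    for h in hits:
        p = h.path.lower()
        if p.endswith("\\" + name) and "\\winsxs\\" in p and h.md5.upper() != bad_md5.upper():
            return h
    return None


def build_fixlist(scan_log: str, search_log: str) -> str:
    """Emit fixlist.txt: start, registry lines, folders, replace directives, end."""
    lines = ["start"]
    lines += flagged_registry_lines(scan_log)
    lines += zeroaccess_roots(scan_log)
    hits = search_hits(search_log)
    for path, md5 in bad_system_files(scan_log).items():
        good = clean_replacement(path, md5, hits)
        if good is None:
            raise RuntimeError(f"no clean copy of {path} in the search log")
        lines.append(f"replace: {good.path} {path}")
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_fixlist(SCAN_LOG, SEARCH_LOG), end="")
```

The replacement source is the WinSxS copy of the same file with a different MD5; on this machine it is also 512 bytes smaller than the System32 copy, which is consistent with the infected binary having been modified rather than simply being a different build. Child entries inside a listed ZeroAccess folder are dropped because FRST moves the folder as a whole. The confirmation a practitioner wants after running the fix is in the Fixlog and in a rescan: the CLSID default value reported as restored, and the Bamital check reporting "MD5 is legit" for services.exe.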


#5 Kuatdriveyards (Topic Starter, Members, 8 posts)

Posted 10 September 2012 - 09:48 PM

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-09-2012
Ran by SYSTEM at 2012-09-10 22:38:53 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
C:\Windows\Installer\{5fb670db-51bd-b1b0-064a-fcb158ef4c30} moved successfully.
C:\$Recycle.Bin\S-1-5-21-2288607870-3541903038-3225312029-1000\$5fb670db51bdb1b0064afcb158ef4c30 moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
c:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to c:\Windows\System32\services.exe

==== End of Fixlog ====

Roguekiller log 1:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Howie [Admin rights]
Mode : Scan -- Date : 09/10/2012 22:43:42

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][BLACKLIST DLL] HKLM\[...]\Run : THXCfg64 (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2288607870-3541903038-3225312029-1000\$5fb670db51bdb1b0064afcb158ef4c30\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Corsair Force GT +++++
--- User ---
[MBR] b79f5fb129edc05922f79ba53e5afa8b
[BSP] 98df68c498c73bacf0aac0fb22980666 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WD My Book 1140 USB Device +++++
--- User ---
[MBR] c570f3bf377740b8267308a99af2d3d6
[BSP] f0d7639c07f6783687a8c627fbf5bc1f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430766 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller log 2:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Howie [Admin rights]
Mode : Remove -- Date : 09/10/2012 22:44:02

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][BLACKLIST DLL] HKLM\[...]\Run : THXCfg64 (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2288607870-3541903038-3225312029-1000\$5fb670db51bdb1b0064afcb158ef4c30\n.) -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\L\00000004.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$5fb670db51bdb1b0064afcb158ef4c30\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Corsair Force GT +++++
--- User ---
[MBR] b79f5fb129edc05922f79ba53e5afa8b
[BSP] 98df68c498c73bacf0aac0fb22980666 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WD My Book 1140 USB Device +++++
--- User ---
[MBR] c570f3bf377740b8267308a99af2d3d6
[BSP] f0d7639c07f6783687a8c627fbf5bc1f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430766 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RogueKiller log 3:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Howie [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/10/2012 22:44:17

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 9 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 69 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 2 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 258 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored

¤¤¤ Infection : ZeroAccess ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

#6 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 11 September 2012 - 04:18 PM

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 Kuatdriveyards (Topic Starter, Members, 8 posts)

Posted 11 September 2012 - 09:08 PM

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.10.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Howie :: LEGION [administrator]

Protection: Enabled

9/11/2012 8:03:00 PM
mbam-log-2012-09-11 (08-03-00).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 322069
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\FRST\Quarantine\services.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.

(end)

ESET scan:

C:\FRST\Quarantine\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\00000004.@ Win64/Conedex.C trojan
C:\FRST\Quarantine\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000032.@ Win32/Sirefef.FD trojan
C:\FRST\Quarantine\{5fb670db-51bd-b1b0-064a-fcb158ef4c30}\U\80000064.@ Win64/Sirefef.AN trojan

#8 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 11 September 2012 - 09:32 PM

All those files are in FRST quarantine already, so they can't hurt your computer.


please run the following:

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#9 Kuatdriveyards (Topic Starter, Members, 8 posts)

Posted 11 September 2012 - 10:06 PM

MiniToolBox by Farbar Version: 23-07-2012
Ran by Howie (administrator) on 11-09-2012 at 23:03:16
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================




=========================== Installed Programs ============================

Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe AIR (Version: 1.5.2.8900)
Adobe Photoshop CS6 (Version: 13.0)
Adobe Reader 9 (Version: 9.0.0)
AMD Accelerated Video Transcoding (Version: 2.00.0001)
AMD APP SDK Runtime (Version: 10.0.898.1)
AMD Catalyst Install Manager (Version: 3.0.868.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Media Foundation Decoders (Version: 1.0.70214.2220)
Apple Application Support (Version: 2.1.9)
Apple Mobile Device Support (Version: 5.2.0.6)
Apple Software Update (Version: 2.1.3.127)
Asmedia ASM104x USB 3.0 Host Controller Driver (Version: 1.10.1.0)
Asmedia ASM106x SATA Host Controller Driver (Version: 1.3.1.000)
ASRock App Charger v1.0.5
ASRock eXtreme Tuner v0.1.181
ASRock InstantBoot v1.29
ASRock SmartConnect v1.0.6
ASRock XFast RAM v2.0.9
Broadcom NetLink Controller (Version: 14.8.5.1)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2012.0214.2218.39913)
Catalyst Control Center Graphics Previews Common (Version: 2012.0214.2218.39913)
Catalyst Control Center InstallProxy (Version: 2012.0214.2218.39913)
Catalyst Control Center Localization All (Version: 2012.0214.2218.39913)
ccc-utility64 (Version: 2012.0214.2218.39913)
CCC Help Chinese Standard (Version: 2012.0214.2217.39913)
CCC Help Chinese Traditional (Version: 2012.0214.2217.39913)
CCC Help Czech (Version: 2012.0214.2217.39913)
CCC Help Danish (Version: 2012.0214.2217.39913)
CCC Help Dutch (Version: 2012.0214.2217.39913)
CCC Help English (Version: 2012.0214.2217.39913)
CCC Help Finnish (Version: 2012.0214.2217.39913)
CCC Help French (Version: 2012.0214.2217.39913)
CCC Help German (Version: 2012.0214.2217.39913)
CCC Help Greek (Version: 2012.0214.2217.39913)
CCC Help Hungarian (Version: 2012.0214.2217.39913)
CCC Help Italian (Version: 2012.0214.2217.39913)
CCC Help Japanese (Version: 2012.0214.2217.39913)
CCC Help Korean (Version: 2012.0214.2217.39913)
CCC Help Norwegian (Version: 2012.0214.2217.39913)
CCC Help Polish (Version: 2012.0214.2217.39913)
CCC Help Portuguese (Version: 2012.0214.2217.39913)
CCC Help Russian (Version: 2012.0214.2217.39913)
CCC Help Spanish (Version: 2012.0214.2217.39913)
CCC Help Swedish (Version: 2012.0214.2217.39913)
CCC Help Thai (Version: 2012.0214.2217.39913)
CCC Help Turkish (Version: 2012.0214.2217.39913)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dropbox (Version: 1.4.11)
EA Installer (Version: 2.2.0.62)
EA Shared Game Component: Activation (Version: 2.2.0)
EA Shared Game Component: Activation (Version: 2.2.0.62)
ESET Online Scanner v3
Intel® Control Center (Version: 1.2.1.1007)
Intel® Management Engine Components (Version: 8.0.2.1410)
Intel® OpenCL CPU Runtime
Intel® Processor Graphics (Version: 8.15.10.2696)
Intel® Rapid Storage Technology (Version: 11.0.0.1032)
Intel® Smart Connect Technology 2.0 x64 (Version: 2.0.1083.0)
Intel® USB 3.0 eXtensible Host Controller Driver (Version: 1.0.3.214)
iTunes (Version: 10.6.3.25)
Malwarebytes Anti-Malware version 1.65.0.1400 (Version: 1.65.0.1400)
MapleStory
Mass Effect
Mass Effect 2 (Version: 1.02)
Mass Effect™ 3 (Version: 1.03.0.0)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Mozilla Firefox 15.0.1 (x86 en-US) (Version: 15.0.1)
Mozilla Maintenance Service (Version: 15.0.1)
Nexon Game Manager
NVIDIA PhysX (Version: 9.11.1107)
Origin (Version: 8.6.0.357)
Pando Media Booster (Version: 2.6.0.8)
PDF Settings CS6 (Version: 11.0)
Power Presenter RE (Version: 1.00.000)
Realtek High Definition Audio Driver (Version: 6.0.1.6559)
Redblade 1.3.0.16 RC 1
Samsung ML-1740 Series
Steam (Version: 1.0.0.0)
The Elder Scrolls V: Skyrim
THX TruStudio (Version: 1.00.01)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598289) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
USB Tablet Driver
WinRAR 4.20 (64-bit) (Version: 4.20.0)
World of Warcraft (Version: 5.0.4.16016)
XFast LAN v6.61 (Version: 6.61)
XFastUSB (Version: 3.02.28)

**** End of log ****


Farbar Service Scanner Version: 06-08-2012
Ran by Howie (administrator) on 11-09-2012 at 23:04:40
Running from "C:\Users\Howie\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 September 2012 - 10:24 PM

there are lots of broken services there

let's run the windows repair tool and see if that can fix them

after it has completed, please run another Farbar Service scan and post the new log



Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check


Once that is done then go to step 3 and allow it to run SFC


On the Start Repairs tab => Click the Start


Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Kuatdriveyards

Kuatdriveyards
  • Topic Starter

  • Members
  • 8 posts

Posted 12 September 2012 - 07:43 AM

Farbar Service Scanner Version: 06-08-2012
Ran by Howie (administrator) on 12-09-2012 at 08:42:29
Running from "C:\Users\Howie\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 September 2012 - 05:02 PM

your BITS and Defender registry keys are missing.

Please download the attached reg fixes to your desktop

right click them and allow them to merge to your registry

reboot the machine, allow all your startup programs to load, then run another scan with Farbar Service Scanner








#13 Kuatdriveyards

Kuatdriveyards
  • Topic Starter

  • Members
  • 8 posts

Posted 12 September 2012 - 06:06 PM

Farbar Service Scanner Version: 06-08-2012
Ran by Howie (administrator) on 12-09-2012 at 19:05:17
Running from "C:\Users\Howie\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
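
As an added example (not code from the thread, from Farbar's tool, or from the ESET tool): a small Python parser for the Farbar Service Scanner log format posted above. It pulls the per-service findings out of a log (whole key missing, individual values missing, a ServiceDll path printed) and diffs two scans, so the progress between the successive logs in this thread can be checked mechanically rather than by eye. The two log excerpts inside it are constructed, abridged, in the same format.

```python
"""Parse Farbar Service Scanner (FSS) logs and diff two scans.
Added example for this thread, not FSS code; the log excerpts below are
constructed (abridged) in the format FSS prints."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the style of the first scan: whole service keys gone.
FSS_BEFORE = """\
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
"""

# Constructed excerpt in the style of a later scan: firewall repaired, BITS still gone.
FSS_AFTER = """\
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\\Windows\\system32\\wuaueng.dll".

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
"""


@dataclass
class ServiceStatus:
    name: str
    running: bool = True
    key_missing: bool = False  # the whole Services\<name> key is absent
    missing_values: List[str] = field(default_factory=list)  # e.g. "Start type"
    service_dll: Optional[str] = None  # ServiceDll path when FSS prints it

    @property
    def config_ok(self) -> bool:
        # "not running" alone is not a finding here; whether a stopped
        # service is expected depends on its start type.
        return not self.key_missing and not self.missing_values


RE_NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
RE_KEY_MISSING = re.compile(r"^Checking (Start type|ImagePath|ServiceDll): ATTENTION!=+> Unable to open (\w+) registry key")
RE_VALUE_MISSING = re.compile(r"^Checking (Start type|ImagePath|ServiceDll) of (\w+): ATTENTION!=+> Unable to retrieve")
RE_DLL_PATH = re.compile(r'^The ServiceDll of (\w+): "([^"]+)"\.')


def parse_fss(text: str) -> Dict[str, ServiceStatus]:
    """One ServiceStatus per service the scan reported on."""
    statuses: Dict[str, ServiceStatus] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_NOT_RUNNING.match(line):
            statuses.setdefault(m[1], ServiceStatus(m[1])).running = False
        elif m := RE_KEY_MISSING.match(line):
            statuses.setdefault(m[2], ServiceStatus(m[2])).key_missing = True
        elif m := RE_VALUE_MISSING.match(line):
            st = statuses.setdefault(m[2], ServiceStatus(m[2]))
            if m[1] not in st.missing_values:
                st.missing_values.append(m[1])
        elif m := RE_DLL_PATH.match(line):
            statuses.setdefault(m[1], ServiceStatus(m[1])).service_dll = m[2]
    return statuses


def config_broken(statuses: Dict[str, ServiceStatus]) -> List[str]:
    """Services whose registry key or required values are missing."""
    return sorted((s.name for s in statuses.values() if not s.config_ok), key=str.lower)


def diff_fss(before_text: str, after_text: str) -> Dict[str, str]:
    """Per-service summary of what changed between two scans."""
    before, after = parse_fss(before_text), parse_fss(after_text)
    changes: Dict[str, str] = {}
    for name in sorted(set(before) | set(after), key=str.lower):
        sb, sa = before.get(name), after.get(name)
        if sb is None or sa is None:
            # FSS lists only stopped services, so a service dropping out of
            # the report usually means it is running again.
            changes[name] = "newly reported" if sb is None else "no longer reported"
        else:
            changes[name] = {
                (False, True): "configuration repaired",
                (True, False): "configuration now broken",
                (False, False): "still broken",
                (True, True): "unchanged",
            }[(sb.config_ok, sa.config_ok)]
    return changes
```

Feed it two real FSS logs (for example the ones before and after the reg fixes above) and `diff_fss` reports which services were repaired and which are still broken.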

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 September 2012 - 06:21 PM

still a few services not running


please run the following:


Download the ESET services repair tool, extract the file to your desktop.

  • Double-click ServicesRepair.exe,
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • a log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply
 



#15 Kuatdriveyards

Kuatdriveyards
  • Topic Starter

  • Members
  • 8 posts

Posted 12 September 2012 - 06:25 PM

Log Opened: 2012-09-12 @ 19:23:45
19:23:45 - -----------------
19:23:45 - | Begin Logging |
19:23:45 - -----------------
19:23:45 - Fix started on a WIN_7 X64 computer
19:23:45 - Prep in progress. Please Wait.
19:23:45 - Prep complete
19:23:45 - Repairing Services Now. Please wait...
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\BFE.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\iphlpsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Teredo\{FA88062C-9A61-4C1E-AC45-7143F8F01AAD}>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Isatap\{8AD2FB26-F91E-44F1-9B24-3C0AE56C9CE0}>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Isatap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\IPHTTPS>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\MpsSvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\DHCP>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch2>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\WinDefend.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\TriggerInfo\0>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\TriggerInfo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
19:23:46 - Services Repair Complete.
19:23:55 - Reboot Initiated



