Computer Infected by ZeroAccess - think the virus has gone but PC is unhealthy
42 replies to this topic

#1 ruddyidiot

  • Members
  • 36 posts

Posted 31 May 2013 - 03:44 AM

Hello,

 

I created a post in the 'Am I infected? What do I do?' sub-forum yesterday; you can view it here: http://www.bleepingcomputer.com/forums/t/496430/another-one-bites-the-dust-think-the-infection-is-gone-but-computer-still-buggy/

 

I also replied to another user's thread where they were describing the exact same problems I was experiencing; this was also where a mod, xXToffeeXx, instructed me to create a new post with DDS logs. You can see this thread here: http://www.bleepingcomputer.com/forums/t/496430/another-one-bites-the-dust-think-the-infection-is-gone-but-computer-still-buggy/

 

So basically my computer was infected with a virus called ZeroAccess. I tried to fix the problems myself by following a few web guides and forum threads that had resolved the issues; this meant doing things like running ComboFix, RKill, Malwarebytes and a bazillion other bits of software. I think I have got rid of the actual virus/trojan, but my computer is left in a very sorry state. Here are the 3 major problems I keep running into, as described in my original post from yesterday:

 

1) Can't get Windows Defender to turn on at all. When I go to Services it just says WinDefend and, in the description, '<Failed to Read Description. Error Code: 5>'; when I try to start the service it says, 'Windows could not start the WinDefend service on Local Computer. Error 5: Access is denied.'

 

2) Trying to run sfc /scannow through cmd, I get to 91% and the scan stops and says, 'Windows Resource Protection could not perform the requested operation'.

 

3) Whenever I try to download a file through Chrome or IE I get a message that says the file contained a virus and was stopped. So yeah, basically I can't download anything through these two browsers.

 

I think the Windows services and registry have taken a pretty big hit; it might just be that I have no choice but to do a complete reinstall of Windows 7. However, if there is a chance to avoid that and get this system healthy again, I am prepared to try. This starts by attaching my Attach.txt DDS log to this post and pasting the contents of DDS.txt below.

 

I will be extremely grateful for any help or advice offered.

Thanks,

Tom

 

DDS LOG

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by Toms at 9:28:09 on 2013-05-31
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.44.1033.18.3198.1931 [GMT 1:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\D-Link\DWA-140 revB\ANIWConnService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AirVideoServer\AirVideoServer.exe
T:\Games\Steam\Steam.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Users\Toms\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [AirVideoServer] c:\program files\airvideoserver\AirVideoServer.exe
uRun: [Steam] "t:\games\steam\steam.exe" -silent
uRun: [Spotify Web Helper] "c:\users\toms\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
mRun: [D-Link D-Link Wireless N DWA-140] c:\program files\d-link\dwa-140 revb\AirNCFG.exe
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] %
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\toms\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\toms\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{5BFE3C6C-BAB8-4965-A353-091691336C22} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{900140F3-1315-4EE1-8BC5-12DAB492A213} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{900140F3-1315-4EE1-8BC5-12DAB492A213}\1446160747164796F6E60244164796E676 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{900140F3-1315-4EE1-8BC5-12DAB492A213}\1646160747164796F6E646164796E676 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{F3E222DB-6DC8-4234-BBF9-4F0DE5B19859} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{F3E222DB-6DC8-4234-BBF9-4F0DE5B19859}\1646160747164796F6E646164796E676 : DHCPNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.94\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2011-10-6 12800]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2011-12-11 12672]
R2 D-Link Wireless N DWA-140_WPS;D-Link Wireless N DWA-140_WPS Service;c:\program files\d-link\dwa-140 revb\ANIWConnService.exe [2011-10-6 53248]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 100328]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-1-18 383264]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2011-10-6 22784]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2011-10-20 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-10-20 79360]
S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Dnetr28u.sys [2011-10-6 855392]
S3 NisSrv;NisSrv;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-10-27 15872]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-27 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-6 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
FileExt: .js: Applications\notepad++.exe="c:\program files\notepad++\notepad++.exe" "%1" [UserChoice]
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs5.5\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-05-30 13:15:16 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-30 13:00:30 -------- d-----w- c:\windows\system32\catroot2
2013-05-29 22:20:06 -------- d-----w- c:\program files\Tweaking.com
2013-05-29 16:38:57 -------- d-----w- c:\users\toms\appdata\local\Little_Apps
2013-05-29 16:36:47 -------- d-----w- c:\program files\common files\Little Registry Cleaner
2013-05-29 16:28:34 -------- d-----w- c:\program files\Little Registry Cleaner
2013-05-29 16:04:56 -------- d-----w- c:\program files\CCleaner
2013-05-22 06:04:43 -------- d-sh--w- C:\$$PendingFiles
2013-05-21 20:15:45 -------- d-sh--w- C:\$RECYCLE.BIN
2013-05-21 20:03:20 98816 ----a-w- c:\windows\sed.exe
2013-05-21 20:03:20 256000 ----a-w- c:\windows\PEV.exe
2013-05-21 20:03:20 208896 ----a-w- c:\windows\MBR.exe
2013-05-21 20:03:18 -------- d-----w- C:\ComboFix
2013-05-20 21:10:17 -------- d-----w- c:\programdata\Panda Security
2013-05-20 21:10:06 -------- d-----w- c:\program files\Panda USB Vaccine
2013-05-20 20:33:22 -------- d-----w- c:\program files\NirSoft
2013-05-20 19:34:57 -------- d-----w- c:\windows\ERUNT
2013-05-20 19:34:23 -------- d-----w- C:\JRT
2013-05-20 11:53:00 -------- d-----w- c:\users\toms\appdata\roaming\Malwarebytes
2013-05-20 11:52:48 -------- d-----w- c:\programdata\Malwarebytes
2013-05-20 11:52:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-20 11:52:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-19 15:55:19 -------- d-----w- c:\program files\ESET
2013-05-18 09:50:46 -------- d-----w- c:\users\toms\appdata\local\temp
2013-05-17 22:24:08 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-05-17 21:37:57 -------- d-----w- c:\users\toms\appdata\roaming\SUPERAntiSpyware.com
2013-05-17 21:16:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-05-17 21:16:21 -------- d-----w- c:\users\toms\appdata\local\Programs
2013-05-16 18:06:47 7016152 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{df57132c-f746-42f0-9d7f-ac4a6acb78ce}\mpengine.dll
2013-05-16 18:02:35 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-16 18:02:35 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-16 18:02:34 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-16 18:02:30 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 18:02:29 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 18:02:25 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-16 18:02:25 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-16 18:02:25 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-14 20:09:15 7016152 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-05-10 07:57:26 187456 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-05-09 18:28:46 706640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fd493f96-2d1c-4c24-bd38-65f3c73b2a4e}\gapaengine.dll
2013-05-09 18:26:52 -------- d-----w- c:\program files\Microsoft Security Client
2013-05-06 19:03:30 -------- d-----w- c:\program files\x264 Video Codec
2013-05-03 14:03:24 6906960 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{27b1206d-7189-462b-b4e3-6e1614d6f8d0}\mpengine.dll
.
==================== Find3M  ====================
.
2013-05-30 13:15:08 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-30 13:15:08 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-14 21:51:17 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-14 21:51:17 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-02 15:28:50 238872 ----a-w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-04-05 04:29:45 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-03-31 14:57:29 9728 ----a-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
.
============= FINISH:  9:28:46.60 ===============

#2 Larusso

    Raggamuffin

  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 01 June 2013 - 08:29 AM

Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all log files as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all log files in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • I am currently attending an evening school and working night shift only, which might be evening for you. In this time I am mostly online with my mobile devices and won't be able to reply.

You mentioned that you ran ComboFix. While you may see ComboFix being used quite often without incident, the tool should not be run unsupervised (as stated in the disclaimer that is first displayed by ComboFix when you run the tool).


Why we don't ask you to run ComboFix from the onset

ComboFix is a very powerful tool which, when improperly used, may render your machine a doorstop.

We first need to verify if there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present and decide whether to deploy ComboFix.


That being said, the log it produced contains very important information for me. You'll find it located at C:\ComboFix.txt. Please include that log in your next reply, along with the following:

Please download Farbar's Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Edited by Larusso, 01 June 2013 - 08:30 AM.

regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free, but if you want to support me in my fight against malware, please donate.

#3 ruddyidiot

  • Topic Starter
  • Members
  • 36 posts

Posted 02 June 2013 - 04:59 AM

Hi Daniel,

 

Thank you for replying and helping me with my PC problems. It was foolish of me to run ComboFix without seeking the necessary advice; I think, like a lot of people, I just assumed that by using it my problems would be fixed and my PC would work again. Unfortunately that has not been the case, and I may have actually made things worse by running the software without first getting the advice to do so.

 

I will start to follow your steps today and write back with all the required logs.

 

Really thank you for your time helping me, it is hugely appreciated.

Thanks,

 

Tom



#4 ruddyidiot

  • Topic Starter
  • Members
  • 36 posts

Posted 02 June 2013 - 08:05 AM

Sorry, I don't have the ComboFix.txt log; there is nothing in the folder located at C:\ComboFix.txt. I think I must have deleted the log.

 

I will skip this step and continue with Farbar's Service Scanner.

 

Thanks,

 

Tom



#5 ruddyidiot

  • Topic Starter
  • Members
  • 36 posts

Posted 02 June 2013 - 08:08 AM

Farbar's Service Scanner Log

 

Farbar Service Scanner Version: 14-04-2013

Ran by Toms (administrator) on 02-06-2013 at 14:06:49
Running from "C:\Users\Toms\Desktop\Mine\anti malware and spyware?"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 00:37] - [2009-07-14 02:15] - 0680960 ____A () D41D8CD98F00B204E9800998ECF8427E
 
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
 
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

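The File Check result in the log above deserves a closer look than the scanner's one-line verdict gives it. D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so FSS hashed no content at all for a file it lists as 680960 bytes long; the usual reason is that the file could not be opened for reading, and it sits alongside the 'Error 5: Access is denied' reported for the WinDefend service in post #1 and the DisableAntiSpyware=1 policy value in the same log. The following Python script is an added example, not part of this thread and not one of Farbar's tools: it runs over a constructed excerpt modelled on the posted FSS.txt and flags those three things. The section headings and line layouts are the ones visible in the log; the regular expressions, the finding labels and the excerpt itself are mine.

```python
"""Offline triage of a Farbar Service Scanner (FSS.txt) report.

Added example (not FSS code). It flags three things the posted log shows:
  1. a non-zero DWORD under a "Disabled Policy" registry key,
  2. the scanner's own "ATTENTION!=====>" markers,
  3. a File Check entry whose MD5 is the hash of zero bytes while the
     listed size is non-zero, i.e. the scanner hashed no content for a
     file that is not empty (typically: the file could not be read).
"""
import hashlib
import re

# MD5 of empty input; a file of non-zero size should never hash to this.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed excerpt modelled on the FSS.txt posted above, not the full log.
SAMPLE_FSS = """\
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\\Windows\\system32\\nsisvc.dll => MD5 is legit
C:\\Program Files\\Windows Defender\\MpSvc.dll
[2009-07-14 00:37] - [2009-07-14 02:15] - 0680960 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\\Program Files\\Windows Defender\\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.

C:\\Windows\\system32\\svchost.exe => MD5 is legit
"""

# Line shapes as they appear in the log (regexes are this example's own).
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)$')
ATTENTION_RE = re.compile(r"^ATTENTION!=+> (?P<text>.+)$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def triage_fss(report):
    """Return (category, detail) findings in the order they appear in the report."""
    findings = []
    current_key = ""   # most recent [HKEY_...] line, for naming policy values
    previous = ""      # File Check prints the path on the line before the details
    for raw in report.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m["key"]
        elif (m := POLICY_RE.match(line)) and int(m["value"]) != 0:
            findings.append(("policy", f"{current_key}\\{m['name']} = {m['value']}"))
        elif m := ATTENTION_RE.match(line):
            findings.append(("attention", m["text"]))
        elif m := DETAIL_RE.match(line):
            size = int(m["size"])
            if m["md5"].lower() == EMPTY_MD5 and size > 0:
                findings.append(("unreadable", f"{previous} ({size} bytes, hashed as empty input)"))
        previous = line
    return findings


if __name__ == "__main__":
    for category, detail in triage_fss(SAMPLE_FSS):
        print(f"{category:<10} {detail}")
```

To run it over a saved report instead of the embedded excerpt, pass `open(path, encoding="utf-8", errors="replace").read()` to `triage_fss`. The 'unreadable' finding is a prompt to inspect the file's ACLs and re-hash it from a clean boot environment before deciding anything; the script only reports the anomaly, it does not decide whether the file is malicious, and a clean re-hash that matches a known-good copy would mean the scanner's "infected" verdict was a read failure, not a detection.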

#6 ruddyidiot

  • Topic Starter
  • Members
  • 36 posts

Posted 02 June 2013 - 08:14 AM

Farbar Recovery Scan Tool

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-06-2013
Ran by Toms (administrator) on 02-06-2013 14:09:56
Running from C:\Users\Toms\Desktop
Windows 7 Ultimate Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\D-Link\DWA-140 revB\ANIWConnService.exe
() C:\Windows\system32\PnkBstrA.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(D-Link Corp.) C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe
() C:\Program Files\Razer\DeathAdder\razerhid.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
() C:\Program Files\Razer\DeathAdder\razertra.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Razer Inc.) C:\Program Files\Razer\DeathAdder\razerofa.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\AirVideoServer\AirVideoServer.exe
(Valve Corporation) T:\Games\Steam\Steam.exe
(Spotify Ltd) C:\Users\Toms\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Panda Security) C:\Program Files\Panda USB Vaccine\USBVaccine.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Valve Corporation) C:\Program Files\Common Files\Steam\SteamService.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [D-Link D-Link Wireless N DWA-140] C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe [1024000 2010-06-30] (D-Link Corp.)
HKLM\...\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe [159744 2007-09-07] ()
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin [1073352 2012-06-25] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [Windows Defender] % [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKCU\...\Run: [AirVideoServer] C:\Program Files\AirVideoServer\AirVideoServer.exe [4923784 2010-09-22] ()
HKCU\...\Run: [Steam] "T:\Games\Steam\steam.exe" -silent [x]
HKCU\...\Run: [Spotify Web Helper] "C:\Users\Toms\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1105408 2013-05-04] (Spotify Ltd)
HKCU\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)
HKCU\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
Startup: C:\Users\Toms\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Toms\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
PDF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
Chrome: 
=======
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (AdobeExManDetect) - C:\Program Files\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
CHR Plugin: (ESN Launch Mozilla Plugin) - C:\Program Files\Battlelog Web Plugins\2.1.2\npesnlaunch.dll (ESN Social Software AB)
CHR Plugin: (ESN Sonar API) - C:\Program Files\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
CHR Plugin: (AdobeAAMDetect) - C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Java™ Platform SE 7 U15) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.150.3) - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
CHR Extension: (Google Docs) - C:\Users\Toms\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\Toms\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Toms\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\Toms\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Gmail) - C:\Users\Toms\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
 
========================== Services (Whitelisted) =================
 
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2011-10-20] (Creative Labs)
R2 D-Link Wireless N DWA-140_WPS; C:\Program Files\D-Link\DWA-140 revB\ANIWConnService.exe [53248 2010-06-03] ()
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-01-03] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] ()
 
==================== Drivers (Whitelisted) ====================
 
R1 anodlwf; C:\Windows\System32\DRIVERS\anodlwf.sys [12800 2009-03-06] ()
R2 cpuz132; C:\Windows\system32\drivers\cpuz132_x32.sys [12672 2009-03-27] (Windows ® Codename Longhorn DDK provider)
R3 DAdderFltr; C:\Windows\System32\drivers\dadder.sys [22784 2007-08-02] (Razer (Asia-Pacific) Pte Ltd)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\Dnetr28u.sys [855392 2010-05-05] (Ralink Technology Corp.)
R3 P17; C:\Windows\System32\drivers\P17.sys [1168896 2009-10-16] (Creative Technology Ltd.)
S3 ALSysIO; \??\C:\Users\Toms\AppData\Local\Temp\ALSysIO.sys [x]
S3 catchme; \??\C:\Users\Toms\AppData\Local\Temp\catchme.sys [x]
S1 MpKsl956b8a89; \??\C:\Windows\Temp\MpKsl956b8a89.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-02 14:09 - 2013-06-02 14:09 - 00000000 ____D C:\FRST
2013-06-02 14:05 - 2013-06-02 14:02 - 01355887 ____A (Farbar) C:\Users\Toms\Desktop\FRST.exe
2013-05-31 09:28 - 2013-05-31 09:28 - 00015274 ____A C:\Users\Toms\Desktop\dds.txt
2013-05-31 09:28 - 2013-05-31 09:28 - 00011093 ____A C:\Users\Toms\Desktop\attach.txt
2013-05-31 09:26 - 2013-05-31 09:24 - 00688992 ____R (Swearware) C:\Users\Toms\Desktop\dds.com
2013-05-30 16:45 - 2013-05-30 16:46 - 00162428 ____A C:\Windows\System32\sfcdetails.txt
2013-05-30 14:17 - 2013-05-30 14:17 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-30 14:15 - 2013-05-30 14:15 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-30 14:15 - 2013-05-30 14:15 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-30 14:15 - 2013-05-30 14:15 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-30 14:15 - 2013-05-30 14:15 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-30 14:04 - 2013-05-30 11:54 - 00903072 ____A (Oracle Corporation) C:\Users\Toms\Desktop\jxpiinstall.exe
2013-05-30 09:19 - 2013-05-30 12:28 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-05-30 09:13 - 2013-05-30 12:31 - 00001552 ____A C:\Windows\PFRO.log
2013-05-29 23:20 - 2013-05-29 23:20 - 00000000 ____D C:\Program Files\Tweaking.com
2013-05-29 23:16 - 2013-05-29 23:17 - 00000000 ____D C:\Users\Toms\Desktop\RK_Quarantine
2013-05-29 22:21 - 2013-05-29 22:25 - 00000417 ____A C:\Users\Toms\Desktop\EnableWD.reg
2013-05-29 17:45 - 2013-06-02 13:54 - 00000504 ____A C:\Windows\setupact.log
2013-05-29 17:45 - 2013-05-29 17:45 - 00000000 ____A C:\Windows\setuperr.log
2013-05-29 17:36 - 2013-05-29 17:37 - 00000000 ____D C:\Program Files\Common Files\Little Registry Cleaner
2013-05-29 17:28 - 2013-05-29 17:28 - 00000000 ____D C:\Program Files\Little Registry Cleaner
2013-05-29 17:04 - 2013-05-29 17:04 - 00000000 ____D C:\Program Files\CCleaner
2013-05-22 07:04 - 2013-05-22 07:04 - 00000000 __SHD C:\$$PendingFiles
2013-05-21 22:35 - 2013-05-21 22:35 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Local\Google
2013-05-21 22:34 - 2013-05-21 22:34 - 00183400 ____A C:\Users\Jodie Clissold\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-21 22:34 - 2013-05-21 22:34 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Roaming\Apple Computer
2013-05-21 22:34 - 2013-05-21 22:34 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Local\Adobe
2013-05-21 22:33 - 2013-05-21 22:34 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Roaming\Adobe
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\UserData
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\PrivacIE
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\IETldCache
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\IECompatCache
2013-05-21 22:32 - 2013-05-21 22:34 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Local\VirtualStore
2013-05-21 22:32 - 2013-05-21 22:32 - 00000020 ___SH C:\Users\Jodie Clissold\ntuser.ini
2013-05-21 21:26 - 2013-05-21 21:26 - 00000077 ____A C:\Users\Toms\Desktop\reset.bat
2013-05-21 21:16 - 2013-05-21 21:16 - 00018385 ____A C:\ComboFix.txt
2013-05-21 21:03 - 2013-05-21 21:16 - 00000000 ____D C:\ComboFix
2013-05-21 21:03 - 2011-06-26 07:45 - 00256000 ____A C:\Windows\PEV.exe
2013-05-21 21:03 - 2010-11-07 18:20 - 00208896 ____A C:\Windows\MBR.exe
2013-05-21 21:03 - 2009-04-20 05:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-05-21 21:03 - 2000-08-31 01:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-05-21 21:03 - 2000-08-31 01:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-05-21 21:03 - 2000-08-31 01:00 - 00098816 ____A C:\Windows\sed.exe
2013-05-21 21:03 - 2000-08-31 01:00 - 00080412 ____A C:\Windows\grep.exe
2013-05-21 21:03 - 2000-08-31 01:00 - 00068096 ____A C:\Windows\zip.exe
2013-05-21 20:55 - 2013-05-29 13:53 - 00002151 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-20 22:10 - 2013-05-20 22:10 - 00000000 ____D C:\ProgramData\Panda Security
2013-05-20 22:10 - 2013-05-20 22:10 - 00000000 ____D C:\Program Files\Panda USB Vaccine
2013-05-20 21:33 - 2013-05-20 21:33 - 00000000 ____D C:\Program Files\NirSoft
2013-05-20 21:32 - 2013-05-20 21:31 - 00138984 ____A C:\Users\Toms\Desktop\shexview_setup.exe
2013-05-20 21:27 - 2013-05-20 21:27 - 00000396 _RASH C:\ProgramData\ntuser.pol
2013-05-20 20:34 - 2013-05-20 20:34 - 00000000 ____D C:\Windows\ERUNT
2013-05-20 20:34 - 2013-05-20 20:34 - 00000000 ____D C:\JRT
2013-05-20 20:31 - 2013-05-20 20:31 - 00006042 ____A C:\AdwCleaner[R1].txt
2013-05-20 20:31 - 2013-05-20 20:31 - 00004477 ____A C:\AdwCleaner[S1].txt
2013-05-20 20:25 - 2013-05-20 20:16 - 00006336 ____A C:\Users\Toms\Desktop\WinDefend.reg
2013-05-20 12:53 - 2013-05-20 12:53 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Malwarebytes
2013-05-20 12:52 - 2013-05-20 12:52 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-20 12:52 - 2013-05-20 12:52 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-20 12:52 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-19 16:55 - 2013-05-19 16:55 - 00000000 ____D C:\Program Files\ESET
2013-05-17 23:24 - 2011-04-25 03:18 - 00338944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2013-05-17 23:21 - 2013-05-17 23:39 - 00000000 ____D C:\Windows\erdnt
2013-05-17 22:37 - 2013-05-17 22:37 - 00000000 ____D C:\Users\Toms\AppData\Roaming\SUPERAntiSpyware.com
2013-05-17 22:16 - 2013-05-17 22:30 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-17 21:28 - 2012-02-07 10:10 - 00002380 ____A C:\Users\Toms\Desktop\Firewall-Repair-Windows-7.reg
2013-05-17 19:55 - 2013-05-17 19:55 - 00000000 ____D C:\Users\Toms\Desktop\Old Firefox Data
2013-05-16 22:17 - 2013-04-05 06:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-16 22:17 - 2013-04-05 06:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-16 22:17 - 2013-04-05 06:28 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-16 22:17 - 2013-04-05 06:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-16 22:17 - 2013-04-05 06:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-16 22:17 - 2013-04-05 05:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 22:17 - 2013-04-05 04:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-16 19:02 - 2013-04-10 06:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-16 19:02 - 2013-04-10 06:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-16 19:02 - 2013-04-10 04:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-16 19:02 - 2013-03-19 05:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-16 19:02 - 2013-03-19 04:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-16 19:02 - 2013-02-27 06:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-16 19:02 - 2013-02-27 05:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-16 19:02 - 2013-02-27 05:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-16 19:02 - 2013-02-27 05:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-16 19:02 - 2013-02-27 05:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-11 12:01 - 2013-05-11 12:01 - 00000799 ____A C:\Users\Toms\Desktop\Dropbox - Shortcut.lnk
2013-05-09 19:27 - 2013-05-09 19:27 - 00001945 ____A C:\Windows\epplauncher.mif
2013-05-09 19:26 - 2013-05-09 19:27 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-05-06 20:03 - 2013-05-06 20:03 - 00000000 ____D C:\Program Files\x264 Video Codec
2013-05-05 12:50 - 2013-05-05 12:50 - 00000000 ____D C:\Users\Toms\Documents\BioWare
 
==================== One Month Modified Files and Folders ========
 
2013-06-02 14:09 - 2013-06-02 14:09 - 00000000 ____D C:\FRST
2013-06-02 14:05 - 2011-10-07 03:14 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-02 14:04 - 2011-11-11 11:59 - 00000000 ____D C:\Users\Toms\AppData\Local\Adobe
2013-06-02 14:02 - 2013-06-02 14:05 - 01355887 ____A (Farbar) C:\Users\Toms\Desktop\FRST.exe
2013-06-02 14:02 - 2009-07-14 05:34 - 00013440 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-02 14:02 - 2009-07-14 05:34 - 00013440 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-02 13:54 - 2013-05-29 17:45 - 00000504 ____A C:\Windows\setupact.log
2013-06-02 13:54 - 2012-01-17 23:41 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Dropbox
2013-06-02 13:54 - 2011-10-20 20:26 - 00000000 ____D C:\jexepackres
2013-06-02 13:54 - 2011-10-06 22:14 - 00000000 ____D C:\ProgramData\NVIDIA
2013-06-02 13:54 - 2011-10-06 19:52 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-02 13:54 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-31 10:55 - 2011-10-07 02:48 - 01230273 ____A C:\Windows\WindowsUpdate.log
2013-05-31 10:51 - 2012-04-02 18:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-31 10:47 - 2011-10-06 19:52 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-31 09:28 - 2013-05-31 09:28 - 00015274 ____A C:\Users\Toms\Desktop\dds.txt
2013-05-31 09:28 - 2013-05-31 09:28 - 00011093 ____A C:\Users\Toms\Desktop\attach.txt
2013-05-31 09:24 - 2013-05-31 09:26 - 00688992 ____R (Swearware) C:\Users\Toms\Desktop\dds.com
2013-05-30 16:46 - 2013-05-30 16:45 - 00162428 ____A C:\Windows\System32\sfcdetails.txt
2013-05-30 15:39 - 2011-10-06 19:53 - 00183400 ____A C:\Users\Toms\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-30 14:18 - 2013-01-05 23:57 - 00000000 ____D C:\Users\Toms\Documents\OpenTTD
2013-05-30 14:17 - 2013-05-30 14:17 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-30 14:15 - 2013-05-30 14:15 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-30 14:15 - 2013-05-30 14:15 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-30 14:15 - 2013-05-30 14:15 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-30 14:15 - 2013-05-30 14:15 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-30 14:15 - 2012-05-21 20:27 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npdeployJava1.dll
2013-05-30 14:15 - 2011-10-06 22:23 - 00788896 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-05-30 12:31 - 2013-05-30 09:13 - 00001552 ____A C:\Windows\PFRO.log
2013-05-30 12:31 - 2009-07-14 05:33 - 04063320 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-30 12:28 - 2013-05-30 09:19 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-05-30 11:54 - 2013-05-30 14:04 - 00903072 ____A (Oracle Corporation) C:\Users\Toms\Desktop\jxpiinstall.exe
2013-05-30 10:59 - 2011-10-06 22:23 - 00000000 ____D C:\Program Files\Java
2013-05-30 10:08 - 2012-01-02 21:36 - 00000855 ____A C:\Windows\System32\Drivers\etc\hosts_bak_524
2013-05-30 09:13 - 2012-09-24 16:09 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Skype
2013-05-29 23:20 - 2013-05-29 23:20 - 00000000 ____D C:\Program Files\Tweaking.com
2013-05-29 23:17 - 2013-05-29 23:16 - 00000000 ____D C:\Users\Toms\Desktop\RK_Quarantine
2013-05-29 22:25 - 2013-05-29 22:21 - 00000417 ____A C:\Users\Toms\Desktop\EnableWD.reg
2013-05-29 17:45 - 2013-05-29 17:45 - 00000000 ____A C:\Windows\setuperr.log
2013-05-29 17:37 - 2013-05-29 17:36 - 00000000 ____D C:\Program Files\Common Files\Little Registry Cleaner
2013-05-29 17:28 - 2013-05-29 17:28 - 00000000 ____D C:\Program Files\Little Registry Cleaner
2013-05-29 17:06 - 2012-05-14 21:57 - 00000000 ____D C:\Users\Toms\AppData\Roaming\FileZilla
2013-05-29 17:06 - 2012-01-21 22:07 - 00000000 ____D C:\Windows\Minidump
2013-05-29 17:06 - 2011-12-05 21:52 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Ventrilo
2013-05-29 17:06 - 2011-10-20 20:41 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Azureus
2013-05-29 17:06 - 2011-10-07 03:42 - 00000000 ____D C:\Windows\Panther
2013-05-29 17:04 - 2013-05-29 17:04 - 00000000 ____D C:\Program Files\CCleaner
2013-05-29 13:53 - 2013-05-21 20:55 - 00002151 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-22 07:04 - 2013-05-22 07:04 - 00000000 __SHD C:\$$PendingFiles
2013-05-21 22:35 - 2013-05-21 22:35 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Local\Google
2013-05-21 22:34 - 2013-05-21 22:34 - 00183400 ____A C:\Users\Jodie Clissold\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-21 22:34 - 2013-05-21 22:34 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Roaming\Apple Computer
2013-05-21 22:34 - 2013-05-21 22:34 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Local\Adobe
2013-05-21 22:34 - 2013-05-21 22:33 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Roaming\Adobe
2013-05-21 22:34 - 2013-05-21 22:32 - 00000000 ____D C:\Users\Jodie Clissold\AppData\Local\VirtualStore
2013-05-21 22:34 - 2011-10-06 19:55 - 00000000 ____D C:\users\Jodie Clissold
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\UserData
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\PrivacIE
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\IETldCache
2013-05-21 22:33 - 2013-05-21 22:33 - 00000000 __SHD C:\Users\Jodie Clissold\IECompatCache
2013-05-21 22:32 - 2013-05-21 22:32 - 00000020 ___SH C:\Users\Jodie Clissold\ntuser.ini
2013-05-21 21:26 - 2013-05-21 21:26 - 00000077 ____A C:\Users\Toms\Desktop\reset.bat
2013-05-21 21:16 - 2013-05-21 21:16 - 00018385 ____A C:\ComboFix.txt
2013-05-21 21:16 - 2013-05-21 21:03 - 00000000 ____D C:\ComboFix
2013-05-21 21:16 - 2010-05-20 13:14 - 00000000 ___AD C:\Qoobox
2013-05-21 21:11 - 2009-07-14 03:04 - 00000215 ____A C:\Windows\system.ini
2013-05-21 20:55 - 2011-10-06 19:52 - 00000000 ____D C:\Users\Toms\AppData\Local\Google
2013-05-21 20:55 - 2011-10-06 19:52 - 00000000 ____D C:\Program Files\Google
2013-05-20 23:02 - 2012-01-02 21:36 - 00000019 ____A C:\Windows\System32\Drivers\etc\hosts_bak_744
2013-05-20 22:13 - 2012-01-03 20:08 - 00000000 ____D C:\Program Files\Notepad++
2013-05-20 22:10 - 2013-05-20 22:10 - 00000000 ____D C:\ProgramData\Panda Security
2013-05-20 22:10 - 2013-05-20 22:10 - 00000000 ____D C:\Program Files\Panda USB Vaccine
2013-05-20 21:33 - 2013-05-20 21:33 - 00000000 ____D C:\Program Files\NirSoft
2013-05-20 21:31 - 2013-05-20 21:32 - 00138984 ____A C:\Users\Toms\Desktop\shexview_setup.exe
2013-05-20 21:27 - 2013-05-20 21:27 - 00000396 _RASH C:\ProgramData\ntuser.pol
2013-05-20 21:26 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\GroupPolicy
2013-05-20 21:14 - 2013-03-31 19:10 - 00000000 __SHD C:\Users\Toms\PrivacIE
2013-05-20 21:08 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\NDF
2013-05-20 21:06 - 2013-04-11 21:29 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-20 21:06 - 2011-10-06 19:55 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Mozilla
2013-05-20 20:34 - 2013-05-20 20:34 - 00000000 ____D C:\Windows\ERUNT
2013-05-20 20:34 - 2013-05-20 20:34 - 00000000 ____D C:\JRT
2013-05-20 20:31 - 2013-05-20 20:31 - 00006042 ____A C:\AdwCleaner[R1].txt
2013-05-20 20:31 - 2013-05-20 20:31 - 00004477 ____A C:\AdwCleaner[S1].txt
2013-05-20 20:16 - 2013-05-20 20:25 - 00006336 ____A C:\Users\Toms\Desktop\WinDefend.reg
2013-05-20 12:53 - 2013-05-20 12:53 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Malwarebytes
2013-05-20 12:52 - 2013-05-20 12:52 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-20 12:52 - 2013-05-20 12:52 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-19 21:13 - 2011-10-20 20:41 - 00000000 ____D C:\Program Files\Vuze
2013-05-19 16:55 - 2013-05-19 16:55 - 00000000 ____D C:\Program Files\ESET
2013-05-18 10:12 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2013-05-17 23:40 - 2009-07-14 03:37 - 00000000 ___RD C:\users\Public
2013-05-17 23:40 - 2009-07-14 03:37 - 00000000 ___RD C:\users\Default
2013-05-17 23:39 - 2013-05-17 23:21 - 00000000 ____D C:\Windows\erdnt
2013-05-17 23:26 - 2009-07-14 05:53 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-17 23:24 - 2009-07-14 03:03 - 55836672 ____A C:\Windows\System32\config\SOFTWARE.bak
2013-05-17 23:24 - 2009-07-14 03:03 - 19136512 ____A C:\Windows\System32\config\SYSTEM.bak
2013-05-17 23:24 - 2009-07-14 03:03 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2013-05-17 23:24 - 2009-07-14 03:03 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2013-05-17 23:24 - 2009-07-14 03:03 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bak
2013-05-17 22:37 - 2013-05-17 22:37 - 00000000 ____D C:\Users\Toms\AppData\Roaming\SUPERAntiSpyware.com
2013-05-17 22:30 - 2013-05-17 22:16 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-17 21:53 - 2009-09-16 18:52 - 00000000 ____D C:\Users\Toms\Desktop\Mine
2013-05-17 21:50 - 2011-10-06 21:33 - 00000000 ____D C:\ProgramData\AVAST Software
2013-05-17 21:04 - 2011-11-11 12:00 - 00000000 ____D C:\ProgramData\Adobe
2013-05-17 20:49 - 2009-07-14 03:04 - 00002577 ____A C:\Windows\System32\config.nt
2013-05-17 20:48 - 2011-10-06 21:33 - 00000000 ____D C:\Program Files\AVAST Software
2013-05-17 19:55 - 2013-05-17 19:55 - 00000000 ____D C:\Users\Toms\Desktop\Old Firefox Data
2013-05-17 19:53 - 2012-03-03 14:59 - 00000000 ____D C:\Users\Toms\AppData\Roaming\Spotify
2013-05-17 19:48 - 2012-03-03 14:59 - 00000000 ____D C:\Users\Toms\AppData\Local\Spotify
2013-05-17 18:42 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-16 22:12 - 2012-09-21 11:21 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-14 22:51 - 2012-04-02 18:40 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-14 22:51 - 2011-10-06 19:52 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-12 11:51 - 2012-01-21 18:20 - 00001456 ____A C:\Users\Toms\AppData\Local\Adobe Save for Web 12.0 Prefs
2013-05-11 12:01 - 2013-05-11 12:01 - 00000799 ____A C:\Users\Toms\Desktop\Dropbox - Shortcut.lnk
2013-05-09 21:26 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-05-09 19:27 - 2013-05-09 19:27 - 00001945 ____A C:\Windows\epplauncher.mif
2013-05-09 19:27 - 2013-05-09 19:26 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-05-09 17:48 - 2011-10-06 20:58 - 00000000 ____D C:\Program Files\Common Files\Steam
2013-05-06 20:03 - 2013-05-06 20:03 - 00000000 ____D C:\Program Files\x264 Video Codec
2013-05-05 12:50 - 2013-05-05 12:50 - 00000000 ____D C:\Users\Toms\Documents\BioWare
2013-05-05 12:50 - 2011-11-11 12:33 - 00000000 ____D C:\Users\Toms\AppData\Roaming\NVIDIA
2013-05-03 15:57 - 2011-10-06 20:21 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
 
 
Last Boot: 2013-05-29 11:52
 
==================== End Of Log ============================

 




#7 ruddyidiot
  • Topic Starter
  • Members
  • 36 posts

Posted 02 June 2013 - 08:16 AM

Do I use the fix option with Farbar Recovery Scan Tool? So far I have only pressed 'Scan'

 

Thanks,

Tom



#8 Larusso
    Raggamuffin
  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 03 June 2013 - 10:11 AM

Download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please [donate button]

#9 ruddyidiot
  • Topic Starter
  • Members
  • 36 posts

Posted 03 June 2013 - 01:30 PM

It is saying there is an updated version of FRST before I click the 'Fix' button. Should I download this from my other computer before proceeding? 



#10 ruddyidiot
  • Topic Starter
  • Members
  • 36 posts

Posted 03 June 2013 - 01:45 PM


Note: If the tool warned you about the outdated version please download and run the updated version.

 

Sorry, only just noticed this, my bad. Downloaded the latest version and am now running the fix. Will reply with the log.



#11 ruddyidiot
  • Topic Starter
  • Members
  • 36 posts

Posted 03 June 2013 - 01:49 PM

Farbar Fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-06-2013 03
Ran by Toms at 2013-06-03 19:45:55 Run:1
Running from C:\Users\Toms\Desktop
Boot Mode: Normal
 
==============================================
 
"C:\Program Files\Windows Defender" => Deleting junctions and unlocking files completed successfully.
"C:\Program Files\Microsoft Security Client" => Deleting junctions and unlocking files completed successfully.
 
==== End of Fixlog ====
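The scan log earlier in the thread flagged the Windows Defender and Microsoft Security Client folders as ZeroAccess junctions, and this Fixlog confirms FRST removed them. As an added triage helper that is not part of FRST or of this thread, the Python below reads the markers FRST uses in such logs (`[x]` for a file it could not find, `()` for missing company/version info, `ATTENTION:` for its own alerts, and the R/S state plus start-type digit on service and driver lines) and ranks them; the rule names, severities and the short list of security services are this example's assumptions.

```python
"""Triage helper for FRST scan logs.

Added example for this thread; it is not part of FRST and not the helper's
own procedure.  The rules encode what the log lines in the thread show: an
entry ending in `[x]` is a file FRST could not find, `()` means no
company/version info could be read, `ATTENTION:` is FRST's own alert
marker, and service/driver lines start with R (running) or S (stopped)
followed by the start-type digit (2 = automatic start).  Rule names,
severities and SECURITY_SERVICES are assumptions of this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the FRST scan log posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] % [x]
HKCU\...\Run: [Steam] "T:\Games\Steam\steam.exe" -silent [x]
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] ()
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-01-03] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Toms\AppData\Local\Temp\catchme.sys [x]
S1 MpKsl956b8a89; \??\C:\Windows\Temp\MpKsl956b8a89.sys [x]
C:\Windows\System32\services.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
"""

SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
MD5_RE = re.compile(r"^(?P<path>.+?) => (?P<verdict>.*)$")

# Service/driver names (lower-cased) whose stopped state matters most here;
# assumption of this example, chosen from the services in the thread's log.
SECURITY_SERVICES = {"windefend", "msmpsvc", "nissrv", "mpfilter"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    name: str
    detail: str


def _path_of(rest: str) -> str:
    """Strip the trailing ' [size date]', ' [x]' or ' (company)' from an entry."""
    rest = rest.strip()
    cut = rest.find(" [")
    return rest[:cut] if cut != -1 else rest


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one FRST log line (empty list if nothing to flag)."""
    line = line.rstrip()
    out: list[Finding] = []
    if not line:
        return out
    if "ATTENTION:" in line:  # FRST's own alert, whatever section it is in
        head = line.split("ATTENTION:", 1)[0].strip().removesuffix("=>").strip()
        out.append(Finding("high", "frst-attention", head,
                           line.split("ATTENTION:", 1)[1].strip()))
    m = SERVICE_RE.match(line)
    if m:
        name, rest = m["name"], m["rest"]
        path = _path_of(rest)
        if rest.endswith("[x]"):
            out.append(Finding("medium", "file-missing", name, path))
        # Review prompt, not a verdict: e.g. the MSE scan driver MpKsl*.sys
        # legitimately lives in Windows\Temp, and catchme.sys belongs to ComboFix.
        if "\\temp\\" in path.lower():
            out.append(Finding("high", "loaded-from-temp", name, path))
        if m["state"] == "S" and m["start"] == "2":  # auto-start but not running
            sev = "high" if name.lower() in SECURITY_SERVICES else "medium"
            out.append(Finding(sev, "autostart-not-running", name, path))
        if rest.endswith("()"):  # file present but no company/version info readable
            out.append(Finding("medium", "no-version-info", name, path))
        return out
    m = RUN_RE.match(line)
    if m and m["rest"].endswith("[x]"):
        out.append(Finding("medium", "file-missing", m["name"], _path_of(m["rest"])))
        return out
    m = MD5_RE.match(line)  # "Bamital & volsnap Check" section
    if m and "MD5 is legit" not in m["verdict"] and "ATTENTION:" not in m["verdict"]:
        out.append(Finding("high", "md5-check", m["path"], m["verdict"]))
    return out


def triage(log_text: str) -> list[Finding]:
    """Triage every line of an FRST log and return the findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per rule for a one-line summary."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.rule:22} {f.name}: {f.detail}")
    print(dict(summarize(results)))
```

On the sample above the two ATTENTION lines and the two stopped auto-start security services are the high findings that point at the junction trick; the Temp-loaded drivers are review prompts that a helper would dismiss after matching them to ComboFix and MSE.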


#12 Larusso
    Raggamuffin
  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 04 June 2013 - 12:28 PM

Great.

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware.

Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Install, update definitions, and run a full system scan with the Anti-Virus of your choice.



I notice that you have registry cleaners installed (Little Registry Cleaner, CCleaner). Registry cleaners tend to present more problems than they solve; one false positive more often than not means a re-installation of the operating system. The positive effects of registry cleaners are barely noticeable - if any. I recommend that you uninstall the products to minimize any risk to your system. I have placed a couple of links for you to read below in your own time.

Information from Bill Castner (MS-MVP) on why you should NOT use one here - http://aumha.net/viewtopic.php?t=28099
Information from miekiemoes (MS-MVP) on why you should NOT use one here - http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html



I see you have P2P (peer to peer) software installed on your machine (in your case Vuze). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here and here.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.



Please launch DDS and post the dds.txt and attach.txt
Please note any open issues.
regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please btn_donate_SM.gif

#13 ruddyidiot

ruddyidiot
  • Topic Starter

  • Members
  • 36 posts

Posted 05 June 2013 - 06:14 AM

Hi Daniel,

I have installed Avast; I was previously using it, and I also have two licenses for the full version which I use on this computer and another of mine.

I am running the full system scan at the moment and noticed that the Avast virus alert notification pops up at least once an hour with the same message:

Infection Details URL: http://inuxland.eu/xmlrpc.php Process: C:\Windows\Explorer.EXE Infection: URL:Mal

Is this something I should be concerned about?

I have tried running windefend from the 'services' program. I have noticed that it now says Windows Defender, whereas before it just said windefend - so it is looking much more promising. I am now getting a different message when I try and manually start the service; it says:

'The Windows Defender service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.'

I also note that a new error message now displays under description; it is: <Failed to Read Description. Error Code: 1168>

I realize I am making a lot of fuss over Windows Defender, and I know it is not always recommended to have it enabled when running some antivirus software, but I know this service was working before I was infected, so ideally, for peace of mind, I'd like to get it running again.

As for downloading files from browsers and running sfc /scannow through CMD, I have not tried these actions yet. I will once the Avast full system scan has been completed, before I create the next batch of DDS logs.

Any help on the Windows Defender issue in the meantime would be greatly appreciated.

Thanks,

Tom
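The symptoms in the post above (the service name changing from "windefend" to "Windows Defender", a "Failed to Read Description. Error Code: 1168" entry, and a service that starts and then stops) all come from things the Services console reads out of the WinDefend registry key. As an added diagnostic, not from the thread or from any helper's instructions, this PowerShell script collects those inputs from an elevated prompt: the service state, whether the ImagePath executable exists, whether the resource DLLs named by the DisplayName and Description indirect strings exist (1168 is ERROR_NOT_FOUND, which the console reports when it cannot resolve such a string), and the Service Control Manager events that record why the service exited. The service name and registry path are standard; the event IDs listed are the usual SCM start/exit events.

```powershell
# Added diagnostic (not from the thread): gather what the Services console and
# the Service Control Manager need in order to display and start WinDefend.
# Run in an elevated PowerShell session.
$name = 'WinDefend'
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

$svc = Get-Service -Name $name -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw "$name is not registered as a service" }
$reg = Get-ItemProperty -Path $key
"Status={0}  Start(reg)={1}  DisplayName='{2}'" -f $svc.Status, $reg.Start, $svc.DisplayName

# 1. The executable named in ImagePath must exist (quoted or bare path).
$image = [Environment]::ExpandEnvironmentVariables([string]$reg.ImagePath)
$exe   = if ($image -match '^"([^"]+)"') { $matches[1] } else { $image.Trim() }
"ImagePath={0}  exists={1}" -f $exe, (Test-Path -LiteralPath $exe)

# 2. DisplayName and Description are normally indirect strings, "@<dll>,-<id>".
#    If the DLL cannot be loaded the console shows the raw key name instead of
#    the display name and reports error 1168 (ERROR_NOT_FOUND) for the description.
foreach ($value in 'DisplayName', 'Description') {
    $raw = [string]$reg.$value
    if ($raw -match '^@([^,]+),-\d+$') {
        $dll = [Environment]::ExpandEnvironmentVariables($matches[1])
        "{0}: resource DLL={1}  exists={2}" -f $value, $dll, (Test-Path -LiteralPath $dll)
    } else {
        "{0}: literal '{1}'" -f $value, $raw
    }
}

# 3. Why it stopped: the SCM writes the start/exit outcome to the System log
#    (7000 = failed to start, 7023 = terminated with error, 7024 = service-specific error).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7023, 7024 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Defender|WinDefend' } |
    Select-Object -First 5 TimeCreated, Id, Message | Format-List
```

If either `exists=False` line appears, the service cannot present itself correctly and the missing file is the thing to restore; if the files are all present, the 7023/7024 event message gives the service's own reason for stopping, which is more useful than the generic "started and then stopped" dialog.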



#14 Larusso

Larusso

    Raggamuffin

  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 05 June 2013 - 09:59 AM

Please post the DDS logs first; then I can see what still needs our attention.
regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please btn_donate_SM.gif

#15 ruddyidiot

ruddyidiot
  • Topic Starter

  • Members
  • 36 posts

Posted 05 June 2013 - 11:54 AM

 

I notice that you have a registry cleaner installed (Little Registry Cleaner, CCleaner). Registry cleaners tend to present more problems than they solve, one false positive then more than often it means a re-installation of the operating system. The positive effects of registry cleaners are barely noticeable - if any. I recommend that you uninstall the product to minimize any risk to your system. I have placed a couple of links for you to read below in your own time.
I see you have P2P ( peer to peer ) software installed on your machine ( In your case Vuze ). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here and here.

 

I have taken these two points on board and will be deleting the software shortly.

 

DDS logs to follow





