
Infection, not sure what, numerous issues.


This topic is locked. 52 replies to this topic.

#1 craigchaney


Posted 14 July 2013 - 02:02 PM

Hello BC community,

I've been a fan for years and this is the first time to ask for help, thank you,

Vista Home Basic, SP2, desktop, has been infected with something bad that has corrupted system files and continues to infect. At this point I cannot download anything, as all downloads are reported as a virus and deleted. I cannot complete SFC /scannow; it goes to 96%. I cannot delete or reinstall MSE or Defender; it says that I don't have permission and to contact the administrator. I was running MSE at the time of infection and the virus corrupted the entire file. System Restore points were also deleted. I was able to install AVG Free from a flash drive. I have many repair programs on a flash drive and have run them all: Malwarebytes, Rkill, TDSSKiller, HijackThis, CCleaner, Spybot, ESET Scanner, Microsoft Scanner. I've run HijackThis, but am afraid to fix all. I have made some progress, as I got Security Center functioning again, and these programs have deleted some of the virus files. If I could get a little direction in how to completely get rid of these problems and get downloads, MSE, SFC, etc., all running correctly again, it would be greatly appreciated.

Thank you,

Craig    





#2 HelpBot


Posted 19 July 2013 - 02:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/501086 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 bloopie

    Malware Response Team

Posted 21 July 2013 - 03:20 PM

Hello craigchaney, and welcome to Bleeping Computer! :)

My name is bloopie and I'll be helping you with your problems as best I can!

A few things to keep in mind while we are working together:
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
==========

Please let me know that you are still here and I will be glad to help you! Also, please let me know what version of Windows you are running (XP, Vista, 7, 8), so that I know the best steps for you to take.

==========

If you are unable to download DDS or any other tool, please use a flashdrive from a clean computer so that you can copy over any necessary tools to the infected machine.

I apologize for the delay in response, but now that I am helping you I will be here to the best of my ability so that we can get you straightened out!

bloopie

#4 bloopie


Posted 24 July 2013 - 08:28 AM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie

#5 craigchaney


Posted 24 July 2013 - 06:15 PM

Thank you for the assistance

These posts are not saving. I'm sorry, I posted a reply two days ago.

Yes I still need help

Yes, I still have the original Windows CD that came with the computer.

Vista home basic, sp2, 32 bit

DDS file below. I do not know how to zip up the other one and attach it, I'm sorry:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16496  BrowserJavaVersion: 10.17.2
Run by Craig at 17:59:00 on 2013-07-22
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2039.818 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\AVG\AVG2013\avgemcx.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Users\Craig\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?hl%3Den%26source%3Dnavclient&scc=1&ltmpl=default&ltmplcache=2&hl=en
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=EM&Loc=ENG_US&Sys=DTP&M=T3656
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={3145BD60-EC07-11E2-95C9-001E90396870}
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=EM&Loc=ENG_US&Sys=DTP&M=T3656
uProxyServer = hxxp=127.0.0.1:60182
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\users\craig\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDg2NTk4MDcyLUZQOSs0LUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTTEwRCsxLUZMMTArMS1MSUMrMi1TUDErMS1TUDFUQisxLVNVUCsyLUREVCswLVNUMTBGQVBQKzE"&"prod=90"&"ver=10.0.1392
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://connect.freightquote.com/+CSCOL+/csvrloader32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} - hxxps://connect.freightquote.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {FDEC6ADD-C88F-4F17-96A9-45B86A7B4BFD} - hxxps://connect.freightquote.com/+CSCOL+/csvrmon32.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{7160BCBA-59F5-4840-95A0-0302E856AD40} : DHCPNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-2-8 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-2-8 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-2-8 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-2-8 39224]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-3-29 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-3-1 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-2-8 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-3-21 182072]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 100328]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-11-12 1153368]
S4 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
SUnknown NisSrv;NisSrv; [x]
.
=============== Created Last 30 ================
.
2013-07-13 22:01:59 -------- d-----w- c:\programdata\HitmanPro
2013-07-13 22:00:12 57492 ----a-w- c:\program files\windows defender\en-us\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\3leme4qk\wajam_update[1].exe
2013-07-13 21:59:38 33958 ----a-w- c:\programdata\uninstaller.exe
2013-07-13 21:57:30 632656 ----a-w- c:\windows\system32\msvcr80.dll
2013-07-13 21:57:30 554832 ----a-w- c:\windows\system32\msvcp80.dll
2013-07-13 21:57:30 479232 ----a-w- c:\windows\system32\msvcm80.dll
2013-07-13 21:31:07 -------- d-----w- c:\users\craig\Lang
2013-07-10 22:50:04 -------- d-----w- c:\windows\system32\MRT
2013-07-09 22:41:17 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-07-09 22:41:17 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-07-09 22:41:17 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-07-09 22:41:16 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-07-09 22:41:16 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-07-09 22:41:16 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-07-09 22:41:16 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-07-09 22:41:15 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-07-09 22:41:15 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-07-09 22:41:12 505344 ----a-w- c:\windows\system32\qedit.dll
2013-07-09 22:41:12 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-07-09 22:41:11 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-09 22:38:29 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-07-04 21:17:59 -------- d-----w- c:\program files\ESET
2013-06-30 19:22:29 -------- d--h--w- c:\windows\PIF
2013-06-27 06:14:22 -------- d-----w- c:\users\craig\appdata\roaming\AVG2013
2013-06-27 06:13:49 -------- d-----w- c:\users\craig\appdata\roaming\TuneUp Software
2013-06-27 06:13:17 -------- d--h--w- C:\$AVG
2013-06-27 06:13:17 -------- d-----w- c:\programdata\AVG2013
2013-06-27 06:06:44 -------- d-----w- c:\users\craig\appdata\local\MFAData
2013-06-27 06:06:44 -------- d-----w- c:\users\craig\appdata\local\Avg2013
2013-06-26 03:24:41 -------- d-----w- c:\programdata\7809EF7C01A742730000780977774730
2013-06-26 03:24:00 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e697ee53-27f5-404a-9e0d-e2352dcffff3}\offreg.dll
2013-06-25 21:33:37 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e697ee53-27f5-404a-9e0d-e2352dcffff3}\mpengine.dll
2013-06-24 20:16:42 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2013-06-23 15:25:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-23 15:25:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-19 14:31:04 150416 ----a-w- c:\users\craig\uninst.exe
2013-06-19 14:13:32 3611416 ----a-w- c:\users\craig\CCleaner.exe
2013-05-29 01:50:14 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37:15 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-22 15:21:06 4325376 ----a-w- c:\programdata\ReadOnlyInstaller.msi
2013-05-08 03:40:36 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-08 01:58:22 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-05-02 22:03:36 3603832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-02 22:03:36 3551096 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-02 04:04:25 443904 ----a-w- c:\windows\system32\win32spl.dll
2013-05-02 04:03:42 37376 ----a-w- c:\windows\system32\printcom.dll
2013-04-24 04:00:30 985600 ----a-w- c:\windows\system32\crypt32.dll
2013-04-24 04:00:30 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-04-24 04:00:30 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-04-24 04:00:24 41984 ----a-w- c:\windows\system32\certenc.dll
2013-04-24 01:46:29 812544 ----a-w- c:\windows\system32\certutil.exe
.
============= FINISH: 17:59:38.86 ===============
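
The DDS log above already contains the settings a malware responder looks at before touching anything: UAC turned off (EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0 under HKLM), the Security Center health icon hidden (HideSCAHealth = 1), Internet Explorer proxied through a listener on 127.0.0.1:60182, a hosts-file entry that sends www.spywareinfo.com to 127.0.0.1, a service (NisSrv) whose file DDS could not resolve, and a machine-wide start page set to start.sweetpacks.com. The following script is an added example, not code from the original thread, from DDS, or from the BleepingComputer helpers. It parses the key = value style lines in the format DDS emits and flags exactly those indicators. The sample input is an excerpt of the log posted above; the severities, regular expressions and wording are this example's own assumptions, and it only reads text, it changes nothing on a machine.

```python
"""Triage a DDS "Pseudo HJT Report" for the settings an analyst checks first.

Added example for this thread, not code from DDS or the forum helpers.
Flags: UAC disabled, Security Center icon hidden, proxy on a loopback
listener, hosts-file redirects, services with no resolvable file, and the
machine-wide start page. Severities and regexes are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed sample input: an excerpt of the DDS log posted above.
# DDS writes "hxxp" for "http" so the log cannot be clicked by accident.
SAMPLE_LOG = r"""uStart Page = hxxps://accounts.google.com/ServiceLogin?service=mail
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12
uProxyServer = hxxp=127.0.0.1:60182
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.254
Hosts: 127.0.0.1 www.spywareinfo.com
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
SUnknown NisSrv;NisSrv; [x]
"""

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# DDS prefixes: u = per-user (HKCU) entry, m = machine-wide (HKLM) entry.
POLICY_RE = re.compile(r"^([um])Policies-(\w+):\s*(\w+)\s*=\s*dword:(\d+)\s*$")
PROXY_RE = re.compile(r"^([um])ProxyServer\s*=\s*(.+?)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^(R\d|S\d|SUnknown)\s+([^;]+);([^;]*);(.*)$")
START_RE = re.compile(r"^([um])Start Page\s*=\s*(\S+)")


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def _hive(scope: str) -> str:
    return "HKCU" if scope == "u" else "HKLM"


def triage(text: str) -> List[Finding]:
    """Return findings for one DDS log, most severe first (stable order within a level)."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            scope, section, name, value = m.groups()
            key = f"{_hive(scope)}\\{section}\\{name}"
            if name == "EnableLUA" and value == "0":
                findings.append(Finding("HIGH", key, "UAC is off; an admin user's processes run fully elevated"))
            elif name == "ConsentPromptBehaviorAdmin" and value == "0":
                findings.append(Finding("HIGH", key, "elevation is granted silently, no consent prompt"))
            elif name == "HideSCAHealth" and value == "1":
                findings.append(Finding("MEDIUM", key, "Security Center icon hidden; AV/firewall warnings never reach the user"))
            continue
        m = PROXY_RE.match(line)
        if m:
            scope, proxy = m.groups()
            hostport = proxy.split("=", 1)[-1]  # "hxxp=127.0.0.1:60182" -> "127.0.0.1:60182"
            if hostport.rsplit(":", 1)[0] in ("127.0.0.1", "localhost"):
                findings.append(Finding("HIGH", f"{_hive(scope)} ProxyServer",
                                        f"browser traffic goes through a local listener at {hostport}; find the process bound to that port"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            addr, name = m.groups()
            if name.lower() not in ("localhost", "localhost.localdomain"):
                findings.append(Finding("MEDIUM", "Hosts", f"hosts file maps {name} to {addr} (site blocked or redirected)"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            status, name, _display, rest = m.groups()
            if status == "SUnknown" or rest.strip().endswith("[x]"):
                findings.append(Finding("MEDIUM", f"service {name}",
                                        f"service {name} has no resolvable image file ({rest.strip() or 'no path'})"))
            continue
        m = START_RE.match(line)
        if m and m.group(1) == "m":
            host = urlsplit(m.group(2).replace("hxxp", "http", 1)).hostname
            findings.append(Finding("LOW", "HKLM Start Page", f"machine-wide start page is {host}; confirm the user chose it"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, severity first, for pasting into a reply."""
    return "\n".join(f"[{f.severity:6}] {f.key}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a full DDS.txt with `triage(open("DDS.txt").read())`; the three HIGH findings it produces for this machine (silent elevation, UAC off, loopback proxy) are the ones to resolve before trusting any scanner result, because with EnableLUA = 0 every program the user runs already has full rights and a loopback proxy means something local is sitting between the browser and the network.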
 



#6 bloopie


Posted 24 July 2013 - 07:11 PM

Hello again,
 

Thank you for the assistance

It's my pleasure. :)
 

I do not know how to zip up the other and attach, I'm sorry

No need to zip up the extra file from DDS. In fact, just skip the Attach.txt as we'll be getting another log to be attached below.

 

==========

Now let's get another log from a tool created by Farbar.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. Your version will be the 32-bit version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

To attach the file, just first click the "More Reply Options" button at the bottom of the reply box. Once that's done you should see the "Browse" button under "Attach Files". Click Browse, navigate to the Addition.txt file and then click Attach This File.

 

Let me know if you still have problems with attaching along with posting the FRST.txt log!

 

bloopie


Edited by bloopie, 24 July 2013 - 07:33 PM.
Fixed typo


#7 craigchaney


Posted 25 July 2013 - 06:09 PM

Thank you again for the help!

FRST is pasted below and Addition is attached.

 

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-07-2013
Ran by Craig (administrator) on 25-07-2013 17:55:58
Running from K:\
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgui.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgwdsvc.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgemcx.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgcsrvx.exe
(Microsoft Corporation) C:\Windows\system32\UI0Detect.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Google) C:\Users\Craig\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4408368 2013-04-29] (AVG Technologies CZ, s.r.o.)
HKLM\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDg2NTk4MDcyLUZQOSs0LUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTTEwRCsxLUZMMTArMS1MSUMrMi1TUDErMS1TUDFUQisxLVNVUCsyLUREVCswLVNUMTBGQVBQKzE"&"prod=90"&"ver=10.0.1392 [x]
HKLM\...\RunOnce: [Launcher] - %WINDIR%\SMINST\launcher.exe [40072 2008-01-18] (soft thinks)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Google Update] - C:\Users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-25] (Google Inc.)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-01-28] (Google Inc.)
MountPoints2: {9794aff9-e183-11dd-83a5-001e90396870} - K:\LaunchU3.exe -a
HKU\Default\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [ 2009-04-11] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

ProxyServer: http=127.0.0.1:60182
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?hl%3Den%26source%3Dnavclient&scc=1&ltmpl=default&ltmplcache=2&hl=en
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=EM&Loc=ENG_US&Sys=DTP&M=T3656
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={3145BD60-EC07-11E2-95C9-001E90396870}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=EM&Loc=ENG_US&Sys=DTP&M=T3656
SearchScopes: HKLM - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (Gateway Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://connect.freightquote.com/+CSCOL+/csvrloader32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} https://connect.freightquote.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {FDEC6ADD-C88F-4F17-96A9-45B86A7B4BFD} https://connect.freightquote.com/+CSCOL+/csvrmon32.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

========================== Services (Whitelisted) =================

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-14] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
S4 GameConsoleService; C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe [181800 2007-08-29] (WildTangent, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [88576 2011-09-15] ()
S4 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [167936 2008-03-16] ()
S4 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S4 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2011-08-19] (Logitech Inc.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] ()

==================== Drivers (Whitelisted) ====================

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-03-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [170808 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [245048 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
S3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows ® Win 7 DDK provider)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S0 PxHelp20; System32\Drivers\PxHelp20.sys [x]
S1 qkthsbad; \??\C:\Windows\system32\drivers\qkthsbad.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-25 17:56 - 2013-07-25 17:48 - 01220112 _____ (Farbar) C:\Users\Craig\Desktop\FRST.exe
2013-07-25 17:55 - 2013-07-25 17:55 - 00000000 ____D C:\FRST
2013-07-19 18:12 - 2013-07-22 17:59 - 00014373 _____ C:\Users\Craig\Desktop\dds.txt
2013-07-19 18:12 - 2013-07-22 17:59 - 00011864 _____ C:\Users\Craig\Desktop\attach.txt
2013-07-14 16:01 - 2013-07-25 14:12 - 01608381 _____ C:\Windows\WindowsUpdate.log
2013-07-14 13:05 - 2013-07-14 13:14 - 00000000 ____D C:\Users\Craig\Desktop\backups
2013-07-14 13:03 - 2013-07-14 13:05 - 00035585 _____ C:\Users\Craig\Desktop\hijackthis.log
2013-07-14 12:39 - 2013-07-21 15:51 - 00014638 _____ C:\Windows\PFRO.log
2013-07-14 12:37 - 2013-07-14 12:37 - 00004693 _____ C:\Windows\wininit.ini
2013-07-14 12:32 - 2013-07-14 12:24 - 00388608 _____ (Trend Micro Inc.) C:\Users\Craig\Desktop\HijackThis.exe
2013-07-14 11:32 - 2013-07-14 11:32 - 00005328 _____ C:\Users\Craig\Documents\cc_20130714_113212.reg
2013-07-14 11:22 - 2013-07-04 16:56 - 85323024 _____ (Microsoft Corporation) C:\Users\Craig\Desktop\msert.exe
2013-07-14 10:53 - 2013-06-26 23:43 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Craig\Desktop\tdsskiller.exe
2013-07-14 10:51 - 2013-06-26 23:41 - 01814144 _____ (Bleeping Computer, LLC) C:\Users\Craig\Desktop\iExplore.exe
2013-07-13 17:01 - 2013-07-13 17:02 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-13 17:00 - 2013-07-13 17:01 - 09171472 _____ (SurfRight B.V.) C:\Users\Craig\Downloads\HitmanPro.exe
2013-07-13 16:59 - 2013-07-13 16:59 - 00033958 _____ C:\ProgramData\uninstaller.exe
2013-07-13 16:57 - 2011-05-13 18:17 - 00632656 _____ (Microsoft Corporation) C:\Windows\system32\msvcr80.dll
2013-07-13 16:57 - 2011-05-13 18:17 - 00554832 _____ (Microsoft Corporation) C:\Windows\system32\msvcp80.dll
2013-07-13 16:57 - 2011-05-13 18:17 - 00479232 _____ (Microsoft Corporation) C:\Windows\system32\msvcm80.dll
2013-07-13 16:57 - 2011-05-13 09:59 - 00001870 _____ C:\Windows\system32\Microsoft.VC80.CRT.manifest
2013-07-13 16:35 - 2013-07-13 16:35 - 00001716 _____ C:\Users\Craig\Documents\cc_20130713_163520.reg
2013-07-13 16:34 - 2013-07-13 16:34 - 00252828 _____ C:\Users\Craig\Documents\cc_20130713_163415.reg
2013-07-13 16:31 - 2013-07-13 16:31 - 00000570 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-07-13 16:31 - 2013-07-13 16:31 - 00000000 ____D C:\Users\Craig\Lang
2013-07-12 18:57 - 2013-07-12 18:58 - 00001905 _____ C:\Windows\diagwrn.xml
2013-07-12 18:57 - 2013-07-12 18:58 - 00001905 _____ C:\Windows\diagerr.xml
2013-07-10 17:57 - 2013-07-13 16:58 - 00000000 ____D C:\Users\Craig\AppData\Roaming\Mozilla
2013-07-10 17:50 - 2013-07-10 17:53 - 00000000 ____D C:\Windows\system32\MRT
2013-07-09 17:57 - 2013-05-28 20:56 - 12333568 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-09 17:57 - 2013-05-28 20:50 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-09 17:57 - 2013-05-28 20:48 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-09 17:57 - 2013-05-28 20:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-07-09 17:57 - 2013-05-28 20:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-09 17:57 - 2013-05-28 20:41 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-09 17:57 - 2013-05-28 20:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-07-09 17:57 - 2013-05-28 20:38 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-09 17:57 - 2013-05-28 20:37 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-07-09 17:57 - 2013-05-28 20:36 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-07-09 17:57 - 2013-05-28 20:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-09 17:57 - 2013-05-28 20:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-09 17:57 - 2013-05-28 20:33 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-09 17:57 - 2013-05-28 20:33 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-09 17:57 - 2013-05-28 20:33 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-07-09 17:57 - 2013-05-28 20:29 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-09 17:41 - 2013-06-03 20:50 - 02049024 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-07-09 17:41 - 2013-05-31 23:06 - 00505344 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2013-07-09 17:41 - 2013-05-07 23:04 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-09 17:41 - 2013-04-17 06:28 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2013-07-09 17:41 - 2013-04-17 06:28 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2013-07-09 17:41 - 2013-04-17 06:28 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2013-07-09 17:41 - 2013-04-17 06:28 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2013-07-09 17:41 - 2013-04-17 05:34 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2013-07-09 17:41 - 2013-04-17 05:33 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2013-07-09 17:41 - 2013-04-17 05:14 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2013-07-09 17:41 - 2013-04-17 05:10 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2013-07-09 17:41 - 2013-04-17 05:10 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2013-07-08 09:55 - 2013-07-08 09:55 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-07-08 09:55 - 2013-07-08 09:55 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-07-04 16:17 - 2013-07-04 16:17 - 00000000 ____D C:\Program Files\ESET
2013-07-01 17:56 - 2013-07-01 17:56 - 00001768 _____ C:\Users\Craig\Desktop\Windows Movie Maker.lnk
2013-06-30 14:22 - 2013-06-30 14:22 - 00000000 ___HD C:\Windows\PIF
2013-06-27 01:15 - 2013-07-14 15:50 - 00006438 _____ C:\Users\Craig\Desktop\avgrep.txt
2013-06-27 01:14 - 2013-06-27 01:14 - 00000000 ____D C:\Users\Craig\AppData\Roaming\AVG2013
2013-06-27 01:13 - 2013-07-08 09:55 - 00000853 _____ C:\Users\Public\Desktop\AVG 2013.lnk
2013-06-27 01:13 - 2013-06-27 01:14 - 00000000 ____D C:\ProgramData\AVG2013
2013-06-27 01:13 - 2013-06-27 01:13 - 00000000 ___HD C:\$AVG
2013-06-27 01:13 - 2013-06-27 01:13 - 00000000 ____D C:\Users\Craig\AppData\Roaming\TuneUp Software
2013-06-27 01:06 - 2013-06-27 01:15 - 00000000 ____D C:\Users\Craig\AppData\Local\Avg2013
2013-06-27 01:06 - 2013-06-27 01:06 - 00000000 ____D C:\Users\Craig\AppData\Local\MFAData
2013-06-26 23:52 - 2013-07-14 13:00 - 00021158 _____ C:\Users\Craig\Desktop\Rkill.txt
2013-06-26 22:54 - 2013-07-14 13:22 - 00000680 _____ C:\Users\Craig\AppData\Local\d3d9caps.dat
2013-06-25 22:24 - 2013-06-26 22:35 - 00000000 ____D C:\ProgramData\7809EF7C01A742730000780977774730

==================== One Month Modified Files and Folders =======

2013-07-25 17:56 - 2008-09-15 10:09 - 00000000 ___RD C:\Users\Craig\Desktop
2013-07-25 17:55 - 2013-07-25 17:55 - 00000000 ____D C:\FRST
2013-07-25 17:48 - 2013-07-25 17:56 - 01220112 _____ (Farbar) C:\Users\Craig\Desktop\FRST.exe
2013-07-25 17:34 - 2011-03-24 17:21 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-25 17:28 - 2010-10-27 10:10 - 00000000 ____D C:\ProgramData\MFAData
2013-07-25 17:10 - 2011-11-12 17:13 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3233499728-556423929-4120436658-1000UA.job
2013-07-25 16:50 - 2006-11-02 07:45 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-25 16:50 - 2006-11-02 07:45 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-25 14:12 - 2013-07-14 16:01 - 01608381 _____ C:\Windows\WindowsUpdate.log
2013-07-24 18:33 - 2011-03-24 17:21 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-24 18:10 - 2011-11-12 17:13 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3233499728-556423929-4120436658-1000Core.job
2013-07-24 16:57 - 2006-11-02 05:33 - 00707520 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-24 16:50 - 2006-11-02 07:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-23 23:27 - 2006-11-02 07:58 - 00032590 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-22 17:59 - 2013-07-19 18:12 - 00014373 _____ C:\Users\Craig\Desktop\dds.txt
2013-07-22 17:59 - 2013-07-19 18:12 - 00011864 _____ C:\Users\Craig\Desktop\attach.txt
2013-07-21 15:51 - 2013-07-14 12:39 - 00014638 _____ C:\Windows\PFRO.log
2013-07-21 00:15 - 2011-07-15 17:06 - 00000043 _____ C:\Windows\hpfccopy.INI
2013-07-14 15:50 - 2013-06-27 01:15 - 00006438 _____ C:\Users\Craig\Desktop\avgrep.txt
2013-07-14 13:22 - 2013-06-26 22:54 - 00000680 _____ C:\Users\Craig\AppData\Local\d3d9caps.dat
2013-07-14 13:14 - 2013-07-14 13:05 - 00000000 ____D C:\Users\Craig\Desktop\backups
2013-07-14 13:10 - 2011-11-12 17:50 - 00002243 _____ C:\Windows\epplauncher.mif
2013-07-14 13:05 - 2013-07-14 13:03 - 00035585 _____ C:\Users\Craig\Desktop\hijackthis.log
2013-07-14 13:00 - 2013-06-26 23:52 - 00021158 _____ C:\Users\Craig\Desktop\Rkill.txt
2013-07-14 12:37 - 2013-07-14 12:37 - 00004693 _____ C:\Windows\wininit.ini
2013-07-14 12:24 - 2013-07-14 12:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Craig\Desktop\HijackThis.exe
2013-07-14 11:57 - 2011-11-12 19:05 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-07-14 11:32 - 2013-07-14 11:32 - 00005328 _____ C:\Users\Craig\Documents\cc_20130714_113212.reg
2013-07-14 11:04 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Globalization
2013-07-13 17:02 - 2013-07-13 17:01 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-13 17:01 - 2013-07-13 17:00 - 09171472 _____ (SurfRight B.V.) C:\Users\Craig\Downloads\HitmanPro.exe
2013-07-13 16:59 - 2013-07-13 16:59 - 00033958 _____ C:\ProgramData\uninstaller.exe
2013-07-13 16:58 - 2013-07-10 17:57 - 00000000 ____D C:\Users\Craig\AppData\Roaming\Mozilla
2013-07-13 16:54 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Resources
2013-07-13 16:35 - 2013-07-13 16:35 - 00001716 _____ C:\Users\Craig\Documents\cc_20130713_163520.reg
2013-07-13 16:34 - 2013-07-13 16:34 - 00252828 _____ C:\Users\Craig\Documents\cc_20130713_163415.reg
2013-07-13 16:33 - 2006-11-02 06:18 - 00000000 __RHD C:\Users\Public\Desktop
2013-07-13 16:32 - 2008-02-05 00:09 - 00000000 ____D C:\Windows\Panther
2013-07-13 16:31 - 2013-07-13 16:31 - 00000570 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-07-13 16:31 - 2013-07-13 16:31 - 00000000 ____D C:\Users\Craig\Lang
2013-07-13 16:31 - 2008-09-15 10:08 - 00000000 ____D C:\Users\Craig
2013-07-13 15:17 - 2006-11-02 05:23 - 00000244 _____ C:\Windows\win.ini
2013-07-12 18:58 - 2013-07-12 18:57 - 00001905 _____ C:\Windows\diagwrn.xml
2013-07-12 18:58 - 2013-07-12 18:57 - 00001905 _____ C:\Windows\diagerr.xml
2013-07-12 18:57 - 2008-09-25 18:00 - 00008192 _____ C:\Users\Craig\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-10 19:08 - 2013-01-19 14:37 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-07-10 17:53 - 2013-07-10 17:50 - 00000000 ____D C:\Windows\system32\MRT
2013-07-09 18:45 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-07-09 18:22 - 2006-11-02 07:44 - 00387560 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-09 18:20 - 2010-05-12 11:22 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-09 18:17 - 2006-11-02 07:35 - 00000000 ____D C:\Windows\system32\XPSViewer
2013-07-09 18:06 - 2008-05-05 14:47 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-08 09:55 - 2013-07-08 09:55 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-07-08 09:55 - 2013-07-08 09:55 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-07-08 09:55 - 2013-06-27 01:13 - 00000853 _____ C:\Users\Public\Desktop\AVG 2013.lnk
2013-07-04 16:56 - 2013-07-14 11:22 - 85323024 _____ (Microsoft Corporation) C:\Users\Craig\Desktop\msert.exe
2013-07-04 16:17 - 2013-07-04 16:17 - 00000000 ____D C:\Program Files\ESET
2013-07-01 17:56 - 2013-07-01 17:56 - 00001768 _____ C:\Users\Craig\Desktop\Windows Movie Maker.lnk
2013-06-30 14:22 - 2013-06-30 14:22 - 00000000 ___HD C:\Windows\PIF
2013-06-27 01:15 - 2013-06-27 01:06 - 00000000 ____D C:\Users\Craig\AppData\Local\Avg2013
2013-06-27 01:14 - 2013-06-27 01:14 - 00000000 ____D C:\Users\Craig\AppData\Roaming\AVG2013
2013-06-27 01:14 - 2013-06-27 01:13 - 00000000 ____D C:\ProgramData\AVG2013
2013-06-27 01:13 - 2013-06-27 01:13 - 00000000 ___HD C:\$AVG
2013-06-27 01:13 - 2013-06-27 01:13 - 00000000 ____D C:\Users\Craig\AppData\Roaming\TuneUp Software
2013-06-27 01:12 - 2010-01-22 13:33 - 00000000 ____D C:\Program Files\AVG
2013-06-27 01:06 - 2013-06-27 01:06 - 00000000 ____D C:\Users\Craig\AppData\Local\MFAData
2013-06-26 23:56 - 2012-06-17 17:06 - 00000671 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-26 23:56 - 2010-01-22 14:17 - 00000000 ____D C:\Malwarebytes' Anti-Malware
2013-06-26 23:43 - 2013-07-14 10:53 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Craig\Desktop\tdsskiller.exe
2013-06-26 23:41 - 2013-07-14 10:51 - 01814144 _____ (Bleeping Computer, LLC) C:\Users\Craig\Desktop\iExplore.exe
2013-06-26 23:14 - 2006-11-02 05:23 - 00449823 ____R C:\Windows\system32\Drivers\etc\hosts.20130712-190020.backup
2013-06-26 22:35 - 2013-06-25 22:24 - 00000000 ____D C:\ProgramData\7809EF7C01A742730000780977774730

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d620f31cc2c13a594f1c959ee09296a0

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d620f31cc2c13a594f1c959ee09296a0

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3233499728-556423929-4120436658-1000\$d620f31cc2c13a594f1c959ee09296a0

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d620f31cc2c13a594f1c959ee09296a0

Files to move or delete:
====================
C:\ProgramData\uninstaller.exe
C:\Users\Craig\CCleaner.exe
C:\Users\Craig\GoToAssistDownloadHelper.exe
C:\Users\Craig\uninst.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

LastRegBack: 2013-07-25 17:06

==================== End Of Log ============================

 




#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 25 July 2013 - 06:24 PM

Hello again,
 

thank you again for the help!

It's my pleasure! :)

 

==========

I'm going to be mobile for most of the evening and may not get back to you until tomorrow...but in the meantime, I must issue you a warning.

Warning!

Your machine is severely infected with a rootkit called ZeroAccess!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
 
If you'd like to continue with the cleaning process, I will be back tomorrow with the next steps!

bloopie



#9 craigchaney

craigchaney
  • Topic Starter

  • Members
  • 27 posts

Posted 25 July 2013 - 06:42 PM

Ok, yes, let's proceed. We do not do any banking from this computer; I'll delete all other sensitive information on it. Please let me know what is next.

Why is MSE not able to catch that virus? How did it get on the computer?

thanks



#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 25 July 2013 - 11:13 PM

Hello again,
 
Okay, we will proceed. But we must take this slowly and methodically, for very good reason! Please do not run any tools on this machine without my instruction to do so!
 

Why is MSE not able to catch that virus? How did it get on the computer?

You are infected with a fairly new variant of a nasty rootkit. Even the best antivirus companies in the world would likely still not catch it.
 
It is hard to tell exactly how it got on your computer. It could have been a number of ways...an exploit kit, outdated software, user error...etc. For instance, your Java is out of date (Java is a very big target for exploit kits), and you have more than one older version still installed. That could have easily been exploited by a kit that you unknowingly had running from any hacked website you may have visited.
 
Not only that, but you have two antivirus programs running simultaneously. That's a big no-no also. You should only have one AV program running at a time (no more and no less), but please do not do anything to MSE right now!!! We will take care of it in due time.
 
This rootkit variant has deeply involved MSE so you probably wouldn't be able to remove it if you tried. We must take this a couple of steps at a time.
 
====================
 
We will begin with a FRST fixlist:

Step :step1:

Download the attached file fixlist.txt and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

==========

Please post me the Fixlog.txt from your desktop in your next reply.

Once we've verified the fix worked as it should, we will run another fixlist to take care of the other part of the infection.

Let me know if you had any trouble with the above!

bloopie


Edited by bloopie, 26 July 2013 - 05:21 PM.


#11 craigchaney

craigchaney
  • Topic Starter

  • Members
  • 27 posts

Posted 26 July 2013 - 03:24 PM

Would I be better off to reformat and reinstall the OS, or is that much more difficult than cleaning? I do have the CD that came with this computer. If we were to reformat and re-install, would my router and my modem plug and play immediately, or would I have to completely re-install and reconfigure them to be able to get online? It has just been a long time since I did that. Couple of other things: I am not able to download anything, as all downloads say that they are a virus and are deleted before downloading, so all of these tools that you have me using I have been downloading from a different computer onto a thumb drive. Also, I have never used two AV programs at the same time, I know that they can conflict. I was running MSE at the time that I was hit and of course it completely corrupted MSE; I couldn't run it, delete it or re-install it, so I downloaded AVG so that I'd at least have something, but that's why you see two AV programs. I have deleted all sensitive info off of the computer, including tax returns, and have most all photos backed up on an external hard drive; we have never done online banking from this computer. I know what happened: my wife clicked on the bogus Java update and that's when the exploit happened. I have the disk that came with the computer, or do you think that you could clean this one? I'll proceed with your previous post for now.

Thanks again for all of your help.   


Edited by craigchaney, 26 July 2013 - 03:28 PM.


#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 26 July 2013 - 05:34 PM

Hello again,
 
About reformatting, ultimately the choice is yours. It's certainly easier to reformat and reinstall, but we should still continue with the cleaning process just to make sure you don't back up any infected files.
 
I can help you to clean this infection. Don't worry, I'll stay with you until the end. In some cases reformatting is the only option. But as long as we clear the infection, and even if your services are completely damaged, we could still continue to fix the machine back to normal...or we could abandon the tedious services repair and still go for a reformat. I think that is our best choice.
 
==========
 
Please take note: I have edited my fixlist.txt in the previous post, so make sure you use the new one before proceeding.

Let's get the infection neutralized first, then we can talk about reformatting if you'd like. :wink:
 
bloopie

#13 craigchaney

craigchaney
  • Topic Starter

  • Members
  • 27 posts

Posted 26 July 2013 - 09:06 PM

Excellent, here is the Fixlog, let me know the next step, and once again, thank you

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-07-2013
Ran by Craig at 2013-07-26 20:55:26 Run:1
Running from K:\
Boot Mode: Normal

==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9794aff9-e183-11dd-83a5-001e90396870} => Key deleted successfully.
HKCR\CLSID\{9794aff9-e183-11dd-83a5-001e90396870} => Key not found.
qkthsbad => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-18\$d620f31cc2c13a594f1c959ee09296a0 => Directory moved successfully.
C:\$Recycle.Bin\S-1-5-21-3233499728-556423929-4120436658-1000\$d620f31cc2c13a594f1c959ee09296a0 => Directory moved successfully.
C:\ProgramData\uninstaller.exe => Moved successfully.
C:\Users\Craig\CCleaner.exe => Moved successfully.
C:\Users\Craig\GoToAssistDownloadHelper.exe => Moved successfully.
C:\Users\Craig\uninst.exe => Moved successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

==== End of Fixlog ====



#14 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 27 July 2013 - 09:20 AM

Hello again,
 
Good work! :)
 
Okay, now we'll run another fixlist to remove the symbolic links set by the malware. After that, we'll check the conditions of the services:

Step :step1:

Download the attached file fixlist.txt and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

==========

Step :step2:

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

==========

In your next reply, please include both requested logs, and let me know how the machine is running now!

bloopie



#15 craigchaney

craigchaney
  • Topic Starter

  • Members
  • 27 posts

Posted 27 July 2013 - 06:57 PM

Excellent, thank you. On this FRST run it DID ask for a restart, which I did. I hope that I let it run long enough after it started up.

Also, I'm not sure if the Fixlist is correct. I couldn't find the Fixlog after I restarted after running FRST this time; let me know if I need to do something different.

thanks again

 

 

Fixlist:

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
MountPoints2: {9794aff9-e183-11dd-83a5-001e90396870} - K:\LaunchU3.exe -a
S1 qkthsbad; \??\C:\Windows\system32\drivers\qkthsbad.sys [x]
C:\$Recycle.Bin\S-1-5-18\$d620f31cc2c13a594f1c959ee09296a0
C:\$Recycle.Bin\S-1-5-21-3233499728-556423929-4120436658-1000\$d620f31cc2c13a594f1c959ee09296a0
C:\ProgramData\uninstaller.exe
C:\Users\Craig\CCleaner.exe
C:\Users\Craig\GoToAssistDownloadHelper.exe
C:\Users\Craig\uninst.exe
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

 

FSS Log:

Farbar Service Scanner Version: 26-07-2013
Ran by Craig (administrator) on 27-07-2013 at 18:54:07
Running from "K:\"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


Edited by craigchaney, 27 July 2013 - 07:03 PM.
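As an added example (not part of this thread, and not code from FRST or FSS), here is a read-only PowerShell triage script that re-checks the three conditions the logs in this thread flag: reparse points inside the two security product folders FRST marked as ZeroAccess, the disabled WinDefend service and DisableAntiSpyware policy shown in the FSS log, and the Winsock Catalog5 LibraryPath entries the fixlist repaired. It assumes an elevated PowerShell prompt on the affected machine; the paths and expected values are taken from the logs above.

```powershell
# Added triage script (not from the thread, FRST or FSS). Read-only: it reports
# findings and changes nothing. Run from an elevated PowerShell prompt.
# Paths and expected values are the ones shown in the FRST/FSS logs above.

$Findings = @()

# 1. Reparse points (junctions/symbolic links) in the two folders FRST marked
#    "ATTENTION: ZeroAccess". A legitimate install contains none.
$SecurityDirs = @(
    'C:\Program Files\Windows Defender',
    'C:\Program Files\Microsoft Security Client'
)
foreach ($Dir in $SecurityDirs) {
    if (-not (Test-Path -LiteralPath $Dir)) { continue }
    # check the folder itself as well as everything below it
    $Items = @(Get-Item -LiteralPath $Dir -Force) +
             @(Get-ChildItem -LiteralPath $Dir -Force -Recurse -ErrorAction SilentlyContinue)
    foreach ($Item in $Items) {
        if (($Item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $Findings += "Reparse point: $($Item.FullName)"
        }
    }
}

# 2. Windows Defender service start type and disable policy, as reported by FSS
#    (start type Disabled instead of Auto, DisableAntiSpyware=1).
$Svc = Get-WmiObject Win32_Service -Filter "Name='WinDefend'"
if ($Svc -and $Svc.StartMode -ne 'Auto') {
    $Findings += "WinDefend start type is $($Svc.StartMode) (default: Auto)"
}
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$Policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if ($Policy -and $Policy.DisableAntiSpyware -eq 1) {
    $Findings += "DisableAntiSpyware=1 under $PolicyKey"
}

# 3. Winsock namespace catalog (Catalog5) LibraryPath values. FRST expected
#    entry 1 -> NLAapi.dll and entry 5 -> mswsock.dll; on this machine both
#    had been pointed at a bare "mswsock.dll" that could not be found.
$Catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
$Expected = @{
    '000000000001' = '%SystemRoot%\system32\NLAapi.dll'
    '000000000005' = '%SystemRoot%\System32\mswsock.dll'
}
foreach ($Entry in $Expected.Keys) {
    $ExpectedPath = [Environment]::ExpandEnvironmentVariables($Expected[$Entry])
    $Props = Get-ItemProperty -Path (Join-Path $Catalog $Entry) -ErrorAction SilentlyContinue
    $Actual = if ($Props) { [string]$Props.LibraryPath } else { '' }
    # expand %SystemRoot% on both sides; string comparison is case-insensitive
    $ActualPath = [Environment]::ExpandEnvironmentVariables($Actual)
    if ($Actual -eq '') {
        $Findings += "Catalog5 entry $Entry is missing or has no LibraryPath"
    } elseif ($ActualPath -ne $ExpectedPath) {
        $Findings += "Catalog5 entry $Entry LibraryPath is '$Actual', expected '$($Expected[$Entry])'"
    } elseif (-not (Test-Path -LiteralPath $ActualPath)) {
        $Findings += "Catalog5 entry $Entry LibraryPath '$ActualPath' does not exist on disk"
    }
}

if ($Findings.Count -eq 0) {
    'No ZeroAccess-style tampering found in the checked locations.'
} else {
    $Findings
}
```

An empty result after the two fixlists have run is what you would expect to see; any line it prints names the exact location that still needs attention.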




