
Infected with ZeroAccess rootkit


  • This topic is locked
26 replies to this topic

#1 Dominicana

Dominicana

  • Members
  • 27 posts
  • Gender:Female
  • Location:South Carolina

Posted 27 July 2013 - 11:50 AM

Thank you to Broni, who had me download software and post logs, which he read; that helped in identifying my problem - I appreciate it!

 

He determined that I am infected with ZeroAccess rootkit, and had me download DDS (here is the link to my previous topic and all the steps I followed).

 

This is the DDS.txt log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16447  BrowserJavaVersion: 10.25.2
Run by user at 12:34:56 on 2013-07-27
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3062.1538 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uProxyOverride = 192.168.*.*;*.local
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: NCO 2.0 IE BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\common files\symantec shared\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Print Clips: {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Show Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [hpqSRMon] <no file>
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_5_502_135_ActiveX.exe -update activex
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{7EE3A4D6-1D92-47B8-B3DF-71E84F16793D} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.72\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\xoqgps87.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.easylifeapp.com/?pid=34&abc=ff1&r=2013/02/11&hid=1669417642&lg=EN&cc=US&l=1&q=
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.easylifeapp.com/?pid=34&abc=ff1&r=2013/02/11&hid=1669417642&lg=EN&cc=US&l=1&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.14\npapicomadapter.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mapsgalaxy_39ei\installr\1.bin\NP39EISb.dll
FF - plugin: c:\program files\mcafee security scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\4\NP_wtapp.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8uVMVp23&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 784e5bf3000000000000001f3c5de300
FF - user.js: extensions.incredibar_i.instlDay - 15495
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1421:41:47
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6R8uVMVp23
FF - user.js: extensions.incredibar_i.upn2n - 92824474740014459
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10650
FF - user.js: extensions.incredibar_i.ppd - 20%5F6
.
============= SERVICES / DRIVERS ===============
.
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20110826.001\IDSvix86.sys [2011-8-28 287792]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-1-27 226624]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
.
=============== Created Last 30 ================
.
2013-07-25 06:14:04    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-25 04:32:52    --------    d-----w-    c:\users\user\appdata\roaming\Malwarebytes
2013-07-25 04:32:39    --------    d-----w-    c:\programdata\Malwarebytes
2013-07-25 04:32:37    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-25 04:32:37    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-22 17:55:21    --------    d-----w-    c:\programdata\TomTom
2013-07-22 17:55:19    --------    d-----w-    c:\users\user\appdata\roaming\TomTom
2013-07-22 17:55:19    --------    d-----w-    c:\users\user\appdata\local\TomTom
2013-07-22 17:52:59    --------    d-----w-    c:\program files\TomTom HOME 2
2013-07-22 17:50:35    --------    d-----w-    c:\program files\TomTom International B.V
2013-07-16 19:06:02    26840    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2013-07-16 19:04:29    --------    d-----w-    c:\program files\iPod
2013-07-16 19:04:28    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-07-16 19:04:22    --------    d-----w-    c:\program files\iTunes
2013-07-16 18:43:55    --------    d-----w-    c:\program files\Bonjour
2013-07-16 16:47:18    3584    ----a-r-    c:\users\user\appdata\roaming\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe
2013-07-16 16:47:17    --------    d-----w-    c:\program files\Windows Installer Clean Up
2013-07-16 16:46:50    --------    d-----w-    c:\program files\MSECACHE
2013-07-12 04:02:00    --------    d-----w-    c:\program files\common files\Oberon Media
2013-07-12 04:00:31    --------    d-----w-    c:\program files\GamesBar
2013-07-12 04:00:10    --------    d-----w-    c:\programdata\Oberon Media
2013-07-11 19:51:33    --------    d-----w-    c:\program files\Search Core Systems
2013-07-10 21:41:24    --------    d-----w-    c:\users\user\appdata\roaming\Leawo
.
==================== Find3M  ====================
.
2013-06-25 20:19:26    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-25 20:19:22    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-25 20:19:22    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-12 02:39:04    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 02:39:04    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 12:35:59.61 ===============
 

 

I have attached the attach.txt log as well.
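As an added example, not from this thread or from the DDS tool itself: a small Python triage pass over the line shapes the DDS log above uses (uRun/mRun entries, TB toolbar entries, FF prefs.js and user.js entries). It flags autoruns whose file is gone, toolbars registered with no DLL, search or home-page URLs pointing at hosts outside an expected set, and third-party extension preferences pushed through user.js. The expected-host set and the sample excerpt are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed excerpt in the DDS "Pseudo HJT Report" / FIREFOX line format.
# DDS defangs URLs as hxxp://; the lines mirror the shapes in the log above.
SAMPLE_DDS = r"""
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [hpqSRMon] <no file>
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
FF - prefs.js: browser.search.defaulturl - hxxp://search.easylifeapp.com/?pid=34&abc=ff1&q=
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.easylifeapp.com/?pid=34&abc=ff1&q=
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8uVMVp23&loc=IB_TB
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
"""

# Constructed allow-list: hosts the owner/OEM is known to have set as home or
# search page. Anything else that shows up in a browser setting gets reported.
EXPECTED_HOSTS = {"ie.redirect.hp.com"}

# uRun / mRun / dRunOnce / mRunOnce: "<prefix>Run[Once]: [name] target"
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# TB entry whose CLSID is followed by "-" and nothing else: toolbar with no DLL on disk
TOOLBAR_RE = re.compile(r"^TB: (?P<name>.+?): \{[0-9A-Fa-f-]{36}\} -\s*$")
# user.js preferences written under extensions.<extension-id>.*
USERJS_RE = re.compile(r"^FF - user\.js: extensions\.(?P<ext>[^.]+)\.")
DEFANGED_URL_RE = re.compile(r"hxxps?://\S+")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def refang(url: str) -> str:
    """Turn DDS's hxxp:// defanging back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url)


def host_of(defanged_url: str) -> Optional[str]:
    """Lower-cased host of a defanged URL, or None when there is no host (e.g. about:home)."""
    return urlsplit(refang(defanged_url)).hostname


def triage(dds_text: str, expected_hosts=EXPECTED_HOSTS) -> List[Finding]:
    """Walk a DDS log and return the entries a reviewer would look at first."""
    findings: List[Finding] = []
    ext_prefs: Counter = Counter()
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m and m.group("target").strip() == "<no file>":
            # Autorun whose binary is gone: leftover of an uninstall, or of a removal.
            findings.append(Finding("orphaned-autorun", m.group("name")))
        m = TOOLBAR_RE.match(line)
        if m:
            findings.append(Finding("toolbar-no-file", m.group("name")))
        m = USERJS_RE.match(line)
        if m:
            ext_prefs[m.group("ext")] += 1
        for url in DEFANGED_URL_RE.findall(line):
            host = host_of(url)
            if host and host not in expected_hosts:
                # Home page, default search or keyword URL redirected off the expected host.
                findings.append(Finding("unexpected-search-host", host))
    for ext, n in ext_prefs.items():
        findings.append(Finding("third-party-extension-prefs", f"{ext} ({n} user.js entries)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:28} {f.detail}")
```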


 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 July 2013 - 06:49 PM

Hello,

Please run the following:

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:South Carolina

Posted 27 July 2013 - 09:27 PM


I'm getting an error message when I hit the 'fix' button. It says 'No fixlist.txt found. The fixlist.txt should be made and saved in the same directory the tool is located.' I saved the program to my desktop, so what does this mean?
 
Also, there was no link in the response, so I had to go to downloads and search for it.

Edited by CatByte, 28 July 2013 - 06:13 PM.


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 July 2013 - 08:07 AM

My apologies,

please disregard my previous post.

Please do the following instead:


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#5 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:South Carolina

Posted 28 July 2013 - 12:55 PM


Here is the frst.txt log:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-07-2013
Ran by user (administrator) on 28-07-2013 13:53:03
Running from C:\Users\user\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(LeapFrog Enterprises, Inc.) C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
() C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(TomTom) C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
() C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
(Microsoft Corporation) C:\Windows\system32\schtasks.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Motorola Inc.) C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(LeapFrog Enterprises, Inc.) C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
() C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(TomTom) C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Symantec Corporation) c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Hewlett-Packard) c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
(Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SMSERIAL] - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [634880 2007-01-17] (Motorola Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7539232 2009-06-09] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2007-12-19] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2007-09-19] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] - C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554320 2007-09-04] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [UCam_Menu] - C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2007-08-17] (CyberLink Corp.)
HKLM\...\Run: [ccApp] - c:\Program Files\Common Files\Symantec Shared\ccApp.exe [51048 2008-10-17] (Symantec Corporation)
HKLM\...\Run: [hpqSRMon] -  [x]
HKLM\...\Run: [HP Health Check Scheduler] - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-09-13] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [311296 2007-01-08] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [Monitor] - C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-28] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKCU\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [455968 2007-08-23] (Hewlett-Packard Company)
HKCU\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [2153472 2009-04-11] (Microsoft Corporation)
HKCU\...\Run: [HPAdvisor] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1783136 2007-10-01] (Hewlett-Packard)
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-06-26] (Google Inc.)
HKCU\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [248208 2013-03-22] (TomTom)
MountPoints2: {e5f96db4-2f4f-11e1-9bb2-001e68783d60} - I:\setup.exe -a
MountPoints2: {ec72cb50-6e17-11e0-ac89-806e6f6e6963} - E:\eFilmLite\eFilmLt.exe
MountPoints2: {ec72cc16-6e17-11e0-ac89-001e68783d60} - G:\LaunchU3.exe -a
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-10-01] (Hewlett-Packard)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-10-01] (Hewlett-Packard)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&abc=ie&pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
SearchScopes: HKLM - {7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM - {98C5ECE9-8E95-48C4-B2AA-8202E3547581} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&abc=ie&pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
SearchScopes: HKCU - {105E99FF-8B9A-4492-B155-06194B9056D2} URL = http://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKCU - {7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {9044337E-CE41-48B1-8E9C-60EA2666DFFF} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=w3i&hsimp=yhs-geneiotransfer&type=W3i_IA,206,0_0,StartPage,20120102,18482,0,0,6434&p={searchTerms}
SearchScopes: HKCU - {98C5ECE9-8E95-48C4-B2AA-8202E3547581} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6R8uVMVp23&i=26
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: No Name - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (Symantec Corporation)
BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xoqgps87.default
FF user.js: detected! => C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xoqgps87.default\user.js
FF Homepage: about:home
FF Keyword.URL: hxxp://search.easylifeapp.com/?pid=34&abc=ff1&r=2013/02/11&hid=1669417642&lg=EN&cc=US&l=1&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @ei.MapsGalaxy_39.com/Plugin - C:\Program Files\MapsGalaxy_39EI\Installr\1.bin\NP39EISB.dll (MapsGalaxy)
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @oberon-media.com/ONCAdapter - C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.14\npapicomadapter.dll (Oberon-Media )
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @viewpoint.com/VMP - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF Plugin: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll ()
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\user\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
FF Extension: TheBflix - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xoqgps87.default\Extensions\4fcc132e30c78@4fcc132e30cb2.info
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] C:\Program Files\Web Assistant\Firefox
FF HKLM\...\Firefox\Extensions: [lesstabs@lesstabs.com] C:\Program Files\Mozilla Firefox\extensions\lesstabs@lesstabs.com

Chrome:
=======
CHR HomePage: hxxp://search.easylifeapp.com/?pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
CHR RestoreOnStartup: "hxxp://search.easylifeapp.com/?pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US"
CHR DefaultSearchURL: (EasyLife) - http://search.easylifeapp.com/?q={searchTerms}&abc=1&pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
CHR DefaultSuggestURL: (EasyLife) - none
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (ADDICT-THING) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\henoddjbammmapdfiicfgnolhmliaeki\1.0_0
CHR Extension: (TheBflix) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioigpbbefinmomapmghjgfaileiindec\5.1_0
CHR Extension: (DivX Plus Web Player HTML5 \u003Cvideo\u003E) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx
CHR HKLM\...\Chrome\Extension: [henoddjbammmapdfiicfgnolhmliaeki] - C:\ProgramData\ADDICT-THING\henoddjbammmapdfiicfgnolhmliaeki.crx
CHR HKLM\...\Chrome\Extension: [ioigpbbefinmomapmghjgfaileiindec] - C:\ProgramData\TheBflix\ioigpbbefinmomapmghjgfaileiindec.crx
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx

========================== Services (Whitelisted) =================

R2 Automatic LiveUpdate Scheduler; c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [243064 2007-08-31] (Symantec Corporation)
R2 ccEvtMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 ccSetMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S2 CLTNetCnService; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
S3 comHost; c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [55640 2007-08-22] (Symantec Corporation)
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-16] (Hewlett-Packard)
S3 LiveUpdate; c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [3192184 2007-08-23] (Symantec Corporation)
S2 LiveUpdate Notice; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [226624 2011-01-27] ()
R2 QPCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [271760 2007-12-19] ()
R2 QPSched; C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [112016 2007-12-19] ()
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
R3 Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [1251720 2011-06-26] ()

==================== Drivers (Whitelisted) ====================

S3 COH_Mon; C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-30] (Symantec Corporation)
R2 CO_Mon; C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-08-08] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [374392 2011-07-31] (Symantec Corporation)
U3 EraserUtilDrv11113; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [105592 2011-08-08] (Symantec Corporation)
R3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
R1 IDSvix86; C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys [287792 2098-01-01] (Symantec Corporation)
R3 KMWDFILTER; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [17408 2008-10-09] (Windows ® Codename Longhorn DDK provider)
S3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [42752 2009-05-08] (Motorola Inc)
R3 NAVENG; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVENG.SYS [86136 2011-08-08] (Symantec Corporation)
R3 NAVEX15; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVEX15.SYS [1576312 2011-08-08] (Symantec Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2009-03-17] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2007-11-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2007-11-30] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2007-11-30] (Symantec Corporation)
R3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2011-06-26] (Symantec Corporation)
R3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)
R3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)
S0 bwleyutf; System32\drivers\dlafctb.sys [x]
U1 eabfiltr;
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]
U3 mbr; \??\C:\Users\user\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-28 13:51 - 2013-07-28 13:51 - 01221130 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2013-07-27 22:23 - 2013-07-27 22:23 - 00000000 ____D C:\FRST
2013-07-27 12:37 - 2013-07-27 12:41 - 00017235 _____ C:\Users\user\Desktop\dds.txt
2013-07-27 12:37 - 2013-07-27 12:41 - 00009038 _____ C:\Users\user\Desktop\attach.txt
2013-07-27 12:33 - 2013-07-27 12:33 - 00688992 ____R (Swearware) C:\Users\user\Desktop\dds.com
2013-07-25 02:21 - 2013-07-25 02:22 - 00006138 _____ C:\Users\user\Desktop\Rkill.txt
2013-07-25 02:20 - 2013-07-25 02:20 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.exe
2013-07-25 02:14 - 2013-07-25 02:18 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-25 02:13 - 2013-07-25 02:13 - 00000000 ____D C:\Users\user\Desktop\mbar-1.06.0.1004
2013-07-25 00:32 - 2013-07-25 00:32 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-25 00:32 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-07-24 23:59 - 2013-07-24 23:59 - 00026561 _____ C:\Users\user\Desktop\Result.txt
2013-07-24 23:58 - 2013-07-24 23:58 - 00760937 _____ (Farbar) C:\Users\user\Desktop\MiniToolBox.exe
2013-07-24 23:54 - 2013-07-24 23:57 - 00005897 _____ C:\Users\user\Desktop\FSS.txt
2013-07-24 23:53 - 2013-07-24 23:53 - 00357077 _____ (Farbar) C:\Users\user\Desktop\FSS.exe
2013-07-24 23:39 - 2013-07-24 23:39 - 00891098 _____ C:\Users\user\Desktop\SecurityCheck.exe
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\Documents\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Roaming\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Local\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\ProgramData\TomTom
2013-07-22 13:52 - 2013-07-22 13:53 - 00000000 ____D C:\Program Files\TomTom HOME 2
2013-07-22 13:50 - 2013-07-22 13:50 - 00000000 ____D C:\Program Files\TomTom International B.V
2013-07-22 13:46 - 2013-07-22 13:48 - 30898008 _____ C:\Users\user\Desktop\TomTomHOME2winlatest.exe
2013-07-16 15:06 - 2013-07-16 15:06 - 00001664 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-07-16 15:06 - 2012-08-21 13:01 - 00026840 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2013-07-16 15:04 - 2013-07-16 15:05 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-07-16 15:04 - 2013-07-16 15:05 - 00000000 ____D C:\Program Files\iTunes
2013-07-16 15:04 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\iPod
2013-07-16 14:46 - 2013-07-16 14:46 - 00000000 ____D C:\Program Files\Apple Software Update
2013-07-16 14:43 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-07-16 14:43 - 2013-07-16 14:43 - 00000000 ____D C:\Program Files\Bonjour
2013-07-16 12:47 - 2013-07-16 12:47 - 00002407 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
2013-07-16 12:47 - 2013-07-16 12:47 - 00000000 ____D C:\Program Files\Windows Installer Clean Up
2013-07-16 12:46 - 2013-07-16 12:46 - 00359656 _____ (Microsoft Corporation) C:\Users\user\Desktop\msicuu2.exe
2013-07-16 12:46 - 2013-07-16 12:46 - 00000000 ____D C:\Program Files\MSECACHE
2013-07-16 11:12 - 2013-07-16 11:12 - 00142776 _____ C:\Windows\Minidump\Mini071613-01.dmp
2013-07-14 00:36 - 2013-07-26 21:51 - 00000000 ____D C:\Users\user\Desktop\Larry Edmonds
2013-07-12 03:45 - 2013-07-12 03:45 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl (1).exe
2013-07-12 01:37 - 2013-07-12 01:37 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl.exe
2013-07-12 00:02 - 2013-07-12 04:52 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yahoo US
2013-07-12 00:02 - 2013-07-12 00:02 - 00000000 ____D C:\Program Files\Common Files\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\ProgramData\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\Program Files\GamesBar
2013-07-11 15:51 - 2013-07-11 15:51 - 00000000 ____D C:\Program Files\Search Core Systems
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\Documents\Leawo
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\AppData\Roaming\Leawo
2013-07-09 20:17 - 2013-07-17 12:14 - 00011776 _____ C:\Users\user\Desktop\Resumewps.wps
2013-07-09 19:24 - 2013-07-09 19:37 - 89111376 _____ (Apple Inc.) C:\Users\user\Downloads\iTunesSetup.exe
2013-07-04 17:32 - 2013-07-04 17:32 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2013-07-28 13:51 - 2013-07-28 13:51 - 01221130 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2013-07-28 13:48 - 2011-06-26 16:27 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-28 13:47 - 2013-01-02 01:20 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-28 13:47 - 2012-06-04 15:24 - 00000314 ____H C:\Windows\Tasks\GenericUpdaterLogonTask.job
2013-07-28 13:47 - 2012-06-04 15:24 - 00000294 ____H C:\Windows\Tasks\GenericUpdaterRefreshTask.job
2013-07-28 07:46 - 2008-05-30 01:39 - 01535454 _____ C:\Windows\WindowsUpdate.log
2013-07-27 22:23 - 2013-07-27 22:23 - 00000000 ____D C:\FRST
2013-07-27 22:17 - 2011-06-26 16:27 - 00000878 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-27 12:41 - 2013-07-27 12:37 - 00017235 _____ C:\Users\user\Desktop\dds.txt
2013-07-27 12:41 - 2013-07-27 12:37 - 00009038 _____ C:\Users\user\Desktop\attach.txt
2013-07-27 12:33 - 2013-07-27 12:33 - 00688992 ____R (Swearware) C:\Users\user\Desktop\dds.com
2013-07-27 12:30 - 2006-11-02 08:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-27 12:30 - 2006-11-02 08:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-26 21:51 - 2013-07-14 00:36 - 00000000 ____D C:\Users\user\Desktop\Larry Edmonds
2013-07-25 08:54 - 2008-02-18 03:04 - 00000000 ____D C:\Program Files\Common Files\Java
2013-07-25 02:22 - 2013-07-25 02:21 - 00006138 _____ C:\Users\user\Desktop\Rkill.txt
2013-07-25 02:20 - 2013-07-25 02:20 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.exe
2013-07-25 02:18 - 2013-07-25 02:14 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-25 02:13 - 2013-07-25 02:13 - 00000000 ____D C:\Users\user\Desktop\mbar-1.06.0.1004
2013-07-25 02:08 - 2008-05-30 01:53 - 00000279 _____ C:\Users\Public\Documents\hpqp.ini
2013-07-25 02:05 - 2008-01-20 22:47 - 00072124 _____ C:\Windows\PFRO.log
2013-07-25 02:05 - 2006-11-02 09:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-25 01:54 - 2008-02-18 02:59 - 00000000 ____D C:\Windows\SMINST
2013-07-25 01:19 - 2006-11-02 09:01 - 00032550 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-25 01:17 - 2012-06-03 21:49 - 00000000 ____D C:\ProgramData\TheBflix
2013-07-25 01:17 - 2012-06-03 21:40 - 00000000 ____D C:\ProgramData\ADDICT-THING
2013-07-25 00:32 - 2013-07-25 00:32 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-24 23:59 - 2013-07-24 23:59 - 00026561 _____ C:\Users\user\Desktop\Result.txt
2013-07-24 23:58 - 2013-07-24 23:58 - 00760937 _____ (Farbar) C:\Users\user\Desktop\MiniToolBox.exe
2013-07-24 23:57 - 2013-07-24 23:54 - 00005897 _____ C:\Users\user\Desktop\FSS.txt
2013-07-24 23:53 - 2013-07-24 23:53 - 00357077 _____ (Farbar) C:\Users\user\Desktop\FSS.exe
2013-07-24 23:39 - 2013-07-24 23:39 - 00891098 _____ C:\Users\user\Desktop\SecurityCheck.exe
2013-07-24 01:16 - 2006-11-02 06:33 - 00703214 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-22 22:05 - 2011-06-26 15:29 - 00000544 _____ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - user.job
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\Documents\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Roaming\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Local\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\ProgramData\TomTom
2013-07-22 13:53 - 2013-07-22 13:52 - 00000000 ____D C:\Program Files\TomTom HOME 2
2013-07-22 13:50 - 2013-07-22 13:50 - 00000000 ____D C:\Program Files\TomTom International B.V
2013-07-22 13:50 - 2011-04-23 22:21 - 00000000 ____D C:\Users\user\AppData\Local\Downloaded Installations
2013-07-22 13:48 - 2013-07-22 13:46 - 30898008 _____ C:\Users\user\Desktop\TomTomHOME2winlatest.exe
2013-07-17 12:14 - 2013-07-09 20:17 - 00011776 _____ C:\Users\user\Desktop\Resumewps.wps
2013-07-17 12:14 - 2012-04-24 13:03 - 00001106 _____ C:\Users\user\AppData\Roaming\wklnhst.dat
2013-07-16 15:06 - 2013-07-16 15:06 - 00001664 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-07-16 15:05 - 2013-07-16 15:04 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-07-16 15:05 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\iTunes
2013-07-16 15:04 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\iPod
2013-07-16 15:04 - 2013-07-16 14:43 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-07-16 15:04 - 2011-06-16 21:36 - 00000000 ____D C:\ProgramData\Apple Computer
2013-07-16 14:46 - 2013-07-16 14:46 - 00000000 ____D C:\Program Files\Apple Software Update
2013-07-16 14:43 - 2013-07-16 14:43 - 00000000 ____D C:\Program Files\Bonjour
2013-07-16 12:47 - 2013-07-16 12:47 - 00002407 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
2013-07-16 12:47 - 2013-07-16 12:47 - 00000000 ____D C:\Program Files\Windows Installer Clean Up
2013-07-16 12:46 - 2013-07-16 12:46 - 00359656 _____ (Microsoft Corporation) C:\Users\user\Desktop\msicuu2.exe
2013-07-16 12:46 - 2013-07-16 12:46 - 00000000 ____D C:\Program Files\MSECACHE
2013-07-16 11:12 - 2013-07-16 11:12 - 00142776 _____ C:\Windows\Minidump\Mini071613-01.dmp
2013-07-16 11:12 - 2012-09-15 02:36 - 336922445 _____ C:\Windows\MEMORY.DMP
2013-07-16 11:12 - 2012-09-15 02:36 - 00000000 ____D C:\Windows\Minidump
2013-07-15 11:17 - 2006-11-02 08:52 - 00091463 _____ C:\Windows\setupact.log
2013-07-13 20:37 - 2012-04-15 00:09 - 00001971 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-07-12 04:52 - 2013-07-12 00:02 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yahoo US
2013-07-12 03:45 - 2013-07-12 03:45 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl (1).exe
2013-07-12 01:37 - 2013-07-12 01:37 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl.exe
2013-07-12 00:13 - 2013-01-22 20:26 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-12 00:02 - 2013-07-12 00:02 - 00000000 ____D C:\Program Files\Common Files\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\ProgramData\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\Program Files\GamesBar
2013-07-11 15:51 - 2013-07-11 15:51 - 00000000 ____D C:\Program Files\Search Core Systems
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\Documents\Leawo
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\AppData\Roaming\Leawo
2013-07-09 20:06 - 2011-06-26 16:26 - 00000000 ____D C:\Users\user\AppData\Local\Google
2013-07-09 19:37 - 2013-07-09 19:24 - 89111376 _____ (Apple Inc.) C:\Users\user\Downloads\iTunesSetup.exe
2013-07-04 17:32 - 2013-07-04 17:32 - 00000000 ____D C:\Program Files\Mozilla Firefox

ZeroAccess:
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\@
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\o
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\U\00000001.@
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\U\80000000.@
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\U\800000cb.@

ZeroAccess:
C:\Users\user\AppData\Local\{dfb18deb-4293-e909-9f89-c187edf7ad5d}
C:\Users\user\AppData\Local\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\@
C:\Users\user\AppData\Local\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\n

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-07-25 02:12

==================== End Of Log ============================
 
Here is the Addition.txt log:
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-07-2013
Ran by user at 2013-07-28 13:54:04
Running from C:\Users\user\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

 Update for Microsoft Office 2007 (KB2508958)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.2)
Adobe Digital Editions
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Adobe Shockwave Player (Version: 10.2.0.023)
Adobe Shockwave Player 11.6 (Version: 11.6.8.638)
AIM 6
Amazon Kindle
Amelie's Cafe - Halloween (remove only)
AppCore (Version: 1.3)
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Bing Bar (Version: 7.1.391.0)
Bing Rewards Client Installer (Version: 16.0.345.0)
Bonjour (Version: 3.0.0.10)
Burger Island (Version: 2.2.0.95)
calibre (Version: 0.8.54)
Cards_Calendar_OrderGift_DoMorePlugout (Version: 1.00.0000)
ccCommon (Version: 107.0.0.102)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Component Framework (Version: 2006.1.3.35)
Cooking Quest (remove only)
Coupon Printer for Windows (Version: 5.0.0.0)
CyberLink YouCam (Version: 1.0.1002)
Delicious - Emilys Taste of Fame (remove only)
DivX Setup (Version: 2.6.1.8)
DQ Tycoon (remove only)
DVD Suite (Version: 5.5.0928)
EA Link (Version: 3.1.1.4)
ePUBee DRM Removal 1.3.2
Expert PDF 7 Reader (Version: 7.0.1370.0)
Generic Updater
Google Chrome (Version: 28.0.1500.72)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4209.2358)
Google Update Helper (Version: 1.3.21.153)
Hauppauge MCE XP/Vista Software Encoder (2.0.25149) (Version: 2.0.25149)
HP Active Support Library (Version: 3.1.6.1)
HP Customer Experience Enhancements (Version: 5.4.0.2430)
HP Doc Viewer (Version: 1.02.0001)
HP Easy Setup - Frontend (Version: 5.4.0.2430)
HP Help and Support (Version: 2.0.10.0)
HP Photo Creations (Version: 1.0.0.3781)
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Photosmart Plus B210 series Basic Device Software (Version: 22.50.231.0)
HP Photosmart Plus B210 series Help (Version: 140.0.54.54)
HP Photosmart Plus B210 series Product Improvement Study (Version: 22.50.231.0)
HP Quick Launch Buttons 6.30 E1 (Version: 6.30 E1)
HP QuickPlay 3.6
HP QuickTouch 1.00 C4 (Version: 1.0.7)
HP Smart Web Printing (Version: 3.0.17.0)
HP Total Care Advisor (Version: 1.4.19.2433)
HP Update (Version: 5.002.006.003)
HP User Guides 0087 (Version: 1.02.0000)
HP Wireless Assistant (Version: 3.00 H2)
HPAsset component for HP Active Support Library (Version: 3.0.2.2)
HPNetworkAssistant (Version: 1.1.70)
HPPhotoSmartDiscLabel_PaperLabel (Version: 2.02.0000)
HPPhotoSmartDiscLabel_PrintOnDisc (Version: 2.02.0000)
HPPhotoSmartDiscLabel_Tattoo (Version: 2.02.0000)
HPPhotoSmartDiscLabelContent1 (Version: 2.02.0000)
hpphotosmartdisclabelplugin (Version: 2.02.0000)
HPPhotoSmartPhotobookHolidayPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookModernPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookPlayfulPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookScrapbookPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookWebPack1 (Version: 1.00.0000)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes (Version: 11.0.4.4)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Jenkat Games Arcade (HKCU Version: 5.1.0.0)
LabelPrint (Version: 2.20.2128)
LeapFrog Connect (Version: 3.2.19.13664)
LeapFrog My Pals Plugin (Version: 3.2.19.13664)
LightScribe System Software  1.10.13.1 (Version: 1.10.13.1)
LiveUpdate (Symantec Corporation) (Version: 3.4.0.162)
LiveUpdate (Symantec Corporation) (Version: 3.4.0.164)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
McAfee Security Scan Plus (Version: 3.0.318.3)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Works (Version: 9.7.0621)
MotoHelper 2.0.45 Driver 5.0.0 (Version: 2.0.45)
MotoHelper MergeModules (Version: 1.2.0)
Motorola Mobile Drivers Installation 5.0.0 (Version: 5.0.0)
Motorola SM56 Data Fax Modem
Mozilla Firefox 22.0 (x86 en-US) (Version: 22.0)
Mozilla Maintenance Service (Version: 22.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee autoProducer 6.1 (Version: 6.10.050)
My HP Games (Version: HPCMPQ1902)
Norton AntiVirus (Version: 15.0.0.58)
Norton AntiVirus Help (Version: 15.0)
Norton Confidential Core (Version: 2.0.0.84)
Norton Internet Security (Symantec Corporation) (Version: 15.0.0.60)
Norton Internet Security (Version: 15.0.0.60)
Norton Protection Center (Version: 3.1.0.98)
OverDrive Media Console (Version: 3.2.20)
Pet Hotel Tycoon (remove only)
Power2Go (Version: 5.6.3327)
PowerDirector (Version: 6.5.2129)
PSSWCORE (Version: 2.02.0000)
QuickPlay SlingPlayer 0.4.6 (Version: 0.4.6)
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.5869)
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 (Version: 3.51.01)
RollerCoaster Tycoon 3: Platinum (Version: 2.2.0.98)
Slingbox Flash Tour (Version: 1.0.0)
SlingPlayer (Version: 1.04.0206)
SPBBC 32bit (Version: 4.0.0.134)
Supermarket Management 2 (Version: 2.2.0.98)
SupermarketMania (remove only)
swMSM (Version: 12.0.0.1)
Symantec Real Time Storage Protection Component (Version: 10.2.2.6)
SymNet (Version: 8.0.3.4)
Synaptics Pointing Device Driver (Version: 15.3.29.0)
The Sims™ Life Stories (Version: 1.00.0000)
TomTom HOME (Version: 2.9.5)
TomTom HOME Visual Studio Merge Modules (Version: 1.0.2)
Update (Version: 0.1)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update Installer for WildTangent Games App
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0)
VideoToolkit01 (Version: 100.0.128.000)
Viewpoint Media Player
WeatherBug Gadget (Version: 1.0.0.6)
Wedding Salon (remove only)
WildTangent Games (Version: 1.0.3.0)
WildTangent Games App (HP Games) (Version: 4.0.10.16)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
Windows Installer Clean Up (Version: 3.00.00.0000)
Yahoo! Toolbar

==================== Restore Points  =========================

12-07-2013 03:43:25 Removed Bonzuna
15-07-2013 10:24:16 Scheduled Checkpoint
16-07-2013 02:15:39 Removed iTunes
16-07-2013 16:25:04 Removed Apple Application Support
16-07-2013 16:29:07 Removed Apple Mobile Device Support
16-07-2013 16:32:37 Removed Bonjour
16-07-2013 16:35:11 Removed Apple Software Update
16-07-2013 16:36:25 Removed Apple Software Update
16-07-2013 16:47:04 Installed Windows Installer Clean Up
16-07-2013 18:44:23 Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
16-07-2013 18:45:19 Device Driver Package Install: Apple Network adapters
16-07-2013 18:46:46 Installed iTunes
16-07-2013 19:03:41 Installed iTunes
17-07-2013 17:17:16 Scheduled Checkpoint
18-07-2013 18:24:31 Scheduled Checkpoint
22-07-2013 17:50:39 Installed TomTom HOME.
25-07-2013 12:52:57 Removed Java™ 6 Update 2
25-07-2013 19:07:07 Removed Java™ 6 Update 35
28-07-2013 12:08:42 Scheduled Checkpoint

==================== Scheduled Tasks (whitelisted) =============

Task: {057D4E42-D827-48E9-B7F5-BC920B72EA18} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-06-26] (Google Inc.)
Task: {07312162-94FF-4C59-BA90-F634E8F99B8C} - System32\Tasks\DSite => C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE No File
Task: {0A73C9CA-D00F-452A-90DA-3242B57B4F5E} - System32\Tasks\User_Feed_Synchronization-{D15F0807-E948-42D9-B089-5EA7856E8A00} => C:\Windows\system32\msfeedssync.exe [2012-02-03] (Microsoft Corporation)
Task: {1069E71F-6680-4BBB-BD26-39F5CC33206B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {21910976-241A-4A7F-B593-825C02FDD509} - System32\Tasks\{68BE658B-3F9B-4AE9-813C-D4D3B93AA239} => c:\program files\google\chrome\application\chrome.exe [2013-07-12] (Google Inc.)
Task: {320124A7-D70F-41DE-A9D1-D5E8E19D5D91} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {52620087-3AE2-46A1-83E0-2DE0C01840BD} - System32\Tasks\{AC74A170-C3BC-4CAF-B269-948458A76D21} => c:\program files\google\chrome\application\chrome.exe [2013-07-12] (Google Inc.)
Task: {665B7E85-B0AC-4C0F-9D6D-0B2DCEC6B582} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-06-26] (Google Inc.)
Task: {9D378189-143C-4B59-8ACA-EB52E13625CB} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-11] (Adobe Systems Incorporated)
Task: {9F9280AE-77F8-49FF-921E-31FB8EA76328} - System32\Tasks\Norton Internet Security - Run Full System Scan - user => c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26] (Symantec Corporation)
Task: {A61555D3-7840-45C1-A5A9-0D49851DE37A} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\OptinNotification => C:\Windows\System32\wsqmcons.exe [2008-01-20] (Microsoft Corporation)
Task: {AFFA689D-74A1-4187-A6D5-6050D8B4335E} - System32\Tasks\MotoHelper Initial Update => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27] ()
Task: {B246572E-3853-45F2-BC16-DA39633671F8} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] (Microsoft Corporation)
Task: {BA6BC945-B13C-47EF-99C6-A87530991211} - System32\Tasks\GenericUpdaterRefreshTask => C:\ProgramData\TheBflixUpdater\updater.exe [2012-06-03] ()
Task: {BBE623BB-B702-4CDC-9242-FDF7843A4FCD} - System32\Tasks\HPCustParticipation HP Photosmart Plus B210 series => C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {BC7504F0-3455-4CED-A8B7-5328B40C3AAA} - System32\Tasks\Update Logon => C:\Program Files\Search Core Systems\Update\update.exe [2013-06-14] ()
Task: {CEF7958F-D00B-462B-953C-0CCA931AD8A6} - System32\Tasks\HP Health Check => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-06-16] (Hewlett-Packard)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {ECA82E70-F4FF-4DC9-A1D4-607BA49F28B4} - System32\Tasks\Update Daily => C:\Program Files\Search Core Systems\Update\update.exe [2013-06-14] ()
Task: {F36BB114-95C0-4405-8695-8D8587B52F21} - System32\Tasks\MotoHelper MUM => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27] ()
Task: {F49BFBAB-5AE7-4E2E-8578-9900776AE8BF} - System32\Tasks\GenericUpdaterLogonTask => C:\ProgramData\TheBflixUpdater\updater.exe [2012-06-03] ()
Task: {FA5CD514-3D7E-48C8-9110-6767FF0825B6} - System32\Tasks\MotoHelper Update => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27] ()
Task: {FC80BEB1-F8AB-47C4-964E-71B3CBFF06F9} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\schtasks.exe [2008-01-20] (Microsoft Corporation)
Task: {FDCDCC80-269F-4F84-9871-1514A23C63D8} - System32\Tasks\MotoHelper Routing => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DSite.job => ?
Task: C:\Windows\Tasks\GenericUpdaterLogonTask.job => C:\ProgramData\TheBflixUpdater\updater.exe
Task: C:\Windows\Tasks\GenericUpdaterRefreshTask.job => C:\ProgramData\TheBflixUpdater\updater.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - user.job => c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

==================== Faulty Device Manager Devices =============

Name: HP Webcam
Description: USB Video Device
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Microsoft
Service: usbvideo
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Intel® ICH8 Family USB2 Enhanced Host Controller - 2836
Description: Intel® ICH8 Family USB2 Enhanced Host Controller - 2836
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: Intel
Service: usbehci
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/28/2013 07:46:22 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 24063372

Error: (07/28/2013 07:46:22 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 24063372

Error: (07/28/2013 07:46:22 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/28/2013 01:05:30 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11590

Error: (07/28/2013 01:05:30 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 11590

Error: (07/28/2013 01:05:30 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/28/2013 01:05:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10592

Error: (07/28/2013 01:05:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 10592

Error: (07/28/2013 01:05:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/28/2013 01:05:26 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7238


System errors:
=============
Error: (07/28/2013 01:48:28 PM) (Source: DCOM) (User: )
Description: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (07/27/2013 10:17:26 PM) (Source: Service Control Manager) (User: )
Description: LiveUpdate Notice1

Error: (07/27/2013 10:17:26 PM) (Source: Service Control Manager) (User: )
Description: Symantec Lic NetConnect service1

Error: (07/27/2013 10:17:26 PM) (Source: Service Control Manager) (User: )
Description: Symantec Settings Manager11001Restart the service

Error: (07/27/2013 10:17:26 PM) (Source: Service Control Manager) (User: )
Description: Symantec Event Manager12001Restart the service

Error: (07/26/2013 10:57:52 AM) (Source: Schannel) (User: )
Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Error: (07/25/2013 02:05:45 AM) (Source: Service Control Manager) (User: )
Description: bwleyutf

Error: (07/25/2013 02:05:45 AM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (07/25/2013 02:05:45 AM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (07/25/2013 02:05:45 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2012-01-27 23:17:08.571
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2012-01-27 23:17:08.494
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2012-01-27 23:17:08.415
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2012-01-27 23:17:08.341
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2012-01-27 23:17:08.242
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2008-02-18 02:06:31.504
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2008-02-18 02:06:31.488
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2008-02-18 02:06:31.488
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2008-02-18 02:06:31.473
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2008-02-18 02:06:25.264
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 50%
Total physical RAM: 3061.68 MB
Available physical RAM: 1514.61 MB
Total Pagefile: 6329.64 MB
Available Pagefile: 4600.35 MB
Total Virtual: 2047.88 MB
Available Virtual: 1918.73 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:221.2 GB) (Free:133.26 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:11.68 GB) (Free:2.01 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (larry) (CDROM) (Total:0.09 GB) (Free:0 GB) CDFS
Drive g: (MyNOOKcolor) (Removable) (Total:1 GB) (Free:0.33 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 475D475C)
Partition 1: (Active) - (Size=221 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=12 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 1 GB) (Disk ID: 00000000)

==================== End Of Log ============================

Edited by CatByte, 28 July 2013 - 06:13 PM.
removed quote


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 PM

Posted 28 July 2013 - 06:21 PM

Hello,

Please just use "add reply" rather than quoting my posts as it makes the thread very long, thanks.

You have a nasty rootkit called ZeroAccess on your machine; it is going to take us several rounds with different tools to clean it up, so stay with me.

Your services.exe is also infected.

The next tool we will run, MBAR, should replace it, but if it doesn't for some reason, we can find a replacement with FRST,

so first we will run a fix with FRST, then we'll use MBAR.

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
Save it on your desktop as fixlist.txt

(if you saved FRST to a different folder and not your desktop originally, then save fixlist.txt to the same location as FRST was saved)


start
HKLM\...\Run: [] -  [x]
S0 bwleyutf; System32\drivers\dlafctb.sys [x]
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}
C:\Users\user\AppData\Local\{dfb18deb-4293-e909-9f89-c187edf7ad5d}
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt) please attach that log to your reply.

Note: FixList.txt and FRST must be saved to the same location or the fix will not work

Reboot Normally.



NEXT


Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
~~~~~~~~~~~~~~~~~~~~~~~

Note: <<<This step is very important >>>
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit located in the mbar\plugins folder and reboot.
Verify that your system is now functioning normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina
  • Local time:09:33 PM

Posted 28 July 2013 - 09:36 PM

Ok, here is the fixlist.txt log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-07-2013
Ran by user at 2013-07-28 20:41:56 Run:1
Running from C:\Users\user\Desktop
Boot Mode: Normal

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
bwleyutf => Service deleted successfully.

"C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}" directory move:

C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\@ => Moved successfully.
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\o => Moved successfully.
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\U\00000001.@ => Moved successfully.
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\U\80000000.@ => Moved successfully.
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}\U\800000cb.@ => Moved successfully.
Could not move "C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d}" directory. => Scheduled to move on reboot.

C:\Users\user\AppData\Local\{dfb18deb-4293-e909-9f89-c187edf7ad5d} => Moved successfully.

=========== Result of Scheduled Files to move ===========
C:\Windows\Installer\{dfb18deb-4293-e909-9f89-c187edf7ad5d} => Moved successfully.

==== End of Fixlog ====

I ran the Malwarebytes Anti-Rootkit, and re-started the computer when prompted. As it was starting up, I got a blue screen, then it shut down. I had to manually start it back up, and when I came back up, I got an error which I was unable to copy to paste here. I was able to create a Restore point prior to running the program though.

Here are the logs:

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.28.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
user :: USER-PC [administrator]

7/28/2013 9:06:42 PM
mbar-log-2013-07-28 (21-06-42).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 237017
Time elapsed: 34 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\WINDOWS\System32\services.exe (Rootkit.0Access.S) -> Replace on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_35

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3210407936, free: 1639473152

Downloaded database version: v2013.07.25.01
Downloaded database version: v2013.07.15.01
Initializing...
------------ Kernel report ------------
     07/25/2013 02:14:04
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5v32.sys
\SystemRoot\system32\DRIVERS\Rtlh86.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\HpqRemHid.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\smserial.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\usbaapl.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\SystemRoot\System32\Drivers\SYMREDRV.SYS
\SystemRoot\System32\Drivers\SYMDNS.SYS
\SystemRoot\System32\Drivers\SYMNDISV.SYS
\SystemRoot\System32\Drivers\SYMFW.SYS
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\SymIMv.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\SRTSPX.SYS
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\KMWDFILTER.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\wpdusb.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WUDFPf.sys
\SystemRoot\system32\drivers\HTTP.sys
\??\C:\Windows\system32\drivers\CO_Mon.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\Drivers\SRTSP.SYS
\??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVEX15.SYS
\??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVENG.SYS
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\WINDOWS\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff89286ac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000082\
Lower Device Object: 0xffffffff89145888
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff866a3858
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8553d028
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff866a3858, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff866a3478, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff866a3858, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff84b7c300, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8553d028, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 475D475C

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 463892877
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 463892940  Numsec = 24499125

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff89286ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff892d2478, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff89286ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff89145888, DeviceName: \Device\00000082\, DriverName: \Driver\USBSTOR\
------------ End ----------
Backup file found for a file c:\WINDOWS\System32\services.exe
Infected: c:\WINDOWS\System32\services.exe --> [Rootkit.0Access.S]
=======================================


Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_63_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\services.exe_k.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\services.exe_u.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\services.exe_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3210407936, free: 1615200256

Downloaded database version: v2013.07.28.07
Initializing...
------------ Kernel report ------------
     07/28/2013 21:06:35
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5v32.sys
\SystemRoot\system32\DRIVERS\Rtlh86.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\HpqRemHid.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\smserial.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\SystemRoot\System32\Drivers\SYMREDRV.SYS
\SystemRoot\System32\Drivers\SYMDNS.SYS
\SystemRoot\System32\Drivers\SYMNDISV.SYS
\SystemRoot\System32\Drivers\SYMFW.SYS
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\SymIMv.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\SRTSPX.SYS
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\KMWDFILTER.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\??\C:\Windows\system32\drivers\CO_Mon.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WUDFPf.sys
\SystemRoot\System32\Drivers\SRTSP.SYS
\??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVEX15.SYS
\??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVENG.SYS
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\WINDOWS\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff89059ac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000082\
Lower Device Object: 0xffffffff88dcbcb8
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8669aa58
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff85518028
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8669aa58, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8669a678, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8669aa58, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff85a9b6b0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85518028, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 475D475C

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 463892877
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 463892940  Numsec = 24499125

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff89059ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff890597b0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff89059ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff88dcbcb8, DeviceName: \Device\00000082\, DriverName: \Driver\USBSTOR\
------------ End ----------
Backup file found for a file c:\WINDOWS\System32\services.exe
Infected: c:\WINDOWS\System32\services.exe --> [Rootkit.0Access.S]
Scan finished
Cleaning up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3210407936, free: 1362554880

Initializing...
------------ Kernel report ------------
     07/28/2013 22:09:02
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5v32.sys
\SystemRoot\system32\DRIVERS\Rtlh86.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\HpqRemHid.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\smserial.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\KMWDFILTER.sys
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\System32\Drivers\SYMREDRV.SYS
\SystemRoot\System32\Drivers\SYMDNS.SYS
\SystemRoot\System32\Drivers\SYMNDISV.SYS
\SystemRoot\System32\Drivers\SYMFW.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\SymIMv.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\SRTSPX.SYS
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\??\C:\Windows\system32\drivers\CO_Mon.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WUDFPf.sys
\SystemRoot\System32\Drivers\SRTSP.SYS
\??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVEX15.SYS
\??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVENG.SYS
\SystemRoot\System32\Drivers\usbaapl.sys
\SystemRoot\system32\DRIVERS\wpdusb.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\WINDOWS\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff88cf6ac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000081\
Lower Device Object: 0xffffffff88a84888
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff866ac600
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8551c028
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff866ac600, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff866ac220, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff866ac600, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8550b700, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8551c028, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
I ran the Malwarebytes Anti-Rootkit scan again, and it showed no malware. I'm hoping this means my system is clean, but I'm still wondering why I got the blue screen when it tried to restart?
Edited by Dominicana, 28 July 2013 - 09:52 PM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 PM

Posted 29 July 2013 - 07:52 AM

Ripping out this malware can cause that issue, as it's deeply embedded; it also needed to replace the infected services.exe.

It appears that was done successfully, but please run a fresh scan with FRST and post the new log so I can see.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina
  • Local time:09:33 PM

Posted 29 July 2013 - 02:21 PM

Here is the log from the scan:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-07-2013 01
Ran by user (administrator) on 29-07-2013 15:19:34
Running from C:\Users\user\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(LeapFrog Enterprises, Inc.) C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
() C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(TomTom) C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
(Microsoft Corporation) C:\Windows\system32\schtasks.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Motorola Inc.) C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(LeapFrog Enterprises, Inc.) C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(TomTom) C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Symantec Corporation) c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
() C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard) c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmplayer.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
(Microsoft Corporation) c:\program files\windows defender\MpCmdRun.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SMSERIAL] - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [634880 2007-01-17] (Motorola Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7539232 2009-06-09] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2007-12-19] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2007-09-19] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] - C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554320 2007-09-04] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [UCam_Menu] - C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2007-08-17] (CyberLink Corp.)
HKLM\...\Run: [ccApp] - c:\Program Files\Common Files\Symantec Shared\ccApp.exe [51048 2008-10-17] (Symantec Corporation)
HKLM\...\Run: [hpqSRMon] -  [x]
HKLM\...\Run: [HP Health Check Scheduler] - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-09-13] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [311296 2007-01-08] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM\...\Run: [Monitor] - C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-28] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKCU\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [455968 2007-08-23] (Hewlett-Packard Company)
HKCU\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [2153472 2009-04-11] (Microsoft Corporation)
HKCU\...\Run: [HPAdvisor] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1783136 2007-10-01] (Hewlett-Packard)
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-06-26] (Google Inc.)
HKCU\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [248208 2013-03-22] (TomTom)
MountPoints2: {e5f96db4-2f4f-11e1-9bb2-001e68783d60} - I:\setup.exe -a
MountPoints2: {ec72cb50-6e17-11e0-ac89-806e6f6e6963} - E:\eFilmLite\eFilmLt.exe
MountPoints2: {ec72cc16-6e17-11e0-ac89-001e68783d60} - G:\LaunchU3.exe -a
MountPoints2: {ed124159-f4ef-11e2-9a23-001e68783d60} - G:\windows\AutoRun.exe {430A8AE3-8898-4DAB-8C5B-5E8ADA7D571E} 3.0.0.02 VID_19D2&PID_0358 {9B00E99F-83A4-40d4-B987-7EB04F722BB7}
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-10-01] (Hewlett-Packard)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-10-01] (Hewlett-Packard)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&abc=ie&pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
SearchScopes: HKLM - {7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM - {98C5ECE9-8E95-48C4-B2AA-8202E3547581} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&abc=ie&pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
SearchScopes: HKCU - {105E99FF-8B9A-4492-B155-06194B9056D2} URL = http://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKCU - {7C9B2C5A-9AE0-4DD1-BF28-38E27DA72F33} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {9044337E-CE41-48B1-8E9C-60EA2666DFFF} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=w3i&hsimp=yhs-geneiotransfer&type=W3i_IA,206,0_0,StartPage,20120102,18482,0,0,6434&p={searchTerms}
SearchScopes: HKCU - {98C5ECE9-8E95-48C4-B2AA-8202E3547581} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6R8uVMVp23&i=26
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: No Name - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (Symantec Corporation)
BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xoqgps87.default
FF user.js: detected! => C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xoqgps87.default\user.js
FF Homepage: about:home
FF Keyword.URL: hxxp://search.easylifeapp.com/?pid=34&abc=ff1&r=2013/02/11&hid=1669417642&lg=EN&cc=US&l=1&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @ei.MapsGalaxy_39.com/Plugin - C:\Program Files\MapsGalaxy_39EI\Installr\1.bin\NP39EISB.dll (MapsGalaxy)
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @oberon-media.com/ONCAdapter - C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.14\npapicomadapter.dll (Oberon-Media )
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @viewpoint.com/VMP - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF Plugin: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll ()
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\user\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
FF Extension: TheBflix - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xoqgps87.default\Extensions\4fcc132e30c78@4fcc132e30cb2.info
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] C:\Program Files\Web Assistant\Firefox
FF HKLM\...\Firefox\Extensions: [lesstabs@lesstabs.com] C:\Program Files\Mozilla Firefox\extensions\lesstabs@lesstabs.com

Chrome:
=======
CHR HomePage: hxxp://search.easylifeapp.com/?pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
CHR RestoreOnStartup: "hxxp://search.easylifeapp.com/?pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US"
CHR DefaultSearchURL: (EasyLife) - http://search.easylifeapp.com/?q={searchTerms}&abc=1&pid=34&r=2013/02/11&hid=1669417642&lg=EN&cc=US
CHR DefaultSuggestURL: (EasyLife) - none
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - c:\program files\google\chrome\application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - c:\program files\google\chrome\application\28.0.1500.72\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - c:\program files\google\chrome\application\28.0.1500.72\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (ADDICT-THING) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\henoddjbammmapdfiicfgnolhmliaeki\1.0_0
CHR Extension: (TheBflix) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioigpbbefinmomapmghjgfaileiindec\5.1_0
CHR Extension: (DivX Plus Web Player HTML5 \u003Cvideo\u003E) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx
CHR HKLM\...\Chrome\Extension: [henoddjbammmapdfiicfgnolhmliaeki] - C:\ProgramData\ADDICT-THING\henoddjbammmapdfiicfgnolhmliaeki.crx
CHR HKLM\...\Chrome\Extension: [ioigpbbefinmomapmghjgfaileiindec] - C:\ProgramData\TheBflix\ioigpbbefinmomapmghjgfaileiindec.crx
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx
CHR StartMenuInternet: Google Chrome - C:\Program Files\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

R2 Automatic LiveUpdate Scheduler; c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [243064 2007-08-31] (Symantec Corporation)
R2 ccEvtMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 ccSetMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 CLTNetCnService; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
S3 comHost; c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [55640 2007-08-22] (Symantec Corporation)
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-16] (Hewlett-Packard)
S3 LiveUpdate; c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [3192184 2007-08-23] (Symantec Corporation)
R2 LiveUpdate Notice; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [226624 2011-01-27] ()
R2 QPCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [271760 2007-12-19] ()
S2 QPSched; C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [112016 2007-12-19] ()
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
R3 Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [1251720 2011-06-26] ()

==================== Drivers (Whitelisted) ====================

S3 COH_Mon; C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-30] (Symantec Corporation)
R2 CO_Mon; C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-08-08] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [374392 2011-07-31] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [105592 2011-08-08] (Symantec Corporation)
R3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
R1 IDSvix86; C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys [287792 2098-01-01] (Symantec Corporation)
R3 KMWDFILTER; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [17408 2008-10-09] (Windows ® Codename Longhorn DDK provider)
S3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [42752 2009-05-08] (Motorola Inc)
R3 NAVENG; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVENG.SYS [86136 2011-08-08] (Symantec Corporation)
R3 NAVEX15; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110827.002\NAVEX15.SYS [1576312 2011-08-08] (Symantec Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2009-03-17] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2007-11-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2007-11-30] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2007-11-30] (Symantec Corporation)
R3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2011-06-26] (Symantec Corporation)
R3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)
R3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)
U1 eabfiltr;
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-29 15:13 - 2013-07-29 15:15 - 01221282 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2013-07-28 23:27 - 2013-07-29 15:00 - 00000000 ____D C:\Users\user\AppData\Roaming\Skype
2013-07-28 23:26 - 2013-07-28 23:26 - 00001878 _____ C:\Users\Public\Desktop\Skype.lnk
2013-07-28 23:26 - 2013-07-28 23:26 - 00000000 ___RD C:\Program Files\Skype
2013-07-28 23:26 - 2013-07-28 23:26 - 00000000 ____D C:\Program Files\Common Files\Skype
2013-07-28 23:20 - 2013-07-28 23:25 - 31954536 _____ (Skype Technologies S.A.) C:\Users\user\Downloads\SkypeSetupFull (1).exe
2013-07-28 21:55 - 2013-07-28 21:55 - 00142776 _____ C:\Windows\Minidump\Mini072813-01.dmp
2013-07-28 13:54 - 2013-07-28 13:54 - 00022804 _____ C:\Users\user\Desktop\Addition.txt
2013-07-27 22:23 - 2013-07-28 20:45 - 00000000 ____D C:\FRST
2013-07-27 12:37 - 2013-07-27 12:41 - 00017235 _____ C:\Users\user\Desktop\dds.txt
2013-07-27 12:37 - 2013-07-27 12:41 - 00009038 _____ C:\Users\user\Desktop\attach.txt
2013-07-27 12:33 - 2013-07-27 12:33 - 00688992 ____R (Swearware) C:\Users\user\Desktop\dds.com
2013-07-25 02:21 - 2013-07-25 02:22 - 00006138 _____ C:\Users\user\Desktop\Rkill.txt
2013-07-25 02:20 - 2013-07-25 02:20 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.exe
2013-07-25 02:14 - 2013-07-28 22:51 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-25 02:13 - 2013-07-25 02:13 - 00000000 ____D C:\Users\user\Desktop\mbar-1.06.0.1004
2013-07-25 00:32 - 2013-07-25 00:32 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-25 00:32 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-07-24 23:59 - 2013-07-24 23:59 - 00026561 _____ C:\Users\user\Desktop\Result.txt
2013-07-24 23:58 - 2013-07-24 23:58 - 00760937 _____ (Farbar) C:\Users\user\Desktop\MiniToolBox.exe
2013-07-24 23:54 - 2013-07-24 23:57 - 00005897 _____ C:\Users\user\Desktop\FSS.txt
2013-07-24 23:53 - 2013-07-24 23:53 - 00357077 _____ (Farbar) C:\Users\user\Desktop\FSS.exe
2013-07-24 23:39 - 2013-07-24 23:39 - 00891098 _____ C:\Users\user\Desktop\SecurityCheck.exe
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\Documents\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Roaming\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Local\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\ProgramData\TomTom
2013-07-22 13:52 - 2013-07-22 13:53 - 00000000 ____D C:\Program Files\TomTom HOME 2
2013-07-22 13:50 - 2013-07-22 13:50 - 00000000 ____D C:\Program Files\TomTom International B.V
2013-07-22 13:46 - 2013-07-22 13:48 - 30898008 _____ C:\Users\user\Desktop\TomTomHOME2winlatest.exe
2013-07-16 15:06 - 2013-07-16 15:06 - 00001664 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-07-16 15:06 - 2012-08-21 13:01 - 00026840 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2013-07-16 15:04 - 2013-07-16 15:05 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-07-16 15:04 - 2013-07-16 15:05 - 00000000 ____D C:\Program Files\iTunes
2013-07-16 15:04 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\iPod
2013-07-16 14:46 - 2013-07-16 14:46 - 00000000 ____D C:\Program Files\Apple Software Update
2013-07-16 14:43 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-07-16 14:43 - 2013-07-16 14:43 - 00000000 ____D C:\Program Files\Bonjour
2013-07-16 12:47 - 2013-07-16 12:47 - 00002407 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
2013-07-16 12:47 - 2013-07-16 12:47 - 00000000 ____D C:\Program Files\Windows Installer Clean Up
2013-07-16 12:46 - 2013-07-16 12:46 - 00359656 _____ (Microsoft Corporation) C:\Users\user\Desktop\msicuu2.exe
2013-07-16 12:46 - 2013-07-16 12:46 - 00000000 ____D C:\Program Files\MSECACHE
2013-07-16 11:12 - 2013-07-16 11:12 - 00142776 _____ C:\Windows\Minidump\Mini071613-01.dmp
2013-07-14 00:36 - 2013-07-26 21:51 - 00000000 ____D C:\Users\user\Desktop\Larry Edmonds
2013-07-12 03:45 - 2013-07-12 03:45 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl (1).exe
2013-07-12 01:37 - 2013-07-12 01:37 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl.exe
2013-07-12 00:02 - 2013-07-12 04:52 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yahoo US
2013-07-12 00:02 - 2013-07-12 00:02 - 00000000 ____D C:\Program Files\Common Files\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\ProgramData\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\Program Files\GamesBar
2013-07-11 15:51 - 2013-07-11 15:51 - 00000000 ____D C:\Program Files\Search Core Systems
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\Documents\Leawo
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\AppData\Roaming\Leawo
2013-07-09 20:17 - 2013-07-17 12:14 - 00011776 _____ C:\Users\user\Desktop\Resumewps.wps
2013-07-09 19:24 - 2013-07-09 19:37 - 89111376 _____ (Apple Inc.) C:\Users\user\Downloads\iTunesSetup.exe
2013-07-04 17:32 - 2013-07-04 17:32 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2013-07-29 15:15 - 2013-07-29 15:13 - 01221282 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2013-07-29 15:10 - 2008-05-30 01:39 - 01135433 _____ C:\Windows\WindowsUpdate.log
2013-07-29 15:00 - 2013-07-28 23:27 - 00000000 ____D C:\Users\user\AppData\Roaming\Skype
2013-07-29 15:00 - 2013-01-02 01:20 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-29 15:00 - 2011-06-26 16:27 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-28 23:55 - 2006-11-02 08:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-28 23:55 - 2006-11-02 08:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-28 23:27 - 2012-12-12 20:37 - 00000000 ____D C:\ProgramData\Skype
2013-07-28 23:26 - 2013-07-28 23:26 - 00001878 _____ C:\Users\Public\Desktop\Skype.lnk
2013-07-28 23:26 - 2013-07-28 23:26 - 00000000 ___RD C:\Program Files\Skype
2013-07-28 23:26 - 2013-07-28 23:26 - 00000000 ____D C:\Program Files\Common Files\Skype
2013-07-28 23:25 - 2013-07-28 23:20 - 31954536 _____ (Skype Technologies S.A.) C:\Users\user\Downloads\SkypeSetupFull (1).exe
2013-07-28 22:51 - 2013-07-25 02:14 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-28 22:02 - 2013-04-15 16:42 - 00000000 ____D C:\Users\user\AppData\Local\HP Guide
2013-07-28 22:00 - 2008-05-30 01:53 - 00000279 _____ C:\Users\Public\Documents\hpqp.ini
2013-07-28 21:56 - 2012-06-04 15:24 - 00000314 ____H C:\Windows\Tasks\GenericUpdaterLogonTask.job
2013-07-28 21:56 - 2012-06-04 15:24 - 00000294 ____H C:\Windows\Tasks\GenericUpdaterRefreshTask.job
2013-07-28 21:56 - 2011-06-26 16:27 - 00000878 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-28 21:56 - 2011-04-30 00:20 - 00000021 _____ C:\Users\Public\Documents\hpqp.txt
2013-07-28 21:55 - 2013-07-28 21:55 - 00142776 _____ C:\Windows\Minidump\Mini072813-01.dmp
2013-07-28 21:55 - 2012-09-15 02:36 - 263378733 _____ C:\Windows\MEMORY.DMP
2013-07-28 21:55 - 2012-09-15 02:36 - 00000000 ____D C:\Windows\Minidump
2013-07-28 21:55 - 2006-11-02 09:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-28 21:45 - 2006-11-02 09:01 - 00032550 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-28 20:45 - 2013-07-27 22:23 - 00000000 ____D C:\FRST
2013-07-28 20:40 - 2006-11-02 06:33 - 00703214 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-28 13:54 - 2013-07-28 13:54 - 00022804 _____ C:\Users\user\Desktop\Addition.txt
2013-07-27 12:41 - 2013-07-27 12:37 - 00017235 _____ C:\Users\user\Desktop\dds.txt
2013-07-27 12:41 - 2013-07-27 12:37 - 00009038 _____ C:\Users\user\Desktop\attach.txt
2013-07-27 12:33 - 2013-07-27 12:33 - 00688992 ____R (Swearware) C:\Users\user\Desktop\dds.com
2013-07-26 21:51 - 2013-07-14 00:36 - 00000000 ____D C:\Users\user\Desktop\Larry Edmonds
2013-07-25 08:54 - 2008-02-18 03:04 - 00000000 ____D C:\Program Files\Common Files\Java
2013-07-25 02:22 - 2013-07-25 02:21 - 00006138 _____ C:\Users\user\Desktop\Rkill.txt
2013-07-25 02:20 - 2013-07-25 02:20 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.exe
2013-07-25 02:13 - 2013-07-25 02:13 - 00000000 ____D C:\Users\user\Desktop\mbar-1.06.0.1004
2013-07-25 02:05 - 2008-01-20 22:47 - 00072124 _____ C:\Windows\PFRO.log
2013-07-25 01:54 - 2008-02-18 02:59 - 00000000 ____D C:\Windows\SMINST
2013-07-25 01:17 - 2012-06-03 21:49 - 00000000 ____D C:\ProgramData\TheBflix
2013-07-25 01:17 - 2012-06-03 21:40 - 00000000 ____D C:\ProgramData\ADDICT-THING
2013-07-25 00:32 - 2013-07-25 00:32 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-25 00:32 - 2013-07-25 00:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-24 23:59 - 2013-07-24 23:59 - 00026561 _____ C:\Users\user\Desktop\Result.txt
2013-07-24 23:58 - 2013-07-24 23:58 - 00760937 _____ (Farbar) C:\Users\user\Desktop\MiniToolBox.exe
2013-07-24 23:57 - 2013-07-24 23:54 - 00005897 _____ C:\Users\user\Desktop\FSS.txt
2013-07-24 23:53 - 2013-07-24 23:53 - 00357077 _____ (Farbar) C:\Users\user\Desktop\FSS.exe
2013-07-24 23:39 - 2013-07-24 23:39 - 00891098 _____ C:\Users\user\Desktop\SecurityCheck.exe
2013-07-22 22:05 - 2011-06-26 15:29 - 00000544 _____ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - user.job
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\Documents\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Roaming\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\Users\user\AppData\Local\TomTom
2013-07-22 13:55 - 2013-07-22 13:55 - 00000000 ____D C:\ProgramData\TomTom
2013-07-22 13:53 - 2013-07-22 13:52 - 00000000 ____D C:\Program Files\TomTom HOME 2
2013-07-22 13:50 - 2013-07-22 13:50 - 00000000 ____D C:\Program Files\TomTom International B.V
2013-07-22 13:50 - 2011-04-23 22:21 - 00000000 ____D C:\Users\user\AppData\Local\Downloaded Installations
2013-07-22 13:48 - 2013-07-22 13:46 - 30898008 _____ C:\Users\user\Desktop\TomTomHOME2winlatest.exe
2013-07-17 12:14 - 2013-07-09 20:17 - 00011776 _____ C:\Users\user\Desktop\Resumewps.wps
2013-07-17 12:14 - 2012-04-24 13:03 - 00001106 _____ C:\Users\user\AppData\Roaming\wklnhst.dat
2013-07-16 15:06 - 2013-07-16 15:06 - 00001664 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-07-16 15:05 - 2013-07-16 15:04 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-07-16 15:05 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\iTunes
2013-07-16 15:04 - 2013-07-16 15:04 - 00000000 ____D C:\Program Files\iPod
2013-07-16 15:04 - 2013-07-16 14:43 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-07-16 15:04 - 2011-06-16 21:36 - 00000000 ____D C:\ProgramData\Apple Computer
2013-07-16 14:46 - 2013-07-16 14:46 - 00000000 ____D C:\Program Files\Apple Software Update
2013-07-16 14:43 - 2013-07-16 14:43 - 00000000 ____D C:\Program Files\Bonjour
2013-07-16 12:47 - 2013-07-16 12:47 - 00002407 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
2013-07-16 12:47 - 2013-07-16 12:47 - 00000000 ____D C:\Program Files\Windows Installer Clean Up
2013-07-16 12:46 - 2013-07-16 12:46 - 00359656 _____ (Microsoft Corporation) C:\Users\user\Desktop\msicuu2.exe
2013-07-16 12:46 - 2013-07-16 12:46 - 00000000 ____D C:\Program Files\MSECACHE
2013-07-16 11:12 - 2013-07-16 11:12 - 00142776 _____ C:\Windows\Minidump\Mini071613-01.dmp
2013-07-15 11:17 - 2006-11-02 08:52 - 00091463 _____ C:\Windows\setupact.log
2013-07-13 20:37 - 2012-04-15 00:09 - 00001971 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-07-12 04:52 - 2013-07-12 00:02 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yahoo US
2013-07-12 03:45 - 2013-07-12 03:45 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl (1).exe
2013-07-12 01:37 - 2013-07-12 01:37 - 00457152 _____ (Oberon Media Inc.) C:\Users\user\Downloads\airlinetycoondeluxe-510006595-setup.s510006595.c110402287.len.u.dl.exe
2013-07-12 00:13 - 2013-01-22 20:26 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-12 00:02 - 2013-07-12 00:02 - 00000000 ____D C:\Program Files\Common Files\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\ProgramData\Oberon Media
2013-07-12 00:00 - 2013-07-12 00:00 - 00000000 ____D C:\Program Files\GamesBar
2013-07-11 15:51 - 2013-07-11 15:51 - 00000000 ____D C:\Program Files\Search Core Systems
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\Documents\Leawo
2013-07-10 17:41 - 2013-07-10 17:41 - 00000000 ____D C:\Users\user\AppData\Roaming\Leawo
2013-07-09 20:06 - 2011-06-26 16:26 - 00000000 ____D C:\Users\user\AppData\Local\Google
2013-07-09 19:37 - 2013-07-09 19:24 - 89111376 _____ (Apple Inc.) C:\Users\user\Downloads\iTunesSetup.exe
2013-07-04 17:32 - 2013-07-04 17:32 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-07-28 22:04

==================== End Of Log ============================



I'm still having the problem from my first post though- when I double-click on my desktop folders, it tells me that the application is not found. :/

Edited by Dominicana, 29 July 2013 - 02:25 PM.


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 July 2013 - 02:45 PM

Please run the following:
  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
    RGKRScan.png
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
    RGKRDelete.png
  • Next click on the ShortcutsFix
    RGKRShortcutsFix.png
  • another report will be created on your desktop.
Please post: All RKreport.txt text files located on your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:South Carolina

Posted 29 July 2013 - 05:25 PM

I didn't see anything that said ALL RKreport.txt.

Three different logs were saved to my desktop:

RKreport[0]_S_07292013_181627.txt:

RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 07/29/2013 18:16:27
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GenericUpdaterRefreshTask.job : C:\ProgramData\TheBflixUpdater\updater.exe - /profilepath "/profilepath" [-][-][-] -> FOUND
[V1][SUSP PATH] GenericUpdaterLogonTask.job : C:\ProgramData\TheBflixUpdater\updater.exe - /schedule /profilepath "/profilepath" [-][-][-] -> FOUND
[V1][SUSP PATH] DSite.job : C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V2][SUSP PATH] DSite : C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x8229D5C3 -> HOOKED (Unknown @ 0x88D9EAA8)
[Address] SSDT[14] : NtAlertThread @ 0x82216255 -> HOOKED (Unknown @ 0x88D9EB68)
[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x822524FB -> HOOKED (Unknown @ 0x88DC87E8)
[Address] SSDT[21] : NtAlpcConnectPort @ 0x821F4887 -> HOOKED (Unknown @ 0x88BE6B60)
[Address] SSDT[67] : NtCreateMutant @ 0x8222A812 -> HOOKED (Unknown @ 0x88D9E858)
[Address] SSDT[78] : NtCreateThread @ 0x8229BBE0 -> HOOKED (Unknown @ 0x88DC8940)
[Address] SSDT[116] : NtDebugActiveProcess @ 0x8226ED22 -> HOOKED (Unknown @ 0x88D9E5D8)
[Address] SSDT[147] : NtFreeVirtualMemory @ 0x8208EF1D -> HOOKED (Unknown @ 0x88DC8E68)
[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x821C4F12 -> HOOKED (Unknown @ 0x88D9E928)
[Address] SSDT[158] : NtImpersonateThread @ 0x821DA54F -> HOOKED (Unknown @ 0x88D9E9E8)
[Address] SSDT[177] : NtMapViewOfSection @ 0x8221A89A -> HOOKED (Unknown @ 0x88DC8D88)
[Address] SSDT[184] : NtOpenEvent @ 0x82203DCF -> HOOKED (Unknown @ 0x88D9E798)
[Address] SSDT[195] : NtOpenProcessToken @ 0x8220BA2E -> HOOKED (Unknown @ 0x88D9C4A0)
[Address] SSDT[197] : NtOpenSection @ 0x8221B66D -> HOOKED (Unknown @ 0x84DA5520)
[Address] SSDT[202] : NtOpenThreadToken @ 0x822262AD -> HOOKED (Unknown @ 0x88D9EF80)
[Address] SSDT[282] : NtResumeThread @ 0x82225B4A -> HOOKED (Unknown @ 0x88D97258)
[Address] SSDT[289] : NtSetContextThread @ 0x8229D06F -> HOOKED (Unknown @ 0x88D9EEC0)
[Address] SSDT[305] : NtSetInformationProcess @ 0x8221E8C8 -> HOOKED (Unknown @ 0x88DC4278)
[Address] SSDT[306] : NtSetInformationThread @ 0x822032AD -> HOOKED (Unknown @ 0x88D9EDF0)
[Address] SSDT[330] : NtSuspendProcess @ 0x8229D4FF -> HOOKED (Unknown @ 0x88D9E6B8)
[Address] SSDT[331] : NtSuspendThread @ 0x821A492B -> HOOKED (Unknown @ 0x88D9EC70)
[Address] SSDT[334] : NtTerminateProcess @ 0x821FB143 -> HOOKED (Unknown @ 0x88D95268)
[Address] SSDT[335] : NtTerminateThread @ 0x82226534 -> HOOKED (Unknown @ 0x88D9ED30)
[Address] SSDT[348] : NtUnmapViewOfSection @ 0x8221AB5D -> HOOKED (Unknown @ 0x88DC4560)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x8221792D -> HOOKED (Unknown @ 0x88DC8F38)
[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x853043D8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVS-60UST0 +++++
--- User ---
[MBR] adee83bc9d397ad0f83202d403e554ce
[BSP] 99099082f465035c874ad6c7205c49ca : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 226510 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 463892940 | Size: 11962 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD2500BEVS-60UST0 +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_07292013_181627.txt >>

RKreport_D_07292013_181850.txt:

RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Remove -- Date : 07/29/2013 18:18:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GenericUpdaterRefreshTask.job : C:\ProgramData\TheBflixUpdater\updater.exe - /profilepath "/profilepath" [-][-][-] -> DELETED
[V1][SUSP PATH] GenericUpdaterLogonTask.job : C:\ProgramData\TheBflixUpdater\updater.exe - /schedule /profilepath "/profilepath" [-][-][-] -> DELETED
[V1][SUSP PATH] DSite.job : C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED
[V2][SUSP PATH] DSite : C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x8229D5C3 -> HOOKED (Unknown @ 0x88D9EAA8)
[Address] SSDT[14] : NtAlertThread @ 0x82216255 -> HOOKED (Unknown @ 0x88D9EB68)
[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x822524FB -> HOOKED (Unknown @ 0x88DC87E8)
[Address] SSDT[21] : NtAlpcConnectPort @ 0x821F4887 -> HOOKED (Unknown @ 0x88BE6B60)
[Address] SSDT[67] : NtCreateMutant @ 0x8222A812 -> HOOKED (Unknown @ 0x88D9E858)
[Address] SSDT[78] : NtCreateThread @ 0x8229BBE0 -> HOOKED (Unknown @ 0x88DC8940)
[Address] SSDT[116] : NtDebugActiveProcess @ 0x8226ED22 -> HOOKED (Unknown @ 0x88D9E5D8)
[Address] SSDT[147] : NtFreeVirtualMemory @ 0x8208EF1D -> HOOKED (Unknown @ 0x88DC8E68)
[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x821C4F12 -> HOOKED (Unknown @ 0x88D9E928)
[Address] SSDT[158] : NtImpersonateThread @ 0x821DA54F -> HOOKED (Unknown @ 0x88D9E9E8)
[Address] SSDT[177] : NtMapViewOfSection @ 0x8221A89A -> HOOKED (Unknown @ 0x88DC8D88)
[Address] SSDT[184] : NtOpenEvent @ 0x82203DCF -> HOOKED (Unknown @ 0x88D9E798)
[Address] SSDT[195] : NtOpenProcessToken @ 0x8220BA2E -> HOOKED (Unknown @ 0x88D9C4A0)
[Address] SSDT[197] : NtOpenSection @ 0x8221B66D -> HOOKED (Unknown @ 0x84DA5520)
[Address] SSDT[202] : NtOpenThreadToken @ 0x822262AD -> HOOKED (Unknown @ 0x88D9EF80)
[Address] SSDT[282] : NtResumeThread @ 0x82225B4A -> HOOKED (Unknown @ 0x88D97258)
[Address] SSDT[289] : NtSetContextThread @ 0x8229D06F -> HOOKED (Unknown @ 0x88D9EEC0)
[Address] SSDT[305] : NtSetInformationProcess @ 0x8221E8C8 -> HOOKED (Unknown @ 0x88DC4278)
[Address] SSDT[306] : NtSetInformationThread @ 0x822032AD -> HOOKED (Unknown @ 0x88D9EDF0)
[Address] SSDT[330] : NtSuspendProcess @ 0x8229D4FF -> HOOKED (Unknown @ 0x88D9E6B8)
[Address] SSDT[331] : NtSuspendThread @ 0x821A492B -> HOOKED (Unknown @ 0x88D9EC70)
[Address] SSDT[334] : NtTerminateProcess @ 0x821FB143 -> HOOKED (Unknown @ 0x88D95268)
[Address] SSDT[335] : NtTerminateThread @ 0x82226534 -> HOOKED (Unknown @ 0x88D9ED30)
[Address] SSDT[348] : NtUnmapViewOfSection @ 0x8221AB5D -> HOOKED (Unknown @ 0x88DC4560)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x8221792D -> HOOKED (Unknown @ 0x88DC8F38)
[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x853043D8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVS-60UST0 +++++
--- User ---
[MBR] adee83bc9d397ad0f83202d403e554ce
[BSP] 99099082f465035c874ad6c7205c49ca : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 226510 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 463892940 | Size: 11962 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD2500BEVS-60UST0 +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_D_07292013_181850.txt >>
RKreport[0]_S_07292013_181627.txt

RKreport[0]_SC_07292013_181918.txt:

RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Shortcuts HJfix -- Date : 07/29/2013 18:19:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 9 / Fail 0
My documents: Success 1 / Fail 1
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 1 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 168 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume3 -- 0x2 --> Restored

¤¤¤ Infection :  ¤¤¤

Finished : << RKreport[0]_SC_07292013_181918.txt >>
RKreport[0]_D_07292013_181850.txt;RKreport[0]_S_07292013_181627.txt


Edited by Dominicana, 29 July 2013 - 05:25 PM.
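The three RogueKiller reports above share one text layout: section banners framed by ¤¤¤ with an optional count, and entries that end in an arrow followed by a status (FOUND, REPLACED, DELETED, HOOKED). The Python script below is an added example for this thread, not RogueKiller's own code and not something CatByte posted. It parses that layout, checks each banner count against the entries actually listed, and lines the Scan pass up against the Remove pass so that what was fixed and what was left in place stands out. The Finding and Report names are my own, and the two report excerpts are constructed inline sample input, trimmed from the logs in this post.

```python
"""Parse RogueKiller V8 text reports (the RKreport[0]_*.txt layout in this
thread) and compare a Scan pass with the Remove pass that followed it.
Added example, not part of RogueKiller; Finding/Report and both excerpts
below are constructed here (the excerpts are trimmed copies of the posted logs)."""
import re
from dataclasses import dataclass, field

# "¤¤¤ Registry Entries : 4 ¤¤¤", "¤¤¤ Driver : [LOADED] ¤¤¤", "¤¤¤ MBR Check: ¤¤¤"
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*(?::\s*(?P<count>\d+))?\s*¤¤¤$")
# "[V1][SUSP PATH] DSite.job : C:\...\UPDATE~1.EXE - /Check [x] -> FOUND"
ENTRY_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\]\s*)+)(?P<detail>.*?)\s*->\s*(?P<status>[A-Z]+)\b(?P<extra>.*)$")
MODE_RE = re.compile(r"^Mode\s*:\s*(?P<mode>.+?)\s*--")


@dataclass
class Finding:
    section: str
    tags: tuple
    detail: str
    status: str


@dataclass
class Report:
    mode: str = ""
    declared: dict = field(default_factory=dict)  # section -> count printed in its banner
    findings: list = field(default_factory=list)


def parse_report(text):
    """Walk the report line by line, remembering which ¤¤¤ section we are in."""
    report, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MODE_RE.match(line)
        if m:
            report.mode = m.group("mode")
            continue
        m = SECTION_RE.match(line)
        if m:
            # "Driver : [LOADED]" and "MBR Check:" carry no count; keep only the bare name
            section = m.group("name").split(":")[0].strip()
            if m.group("count") is not None:
                report.declared[section] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            tags = tuple(re.findall(r"\[([^\]]*)\]", m.group("tags")))
            report.findings.append(Finding(section, tags, m.group("detail"), m.group("status")))
    return report


def count_mismatches(report):
    """Sections whose banner count differs from the entries actually listed under it."""
    seen = {}
    for f in report.findings:
        seen[f.section] = seen.get(f.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in report.declared.items() if seen.get(s, 0) != n}


def unresolved(report):
    """Entries the pass reported but did not delete or replace (still FOUND, HOOKED, ...)."""
    return [f for f in report.findings if f.status not in ("DELETED", "REPLACED")]


def compare(scan, remove):
    """Status of every Scan entry in the Remove pass; 'GONE' if the Remove pass no longer lists it."""
    after = {f.detail: f.status for f in remove.findings}
    return {f.detail: after.get(f.detail, "GONE") for f in scan.findings}


# Constructed excerpts, trimmed from the Scan and Remove reports posted in this thread.
SCAN_REPORT = r"""RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
Mode : Scan -- Date : 07/29/2013 18:16:27
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] DSite.job : C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x8229D5C3 -> HOOKED (Unknown @ 0x88D9EAA8)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x8221792D -> HOOKED (Unknown @ 0x88DC8F38)
¤¤¤ MBR Check: ¤¤¤
[MBR] adee83bc9d397ad0f83202d403e554ce
"""

REMOVE_REPORT = r"""RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
Mode : Remove -- Date : 07/29/2013 18:18:50
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] DSite.job : C:\Users\user\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x8229D5C3 -> HOOKED (Unknown @ 0x88D9EAA8)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x8221792D -> HOOKED (Unknown @ 0x88DC8F38)
"""

if __name__ == "__main__":
    scan, remove = parse_report(SCAN_REPORT), parse_report(REMOVE_REPORT)
    for detail, status in compare(scan, remove).items():
        print(f"{status:9} {detail}")
    print("still present after Remove:", [f.detail for f in unresolved(remove)])
```

Run as a script it prints each Scan entry beside its Remove status. On the reports in this post the registry and scheduled-task entries come back REPLACED and DELETED while every SSDT entry is still HOOKED, which is exactly what unresolved() surfaces. A HOOKED entry attributed to "Unknown" is not on its own proof of a rootkit: kernel-mode security suites hook many of the same SSDT functions, and the file listing earlier in this thread shows a Norton Internet Security scan task on this machine, so the useful follow-up is to attribute each hook's target address to a loaded driver rather than to treat the list as something to remove.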


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 July 2013 - 06:05 PM

How is the computer running now? Are there any outstanding issues?


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:South Carolina

Posted 30 July 2013 - 07:24 PM

Besides my file folders still not opening the correct way, everything seems to be working correctly. Thank you very much for all your help, CatByte. Would you recommend me going back to the forum my original post was in to see if someone can help me with my problem?



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 July 2013 - 07:44 PM

Please post a screenshot of the error you get with your folders

(or describe in more detail)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 Dominicana

Dominicana
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:South Carolina

Posted 31 July 2013 - 10:35 AM

When I try to open a folder on my desktop, for example, my music folder, I get a 'C:/Users/user/Desktop/Music Application not found' error. I have to right-click, then select 'Open' to open it, and the sub-folders within that folder. Also, I cannot rename my files (error message says 'If you change a file name extension, the file may become unusable. Are you sure you want to change it?'). When I right-click, the first option in bold is 'compress files here'. The second option is (not in bold) 'compress here' and the third option is 'Open'.

A few months ago, I downloaded a software program TunesCleaner because I was having trouble with iTunes. But it wasn't what I thought it was and I deleted it- I noticed problems opening my desktop folders right after that. I tried to do a System Restore, but all the dates prior to that date had been erased, and not only that, the System Restore could never fully run- I always got an error message saying it wasn't successful, but that could've had to do with the malware problem you helped me fix.


Edited by Dominicana, 31 July 2013 - 10:35 AM.




