
Backdoor/Rootkit: ZeroAccess help


This topic is locked
35 replies to this topic

#1 White Rose
  • Members

Posted 09 August 2013 - 03:48 PM

After running MBAR as advised in this thread http://www.bleepingcomputer.com/forums/t/503686/infected-with-something-and-out-of-my-depth/, GodFatherKing advised me to follow the instructions in here and ask for more help. Most of my work files are on this computer; as usual, I've always intended to back them up and never got round to it. As things currently stand I can't work, so I would be very grateful for help! I don't think I've been anywhere dodgy to pick up a virus, my browsing is generally limited to camping information, Amazon and eBay, but my laptop is grinding to a halt.

 

The DDS file is below. Running DDS for the first time turned my screen blue, flashed up some message about a physical memory dump and crashed my laptop; the second time was fine though.

 

Thank you for your help and time!

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_37
Run by HPUSER at 21:19:40 on 2013-08-09
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.1903.1124 [GMT 1:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {18665805-C3D5-4A69-8B4A-71642F659DB2}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\DesktopAuthority\DaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\SLClient.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.Agent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.UserExperience.exe
C:\Program Files\DesktopAuthority\rmgui.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\COMMON~1\HEALTH~1\cvassist.exe
C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Sapro Systems WinCalendarV3\WinCalendarV3_SysTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\COMMON~1\HEALTH~1\hvced.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/news/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee DLP Internet Explorer Plugin: {4B988589-D11C-4762-806E-0E4A6EC5F76B} - c:\program files\mcafee\dlp\agent\fcplie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [WinCalendarV3] "c:\program files\sapro systems wincalendarv3\WinCalendarV3_SysTray.exe /q /c"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [DesktopAuthority User Experience] "c:\program files\scriptlogic\desktop authority\client files\8.08004.63486\cbm\ScriptLogic.CBM.UserExperience.exe"
mRun: [DA Remote Management GUI] "c:\program files\desktopauthority\rmgui.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [CVAssist] c:\progra~1\common~1\health~1\cvassist.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [QLBController] c:\program files\hewlett-packard\hp hotkey support\QLBController.exe /start
mRun: [WinCalendarV3] "c:\program files\sapro systems wincalendarv3\WinCalendarV3_SysTray.exe" /q /c
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [WinCalendarV3] "c:\program files\sapro systems wincalendarv3\WinCalendarV3_SysTray.exe" /q /c
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: HideLogonScripts = dword:0
mPolicies-System: MaxGPOScriptWait = dword:3600
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{D77926ED-9021-431F-BD72-F4F9062EABC7} : DHCPNameServer = 194.168.4.100 194.168.8.100
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Notify: FCAGWL - fcagwl.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hpuser\application data\mozilla\firefox\profiles\40jnxjpt.default-1374652594187\
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-07-24 07:27; {4ED1F68A-5463-4931-9384-8FFF5ED91D92}; c:\program files\mcafee\SiteAdvisor
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-17 343760]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 211560]
R1 fcdrv1;fcdrv1;c:\windows\system32\drivers\fcdrv1.sys [2010-1-14 67016]
R1 fcdrv5;fcdrv5;c:\windows\system32\drivers\fcdrv5.sys [2010-1-14 95176]
R1 MpKsl759c2f10;MpKsl759c2f10;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d63b0d5-c611-4b0d-84aa-8f878e50c340}\MpKsl759c2f10.sys [2013-8-9 29904]
R2 DAInfo;DAInfo;c:\program files\desktopauthority\DAinfo.sys [2010-9-17 12168]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\desktopauthority\DAMaint.exe [2010-9-17 63496]
R2 DAtf;DAtf;c:\program files\desktopauthority\DAtf.sys [2010-9-17 11144]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\desktopauthority\DesktopAuthority.exe [2010-9-17 1275912]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\displaylink core software\DisplayLinkManager.exe [2009-11-20 4715880]
R2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2012-5-3 101552]
R2 McAfeeDLPAgentService;McAfee DLP Agent Service;c:\program files\mcafee\dlp\agent\fcags.exe [2010-1-14 4224320]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-10 103744]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-9-17 70728]
R2 ScriptLogic CBM Service;ScriptLogic CBM Service;c:\program files\scriptlogic\desktop authority\client files\8.08004.63486\cbm\ScriptLogic.CBM.Agent.exe [2010-2-2 420352]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-11-26 1225312]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-11-26 659040]
R2 SLClient;ScriptLogic Service;c:\program files\scriptlogic\desktop authority\client files\8.08004.63486\SLClient.exe [2010-2-2 552288]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-9-17 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-11-10 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-11-10 36368]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-9-17 2320920]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-9-17 113664]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [2010-9-17 9352]
R3 DisplayLinkFilter;DisplayLinkFilter;c:\windows\system32\drivers\DisplayLinkFilter.sys [2009-11-20 7040]
R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [2009-11-20 24320]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-9-17 167080]
R3 fcdrv2;fcdrv2;c:\windows\system32\drivers\fcdrv2.sys [2010-1-14 114632]
R3 fcdrv3;fcdrv3;c:\windows\system32\drivers\fcdrv3.sys [2010-1-14 96072]
R3 fcdrv4;fcdrv4;c:\windows\system32\drivers\fcdrv4.sys [2010-9-17 22856]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-9-17 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-9-17 235520]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-9-17 48488]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2009-10-25 57600]
RUnknown MpKslf26f984f;MpKslf26f984f; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 GemSAFE Card Server;GemSAFE Card Server;c:\program files\gemalto\classic client\bin\GCardSrvNT.exe [2008-4-14 118784]
S3 GslShmSrvc ;GSL Share Memory;c:\program files\gemalto\classic client\bin\GslShmSrvc.exe [2007-10-19 57344]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-8-9 35144]
S3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-8-9 146648]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-11-10 652552]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== Created Last 30 ================
.
2013-08-09 20:09:10    29904    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d63b0d5-c611-4b0d-84aa-8f878e50c340}\MpKsl759c2f10.sys
2013-08-09 19:36:22    29904    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d63b0d5-c611-4b0d-84aa-8f878e50c340}\MpKslf26f984f.sys
2013-08-09 13:30:39    60872    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d63b0d5-c611-4b0d-84aa-8f878e50c340}\offreg.dll
2013-08-09 11:36:27    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-08-09 11:36:24    146648    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-08-09 11:35:12    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-08-09 11:08:26    7143960    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d63b0d5-c611-4b0d-84aa-8f878e50c340}\mpengine.dll
2013-08-09 07:08:27    7143960    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-08-07 23:35:30    --------    d-----w-    c:\documents and settings\hpuser\local settings\application data\Google
2013-08-07 20:56:35    --------    d-----w-    c:\documents and settings\hpuser\local settings\application data\Apple Computer
2013-08-07 20:50:52    --------    d-----w-    c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-08-07 20:48:50    --------    d-----w-    c:\documents and settings\hpuser\local settings\application data\Apple
2013-08-06 21:26:44    --------    d-----w-    c:\documents and settings\all users\application data\Sophos
2013-08-06 21:26:31    73728    ----a-r-    c:\documents and settings\hpuser\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-06 21:26:31    73728    ----a-r-    c:\documents and settings\hpuser\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-06 21:26:31    73728    ----a-r-    c:\documents and settings\hpuser\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2013-08-06 21:25:15    --------    d-----w-    c:\program files\Sophos
2013-08-05 06:43:08    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2013-08-05 06:43:08    --------    d-----w-    c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-08-05 06:40:59    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-08-05 06:31:15    --------    d-----w-    c:\program files\HitmanPro
2013-07-24 07:57:18    --------    d-----w-    c:\program files\ESET
2013-07-24 07:52:46    --------    d-----w-    c:\windows\ERUNT
2013-07-23 22:49:27    --------    d-----w-    c:\program files\CCleaner
2013-07-23 20:40:00    --------    d-----w-    c:\documents and settings\all users\application data\HitmanPro
2013-07-23 13:34:54    --------    d-----w-    c:\documents and settings\hpuser\application data\Malwarebytes
2013-07-23 13:34:39    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-07-23 13:34:37    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-23 13:34:37    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-23 13:24:35    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-07-23 13:15:06    --------    d-----w-    c:\windows\snack
2013-07-23 11:43:39    --------    d-----w-    c:\windows\system32\MpEngineStore
2013-07-23 11:41:44    --------    d-----w-    C:\a91048e17c5c1579e26e
2013-07-18 10:01:21    --------    d-----w-    c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-07-23 13:26:10    456320    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-06-18 20:50:08    211560    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-06-07 22:55:44    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56:06    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 21:21:30.70 ===============
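The SERVICES / DRIVERS section of the DDS log above is what a malware responder reads first when a rootkit is suspected, and it is easy to miss an entry among sixty lines. The following is an added example, not part of the DDS tool or of any post in this thread: a small Python triage helper that parses lines in that section's format and attaches review hints to each entry. It reads the leading letter as R = running / S = stopped and the digit as the Windows service start type, and treats DDS's "[x]" as "no file found on disk"; those are this helper's reading of the log format. The sample log is constructed to resemble the one posted above; the "exampledrv" entry and its path are placeholders. The hints are things to check by hand, not verdicts: the antimalware definition-update driver seen in the real log lives under a data folder legitimately, and the helper shows how such a known producer is excluded from the data-directory hint.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in DDS format, modelled on the log posted in the thread.
# "exampledrv" and its path are placeholders, not entries from the thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-17 343760]
R1 MpKsl759c2f10;MpKsl759c2f10;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d63b0d5-c611-4b0d-84aa-8f878e50c340}\MpKsl759c2f10.sys [2013-8-9 29904]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-11-10 230928]
R3 exampledrv;Example Driver;c:\documents and settings\hpuser\local settings\temp\exampledrv.sys [2013-8-8 12345]
RUnknown MpKslf26f984f;MpKslf26f984f; [x]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-11-10 652552]
.
============= FINISH: 21:21:30.70 ===============
"""

# One DDS entry: <R|S><start> name;display name;path [date size]  or  ... ; [x]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d|Unknown)\s+"        # R = running, S = stopped
    r"(?P<name>[^;]+);(?P<display>[^;]*);"             # service name; display name;
    r"(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]\s*$"    # path [date size] or [x]
)

FLAG_MISSING = "running entry with no file found on disk"
FLAG_UNKNOWN_START = "unknown start type"
FLAG_DATA_DIR = "driver loaded from a user-data or temp directory"

# Path fragments (lower-cased) that mark user-writable data locations.
DATA_DIR_MARKERS = ("\\documents and settings\\", "\\application data\\",
                    "\\local settings\\", "\\temp\\")
# Producers known to place drivers under a data folder; the antimalware
# definition-update folder seen in the thread's log is one such place.
EXPECTED_DATA_DIR_PRODUCERS = ("\\microsoft antimalware\\definition updates\\",)


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start: str          # Windows start type "0".."4", or "Unknown"
    name: str
    display: str
    path: str           # empty when DDS printed no path
    present: bool       # False when DDS printed "[x]" (file not found)
    flags: list = field(default_factory=list)


def parse_section(text):
    """Return one ServiceEntry per matching line; headers and '.' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(ServiceEntry(
            state=m["state"], start=m["start"], name=m["name"].strip(),
            display=m["display"].strip(), path=m["path"].strip(),
            present=m["meta"].strip().lower() != "x",
        ))
    return entries


def triage(entry):
    """Attach review hints to one entry and return them."""
    flags = []
    if entry.state == "R" and not entry.present:
        flags.append(FLAG_MISSING)
    if entry.start == "Unknown":
        flags.append(FLAG_UNKNOWN_START)
    p = entry.path.lower()
    if (p.endswith(".sys") and any(mk in p for mk in DATA_DIR_MARKERS)
            and not any(ok in p for ok in EXPECTED_DATA_DIR_PRODUCERS)):
        flags.append(FLAG_DATA_DIR)
    entry.flags = flags
    return flags


def parse_and_triage(text):
    entries = parse_section(text)
    for e in entries:
        triage(e)
    return entries


def summarize(entries):
    """Counts a responder wants at a glance."""
    return {
        "running": sum(e.state == "R" for e in entries),
        "stopped": sum(e.state == "S" for e in entries),
        "flagged": sum(bool(e.flags) for e in entries),
    }


if __name__ == "__main__":
    triaged = parse_and_triage(SAMPLE_LOG)
    for e in triaged:
        mark = ("  <- " + "; ".join(e.flags)) if e.flags else ""
        print(f"{e.state}{e.start:<8} {e.name:<16} {e.path or '(no path)'}{mark}")
    print(summarize(triaged))
```

Run against a saved DDS log by reading the file into `parse_and_triage` instead of `SAMPLE_LOG`. The two hints the helper raises on the sample (a running entry with no file on disk and an unknown start type, both on the same line) are exactly the kind of line a responder asks about rather than acts on: here the name matches the antimalware product's own transient definition-update driver, so the next step is confirming that with the vendor paths in the log, not deleting anything.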
 

 


#2 CatByte
    bleepin' tiger
  • Malware Response Team

Posted 09 August 2013 - 05:05 PM

Hello,

Sometimes ripping out malware can cause issues, so you are advised to create a new restore point and back up data, as an infected restore point and files are better than none at all.

Please re-run MBAR and this time allow it to clean what it has found.

Test your Windows updates, firewall, Defender, Action Center etc.; if they are not running, be sure to run the fixdamage.exe tool, which can be found in the mbar\plugins folder.

Once that is completed, please run the following:


Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: CF_RC_notice.png]
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: cfRC_screen_2.png]
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 White Rose
  • Topic Starter

Posted 10 August 2013 - 05:40 PM

Thank you for your help.

 

I did as you instructed but I think Combofix gave up... I clicked Yes to continue searching for Malware, that was over an hour ago and nothing seems to be happening, I can't see it running in TaskManager, and Search can't find any relevant .txt files. 



#4 CatByte
    bleepin' tiger
  • Malware Response Team

Posted 10 August 2013 - 06:06 PM

Please try running it in safe mode with networking:

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode with Networking
  • Then press the Enter key on your keyboard
  • Go into your usual account



#5 White Rose
  • Topic Starter

Posted 10 August 2013 - 07:26 PM

Hi CatByte, I've just finished running it in Safe Mode with Networking. It said I had a rootkit in the TCP/IP stack, went through fifty steps to fix it and did lots of rebooting, but the log file it created in Notepad is completely empty...



#6 CatByte
    bleepin' tiger
  • Malware Response Team

Posted 11 August 2013 - 06:16 AM

That's interesting; it must have had quite a fight with the rootkit.

Please run MBAR again, so we can see if there is anything remaining,

then post the new log.



#7 White Rose
  • Topic Starter

Posted 11 August 2013 - 03:55 PM

Thank you Cat (yet again!). MBAR took a couple of attempts to run; it crashed my computer a couple of times, but finally ran through perfectly smoothly, though it seemed to finish a bit abruptly: it fired up a couple of messages too fast to read and closed itself down. My fingers are cautiously crossed that the logs look OK though...?

 

Malwarebytes Anti-Rootkit BETA 1.06.1.1005
www.malwarebytes.org

Database version: v2013.08.07.08

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
HPUSER :: 6550-03525 [administrator]

11/08/2013 20:34:15
mbar-log-2013-08-11 (20-34-15).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 258825
Time elapsed: 1 hour(s), 11 minute(s), 11 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

OK, how do I attach the system log, have I completely failed to see an obvious button?!  Or shall I C&P it?



#8 CatByte
    bleepin' tiger
  • Malware Response Team

Posted 11 August 2013 - 06:03 PM

Hit the "more reply Options" button at the bottom of the reply window and that will open a bigger window with the attachment option, or you can copy/paste it.

How is the computer running now?



#9 White Rose
  • Topic Starter

Posted 11 August 2013 - 06:38 PM

Weellll, the computer is not exactly running well... It's just taken 9 minutes from turn-on to log-in, a further 5 minutes from log-in to the desktop being populated (during part of which time I had a cmd.exe box perched on the screen), then after another five minutes waiting for IE to load I've just resorted to using my phone! Part of the problem may be that Spybot Search and Destroy is flashing up with various messages: "Spybot Search and Destroy has detected an important registry entry that has been changed"...

Thank you, will try More Reply options tomorrow morning and post the second half of the files (am falling asleep at the keyboard!).

#10 CatByte
    bleepin' tiger
  • Malware Response Team

Posted 11 August 2013 - 07:27 PM

Yes, TeaTimer would likely have accounted for that behaviour.

Make sure it is disabled before running any other scans we may have to run.

Please run the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#11 White Rose
  • Topic Starter

Posted 12 August 2013 - 03:45 PM

At least I now know I have a 32-bit computer :-) The computer will currently only run in Safe Mode with Networking, but I've just uninstalled some of the antivirus stuff I'd put onto it last week, so maybe that will help.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-08-2013
Ran by HPUSER (administrator) on 12-08-2013 21:36:17
Running from C:\Documents and Settings\HPUSER\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcags.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcagswd.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [DesktopAuthority User Experience] - C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.UserExperience.exe [137216 2010-02-02] (ScriptLogic Software Corporation)
HKLM\...\Run: [DA Remote Management GUI] - C:\Program Files\DesktopAuthority\rmgui.exe [309256 2009-11-24] (ScriptLogic Corporation)
HKLM\...\Run: [OfficeScanNT Monitor] - C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [746792 2009-04-16] (Trend Micro Inc.)
HKLM\...\Run: [McAfeeUpdaterUI] - C:\Program Files\McAfee\Common Framework\udaterui.exe [136512 2009-03-10] (McAfee, Inc.)
HKLM\...\Run: [CVAssist] - C:\PROGRA~1\COMMON~1\HEALTH~1\cvassist.exe [110592 2008-02-26] (iSOFT Group plc)
HKLM\...\Run: [snp2uvc] - C:\WINDOWS\system32\csnp2uvc.dll [211840 2010-01-18] ( )
HKLM\...\Run: [QLBController] - C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe [256056 2010-03-01] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
Winlogon\Notify\FCAGWL: fcagwl.dll (McAfee Inc.)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news/
URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - DefaultScope {7727DD2B-4191-460A-B6AF-31E3E9F1B4CD} URL = http://www.google.co.uk/search?hl=en&source=hp&q={searchTerms}&aq=f&aqi=&aql=&oq=
SearchScopes: HKCU - {7727DD2B-4191-460A-B6AF-31E3E9F1B4CD} URL = http://www.google.co.uk/search?hl=en&source=hp&q={searchTerms}&aq=f&aqi=&aql=&oq=
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?fr=mcafee&p={searchTerms}
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: McAfee DLP Internet Explorer Plugin - {4B988589-D11C-4762-806E-0E4A6EC5F76B} - C:\Program Files\McAfee\DLP\Agent\fcplie.dll (McAfee Inc.)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

FireFox:
========
FF ProfilePath: C:\Documents and Settings\HPUSER\Application Data\Mozilla\Firefox\Profiles\40jnxjpt.default
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_37 - C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/SAFFPlugin - C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] C:\Program Files\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files\McAfee\SiteAdvisor
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff

========================== Services (Whitelisted) =================

S3 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
S2 DAMaint; C:\Program Files\DesktopAuthority\DaMaint.exe [63496 2009-11-24] (ScriptLogic Corporation)
S2 DesktopAuthority; C:\Program Files\DesktopAuthority\DesktopAuthority.exe [1275912 2009-11-24] (ScriptLogic Corporation)
S2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [4715880 2009-11-20] (DisplayLink Corp.)
S3 GemSAFE Card Server; C:\Program Files\Gemalto\Classic Client\BIN\GCardSrvNT.exe [118784 2008-04-14] (Gemplus)
S3 GslShmSrvc ; C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe [57344 2007-10-19] (Gemalto)
S2 hpHotkeyMonitor; C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [264248 2010-03-01] (Hewlett-Packard Company)
S2 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [101552 2013-05-22] (McAfee, Inc.)
R2 McAfeeDLPAgentService; C:\Program Files\McAfee\DLP\Agent\fcags.exe [4224320 2010-01-14] (McAfee Inc.)
S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2009-03-10] (McAfee, Inc.)
S2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [70728 2009-09-02] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] (Microsoft Corporation)
S2 MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [28768528 2005-10-14] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45272 2005-10-14] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2799808 2005-09-23] (Microsoft Corporation)
S2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1332520 2009-04-15] (Trend Micro Inc.)
S2 ScriptLogic CBM Service; C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.Agent.exe [420352 2010-02-02] (ScriptLogic Software Corporation)
S2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1225312 2012-11-26] (Secunia)
S2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [659040 2012-11-26] (Secunia)
S2 SLClient; C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\SLClient.exe [552288 2010-02-02] (ScriptLogic Software Corporation)
S3 SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [318680 2005-10-14] (Microsoft Corporation)
S2 STacSV; c:\program files\idt\wdm\STacSV.exe [229458 2010-03-17] (IDT, Inc.)
S3 TMBMServer; C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe [341256 2009-03-12] (Trend Micro Inc.)
S2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1246848 2009-04-21] (Trend Micro Inc.)
S3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [652552 2009-02-23] (Trend Micro Inc.)
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
S2 msftesql; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER [x]

==================== Drivers (Whitelisted) ====================

S3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-04-21] (Andrea Electronics Corporation)
S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [991264 2009-12-03] (Broadcom Corporation.)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [45984 2009-12-03] (Broadcom Corporation.)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
S2 DAInfo; C:\Program Files\DesktopAuthority\DAInfo.sys [12168 2009-11-24] (ScriptLogic Corporation)
S3 DAmirr; C:\Windows\System32\DRIVERS\DAmirr.sys [9352 2009-11-24] (ScriptLogic Corporation)
S2 DAtf; C:\Program Files\DesktopAuthority\DAtf.sys [11144 2009-11-24] (ScriptLogic Corporation)
S3 DisplayLinkFilter; C:\Windows\System32\DRIVERS\DisplayLinkFilter.sys [7040 2009-11-20] (DisplayLink Corp.)
S3 DisplayLinkmirror; C:\Windows\System32\DRIVERS\DisplayLinkmirrorport.sys [24320 2009-11-20] (DisplayLink Corp.)
S4 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [167080 2009-12-10] (Intel Corporation)
S1 fcdrv1; C:\Windows\System32\drivers\fcdrv1.sys [67016 2010-01-14] (McAfee Inc.)
S3 fcdrv2; C:\Windows\System32\drivers\fcdrv2.sys [114632 2010-01-14] ()
S3 fcdrv3; C:\Windows\System32\drivers\fcdrv3.sys [96072 2010-01-14] ()
R3 fcdrv4; C:\Windows\System32\drivers\fcdrv4.sys [22856 2010-01-14] (McAfee Inc.)
S1 fcdrv5; C:\Windows\System32\drivers\fcdrv5.sys [95176 2010-01-14] (McAfee Inc.)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider)
R3 IFXTPM; C:\Windows\System32\DRIVERS\IFXTPM.SYS [44800 2008-07-23] (Infineon Technologies AG)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [343760 2009-09-02] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [48488 2009-09-02] (McAfee, Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-14] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R3 NETw5x32; C:\Windows\System32\DRIVERS\NETw5x32.sys [6601216 2010-04-05] (Intel Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
S3 SCR3XX2K; C:\Windows\System32\DRIVERS\SCR3XX2K.sys [57600 2009-10-25] (SCM Microsystems Inc.)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-14] (Microsoft Corporation)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1763968 2010-01-18] ()
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1659283 2010-03-17] (IDT, Inc.)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-14] (Microsoft Corporation)
S2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [59472 2010-07-19] (Trend Micro Inc.)
S2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [163408 2010-07-19] (Trend Micro Inc.)
S2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [51792 2010-07-19] (Trend Micro Inc.)
S2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [230928 2009-12-04] (Trend Micro Inc.)
S2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36368 2009-12-04] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [78352 2009-02-23] (Trend Micro Inc.)
S2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1322680 2009-12-04] (Trend Micro Inc.)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-14] (Microsoft Corporation)
S3 catchme; \??\C:\DOCUME~1\HPUSER\LOCALS~1\Temp\catchme.sys [x]
U2 CertPropSvc;
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-12 21:33 - 2013-08-12 21:34 - 01068631 _____ (Farbar) C:\Documents and Settings\HPUSER\Desktop\FRST.exe
2013-08-11 01:20 - 2013-08-11 01:20 - 00021187 _____ C:\ComboFix.txt
2013-08-11 00:12 - 2013-08-11 00:12 - 05102523 ____R (Swearware) C:\Documents and Settings\HPUSER\Desktop\ComboFix.exe
2013-08-10 22:37 - 2013-08-10 22:37 - 00000000 _RSHD C:\cmdcons
2013-08-10 22:37 - 2011-02-14 11:29 - 00000211 _____ C:\Boot.bak
2013-08-10 22:37 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2013-08-10 22:34 - 2011-06-26 07:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-08-10 22:34 - 2010-11-07 18:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-08-10 22:34 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-08-10 22:34 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-08-10 22:34 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-08-10 22:34 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-08-10 22:34 - 2000-08-31 01:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-08-10 22:34 - 2000-08-31 01:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-08-10 22:34 - 2000-08-31 01:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-08-10 22:06 - 2013-08-11 01:20 - 00000000 ____D C:\Qoobox
2013-08-10 22:05 - 2013-08-11 01:16 - 00000000 ____D C:\WINDOWS\erdnt
2013-08-10 08:44 - 2013-08-12 00:11 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\mbar
2013-08-09 21:21 - 2013-08-09 21:21 - 00035505 _____ C:\Documents and Settings\HPUSER\Desktop\attach.txt
2013-08-09 21:21 - 2013-08-09 21:21 - 00018502 _____ C:\Documents and Settings\HPUSER\Desktop\dds.txt
2013-08-09 21:02 - 2013-08-10 22:04 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\fix computer
2013-08-09 12:36 - 2013-08-11 23:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-08-09 12:24 - 2013-08-11 20:01 - 00006835 _____ C:\WINDOWS\setupapi.log
2013-08-08 00:50 - 2013-08-08 00:50 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Apple Computer
2013-08-08 00:35 - 2013-08-08 00:35 - 00000000 ____D C:\Documents and Settings\HPUSER\Local Settings\Application Data\Google
2013-08-07 21:56 - 2013-08-07 22:10 - 00000000 ____D C:\Documents and Settings\HPUSER\Application Data\Apple Computer
2013-08-07 21:56 - 2013-08-07 21:56 - 00000000 ____D C:\Documents and Settings\HPUSER\Local Settings\Application Data\Apple Computer
2013-08-07 21:50 - 2013-08-09 08:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple Computer
2013-08-07 21:50 - 2013-08-09 08:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-08-07 21:48 - 2013-08-07 21:48 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Apple Computer
2013-08-07 21:48 - 2013-08-07 21:48 - 00000000 ____D C:\Documents and Settings\HPUSER\Local Settings\Application Data\Apple
2013-08-07 21:44 - 2013-08-09 09:11 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple
2013-08-07 21:37 - 2013-08-07 21:38 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\itunes
2013-08-06 22:26 - 2013-08-07 11:08 - 00002563 _____ C:\Documents and Settings\HPUSER\Desktop\Sophos Virus Removal Tool.lnk
2013-08-06 22:26 - 2013-08-06 22:26 - 00000000 ____D C:\Documents and Settings\HPUSER\Start Menu\Programs\Sophos
2013-08-06 22:26 - 2013-08-06 22:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sophos
2013-08-06 22:25 - 2013-08-06 22:25 - 00000000 ____D C:\Program Files\Sophos
2013-08-05 07:43 - 2013-08-12 21:20 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2013-08-05 07:43 - 2013-08-12 21:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2013-08-05 07:40 - 2013-08-05 07:40 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2013-08-05 07:31 - 2013-08-05 07:31 - 00000000 ____D C:\Program Files\HitmanPro
2013-07-24 11:09 - 2013-08-12 08:48 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-07-24 11:09 - 2013-08-12 07:04 - 00000157 _____ C:\WINDOWS\wiadebug.log
2013-07-24 11:09 - 2013-08-12 00:41 - 00021448 _____ C:\WINDOWS\SchedLgU.Txt
2013-07-24 11:09 - 2013-07-24 11:09 - 00000000 ____N C:\WINDOWS\Sti_Trace.log
2013-07-24 08:59 - 2013-08-12 21:17 - 00320259 _____ C:\WINDOWS\WindowsUpdate.log
2013-07-24 08:57 - 2013-07-24 08:57 - 00000000 ____D C:\Program Files\ESET
2013-07-24 08:56 - 2013-07-24 08:56 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\Old Firefox Data
2013-07-24 08:52 - 2013-07-24 08:52 - 00000000 ____D C:\WINDOWS\ERUNT
2013-07-24 08:45 - 2013-07-24 08:45 - 00000985 _____ C:\AdwCleaner[S1].txt
2013-07-24 08:44 - 2013-07-24 08:45 - 00000926 _____ C:\AdwCleaner[R2].txt
2013-07-24 08:44 - 2013-07-24 08:44 - 00000867 _____ C:\AdwCleaner[R1].txt
2013-07-23 21:45 - 2013-07-23 21:45 - 00000656 _____ C:\WINDOWS\system32\.crusader
2013-07-23 21:40 - 2013-07-23 21:46 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-07-23 14:34 - 2013-07-23 14:34 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-23 14:34 - 2013-07-23 14:34 - 00000000 ____D C:\Documents and Settings\HPUSER\Application Data\Malwarebytes
2013-07-23 14:34 - 2013-07-23 14:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-07-23 14:34 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-07-23 14:24 - 2013-07-23 14:24 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-07-23 14:15 - 2013-07-23 14:15 - 00000000 ____D C:\WINDOWS\snack
2013-07-23 12:43 - 2013-07-23 14:25 - 00000000 ____D C:\WINDOWS\system32\MpEngineStore
2013-07-23 12:41 - 2013-07-23 12:41 - 20874888 _____ (Microsoft Corporation) C:\Documents and Settings\HPUSER\Desktop\Windows-KB890830-V5.2.exe
2013-07-23 12:41 - 2013-07-23 12:41 - 00000000 ____D C:\a91048e17c5c1579e26e
2013-07-23 11:07 - 2013-07-23 11:07 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
2013-07-23 11:07 - 2013-07-23 11:07 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
2013-07-23 11:03 - 2013-07-23 11:03 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\hpqLog
2013-07-22 21:39 - 2013-08-12 21:25 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-07-22 21:39 - 2013-07-22 21:39 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2013-07-22 21:39 - 2013-07-22 21:39 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-07-22 21:39 - 2013-07-22 21:39 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-07-18 11:39 - 2013-08-12 21:26 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-07-18 11:01 - 2013-07-18 11:05 - 00000000 ____D C:\WINDOWS\system32\MRT

==================== One Month Modified Files and Folders =======

2013-08-12 21:35 - 2013-08-12 21:35 - 00000000 ____D C:\FRST
2013-08-12 21:34 - 2013-08-12 21:33 - 01068631 _____ (Farbar) C:\Documents and Settings\HPUSER\Desktop\FRST.exe
2013-08-12 21:26 - 2013-07-18 11:39 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-08-12 21:25 - 2013-07-22 21:39 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-08-12 21:20 - 2013-08-05 07:43 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2013-08-12 21:20 - 2013-08-05 07:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2013-08-12 21:17 - 2013-07-24 08:59 - 00320259 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-12 21:15 - 2008-04-14 13:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-08-12 08:48 - 2013-07-24 11:09 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-08-12 08:48 - 2010-09-16 12:33 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-12 07:04 - 2013-07-24 11:09 - 00000157 _____ C:\WINDOWS\wiadebug.log
2013-08-12 00:41 - 2013-07-24 11:09 - 00021448 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-12 00:40 - 2011-02-14 13:12 - 00000278 ___SH C:\Documents and Settings\HPUSER\ntuser.ini
2013-08-12 00:17 - 2010-09-17 11:20 - 00000000 ____D C:\Program Files\DesktopAuthority
2013-08-12 00:11 - 2013-08-10 08:44 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\mbar
2013-08-11 23:05 - 2013-08-09 12:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-08-11 20:01 - 2013-08-09 12:24 - 00006835 _____ C:\WINDOWS\setupapi.log
2013-08-11 01:20 - 2013-08-11 01:20 - 00021187 _____ C:\ComboFix.txt
2013-08-11 01:20 - 2013-08-10 22:06 - 00000000 ____D C:\Qoobox
2013-08-11 01:16 - 2013-08-10 22:05 - 00000000 ____D C:\WINDOWS\erdnt
2013-08-11 01:15 - 2008-04-14 13:00 - 00000227 _____ C:\WINDOWS\system.ini
2013-08-11 00:12 - 2013-08-11 00:12 - 05102523 ____R (Swearware) C:\Documents and Settings\HPUSER\Desktop\ComboFix.exe
2013-08-10 22:37 - 2013-08-10 22:37 - 00000000 _RSHD C:\cmdcons
2013-08-10 22:37 - 2010-09-16 12:32 - 00000327 __RSH C:\boot.ini
2013-08-10 22:04 - 2013-08-09 21:02 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\fix computer
2013-08-10 10:52 - 2010-09-16 12:25 - 00000000 ___DC C:\WINDOWS\$NtUninstallKB64746$
2013-08-10 07:16 - 2013-06-13 11:55 - 00029696 ___SH C:\Documents and Settings\HPUSER\My Documents\Thumbs.db
2013-08-09 21:21 - 2013-08-09 21:21 - 00035505 _____ C:\Documents and Settings\HPUSER\Desktop\attach.txt
2013-08-09 21:21 - 2013-08-09 21:21 - 00018502 _____ C:\Documents and Settings\HPUSER\Desktop\dds.txt
2013-08-09 12:32 - 2011-05-02 21:09 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\Caravan things
2013-08-09 09:11 - 2013-08-07 21:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple
2013-08-09 08:05 - 2013-08-07 21:50 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple Computer
2013-08-09 08:05 - 2013-08-07 21:50 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-08-08 00:50 - 2013-08-08 00:50 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Apple Computer
2013-08-08 00:35 - 2013-08-08 00:35 - 00000000 ____D C:\Documents and Settings\HPUSER\Local Settings\Application Data\Google
2013-08-07 22:10 - 2013-08-07 21:56 - 00000000 ____D C:\Documents and Settings\HPUSER\Application Data\Apple Computer
2013-08-07 21:56 - 2013-08-07 21:56 - 00000000 ____D C:\Documents and Settings\HPUSER\Local Settings\Application Data\Apple Computer
2013-08-07 21:48 - 2013-08-07 21:48 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Apple Computer
2013-08-07 21:48 - 2013-08-07 21:48 - 00000000 ____D C:\Documents and Settings\HPUSER\Local Settings\Application Data\Apple
2013-08-07 21:38 - 2013-08-07 21:37 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\itunes
2013-08-07 11:08 - 2013-08-06 22:26 - 00002563 _____ C:\Documents and Settings\HPUSER\Desktop\Sophos Virus Removal Tool.lnk
2013-08-06 22:26 - 2013-08-06 22:26 - 00000000 ____D C:\Documents and Settings\HPUSER\Start Menu\Programs\Sophos
2013-08-06 22:26 - 2013-08-06 22:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sophos
2013-08-06 22:25 - 2013-08-06 22:25 - 00000000 ____D C:\Program Files\Sophos
2013-08-05 07:40 - 2013-08-05 07:40 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2013-08-05 07:31 - 2013-08-05 07:31 - 00000000 ____D C:\Program Files\HitmanPro
2013-07-24 11:09 - 2013-07-24 11:09 - 00000000 ____N C:\WINDOWS\Sti_Trace.log
2013-07-24 08:57 - 2013-07-24 08:57 - 00000000 ____D C:\Program Files\ESET
2013-07-24 08:56 - 2013-07-24 08:56 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\Old Firefox Data
2013-07-24 08:52 - 2013-07-24 08:52 - 00000000 ____D C:\WINDOWS\ERUNT
2013-07-24 08:45 - 2013-07-24 08:45 - 00000985 _____ C:\AdwCleaner[S1].txt
2013-07-24 08:45 - 2013-07-24 08:44 - 00000926 _____ C:\AdwCleaner[R2].txt
2013-07-24 08:44 - 2013-07-24 08:44 - 00000867 _____ C:\AdwCleaner[R1].txt
2013-07-23 21:46 - 2013-07-23 21:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-07-23 21:45 - 2013-07-23 21:45 - 00000656 _____ C:\WINDOWS\system32\.crusader
2013-07-23 15:34 - 2011-03-26 00:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB952287$
2013-07-23 14:34 - 2013-07-23 14:34 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-23 14:34 - 2013-07-23 14:34 - 00000000 ____D C:\Documents and Settings\HPUSER\Application Data\Malwarebytes
2013-07-23 14:34 - 2013-07-23 14:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-07-23 14:26 - 2008-04-14 13:00 - 00456320 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2013-07-23 14:25 - 2013-07-23 12:43 - 00000000 ____D C:\WINDOWS\system32\MpEngineStore
2013-07-23 14:24 - 2013-07-23 14:24 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-07-23 14:15 - 2013-07-23 14:15 - 00000000 ____D C:\WINDOWS\snack
2013-07-23 14:06 - 2012-07-14 22:47 - 00001954 _____ C:\WINDOWS\epplauncher.mif
2013-07-23 12:46 - 2012-07-14 22:42 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\ms sec essentials
2013-07-23 12:41 - 2013-07-23 12:41 - 20874888 _____ (Microsoft Corporation) C:\Documents and Settings\HPUSER\Desktop\Windows-KB890830-V5.2.exe
2013-07-23 12:41 - 2013-07-23 12:41 - 00000000 ____D C:\a91048e17c5c1579e26e
2013-07-23 11:14 - 2010-09-16 12:33 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-07-23 11:07 - 2013-07-23 11:07 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
2013-07-23 11:07 - 2013-07-23 11:07 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
2013-07-23 11:03 - 2013-07-23 11:03 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\hpqLog
2013-07-22 21:46 - 2010-09-16 12:33 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-07-22 21:39 - 2013-07-22 21:39 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2013-07-22 21:39 - 2013-07-22 21:39 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-07-22 21:39 - 2013-07-22 21:39 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-07-18 15:28 - 2013-01-31 14:11 - 00000000 ____D C:\Documents and Settings\HPUSER\Desktop\Ongoing collated comments
2013-07-18 11:29 - 2012-06-17 22:32 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-07-18 11:05 - 2013-07-18 11:01 - 00000000 ____D C:\WINDOWS\system32\MRT

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:15 PM

Posted 12 August 2013 - 06:35 PM

Hello White Rose

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
Save it on your desktop as fixlist.txt

(if you saved FRST to a different folder and not your desktop originally, then save fixlist.txt to the same location as FRST was saved)


start
Folder: C:\WINDOWS\$NtUninstallKB64746$
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt) please attach that log to your reply.

Note: FixList.txt and FRST must be saved to the same location or the fix will not work

Reboot Normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 White Rose

White Rose
  • Topic Starter

  • Members
  • 28 posts
  • Local time:03:15 AM

Posted 12 August 2013 - 07:10 PM

I'm pretty sure I followed the instructions correctly, but I have an AutoIt Error, Line 11239, Array Variable Incorrect Number of Subscripts or Subscript Dimension Range Exceeded. What have I done wrong?!



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:15 PM

Posted 12 August 2013 - 07:35 PM

Please try the following:

Please download a copy of swxcacls.exe and save it to your desktop.

Now copy SWXCACLS.EXE into your C:\windows\system32 folder.

Once you have that, continue with the next steps.

Click Start > All Programs > Accessories, right click on Command Prompt and select "Run as administrator".

Copy/paste the following text at the command prompt and press enter after each line:

cd c:\windows\system32

swxcacls "C:\WINDOWS\$NtUninstallKB64746$" /reset /q

fsutil reparsepoint delete C:\WINDOWS\$NtUninstallKB64746$

rd /s /q C:\WINDOWS\$NtUninstallKB64746$

Please reboot your computer and re-run ComboFix.

Let me know if it mentions ZeroAccess in the TCP/IP stack again.

Post the fresh log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
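The folder CatByte targets in the fixlist (#12) and the command-line cleanup (#14), C:\WINDOWS\$NtUninstallKB64746$, appears in the FRST "Modified" section above as a compressed, non-hidden directory with a five-digit KB number, while the genuine hotfix folder C:\WINDOWS\$NtUninstallKB952287$ is hidden and six-digit. As an added example (not part of this thread and not FRST's own code), the script below parses FRST file lines of that format and flags $NtUninstallKB...$ folders that deviate from the genuine one; the two heuristics (hidden attribute present, six-digit KB number) are assumptions drawn from that comparison, not rules published by the tool author.

```python
"""Flag suspicious $NtUninstallKB...$ folders in FRST file-listing lines.

Added example, not FRST's or the forum helper's code.  The heuristics are
assumptions taken from the contrast between the two $NtUninstall folders in
the log above (the fake one is not hidden and has a 5-digit KB number).
"""
import re
from dataclasses import dataclass

# One FRST file line: <date1> - <date2> - <size> <attrs> [(company)] <path>
# In the "Modified" section date1 is the modification time and date2 the
# creation time; in the "Created" section the order is the other way round.
_LINE_RE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+?)\s*$"
)
# Matches a path whose last component is $NtUninstallKB<digits>$
_UNINSTALL_RE = re.compile(r"\\\$NtUninstallKB(?P<kb>\d+)\$$", re.IGNORECASE)


@dataclass
class Entry:
    first_time: str
    second_time: str
    size: int
    attrs: frozenset  # attribute letters (R, S, H, D, C, N); '_' is padding
    company: str
    path: str


def parse_line(line: str):
    """Parse one FRST file line; return None for headers and other text."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["d1"], m["d2"], int(m["size"]),
                 frozenset(m["attrs"].replace("_", "")),
                 m["company"] or "", m["path"])


def suspicious_uninstall_folders(log_text: str):
    """Return [(path, [reasons])] for $NtUninstallKB...$ dirs that look fake."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or "D" not in e.attrs:      # only directories matter
            continue
        m = _UNINSTALL_RE.search(e.path)
        if not m:
            continue
        reasons = []
        # Assumption: a genuine XP hotfix uninstall folder carries the
        # hidden attribute (the real one in the log shows as __HDC).
        if "H" not in e.attrs:
            reasons.append("not hidden")
        # Assumption: XP-era KB article numbers have six digits.
        if len(m["kb"]) != 6:
            reasons.append(f"KB number has {len(m['kb'])} digits")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Constructed sample: three lines copied from the Modified section above.
SAMPLE = """\
2013-08-10 10:52 - 2010-09-16 12:25 - 00000000 ___DC C:\\WINDOWS\\$NtUninstallKB64746$
2013-07-23 15:34 - 2011-03-26 00:59 - 00000000 __HDC C:\\WINDOWS\\$NtUninstallKB952287$
2013-08-12 21:34 - 2013-08-12 21:33 - 01068631 _____ (Farbar) C:\\Documents and Settings\\HPUSER\\Desktop\\FRST.exe
"""

if __name__ == "__main__":
    for path, reasons in suspicious_uninstall_folders(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

Running it on the sample flags only the KB64746 folder, for both reasons, which is the one the helper then removes by resetting its ACLs, deleting the reparse point and removing the directory.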


#15 White Rose

White Rose
  • Topic Starter

  • Members
  • 28 posts
  • Local time:03:15 AM

Posted 13 August 2013 - 01:18 AM

Hi Cat - my laptop is one I bought from work. The techie boys told me I had full administrator rights, but when I tried to follow your steps and select "run as administrator" it asks for the password and won't let me go further without one... Will I try doing it just as myself?

