Suspect rootkit, MSE uninstalled, network issues


This topic is locked
20 replies to this topic

#1 dric

  • Members
  • 29 posts

Posted 09 November 2013 - 03:12 PM

I have

Win XP Home 32 bit SP 3


About a week ago I noticed that I was unable to copy large files from my PC to any other drive on the network.  I was able to copy from network drives to my local drive OK, but not able to go the other way.


About 3 days ago I noticed that MSE was not running.  Tried to start it manually and got the message that msseces.exe cannot be accessed by the system.  This morning I tried to reinstall MSE, it told me that it was already installed.  So I went to my control panel to uninstall it, and was told that it was already uninstalled.  When I tried to reinstall it, I get an error 0x80070643, "Cannot complete the Security Essentials Installation" "An error has prevented the Security Essentials setup wizard from completing successfully.  Please restart your computer and try again."  I restarted and got the same error.


I also ran MBAM which detected the following:


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.09.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dave :: ANTEC [administrator]

11/9/2013 8:01:51 AM
mbam-log-2013-11-09 (08-01-51).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 404906
Time elapsed: 2 hour(s), 36 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (Rootkit.0Access) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\etadpug (Rootkit.0Access) -> Delete on reboot.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Rootkit.0Access) -> Data: "C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Desktop\Install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\GoogleUpdate.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\program files\google\desktop\install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \ﯹ๛\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\googleupdate.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Desktop\FreeFileSync_5.22_Windows_Setup.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
c:\program files\google\desktop\install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \ﯹ๛\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\u\80000000.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\program files\google\desktop\install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \ﯹ๛\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\u\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)


I had MBAM clean the problems but I am still unable to install MSE, getting the same error as previously mentioned.  I suspect there are still issues that MBAM was unable to resolve, not sure what my next step should be.



#2 RPMcMurphy (Bleeping *^#@%~)


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 09 November 2013 - 03:33 PM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 dric (Topic Starter)

  • Members
  • 29 posts

Posted 09 November 2013 - 04:30 PM

FRST.txt:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Dave (administrator) on ANTEC on 09-11-2013 16:24:02
Running from C:\Documents and Settings\Dave\Desktop\bc
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(VMware, Inc.) C:\Program Files\VMware\VMware Player\hqtray.exe
(Sony Corporation) C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
() C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\WINDOWS\system32\CSHelper.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Nero AG) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
(Palm) C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe
(Sony Corporation) C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
(TiVo Inc.) C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
(VMware, Inc.) C:\WINDOWS\system32\vmnat.exe
(VMware, Inc.) C:\WINDOWS\system32\vmnetdhcp.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Player\vmware-authd.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [JMB36X IDE Setup] - C:\WINDOWS\RaidTool\xInsIDE.exe [36864 2007-03-20] ()
HKLM\...\Run: [36X Raid Configurer] - C:\WINDOWS\system32\xRaidSetup.exe [1966080 2007-08-29] (JMicron Technology Corp.)
HKLM\...\Run: [RTHDCPL] - C:\WINDOWS\RTHDCPL.exe [16384000 2007-08-10] (Realtek Semiconductor Corp.)
HKLM\...\Run: [VMware hqtray] - C:\Program Files\VMware\VMware Player\hqtray.exe [64048 2009-08-14] (VMware, Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [PMBVolumeWatcher] - C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe [597792 2009-11-04] (Sony Corporation)
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] ()
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll No File
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} https://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542}
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Winsock: Catalog9 16 C:\Program Files\VMware\VMware Player\vsocklib.dll [330288] (VMware, Inc.)
Winsock: Catalog9 17 C:\Program Files\VMware\VMware Player\vsocklib.dll [330288] (VMware, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\1ewm12l1.default
FF Homepage: hxxp://www.google.com/
FF NetworkProxy: "no_proxies_on", "*.local"
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)
FF Extension: Check4Change - C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\1ewm12l1.default\Extensions\check4change-owner@mozdev.org
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\1ewm12l1.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\30.0.1599.101\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0) - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\plugins\NPcol400.dll (Catalina Marketing Corporation)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Atari - Lunar Lander) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\aheampccjiggeiflpcjolbabpohbpclg\1.0_0
CHR Extension: (Angry Birds) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0
CHR Extension: (User-Agent Switcher for Chrome) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\djflhoibgkdhkhhcedjiklpkjnoahfmg\1.0.26_0
CHR Extension: (Super Mario Bros. Crossover) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\eeecbbkpegiknjlkklkajceokkdgipbm\2.1_0
CHR Extension: (Atari - Centipede) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\gakkiekmjcipgjlnenigjfgemakojanh\1.0_0
CHR Extension: (Plants vs Zombies) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\mmcegpfdgcoclcdfkjahiimlikdpnina\1.0.5_0
CHR Extension: (Chrome In-App Payments service) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR Extension: (Atari - Missile Command) - C:\DOCUME~1\Dave\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\oobnopfjjndfekinfcddimnjbhjdgmbg\1.0_0
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

R2 CSHelper; C:\WINDOWS\system32\CSHelper.exe [266240 2009-02-20] ()
R2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [77824 2002-01-29] ()
R2 EPSONStatusAgent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [94208 2002-07-17] (SEIKO EPSON CORPORATION)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] ()
R2 NovacomD; C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe [61440 2011-06-24] (Palm)
R2 TivoBeacon2; C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [867328 2007-09-25] (TiVo Inc.)
R2 VMAuthdService; C:\Program Files\VMware\VMware Player\vmware-authd.exe [113200 2009-08-14] (VMware, Inc.)
R2 VMnetDHCP; C:\WINDOWS\system32\vmnetdhcp.exe [326192 2009-08-14] (VMware, Inc.)
R2 VMware NAT Service; C:\WINDOWS\system32\vmnat.exe [399920 2009-08-14] (VMware, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S3 ufad-ws60; "C:\Program Files\VMware\VMware Player\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Player\\" -s ufad-p2v.xml
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \???\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 Andbus; C:\Windows\System32\DRIVERS\lgandbus.sys [14336 2012-03-02] (LG Electronics Inc.)
S3 AndDiag; C:\Windows\System32\DRIVERS\lganddiag.sys [20736 2012-03-02] (LG Electronics Inc.)
S3 AndGps; C:\Windows\System32\DRIVERS\lgandgps.sys [20096 2012-03-02] (LG Electronics Inc.)
S3 ANDModem; C:\Windows\System32\DRIVERS\lgandmodem.sys [25088 2012-03-02] (LG Electronics Inc.)
S3 androidusb; C:\Windows\System32\Drivers\lgandadb.sys [25728 2012-03-02] (Google Inc)
S3 FXDrv32; C:\PROGRA~1\FOXCONN\FOXLIV~1\FXDrv32.sys [23872 2005-12-20] (Your Corporation)
R2 hcmon; C:\WINDOWS\system32\drivers\hcmon.sys [32304 2009-08-14] (VMware, Inc.)
R0 JGOGO; C:\Windows\System32\DRIVERS\JGOGO.sys [6912 2006-02-07] (JMicron )
R0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [63360 2007-08-31] (JMicron Technology Corp.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [91496 2010-06-21] (NVIDIA Corporation)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 vmkbd; C:\WINDOWS\system32\drivers\VMkbd.sys [23216 2009-08-14] (VMware, Inc.)
R3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16560 2009-08-14] (VMware, Inc.)
R2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [31280 2009-08-14] (VMware, Inc.)
R2 VMnetuserif; C:\WINDOWS\system32\drivers\vmnetuserif.sys [26288 2009-08-14] (VMware, Inc.)
R2 VMparport; C:\WINDOWS\system32\Drivers\VMparport.sys [14896 2009-08-14] (VMware, Inc.)
S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2009-08-14] (VMware, Inc.)
R2 vmx86; C:\WINDOWS\system32\Drivers\vmx86.sys [857520 2009-08-14] (VMware, Inc.)
R2 vstor2-ws60; C:\Program Files\VMware\VMware Player\vstor2-ws60.sys [22448 2008-12-01] (VMware, Inc.)
S3 catchme; \??\C:\DOCUME~1\Dave\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
S3 PciCon; \??\D:\PciCon.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-09 16:23 - 2013-11-09 16:23 - 00000000 ____D C:\FRST
2013-11-09 16:23 - 2013-11-09 16:23 - 00000000 ____D C:\Documents and Settings\Dave\Desktop\bc
2013-11-09 13:11 - 2013-11-09 13:11 - 00000060 _____ C:\WINDOWS\setupact.log
2013-11-09 13:11 - 2013-11-09 13:11 - 00000000 _____ C:\WINDOWS\setuperr.log
2013-11-09 11:43 - 2013-11-09 13:19 - 93087592 _____ C:\avenger.txt
2013-11-09 11:43 - 2013-11-09 11:43 - 00000000 ____D C:\Avenger
2013-11-09 07:38 - 2013-11-09 07:40 - 11227472 _____ (Microsoft Corporation) C:\Documents and Settings\Dave\Desktop\MSEInstall.exe
2013-11-06 10:09 - 2013-11-06 10:52 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-05 10:37 - 2013-11-05 10:37 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-11-05 09:19 - 2013-11-06 21:39 - 00003881 _____ C:\Documents and Settings\Dave\Desktop\eye dr notes.txt
2013-11-03 19:30 - 2013-11-03 19:30 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-11-01 12:59 - 2013-11-06 14:33 - 00101376 _____ C:\Documents and Settings\Dave\Desktop\dwlog13.xls
2013-10-31 05:58 - 2013-10-31 05:59 - 00000000 ____D C:\Documents and Settings\Dave\Desktop\131023 jess ss test lat long
2013-10-24 09:05 - 2013-10-24 09:30 - 00000000 ____D C:\Documents and Settings\Dave\Application Data\FreeFileSync
2013-10-24 09:05 - 2013-10-24 09:05 - 00000812 _____ C:\Documents and Settings\All Users\Start Menu\Programs\FreeFileSync.lnk
2013-10-24 09:05 - 2013-10-24 09:05 - 00000788 _____ C:\Documents and Settings\All Users\Start Menu\Programs\RealtimeSync.lnk
2013-10-24 09:04 - 2013-10-24 09:05 - 00000000 ____D C:\Program Files\FreeFileSync
2013-10-22 07:11 - 2013-10-22 07:11 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2013-10-22 07:11 - 2013-10-22 07:11 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2013-10-22 07:11 - 2013-10-22 07:11 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2013-10-22 07:11 - 2013-10-22 07:11 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2013-10-22 07:11 - 2013-10-22 07:11 - 00000000 ____D C:\Program Files\Common Files\Java
2013-10-22 07:11 - 2013-10-22 07:11 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2013-10-17 15:46 - 2013-11-04 22:04 - 00000423 _____ C:\Documents and Settings\Dave\My Documents\Shortcut to GoFlex Home Personal on GoFlex Home (Goflex_home).lnk
2013-10-11 08:09 - 2013-11-03 09:31 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-10-10 07:40 - 2013-10-10 07:40 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-10 07:39 - 2013-10-10 07:40 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-10 07:36 - 2013-10-10 07:36 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-10 07:35 - 2013-10-10 07:35 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-10 07:34 - 2013-10-10 07:34 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$

==================== One Month Modified Files and Folders =======

2013-11-09 16:23 - 2013-11-09 16:23 - 00000000 ____D C:\FRST
2013-11-09 16:23 - 2013-11-09 16:23 - 00000000 ____D C:\Documents and Settings\Dave\Desktop\bc
2013-11-09 15:55 - 2011-05-12 08:45 - 00000974 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1500820517-725345543-1004UA.job
2013-11-09 15:34 - 2012-08-26 06:46 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-09 15:08 - 2011-01-25 20:48 - 00001954 _____ C:\WINDOWS\epplauncher.mif
2013-11-09 13:55 - 2011-05-12 08:45 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1500820517-725345543-1004Core.job
2013-11-09 13:22 - 2008-01-23 15:05 - 02085887 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-09 13:21 - 2009-10-20 22:08 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\VMware
2013-11-09 13:21 - 2009-10-20 22:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\VMware
2013-11-09 13:21 - 2008-01-23 10:00 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-11-09 13:21 - 2008-01-23 10:00 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-11-09 13:20 - 2012-08-26 06:46 - 00000878 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-09 13:20 - 2008-01-23 15:09 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-09 13:20 - 2006-02-28 07:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2013-11-09 13:19 - 2013-11-09 11:43 - 93087592 _____ C:\avenger.txt
2013-11-09 13:19 - 2008-01-23 15:09 - 00032434 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-09 13:11 - 2013-11-09 13:11 - 00000060 _____ C:\WINDOWS\setupact.log
2013-11-09 13:11 - 2013-11-09 13:11 - 00000000 _____ C:\WINDOWS\setuperr.log
2013-11-09 11:43 - 2013-11-09 11:43 - 00000000 ____D C:\Avenger
2013-11-09 11:43 - 2008-04-11 07:11 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB945553$
2013-11-09 07:40 - 2013-11-09 07:38 - 11227472 _____ (Microsoft Corporation) C:\Documents and Settings\Dave\Desktop\MSEInstall.exe
2013-11-07 07:53 - 2012-05-07 20:40 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-11-06 21:39 - 2013-11-05 09:19 - 00003881 _____ C:\Documents and Settings\Dave\Desktop\eye dr notes.txt
2013-11-06 17:20 - 2013-09-01 21:54 - 00000000 ____D C:\Documents and Settings\Dave\Desktop\EJ school folder 5th grade
2013-11-06 14:33 - 2013-11-01 12:59 - 00101376 _____ C:\Documents and Settings\Dave\Desktop\dwlog13.xls
2013-11-06 10:52 - 2013-11-06 10:09 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-05 10:37 - 2013-11-05 10:37 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-11-05 10:33 - 2012-01-22 14:39 - 00105984 _____ C:\Documents and Settings\Dave\Desktop\staples notes.xls
2013-11-05 09:23 - 2008-01-23 16:29 - 00002479 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2013-11-04 22:04 - 2013-10-17 15:46 - 00000423 _____ C:\Documents and Settings\Dave\My Documents\Shortcut to GoFlex Home Personal on GoFlex Home (Goflex_home).lnk
2013-11-04 21:19 - 2011-02-11 10:14 - 00000000 ____D C:\Documents and Settings\Dave\Application Data\vlc
2013-11-04 17:57 - 2008-05-16 16:19 - 00000765 _____ C:\WINDOWS\Ulead32.ini
2013-11-03 21:04 - 2008-01-23 15:09 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-11-03 19:30 - 2013-11-03 19:30 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-11-03 19:26 - 2012-08-26 06:46 - 00000000 ____D C:\Program Files\Google
2013-11-03 19:26 - 2009-08-23 15:42 - 00000000 ____D C:\Documents and Settings\Dave\Local Settings\Application Data\Google
2013-11-03 09:31 - 2013-10-11 08:09 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-11-03 06:31 - 2008-03-30 07:55 - 00000000 ____D C:\Documents and Settings\Dave\Desktop\photos
2013-11-03 05:58 - 2008-01-23 09:58 - 00526962 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-10-31 05:59 - 2013-10-31 05:58 - 00000000 ____D C:\Documents and Settings\Dave\Desktop\131023 jess ss test lat long
2013-10-29 09:17 - 2011-08-23 07:04 - 00016479 _____ C:\Documents and Settings\Dave\Desktop\ds.txt
2013-10-29 09:17 - 2011-08-23 07:04 - 00015140 _____ C:\Documents and Settings\Dave\Desktop\ej.txt
2013-10-29 08:29 - 2011-02-11 16:47 - 00000000 ____D C:\Documents and Settings\Dave\Application Data\dvdcss
2013-10-28 13:35 - 2008-01-23 16:18 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\DVD Shrink
2013-10-28 09:35 - 2008-06-08 16:09 - 00000000 ____D C:\Jts
2013-10-27 16:55 - 2008-01-23 16:29 - 00002477 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
2013-10-25 22:04 - 2008-01-23 15:56 - 00020992 _____ C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-10-24 09:30 - 2013-10-24 09:05 - 00000000 ____D C:\Documents and Settings\Dave\Application Data\FreeFileSync
2013-10-24 09:05 - 2013-10-24 09:05 - 00000812 _____ C:\Documents and Settings\All Users\Start Menu\Programs\FreeFileSync.lnk
2013-10-24 09:05 - 2013-10-24 09:05 - 00000788 _____ C:\Documents and Settings\All Users\Start Menu\Programs\RealtimeSync.lnk
2013-10-24 09:05 - 2013-10-24 09:04 - 00000000 ____D C:\Program Files\FreeFileSync
2013-10-22 07:11 - 2013-10-22 07:11 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2013-10-22 07:11 - 2013-10-22 07:11 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2013-10-22 07:11 - 2013-10-22 07:11 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2013-10-22 07:11 - 2013-10-22 07:11 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2013-10-22 07:11 - 2013-10-22 07:11 - 00000000 ____D C:\Program Files\Common Files\Java
2013-10-22 07:11 - 2013-10-22 07:11 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2013-10-22 07:11 - 2011-01-06 10:08 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2013-10-22 07:08 - 2012-03-29 09:15 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-22 07:08 - 2011-06-02 12:28 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-10-14 22:09 - 2008-01-23 21:31 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-10-10 22:39 - 2012-04-30 19:49 - 00001698 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
2013-10-10 22:38 - 2011-01-25 20:47 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-10 07:47 - 2008-01-23 09:56 - 00176264 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-10-10 07:40 - 2013-10-10 07:40 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-10 07:40 - 2013-10-10 07:39 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-10 07:40 - 2008-01-23 09:58 - 00001393 _____ C:\WINDOWS\imsins.BAK
2013-10-10 07:39 - 2013-07-24 07:21 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-10-10 07:36 - 2013-10-10 07:36 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-10 07:36 - 2009-11-11 10:29 - 01032639 _____ C:\WINDOWS\setupapi.log.1.old
2013-10-10 07:36 - 2009-04-18 12:01 - 78106760 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-10-10 07:35 - 2013-10-10 07:35 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-10 07:34 - 2013-10-10 07:34 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$

Files to move or delete:
====================
ZeroAccess:
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by Dave at 2013-11-09 16:24:40
Running from C:\Documents and Settings\Dave\Desktop\bc
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials (Disabled - Up to date) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
Could not list Security Center items. Check WMI.

==================== Installed Programs ======================

"Nero SoundTrax Help (Version: 4.0.15.0)
7-Zip 4.57
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
Adobe Reader 8.1.1 (Version: 8.1.1)
Advertising Center (Version: 0.0.0.1)
Amazon MP3 Downloader 1.0.17 (Version: 1.0.17)
Apple Application Support (Version: 1.3.2)
Apple Software Update (Version: 2.1.1.116)
ArtistScope Plugin IE 42 (Version: 4.2.0.0)
Audacity 1.2.6
AviSynth 2.5
Bonjour (Version: 1.0.104)
CDex extraction audio
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Coupon Printer for Windows (Version: 4.0)
Coupon Printer for Windows (Version: 5.0.0.1)
DirectShow Dump (Version: 1.0.0)
DolbyFiles (Version: 2.0)
DVD Shrink 3.1.7
DVDFab 8.0.7.3 (29/01/2011)
DVDFab 8.2.2.9 (18/06/2013) Qt
DVDFab HD Decrypter 4.0.1.2
Elecard MPEG-2 Decoder&Streaming Plug-in for WMP (Version: 3.5.71225)
EPSON Copy Utility
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
EVGA Precision 2.0.0 (Version: 2.0.0)
Fox LiveUpdate (Version: 1.0.0.7)
FOX ONE (Version: 1.00.0000)
Free iPod Video Converter 1.26
FreeFileSync 5.22 (Version: 5.22)
Google Chrome (HKCU Version: 30.0.1599.101)
Google Update Helper (Version: 1.3.21.165)
GoToMeeting 4.5.0.457
Half-Life 2: Deathmatch
Half-Life 2: Lost Coast
HandBrake 0.9.5 (Version: 0.9.5)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HijackThis 2.0.2 (Version: 2.0.2)
ImagXpress (Version: 7.0.74.0)
iPhoto Plus 4
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
Java™ 6 Update 23 (Version: 6.0.230)
JMB36X Raid Configurer (Version: 1.00.0000)
LG United Mobile Driver (Version: 3.8.1)
M2PMCEncoderZX (Version: 1.0.0)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Media Player Codec Pack 3.9.6
Menu Templates - Starter Kit (Version: 9.0.4.0)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional (Version: 9.00.2720)
Microsoft Security Client (Version: 4.3.0219.0)
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft WinUsb 1.0
Movie Templates - Starter Kit (Version: 9.0.4.0)
Mozilla Firefox 25.0 (x86 en-US) (Version: 25.0)
Mozilla Maintenance Service (Version: 25.0)
Mp3tag v2.43 (Version: v2.43)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB925673) (Version: 6.00.3888.0)
Nero 9
Nero BurningROM (Version: 9.0.0.0)
Nero BurnRights (Version: 2.99.6.100)
Nero ControlCenter (Version: 0.0.0.1)
Nero ControlCenter (Version: 9.0.0.1)
Nero CoverDesigner (Version: 4.0.5.100)
Nero CoverDesigner Help (Version: 4.0.0.0)
Nero Disc Copy Gadget (Version: 1.53.0.0)
Nero Disc Copy Gadget Help (Version: 2.0.0.0)
Nero DiscSpeed (Version: 4.99.5.105)
Nero DriveSpeed (Version: 3.99.5.105)
Nero Express (Version: 9.0.0.0)
Nero InfoTool (Version: 5.99.5.105)
Nero Installer (Version: 2.0.0.1)
Nero Live (Version: 1.0.164.0)
Nero Live Help (Version: 1.0.162.0)
Nero OEM
Nero PhotoSnap (Version: 1.53.2.0)
Nero PhotoSnap Help (Version: 1.53.2.0)
Nero Recode (Version: 3.53.0.0)
Nero Recode Help (Version: 3.53.0.0)
Nero Rescue Agent (Version: 1.99.0.1)
Nero ShowTime (Version: 4.99.0.0)
Nero StartSmart (Version: 9.0.9.100)
Nero StartSmart Help (Version: 9.0.0.0)
Nero Vision (Version: 6.0.0.100)
Nero Vision (Version: 6.0.6.100)
Nero WaveEditor (Version: 5.0.18.0)
Nero WaveEditor Help (Version: 5.0.15.0)
NeroBurningROM (Version: 9.0.9.100)
NeroExpress (Version: 9.0.9.100)
neroxml (Version: 1.0.0)
Novacomd (Version: 1.0.0.76)
NVIDIA Display Control Panel (Version: 6.14.12.5936)
NVIDIA Drivers (Version: 1.10.61.39)
NVIDIA nView Desktop Manager (Version: 6.14.10.13534)
NVIDIA PhysX (Version: 9.10.0224)
OLYMPUS CAMEDIA Master 1.0
OpenOffice.org Installer 1.0 (Version: 1.0.9221)
PDF reDirect (remove only) (Version: v2.1.7)
PMB (Version: 5.0.02.11130)
Portal
PowerDVD
Quicken 2007 (Version: 16.1.2.25)
QuickTime (Version: 7.68.75.0)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.06.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5464)
ScanToWeb
Skype™ 5.10 (Version: 5.10.116)
SoundTrax (Version: 4.0.18.0)
Spotify (Version: 0.5.2)
Spybot - Search & Destroy (Version: 1.6.2)
Stanza
Steam (Version: 1.0.0.0)
TiVo Desktop 2.5.1 (Version: 2.5.279.957)
Trader Workstation 4.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
USB MP3 Player WIN98 Drivers
Videora TiVo Converter 0.80 (Version: 0.80)
VLC media player 2.0.5 (Version: 2.0.5)
VMware Player (Version: 2.5.3.8888)
VNC 3.3.7 (Version: 3.3.7)
WebFldrs XP (Version: 9.50.7523)
Whistle (Version: 1.10.13)
Windows Driver Package - Palm (WinUSB) Palm Devices  (10/09/2009 1.0.1) (Version: 10/09/2009 1.0.1)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0059.1)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.2980)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Support Tools (Version: 5.1.2600.2180)
Windows XP Service Pack 3 (Version: 20080414.031525)
XML Paper Specification Shared Components Pack 1.0

==================== Restore Points  =========================

09-11-2013 20:47:46 System Checkpoint

==================== Hosts content: ==========================

2006-02-28 07:00 - 2011-03-06 20:58 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1500820517-725345543-1004Core.job => C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1500820517-725345543-1004UA.job => C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe

==================== Loaded Modules (whitelisted) =============

2005-12-02 00:14 - 2005-12-02 00:14 - 00014336 _____ () C:\WINDOWS\system32\PDFreDirectMonNT.dll
2009-01-10 17:15 - 2009-01-10 17:15 - 00159744 _____ () C:\WINDOWS\system32\mmfinfo.dll
2010-05-19 15:55 - 2010-05-19 15:55 - 00024576 _____ () C:\WINDOWS\system32\mkunicode.dll
2009-08-14 19:12 - 2009-08-14 19:12 - 00970288 _____ () C:\Program Files\VMware\VMware Player\libxml2.dll
2009-08-14 19:13 - 2009-08-14 19:13 - 00068656 _____ () C:\Program Files\VMware\VMware Player\zlib1.dll
2006-02-28 07:00 - 2008-04-13 19:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2008-01-28 12:36 - 2002-04-04 23:07 - 00286720 _____ () C:\Program Files\Common Files\EPSON\EBAPI\eEBNWDev.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (11/09/2013 03:06:04 PM) (Source: MsiInstaller) (User: ANTEC)
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes,

Error: (11/09/2013 02:34:52 PM) (Source: MsiInstaller) (User: ANTEC)
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes,

Error: (11/09/2013 01:12:59 PM) (Source: ESENT) (User: )
Description: wuauclt (3924) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1808.

Error: (11/09/2013 01:12:59 PM) (Source: ESENT) (User: )
Description: wuauclt (3924) An attempt to write to the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" at offset 0 (0x0000000000000000) for 8192 (0x00002000) bytes failed with system error 112 (0x00000070): "There is not enough space on the disk. ".  The write operation will fail with error -1808 (0xfffff8f0).  If this error persists then the file may be damaged and may need to be restored from a previous backup.

Error: (11/09/2013 01:12:58 PM) (Source: ESENT) (User: )
Description: wuauclt (1764) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1808.

Error: (11/09/2013 01:12:58 PM) (Source: ESENT) (User: )
Description: wuauclt (1764) An attempt to write to the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" at offset 0 (0x0000000000000000) for 8192 (0x00002000) bytes failed with system error 112 (0x00000070): "There is not enough space on the disk. ".  The write operation will fail with error -1808 (0xfffff8f0).  If this error persists then the file may be damaged and may need to be restored from a previous backup.

Error: (11/09/2013 01:12:58 PM) (Source: ESENT) (User: )
Description: wuauclt (176) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1808.

Error: (11/09/2013 01:12:58 PM) (Source: ESENT) (User: )
Description: wuauclt (176) An attempt to write to the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" at offset 0 (0x0000000000000000) for 8192 (0x00002000) bytes failed with system error 112 (0x00000070): "There is not enough space on the disk. ".  The write operation will fail with error -1808 (0xfffff8f0).  If this error persists then the file may be damaged and may need to be restored from a previous backup.

Error: (11/09/2013 11:45:56 AM) (Source: MsiInstaller) (User: ANTEC)
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes,

Error: (11/09/2013 11:30:55 AM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.

System errors:
=============
Error: (11/09/2013 01:22:30 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (11/09/2013 01:22:30 PM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%1920

Error: (11/09/2013 11:45:30 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (11/09/2013 11:45:30 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%1920

Error: (11/09/2013 07:48:49 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (11/09/2013 07:48:49 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%1920

Error: (11/09/2013 07:33:39 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (11/09/2013 07:33:39 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%1920

Error: (11/08/2013 09:13:47 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (11/08/2013 09:13:47 PM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%1920

Microsoft Office Sessions:
=========================
Error: (11/09/2013 03:06:04 PM) (Source: MsiInstaller)(User: ANTEC)
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes, (NULL)(NULL)(NULL)

Error: (11/09/2013 02:34:52 PM) (Source: MsiInstaller)(User: ANTEC)
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes, (NULL)(NULL)(NULL)

Error: (11/09/2013 01:12:59 PM) (Source: ESENT)(User: )
Description: wuauclt3924C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1808

Error: (11/09/2013 01:12:59 PM) (Source: ESENT)(User: )
Description: wuauclt3924C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb0 (0x0000000000000000)8192 (0x00002000)-1808 (0xfffff8f0)112 (0x00000070)There is not enough space on the disk.

Error: (11/09/2013 01:12:58 PM) (Source: ESENT)(User: )
Description: wuauclt1764C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1808

Error: (11/09/2013 01:12:58 PM) (Source: ESENT)(User: )
Description: wuauclt1764C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb0 (0x0000000000000000)8192 (0x00002000)-1808 (0xfffff8f0)112 (0x00000070)There is not enough space on the disk.

Error: (11/09/2013 01:12:58 PM) (Source: ESENT)(User: )
Description: wuauclt176C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1808

Error: (11/09/2013 01:12:58 PM) (Source: ESENT)(User: )
Description: wuauclt176C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb0 (0x0000000000000000)8192 (0x00002000)-1808 (0xfffff8f0)112 (0x00000070)There is not enough space on the disk.

Error: (11/09/2013 11:45:56 AM) (Source: MsiInstaller)(User: ANTEC)
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes, (NULL)(NULL)(NULL)

Error: (11/09/2013 11:30:55 AM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3071.23 MB
Available physical RAM: 2412.36 MB
Total Pagefile: 4957.07 MB
Available Pagefile: 4512.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1934.31 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:186.3 GB) (Free:3.51 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 186 GB) (Disk ID: F2B6F2B6)
Partition 1: (Active) - (Size=186 GB) - (Type=07 NTFS)

==================== End Of Log ============================

EDIT: added the same 2 files as attachments, in case you need them attached.

Edited by dric, 09 November 2013 - 05:04 PM.


#4 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 09 November 2013 - 07:01 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \???\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.
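The fixlist in post #4 is assembled from FRST's own output: the two entries FRST arrowed as ZeroAccess are pasted verbatim, the two directories come from the "ZeroAccess:" markers under "Files to move or delete", and the last line is the DeleteJunctionsIndirectory directive FRST attached to MsMpEng.exe in the Bamital & volsnap check. The Addition.txt errors fit the same picture: MSI error 2324 is "could not open file", its second argument 1920 is the Win32 code ERROR_CANT_ACCESS_FILE ("The file cannot be accessed by the system", the message dric saw for msseces.exe), and the Service Control Manager logged the same %%1920 for the Microsoft Antimalware Service, which is what you get once the AV directory's entries have been turned into reparse points. The script below is an added example, not code from FRST, ComboFix or RPMcMurphy: it scans log text for those indicators and drafts fixlist lines in the same shape. SAMPLE_LOG is constructed from the lines above with one benign service line (R2 MsMpSvc) added as a control; the function and pattern names are the example's own.

```python
"""Triage an FRST log for the ZeroAccess indicators seen in this thread.

Added example for this thread; not part of FRST, ComboFix or the responder's
fixlist. It reads FRST.txt / Addition.txt text, pulls out the entries FRST
itself tags as ZeroAccess, the paths under "ZeroAccess:" in "Files to move or
delete", the DeleteJunctionsIndirectory target and the MSI 2324 / Win32 1920
records, then drafts fixlist lines in the shape used in post #4. A fixlist is
specific to the machine whose log produced it: review the draft before use.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the logs posted above (one benign
# service line, R2 MsMpSvc, added as a control; the rest mirrors the thread).
SAMPLE_LOG = r"""
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] (Microsoft Corporation)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \???\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
ZeroAccess:
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
C:\Windows\explorer.exe => MD5 is legit
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
Description: Product: Microsoft Security Client -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft Security Client\SymSrv.yes,
c:\windows\$NtUninstallKB49931$\328454296\U\00000001.@
"""

# FRST's own arrow annotation on a registry Run value or a service entry.
ATTENTION_RE = re.compile(r"<=+ ?ATTENTION \(ZeroAccess")
# A path component made only of spaces, or a "\???\" component, as in the
# *etadpug service above: Explorer cannot open such a folder normally.
HIDDEN_PATH_RE = re.compile(r"\\ +\\|\\\?\?\?\\")
JUNCTION_RE = re.compile(r"DeleteJunctionsIndirectory: (.+?)\s*$")
# MSI 2324 = "could not open file"; its second argument is GetLastError, and
# Win32 1920 = ERROR_CANT_ACCESS_FILE, the code the SCM also logged as %%1920.
MSI_RE = re.compile(r"error code is 2324\. The arguments are: 1920, ([^,]+),")
# The payload layout ComboFix removed: $NtUninstallKB<n>$\<digits>\U\ or \L\
STORE_RE = re.compile(r"\$NtUninstallKB\d+\$\\\d+\\[UL]\\", re.I)


@dataclass
class Triage:
    attention: list = field(default_factory=list)      # FRST-tagged lines, verbatim
    hidden_paths: list = field(default_factory=list)   # blank / \???\ path trick
    move_dirs: list = field(default_factory=list)      # paths under "ZeroAccess:"
    junction_dirs: list = field(default_factory=list)  # DeleteJunctionsIndirectory targets
    blocked_files: list = field(default_factory=list)  # files MSI could not open
    store_dirs: list = field(default_factory=list)     # $NtUninstallKB...$ payload trees


def _add(bucket: list, item: str) -> None:
    """Append without duplicates, keeping first-seen order."""
    if item not in bucket:
        bucket.append(item)


def triage(log_text: str) -> Triage:
    """Scan FRST/Addition log text line by line and bucket the indicators."""
    t = Triage()
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if ATTENTION_RE.search(line):
            _add(t.attention, line.rstrip())
        if HIDDEN_PATH_RE.search(line):
            _add(t.hidden_paths, line.rstrip())
        if line.strip() == "ZeroAccess:" and i + 1 < len(lines):
            _add(t.move_dirs, lines[i + 1].strip())
        if m := JUNCTION_RE.search(line):
            _add(t.junction_dirs, m.group(1))
        if m := MSI_RE.search(line):
            _add(t.blocked_files, m.group(1).strip())
        if m := STORE_RE.search(line):
            _add(t.store_dirs, m.group(0))
    return t


def blocked_under_junction(t: Triage) -> list:
    """Files MSI could not open that sit inside a directory FRST flagged as
    junctioned: the link between the 0x80070643 reinstall failure and the rootkit."""
    dirs = [d.lower().rstrip("\\") + "\\" for d in t.junction_dirs]
    return [f for f in t.blocked_files if any(f.lower().startswith(d) for d in dirs)]


def build_fixlist(t: Triage) -> str:
    """Draft fixlist.txt in the shape of post #4: FRST-tagged lines verbatim,
    then the directories to move, then the junction directive."""
    out = list(t.attention)
    out += t.move_dirs
    out += [f"DeleteJunctionsIndirectory: {d}" for d in t.junction_dirs]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(build_fixlist(report))
    print("install blocked by junctioned files:", blocked_under_junction(report))
```

Run as a script it prints the draft; for the constructed sample the draft is exactly the five fixlist lines of post #4, and the blocked-file check names SymSrv.yes, the file the MSI log could not open. The draft is still only a starting point: as the NOTICE in the fixlist says, a fix written for one machine must not be run on another.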


#5 dric (Topic Starter, Members, 29 posts)

Posted 09 November 2013 - 07:25 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Dave at 2013-11-09 19:24:28 Run:1
Running from C:\Documents and Settings\Dave\Desktop\bc
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\   \   \???\{af2ea4ce-bcd9-541d-0a34-82f585fc221d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
*etadpug => Service deleted successfully.
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Antimalware" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\LegitLib.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

The system needs a manual reboot.

==== End of Fixlog ====



#6 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 09 November 2013 - 09:31 PM

Reboot if you didn't already, then please do this next:

Download ComboFix from the link below:
Link 1

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log




#7 dric (Topic Starter, Members, 29 posts)

Posted 09 November 2013 - 11:44 PM

C:\ComboFix.txt is pasted below

ComboFix 13-11-07.01 - Dave 11/09/2013  23:10:10.7.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3071.2652 [GMT -5:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\d64v714506ea2214yse2qo8c5an6nhhl6
c:\documents and settings\Dave\Local Settings\Application Data\d64v714506ea2214yse2qo8c5an6nhhl6
c:\documents and settings\Dave\Templates\d64v714506ea2214yse2qo8c5an6nhhl6
c:\documents and settings\Dave\WINDOWS
c:\windows\$NtUninstallKB49931$
c:\windows\$NtUninstallKB49931$\1773044155
c:\windows\$NtUninstallKB49931$\328454296\@
c:\windows\$NtUninstallKB49931$\328454296\bckfg.tmp
c:\windows\$NtUninstallKB49931$\328454296\cfg.ini
c:\windows\$NtUninstallKB49931$\328454296\Desktop.ini
c:\windows\$NtUninstallKB49931$\328454296\kwrd.dll
c:\windows\$NtUninstallKB49931$\328454296\L\fgeiuoof
c:\windows\$NtUninstallKB49931$\328454296\U\00000001.@
c:\windows\$NtUninstallKB49931$\328454296\U\00000002.@
c:\windows\$NtUninstallKB49931$\328454296\U\00000004.@
c:\windows\$NtUninstallKB49931$\328454296\U\80000000.@
c:\windows\$NtUninstallKB49931$\328454296\U\80000004.@
c:\windows\$NtUninstallKB49931$\328454296\U\80000032.@
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET47.tmp
c:\windows\system32\SET50.tmp
c:\windows\system32\SET51.tmp
c:\windows\system32\SET52.tmp
c:\windows\system32\SET55.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-10 to 2013-11-10  )))))))))))))))))))))))))))))))
.
.
2013-11-10 03:54 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3638A5E6-39BD-4983-B51B-1B96CBBA1A2D}\mpengine.dll
2013-11-09 21:23 . 2013-11-10 00:24 -------- d-----w- C:\FRST
2013-11-05 19:23 . 2013-11-05 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2013-11-05 19:23 . 2013-11-05 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2013-11-03 14:32 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-24 14:05 . 2013-10-24 14:30 -------- d-----w- c:\documents and settings\Dave\Application Data\FreeFileSync
2013-10-24 14:04 . 2013-10-24 14:05 -------- d-----w- c:\program files\FreeFileSync
2013-10-22 12:11 . 2013-10-22 12:11 -------- d-----w- c:\program files\Common Files\Java
2013-10-22 12:11 . 2013-10-22 12:11 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-22 12:11 . 2011-01-06 15:08 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-22 12:08 . 2012-03-29 14:15 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-22 12:08 . 2011-06-02 17:28 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2006-02-28 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2008-05-31 16:14 . 2007-01-15 13:36 118784 ----a-w- c:\program files\FixVTS1.603.exe
2006-09-17 16:50 . 2008-01-23 21:07 458752 ----a-w- c:\program files\sgphoto.exe
2003-10-11 18:36 . 2003-10-11 18:36 1093632 ----a-w- c:\program files\IfoEdit.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-08-15 64048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-11-04 597792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-08-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-08-09 13925480]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^Check for TWS Updates.lnk]
path=c:\documents and settings\Dave\Start Menu\Programs\Startup\Check for TWS Updates.lnk
backup=c:\windows\pss\Check for TWS Updates.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 00:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3200]
2002-07-01 03:05 74752 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-14 01:51 1238352 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2007-09-25 15:34 384000 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2007-09-25 15:35 1495040 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2007-09-25 15:33 1195008 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/20/2009 6:47 PM 266240]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [6/24/2011 8:16 PM 61440]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 3:18 AM 360224]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [9/25/2007 10:33 AM 867328]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [8/14/2009 7:13 PM 54960]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [1/31/2012 9:10 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [1/31/2012 9:10 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [1/31/2012 9:10 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [1/31/2012 9:10 PM 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [1/31/2012 9:10 PM 25728]
S3 FXDrv32;FXDrv32;c:\progra~1\FOXCONN\FOXLIV~1\FXDrv32.sys [1/23/2008 3:28 PM 23872]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-26 11:46]
.
2013-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-26 11:46]
.
2013-11-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 14:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\1ewm12l1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: !HIDDEN! 2009-08-06 20:52; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-09 23:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-11-09  23:37:18 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-10 04:37
ComboFix2.txt  2011-05-10 18:51
ComboFix3.txt  2011-03-07 02:00
ComboFix4.txt  2010-05-26 03:26
ComboFix5.txt  2013-11-10 04:02
.
Pre-Run: 3,655,606,272 bytes free
Post-Run: 4,351,938,560 bytes free
.
- - End Of File - - C2B1577DFA8F24CDCCCFA21906868884
8F558EB6672622401DA993E1E865C861
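The two ComboFix logs in this thread (the one above and the one posted later after the CFScript run) differ in only a handful of autostart values and service entries, and those differences are what a responder actually compares between runs. The following Python script is an added example, not part of the original thread and not ComboFix's own code: it parses the `"Name"="path" [date size]` values under the Run keys and the `R2`/`S3` service lines of a ComboFix log into records and reports what was added, removed or changed between two logs. The sample inputs are constructed excerpts copied from the logs on this page. Reading the leading letter as R = running / S = stopped with the digit as the start type, and a trailing `[?]` as a file ComboFix could not examine, are assumptions about the log format.

```python
"""Diff the autostart and service entries of two ComboFix logs (added example)."""
import re

# Format assumptions about ComboFix output, taken from the logs on this page:
#   "Name"="path" [YYYY-MM-DD size]         value under a ...\Run key
#   R2 svc;Display;path [date time size]    R = running, S = stopped, digit = start type
#   ... [?]                                 file could not be examined
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r'^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')


def parse_combofix(text):
    """Return (run_entries, services) parsed from a ComboFix log.

    run_entries maps (registry key, value name) -> (path, metadata);
    services maps service name -> (state, start type, path, metadata).
    Only the line shapes visible in the logs on this page are handled.
    """
    run, services, current_key = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = RUN_RE.match(line)
        if m and current_key and current_key.lower().endswith('\\run'):
            run[(current_key, m.group('name'))] = (m.group('path'), m.group('meta'))
            continue
        m = SVC_RE.match(line)
        if m:
            services[m.group('name')] = (m.group('state'), m.group('start'),
                                         m.group('path'), m.group('meta'))
    return run, services


def diff_logs(before, after):
    """Report autostart values and services added, removed or changed between two logs."""
    run_a, svc_a = parse_combofix(before)
    run_b, svc_b = parse_combofix(after)
    common = set(svc_a) & set(svc_b)
    return {
        'run_added': sorted(name for key, name in run_b if (key, name) not in run_a),
        'run_removed': sorted(name for key, name in run_a if (key, name) not in run_b),
        'svc_added': sorted(set(svc_b) - set(svc_a)),
        'svc_removed': sorted(set(svc_a) - set(svc_b)),
        # state or start type changed, e.g. a service that was running and is now stopped
        'svc_changed': sorted(n for n in common if svc_a[n][:2] != svc_b[n][:2]),
        # entries ComboFix could not examine ([?]) in the newer log
        'unverified': sorted(n for n, v in svc_b.items() if v[3] == '?'),
    }


# Constructed excerpts copied from the two logs in this thread (first run, then CFScript run).
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/20/2009 6:47 PM 266240]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [8/14/2009 7:13 PM 54960]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
R1 MpKsl476085f4;MpKsl476085f4;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A197A294-2086-47D5-A83A-D2527B3841B1}\MpKsl476085f4.sys [11/11/2013 10:59 AM 40392]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [8/14/2009 7:13 PM 54960]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/20/2009 6:47 PM 266240]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
"""

if __name__ == '__main__':
    for section, names in diff_logs(BEFORE, AFTER).items():
        print(f'{section:12s} {names}')
```

Run it against the saved copies ComboFix lists at the end of each log (C:\ComboFix.txt and the numbered ComboFix2.txt, ComboFix3.txt, ...) to see which entries appeared, disappeared or changed state between runs. On this page the diff shows SunJavaUpdateSched gone after the Java uninstall, the MpKsl driver added by the MSE reinstall, and CSHelper moving from running to stopped while still set to auto-start, which is the kind of change worth a look before declaring a machine clean.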
 



#8 RPMcMurphy (Bleeping *^#@%~; Malware Response Team; 3,970 posts)

Posted 10 November 2013 - 10:45 AM

Please do this next:

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\FRST\Quarantine or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • adwCleaner log
  • MBAM log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 dric (Topic Starter; Members; 29 posts)

Posted 10 November 2013 - 01:56 PM

AdwCleaner[R0].txt:

Please note that as per your instructions, I ran SCAN and REPORT but did not CLEAN anything.

# AdwCleaner v3.011 - Report created 10/11/2013 at 11:10:16
# Updated 03/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Dave - ANTEC
# Running from : C:\Documents and Settings\Dave\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v25.0 (en-US)

[ File : C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\1ewm12l1.default\prefs.js ]

-\\ Google Chrome v

[ File : C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1172 octets] - [10/11/2013 11:10:16]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1232 octets] ##########

mbam-log-2013-11-10 (11-48-09).txt:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.10.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dave :: ANTEC [administrator]

11/10/2013 11:48:09 AM
mbam-log-2013-11-10 (11-48-09).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 361518
Time elapsed: 2 hour(s), 4 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#10 RPMcMurphy (Bleeping *^#@%~; Malware Response Team; 3,970 posts)

Posted 10 November 2013 - 02:47 PM

How is your computer running now?  Please do this next:

Uninstall the following outdated and insecure version of Java via Control Panel > Add/Remove Programs:

Java™ 6 Update 23 (Version: 6.0.230)

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • ESET log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#11 dric (Topic Starter; Members; 29 posts)

Posted 10 November 2013 - 06:26 PM

My computer is running well, with 1 remaining issue.  I had 3 issues at the start of this all:

1) A network issue that was preventing me from copying large files (> 10 MB or so) across my home network.  This appears to be fixed, I am now able to copy a 1G file to and from my NAS from this PC.  I was not able to do this earlier in the week.  Note that combofix had detected and apparently fixed a rootkit which had infected my tcp/ip stack.  It seems reasonable to me that this could affect network activity in unpredictable ways.  Can this be an issue for other PCs on my network, ie, could it be possible for this rootkit to spread from this pc to others on my network through normal network activity?

 

2) A MBAM scan which detected, reported, and supposedly removed a zeroaccess rootkit.  I reran MBAM as per one of your above steps (see post #9), and it ran cleanly.

 

3) I thought my MSE had been uninstalled.  It was not running in my sys tray and I was unable to start it manually.  I tried to reinstall MSE and the installation file told me it was already installed.  I went to add/remove programs and uninstalled it, and was told that it had already been uninstalled.  So apparently the rootkit did not uninstall MSE but rather disabled, or hid it somehow.  After uninstalling MSE, I was still unable to reinstall MSE, apparently because of the rootkit.  After running combofix, I am now able to start MSE manually.  I still do not see it in my sys tray, but this is not uncommon.  Sometimes it is not in my tray even though it is running.  I am also able to update it.  I would like to uninstall / reinstall MSE so I can be sure that it has not been compromised in any way, however, I'm not sure how to uninstall it since it has been removed from my add/remove programs list.

 

This is the only issue I see right now with my PC.

eset found 5 threats, the log file is attached. Gingerbreak is one that was intentional, used to root a cellphone.  Please note that as per your instructions, eset did not clean these files, it merely detected them.

eset_threats_detected.txt:

 

C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\6.0\35\38f8f1e3-4a358237 a variant of Java/JShrink.A application
C:\Documents and Settings\Dave\Desktop\Arlene backup\Documents\Documents (2)\Downloads\FFDictionaryToolbarInstaller_DIC2V5_askgog-187_tbr_sa_hpr_1.5.0.0.exe a variant of Win32/Bundled.Toolbar.Ask.A application
C:\Documents and Settings\Dave\Desktop\phone backup\download\GingerBreak-v1.20.apk Android/DroidRooter.B application
C:\Documents and Settings\Dave\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\48\1cfbd8f0-32e5c0b2 multiple threats
C:\Documents and Settings\Dave\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\61\61b9cdbd-7d89bb54 multiple threats
 


Edited by dric, 10 November 2013 - 07:18 PM.


#12 dric (Topic Starter; Members; 29 posts)

Posted 10 November 2013 - 10:32 PM

I was able to download and install a new MSE over my existing MSE, then remove the program from add/remove programs, then reinstall what I would consider to be a clean, uncompromised copy of MSE which appears in my sys tray as well as my add/remove programs.  So at this point, I would say that all issues I had with my PC have been resolved, at least as far as I can tell. 

 

I wonder if I should be cleaning the items found with eset and adwcleaner. 

 

I would also like some confirmation (if you can) that a tcp/ip stack infected with zeroaccess rootkit can or cannot pose a threat to other pcs and NASs on my network.

 

Any idea how I caught this infection, and is there any way to protect from it in the future?

 

Lastly, I await your "all clear".

 

Thanks for your help, I really appreciate it and would have been lost without it.



#13 RPMcMurphy (Bleeping *^#@%~; Malware Response Team; 3,970 posts)

Posted 11 November 2013 - 11:31 PM

Sorry for the delayed response. Most of those ESET detections were related to your phone rooting. A few require attention though - please do this:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above ClearJavaCache::
 

ClearJavaCache::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Edited by RPMcMurphy, 11 November 2013 - 11:32 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
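The ESET export in post #11 prints each detection as a file path followed by the detection name, and the reply above deals with the Java Deployment cache hits by clearing the Java cache (ClearJavaCache:: in a CFScript). The script below is an added example, not part of the original thread and not ESET's tooling: it splits each export line into path and detection name (paths contain spaces, so the split is found from the detection side) and sorts the hits into triage buckets with rules of my own: Java cache entries, a bundled toolbar installer sitting in a backup folder, and an Android rooting tool that is not a Windows threat. The input is the five lines from the page embedded as a constructed sample; the category names and recommended actions are assumptions, not ESET output.

```python
"""Triage an ESET online-scanner export by path and detection name (added example)."""
import re

# Constructed sample: the five lines ESET reported in this thread, one detection per line.
ESET_LOG = r"""
C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\6.0\35\38f8f1e3-4a358237 a variant of Java/JShrink.A application
C:\Documents and Settings\Dave\Desktop\Arlene backup\Documents\Documents (2)\Downloads\FFDictionaryToolbarInstaller_DIC2V5_askgog-187_tbr_sa_hpr_1.5.0.0.exe a variant of Win32/Bundled.Toolbar.Ask.A application
C:\Documents and Settings\Dave\Desktop\phone backup\download\GingerBreak-v1.20.apk Android/DroidRooter.B application
C:\Documents and Settings\Dave\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\48\1cfbd8f0-32e5c0b2 multiple threats
C:\Documents and Settings\Dave\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\61\61b9cdbd-7d89bb54 multiple threats
"""

# The path may contain spaces, so the split point is the first place where the rest of the
# line looks like a detection: "a variant of ...", "multiple threats", or a family name with
# a slash such as Android/DroidRooter.B (Windows paths never contain a forward slash).
LINE_RE = re.compile(
    r'^(?P<path>.+?) (?P<detection>a variant of .+|multiple threats|[A-Za-z0-9]+/\S.*)$')

# Triage rules (assumptions of this example, not ESET's): (category, test, recommended action).
RULES = [
    ('java-cache',
     lambda path, det: '\\java\\deployment\\cache\\' in path.lower(),
     'clear the Java cache (ClearJavaCache:: in a CFScript, or the Java Control Panel)'),
    ('android-root-tool',
     lambda path, det: path.lower().endswith('.apk') or det.startswith('Android/'),
     'not a Windows threat; keep only if the rooting tool was downloaded deliberately'),
    ('bundled-installer',
     lambda path, det: 'bundled.toolbar' in det.lower() or 'toolbar' in path.lower(),
     'delete the installer from the backup folder'),
]


def parse_line(line):
    """Split one export line into (path, detection); None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group('path'), m.group('detection')


def triage(log_text):
    """Classify every detection line; unknown cases fall through to manual review."""
    rows = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, detection = parsed
        category, action = 'review-manually', 'inspect the file before deciding'
        for name, test, advice in RULES:
            if test(path, detection):
                category, action = name, advice
                break
        rows.append({'path': path, 'detection': detection,
                     'category': category, 'action': action})
    return rows


def summary(rows):
    """Count detections per triage category."""
    counts = {}
    for row in rows:
        counts[row['category']] = counts.get(row['category'], 0) + 1
    return counts


if __name__ == '__main__':
    results = triage(ESET_LOG)
    for row in results:
        print(f"{row['category']:18s} {row['detection']}\n    {row['path']}\n    -> {row['action']}")
    print(summary(results))
```

Because ESET was run with "Remove found threats" unticked, nothing was deleted, so a pass like this over the export is what decides the next step for each file: three of the five hits are cached Java applets that the CFScript clears, one is an installer in an old backup that can simply be deleted, and the rooting APK is the user's own download.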


#14 dric (Topic Starter; Members; 29 posts)

Posted 12 November 2013 - 12:06 AM

C:\ComboFix.txt is pasted below:

Note that when I started ComboFix it told me that a new version was available. I did not download the new version; I ran with the version I used previously, downloaded 2 days ago.

 

Also note that I ran a full scan of MSE today and it ran clean except for a few files found in C:\FRST\Quarantine.

 

Also note that I have been using the PC with no issues for about 24 hours now.

ComboFix 13-11-07.01 - Dave 11/11/2013  23:44:13.8.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3071.2289 [GMT -5:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-12 to 2013-11-12  )))))))))))))))))))))))))))))))
.
.
2013-11-11 15:59 . 2013-11-11 15:59 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A197A294-2086-47D5-A83A-D2527B3841B1}\offreg.dll
2013-11-11 15:59 . 2013-11-11 15:59 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A197A294-2086-47D5-A83A-D2527B3841B1}\MpKsl476085f4.sys
2013-11-11 15:55 . 2013-10-14 04:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A197A294-2086-47D5-A83A-D2527B3841B1}\mpengine.dll
2013-11-11 12:15 . 2013-10-14 04:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-11 03:02 . 2013-11-11 03:02 -------- d-----w- c:\program files\Microsoft Security Client
2013-11-10 16:10 . 2013-11-10 16:10 -------- d-----w- C:\AdwCleaner
2013-11-09 21:23 . 2013-11-10 00:24 -------- d-----w- C:\FRST
2013-11-05 19:23 . 2013-11-05 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2013-11-05 19:23 . 2013-11-05 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2013-10-24 14:05 . 2013-10-24 14:30 -------- d-----w- c:\documents and settings\Dave\Application Data\FreeFileSync
2013-10-24 14:04 . 2013-10-24 14:05 -------- d-----w- c:\program files\FreeFileSync
2013-10-22 12:11 . 2013-10-22 12:11 -------- d-----w- c:\program files\Common Files\Java
2013-10-22 12:11 . 2013-10-22 12:11 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-22 12:11 . 2011-01-06 15:08 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-22 12:08 . 2012-03-29 14:15 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-22 12:08 . 2011-06-02 17:28 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2006-02-28 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2008-05-31 16:14 . 2007-01-15 13:36 118784 ----a-w- c:\program files\FixVTS1.603.exe
2006-09-17 16:50 . 2008-01-23 21:07 458752 ----a-w- c:\program files\sgphoto.exe
2003-10-11 18:36 . 2003-10-11 18:36 1093632 ----a-w- c:\program files\IfoEdit.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-08-15 64048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-11-04 597792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-08-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-08-09 13925480]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^Check for TWS Updates.lnk]
path=c:\documents and settings\Dave\Start Menu\Programs\Startup\Check for TWS Updates.lnk
backup=c:\windows\pss\Check for TWS Updates.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 00:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3200]
2002-07-01 03:05 74752 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-14 01:51 1238352 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2007-09-25 15:34 384000 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2007-09-25 15:35 1495040 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2007-09-25 15:33 1195008 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl476085f4;MpKsl476085f4;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A197A294-2086-47D5-A83A-D2527B3841B1}\MpKsl476085f4.sys [11/11/2013 10:59 AM 40392]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [6/24/2011 8:16 PM 61440]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 3:18 AM 360224]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [9/25/2007 10:33 AM 867328]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [8/14/2009 7:13 PM 54960]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/20/2009 6:47 PM 266240]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [1/31/2012 9:10 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [1/31/2012 9:10 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [1/31/2012 9:10 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [1/31/2012 9:10 PM 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [1/31/2012 9:10 PM 25728]
S3 FXDrv32;FXDrv32;c:\progra~1\FOXCONN\FOXLIV~1\FXDrv32.sys [1/23/2008 3:28 PM 23872]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL476085F4
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-26 11:46]
.
2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-26 11:46]
.
2013-11-11 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 15:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\1ewm12l1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: !HIDDEN! 2009-08-06 20:52; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-11 23:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1220)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-11-11  23:53:47
ComboFix-quarantined-files.txt  2013-11-12 04:53
ComboFix2.txt  2013-11-10 04:37
ComboFix3.txt  2011-05-10 18:51
ComboFix4.txt  2011-03-07 02:00
ComboFix5.txt  2013-11-12 04:43
.
Pre-Run: 3,850,600,448 bytes free
Post-Run: 4,066,287,616 bytes free
.
- - End Of File - - 10AD44EA1D8E2E40E187BBE985B86B9E
8F558EB6672622401DA993E1E865C861
 



#15 dric

dric
  • Topic Starter

  • Members
  • 29 posts

Posted 12 November 2013 - 09:11 AM

MSE is having a big issue with these files in C:\FRST\Quarantine.  This morning it is giving me a popup that says "Additional cleaning required.  Detected threats could not be cleaned.  To complete the cleaning process you need to download and run Windows Defender Offline on your PC."  I added the C:\FRST\Quarantine folder to my list of excluded locations in MSE but am still getting the error.  Is it OK to remove these files, and how should I remove them?




