TechSpot

Malware help por favor!

By even22even
Jul 30, 2012
  1. I ran mbam and it seemed to remove everything, but the issue came back after about a half hour. Here is the original log. THANKS!

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.30.10

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Dan :: DAN-PC [administrator]

    7/30/2012 2:06:28 PM
    mbam-log-2012-07-30 (14-06-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 210431
    Time elapsed: 4 minute(s), 40 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 4
    C:\$Recycle.Bin\S-1-5-21-306565562-1877658302-3384597349-1000\$RRUCA6G.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
    C:\Users\Dan\AppData\Local\Temp\Rar$EX03.001\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

    (end)
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
     
  3. even22even

    even22even TS Rookie Topic Starter

    MUCH appreciated DMJay! The log is below...

    Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 30-07-2012 15:10:50
    Running from G:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [305664 2009-03-31] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [154648 2009-03-31] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [227352 2009-03-31] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [202264 2009-03-31] (Intel Corporation)
    HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [4119552 2008-12-21] (Dell Inc.)
    HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [2115664 2009-03-26] (Dell Inc.)
    HKLM\...\Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [178712 2008-06-15] (Intel Corporation)
    HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [462848 2009-03-31] (IDT, Inc.)
    HKLM\...\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)
    HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [250192 2009-04-24] (Microsoft Corporation)
    HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-02-04] (CyberLink Corp.)
    HKLM-x32\...\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui [2838912 2010-09-07] (AVAST Software)
    HKLM-x32\...\Run: [AT&T Communication Manager] "C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe" -a [33280 2008-12-01] (ATT)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-04-26] (Apple Inc.)
    HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
    HKLM-x32\...\Run: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe" [29984 2008-07-09] (Nuance Communications, Inc.)
    HKLM-x32\...\Run: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe" [46368 2008-07-09] (Nuance Communications, Inc.)
    HKLM-x32\...\Run: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [346 2012-07-30] ()
    HKLM-x32\...\Run: [ControlCenter3] "C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe" /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
    HKLM-x32\...\Run: [BrStsMon00] "C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe" /AUTORUN [2621440 2010-02-09] (Brother Industries, Ltd.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\Dan\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Dan\...\Run: [ComcastAntispyClient] "C:\Program Files (x86)\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide [1589208 2009-08-19] ()
    HKU\Dan\...\Run: [Akamai NetSession Interface] "C:\Users\Dan\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
    HKU\Dan\...\Run: [Google Update] "C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-06-29] (Google Inc.)
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Mcx1\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Mcx1\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [196608 2009-04-10] (Microsoft Corporation)
    HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1085000 2012-07-03] (Malwarebytes Corporation)
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Mcx1\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    ==================== Services (Whitelisted) ======
    2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
    2 AntiSpywareService; C:\Program Files (x86)\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [616408 2009-06-17] ()
    3 ATTRcAppSvc; "C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" [113152 2008-11-20] (SmithMicro Inc.)
    2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-09-07] (AVAST Software)
    3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-09-07] (AVAST Software)
    3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-09-07] (AVAST Software)
    3 CAATT; "C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe" /n "CAATT" [125440 2008-11-20] (SmithMicro Inc.)
    2 ITMRTSVC; "C:\Program Files (x86)\CA\PPRT\bin\ITMRTSVC.exe" [283912 2007-09-26] (CA, Inc.)
    3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
    2 wltrysvc; C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe [3051520 2008-12-21] (Dell Inc.)
    3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [306400 2011-08-05] (Microsoft Corporation)
    3 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [8277728 2011-08-05] (Microsoft Corporation)
    3 ZuneWlanCfgSvc; "C:\Program Files\Zune\ZuneWlanCfgSvc.exe" [467680 2011-08-05] (Microsoft Corporation)
    2 yksvc; RUNDLL32.EXE ykx64coinst,serviceStartProc [x]
    ========================== Drivers (Whitelisted) =============
    3 a4djavs_x64; C:\Windows\System32\Drivers\a4djavs_x64.sys [44624 2009-10-08] (Native Instruments GmbH)
    3 a4djusb_x64; C:\Windows\System32\Drivers\a4djusb_x64.sys [300112 2009-10-08] (Native Instruments GmbH)
    2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20048 2010-09-07] (AVAST Software)
    2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [61008 2010-09-07] (AVAST Software)
    1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [28752 2010-09-07] (AVAST Software)
    1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [121936 2010-09-07] (AVAST Software)
    1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [51280 2010-09-07] (AVAST Software)
    3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [43032 2008-11-20] (Smith Micro Inc.)
    3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [30088 2008-08-22] ()
    3 SWNC8U80; C:\Windows\System32\Drivers\SWNC8U80.sys [200192 2008-08-20] (Sierra Wireless Inc.)
    3 SWUMX80; C:\Windows\System32\Drivers\SWUMX80.sys [191872 2008-08-20] (Sierra Wireless Inc.)
    1 tcpipBM; C:\Windows\SysWow64\Drivers\tcpipBM.sys [18816 2008-11-20] (Bytemobile, Inc.)
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-07-30 12:07 - 2012-07-30 12:07 - 00000000 ____D C:\FRST
    2012-07-30 11:28 - 2012-07-30 11:34 - 00000000 ____D C:\Users\Dan\Desktop\Speakers and Amp
    2012-07-30 11:25 - 2011-08-25 10:14 - 00607260 ____R (Swearware) C:\Users\Dan\Desktop\dds.scr
    2012-07-30 11:24 - 2012-07-30 11:24 - 00000000 ____A C:\Users\Dan\Desktop\gmer log.log
    2012-07-30 11:08 - 2012-07-30 11:08 - 00302592 ____A C:\Users\Dan\Desktop\cip81i5h.exe
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000950 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000000 ____D C:\Users\Dan\Application Data\Malwarebytes
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Malwarebytes
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-30 11:05 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-30 11:04 - 2012-07-11 15:34 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Dan\Desktop\mbam-setup-1.62.0.1300.exe
    2012-07-30 10:12 - 2012-07-30 10:12 - 00001117 ____A C:\Users\Dan\Desktop\ComcastAntiSpyService - Shortcut.lnk
    2012-07-30 10:12 - 2012-07-30 10:12 - 00001082 ____A C:\Users\Dan\Desktop\ComcastAntiSpy - Shortcut.lnk
    2012-07-23 10:14 - 2012-07-23 10:16 - 00000000 ____D C:\Users\Dan\Desktop\New Folder
    2012-07-23 09:26 - 2012-07-23 10:13 - 00000000 ____D C:\Users\Dan\Desktop\Nathan Daniel
    2012-07-11 13:41 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-11 13:41 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-11 13:41 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-11 13:41 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-11 13:41 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-11 13:41 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-11 13:41 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-11 13:41 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-11 13:41 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-11 13:41 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-11 13:41 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-11 13:41 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-11 13:41 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-11 13:41 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-11 13:41 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-11 13:41 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-11 13:41 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-11 13:41 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-11 13:41 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-11 13:41 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-11 13:41 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-11 13:41 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-11 13:41 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-11 13:41 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-11 13:41 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-11 13:41 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-11 13:41 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-11 13:41 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 13:40 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-10 11:34 - 2012-06-08 09:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-10 11:34 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-10 11:34 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-10 11:34 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-10 11:34 - 2012-06-05 08:22 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-10 11:34 - 2012-06-05 08:22 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-10 11:34 - 2012-06-04 07:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-10 11:34 - 2012-06-01 16:22 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-10 11:34 - 2012-06-01 16:22 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-10 11:34 - 2012-06-01 16:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-10 11:34 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-10 11:34 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    ============ 3 Months Modified Files ========================
    2012-07-30 12:07 - 2009-08-31 07:53 - 01902183 ____A C:\Windows\WindowsUpdate.log
    2012-07-30 12:07 - 2006-11-02 07:42 - 00032572 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-30 12:07 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-30 12:07 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-30 12:07 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-30 12:07 - 2006-11-02 04:46 - 00703516 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-30 11:40 - 2012-06-29 17:35 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-306565562-1877658302-3384597349-1000UA.job
    2012-07-30 11:24 - 2012-07-30 11:24 - 00000000 ____A C:\Users\Dan\Desktop\gmer log.log
    2012-07-30 11:20 - 2012-05-03 15:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-30 11:13 - 2012-05-04 05:14 - 00001552 ____A C:\Windows\PFRO.log
    2012-07-30 11:08 - 2012-07-30 11:08 - 00302592 ____A C:\Users\Dan\Desktop\cip81i5h.exe
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-30 11:05 - 2012-07-30 11:05 - 00000950 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-30 10:12 - 2012-07-30 10:12 - 00001117 ____A C:\Users\Dan\Desktop\ComcastAntiSpyService - Shortcut.lnk
    2012-07-30 10:12 - 2012-07-30 10:12 - 00001082 ____A C:\Users\Dan\Desktop\ComcastAntiSpy - Shortcut.lnk
    2012-07-30 07:19 - 2009-09-30 13:53 - 00006080 ____A C:\Users\Dan\Local Settings\d3d9caps.dat
    2012-07-30 07:19 - 2009-09-30 13:53 - 00006080 ____A C:\Users\Dan\Local Settings\Application Data\d3d9caps.dat
    2012-07-30 07:19 - 2009-09-30 13:53 - 00006080 ____A C:\Users\Dan\AppData\Local\d3d9caps.dat
    2012-07-30 06:20 - 2012-05-03 15:33 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-30 06:20 - 2011-11-27 08:48 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-20 04:40 - 2012-06-29 17:35 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-306565562-1877658302-3384597349-1000Core.job
    2012-07-12 11:42 - 2012-06-29 17:36 - 00002072 ____A C:\Users\Dan\Desktop\Google Chrome.lnk
    2012-07-12 07:03 - 2006-11-02 07:21 - 00306784 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 15:34 - 2012-07-30 11:04 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Dan\Desktop\mbam-setup-1.62.0.1300.exe
    2012-07-11 13:45 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-03 10:46 - 2012-07-30 11:05 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-13 12:30 - 2012-06-13 12:30 - 02488320 ____A C:\Users\Dan\Desktop\FY12 Coaching and Training.ppt
    2012-06-13 07:38 - 2009-09-05 17:27 - 00072960 ____A C:\Users\Dan\Local Settings\GDIPFONTCACHEV1.DAT
    2012-06-13 07:38 - 2009-09-05 17:27 - 00072960 ____A C:\Users\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-06-13 07:38 - 2009-09-05 17:27 - 00072960 ____A C:\Users\Dan\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-13 05:58 - 2012-07-11 13:40 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 08:19 - 2010-10-01 16:58 - 00001630 ____A C:\Users\Dan\Application Data\wklnhst.dat
    2012-06-12 08:19 - 2010-10-01 16:58 - 00001630 ____A C:\Users\Dan\AppData\Roaming\wklnhst.dat
    2012-06-08 09:59 - 2012-07-10 11:34 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 09:47 - 2012-07-10 11:34 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 08:47 - 2012-07-10 11:34 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 08:47 - 2012-07-10 11:34 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 08:22 - 2012-07-10 11:34 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 08:22 - 2012-07-10 11:34 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-04 07:29 - 2012-07-10 11:34 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-21 07:58 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 07:58 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 07:58 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 07:58 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 07:58 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 07:58 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-21 07:58 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-21 07:58 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 07:58 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-21 07:58 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 12:19 - 2012-06-21 07:58 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:19 - 2012-06-21 07:58 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 12:15 - 2012-06-21 07:58 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 12:12 - 2012-06-21 07:58 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-02 04:49 - 2012-07-11 13:41 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-11 13:41 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-11 13:41 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-11 13:41 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-11 13:41 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-11 13:41 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-11 13:41 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-11 13:41 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-11 13:41 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-11 13:41 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-11 13:41 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-11 13:41 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-11 13:41 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-11 13:41 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-11 13:41 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 13:41 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 13:41 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 13:41 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 13:41 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 13:41 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-11 13:41 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-11 13:41 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 13:41 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 13:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 13:41 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-11 13:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 13:41 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 13:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 16:22 - 2012-07-10 11:34 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:22 - 2012-07-10 11:34 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 16:05 - 2012-07-10 11:34 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 16:04 - 2012-07-10 11:34 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 16:03 - 2012-07-10 11:34 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-05-31 09:25 - 2009-10-02 12:38 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-29 08:02 - 2012-05-29 08:02 - 00000000 ____A C:\Users\Dan\Sti_Trace.log
    2012-05-07 16:32 - 2012-05-07 16:32 - 00342542 ____A C:\Users\Dan\Local Settings\dd_vcredistMSI0A15.txt
    2012-05-07 16:32 - 2012-05-07 16:32 - 00342542 ____A C:\Users\Dan\Local Settings\Application Data\dd_vcredistMSI0A15.txt
    2012-05-07 16:32 - 2012-05-07 16:32 - 00342542 ____A C:\Users\Dan\AppData\Local\dd_vcredistMSI0A15.txt
    2012-05-07 16:32 - 2012-05-07 16:32 - 00011134 ____A C:\Users\Dan\Local Settings\dd_vcredistUI0A15.txt
    2012-05-07 16:32 - 2012-05-07 16:32 - 00011134 ____A C:\Users\Dan\Local Settings\Application Data\dd_vcredistUI0A15.txt
    2012-05-07 16:32 - 2012-05-07 16:32 - 00011134 ____A C:\Users\Dan\AppData\Local\dd_vcredistUI0A15.txt
    2012-05-07 16:21 - 2012-05-07 16:21 - 00011236 ____A C:\Users\Dan\Local Settings\dd_vcredistUI0165.txt
    2012-05-07 16:21 - 2012-05-07 16:21 - 00011236 ____A C:\Users\Dan\Local Settings\Application Data\dd_vcredistUI0165.txt
    2012-05-07 16:21 - 2012-05-07 16:21 - 00011236 ____A C:\Users\Dan\AppData\Local\dd_vcredistUI0165.txt
    2012-05-07 16:21 - 2012-05-07 16:21 - 00004198 ____A C:\Users\Dan\Local Settings\dd_vcredistMSI0165.txt
    2012-05-07 16:21 - 2012-05-07 16:21 - 00004198 ____A C:\Users\Dan\Local Settings\Application Data\dd_vcredistMSI0165.txt
    2012-05-07 16:21 - 2012-05-07 16:21 - 00004198 ____A C:\Users\Dan\AppData\Local\dd_vcredistMSI0165.txt
    2012-05-07 16:16 - 2012-05-07 16:16 - 00001025 ____A C:\Windows\SysWOW64\sysprs7.tgz
    2012-05-07 16:16 - 2012-05-07 16:16 - 00001025 ____A C:\Windows\SysWOW64\sysprs7.dll
    2012-05-07 16:16 - 2012-05-07 16:16 - 00000219 ____A C:\Windows\SysWOW64\lsprst7.tgz
    2012-05-07 16:16 - 2012-05-07 16:16 - 00000205 ____A C:\Windows\SysWOW64\lsprst7.dll
    2012-05-07 16:16 - 2012-05-07 16:16 - 00000016 ____H C:\Windows\SysWOW64\servdat.slm

    ZeroAccess:
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\@
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\L
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\00000004.@
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\00000008.@
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\000000cb.@
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\80000000.@
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\80000064.@
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz1544.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz1555.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz1556.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz16BA.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz16CB.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz1A2C.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz25EE.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz36E0.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz376D.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz37D0.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz3E7A.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz4982.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz4BA1.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz5032.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz5B6B.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz5E0B.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz67FB.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz6AE4.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz6B23.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz6B93.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz6BB3.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz6DE2.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz7B1C.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz7D4F.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz7EC7.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz97B8.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trz9E9F.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzA710.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzABC2.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzAED1.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzAF61.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzAFB0.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzC59.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzE5D2.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzE74C.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzEABD.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzEB0C.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzF0F0.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzF467.tmp
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27}\U\trzF478.tmp
    ZeroAccess:
    C:\Users\Dan\AppData\Local\{c791174a-e567-f19e-9677-adf66795fa27}
    C:\Users\Dan\AppData\Local\{c791174a-e567-f19e-9677-adf66795fa27}\@
    C:\Users\Dan\AppData\Local\{c791174a-e567-f19e-9677-adf66795fa27}\L
    C:\Users\Dan\AppData\Local\{c791174a-e567-f19e-9677-adf66795fa27}\trzAF62.tmp
    C:\Users\Dan\AppData\Local\{c791174a-e567-f19e-9677-adf66795fa27}\U
    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini
    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 10%
    Total physical RAM: 4055.45 MB
    Available physical RAM: 3616.34 MB
    Total Pagefile: 3929.09 MB
    Available Pagefile: 3595.51 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:117.15 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    5 Drive g: (DCURREN) (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT
    6 Drive x: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:5.3 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 974 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 32 KB
    Partition 2 Primary 15 GB 40 MB
    Partition 3 Primary 218 GB 15 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 FAT Partition 39 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 X RECOVERY NTFS Partition 15 GB Healthy Boot
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C OS NTFS Partition 218 GB Healthy
    ==================================================================================
    Partitions of Disk 2:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 974 MB 8 KB
    ==================================================================================
    Disk: 2
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 G DCURREN FAT Removable 974 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-07-30 11:19
    ======================= End Of Log ==========================
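The FRST log above lists the ZeroAccess footprint this machine carried: a {GUID} directory under C:\Windows\Installer and another under the user's AppData\Local, each holding the "@", "L" and "U" entries with U\*.@ payload files, plus a Desktop.ini dropped into assembly\GAC_32 and assembly\GAC_64. The script below is an added example, not part of the thread or of FRST; it checks a directory tree for that layout. The sample tree it scans is constructed from the paths in the log (empty files built in a temporary directory) so the check runs offline, and the GUID-directory and Desktop.ini rules are an assumption about what a defender would look for, not FRST's own logic.

```python
"""Check a Windows directory tree for the ZeroAccess file layout the thread's
FRST log reported.

Added example, not from the thread or the FRST tool. The sample tree is
constructed from the paths in the log (empty files, built in a temp dir), so
the check runs offline; the GUID-directory and Desktop.ini rules are an
assumption about what a defender would look for, not FRST's own logic.
"""
import re
import tempfile
from pathlib import Path

GUID_DIR_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
TRIAD = {"@", "L", "U"}   # entries the log shows inside each {GUID} directory


def find_zeroaccess_layout(windows_root, user_local_dirs):
    """Return a list of findings. Each is a dict with 'where' (path) and
    'payloads' (names of U\\*.@ files, if any)."""
    findings = []
    parents = [Path(windows_root) / "Installer"] + [Path(d) for d in user_local_dirs]
    for parent in parents:
        if not parent.is_dir():
            continue
        for child in sorted(parent.iterdir()):
            if not (child.is_dir() and GUID_DIR_RE.match(child.name)):
                continue
            names = {p.name for p in child.iterdir()}
            # A plain {GUID} folder is normal under Installer (MSI cache);
            # it is the '@'/'L'/'U' triad inside it that matches the log.
            if not TRIAD <= names:
                continue
            u_dir = child / "U"
            payloads = sorted(p.name for p in u_dir.glob("*.@")) if u_dir.is_dir() else []
            findings.append({"where": str(child), "payloads": payloads})
    # The other artifact in the log: Desktop.ini placed in assembly\GAC_32 / GAC_64.
    for gac in ("GAC_32", "GAC_64"):
        ini = Path(windows_root) / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            findings.append({"where": str(ini), "payloads": []})
    return findings


def build_sample_tree(base):
    """Constructed sample mirroring the thread's log (empty files)."""
    base = Path(base)
    guid = "{c791174a-e567-f19e-9677-adf66795fa27}"   # GUID from the log
    win = base / "Windows"
    inst = win / "Installer" / guid
    (inst / "L").mkdir(parents=True)
    (inst / "U").mkdir()
    (inst / "@").touch()
    for name in ("00000004.@", "00000008.@", "80000000.@", "trz1544.tmp"):
        (inst / "U" / name).touch()
    (win / "assembly" / "GAC_32").mkdir(parents=True)
    (win / "assembly" / "GAC_32" / "Desktop.ini").touch()
    # Benign MSI cache entry (constructed GUID): no triad, must not be flagged.
    benign = win / "Installer" / "{11111111-2222-3333-4444-555555555555}"
    benign.mkdir()
    (benign / "icon.exe").touch()
    local = base / "Users" / "Dan" / "AppData" / "Local"
    (local / guid / "U").mkdir(parents=True)
    (local / guid / "L").mkdir()
    (local / guid / "@").touch()
    return win, [local]


def demo():
    """Build the sample tree in a temp dir, run the check, return findings."""
    with tempfile.TemporaryDirectory() as td:
        win, locals_ = build_sample_tree(td)
        return find_zeroaccess_layout(win, locals_)


if __name__ == "__main__":
    for f in demo():
        print(f["where"], f["payloads"])
```

Pointing find_zeroaccess_layout at a real C:\Windows and the users' AppData\Local folders reproduces the same check on a live system; a hit is a lead for the kind of offline cleanup the helper walks through in this thread, not a verdict on its own.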
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Okay...fixlist and searching to do. Please make sure a log is posted from each task.

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
     
  5. even22even

    even22even TS Rookie Topic Starter

    Much thanks again for the continued support! When I re-booted after running the fix it appeared to run smoothly. Prior to this the machine was bogging down and folders were having difficulty both opening and closing. After the re-boot they seemed to be functioning normally - granted I was only playing around for a minute or so. The logs are as follows:

    fixlog.txt -
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-31 08:05:51 Run:1
    Running from G:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\Installer\{c791174a-e567-f19e-9677-adf66795fa27} moved successfully.
    C:\Users\Dan\AppData\Local\{c791174a-e567-f19e-9677-adf66795fa27} moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
    ==== End of Fixlog ====


    search.txt -
    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-31 08:10:45
    Running from G:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-12-03 13:24] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-12-03 13:24] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
    C:\Windows\SysWOW64\services.exe
    [2009-12-03 13:24] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\System32\services.exe
    [2009-12-03 13:24] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
    ====== End Of Search ======
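The Search.txt above is what the helper's services.exe search is meant to surface: the four copies in the WinSxS component store carry their Microsoft hashes, the 32-bit SysWOW64 copy matches the x86 6.0.6002.18005 store copy, and the live System32 copy (384512 bytes, the same size as the amd64 store copies) carries a hash that matches none of them. The script below is an added example, not part of the thread or of FRST; it parses a constructed Search.txt built from the hashes in this post and flags any live copy whose MD5 does not match a store copy of the same architecture. It assumes a 64-bit host (System32 holds the amd64 binary, SysWOW64 the x86 one), as here, and that the store copies themselves are intact; the parsing and matching logic is my own, not how FRST works internally.

```python
"""Cross-check live copies of a Windows system binary against the WinSxS
component store using the hashes in an FRST Search.txt report.

Added example, not from the thread or the FRST tool. SEARCH_TXT is a
constructed sample built from the services.exe lines posted in the thread.
Assumption: 64-bit host, so System32 holds the amd64 binary and SysWOW64
the x86 one.
"""
import re
from collections import defaultdict

SEARCH_TXT = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-03 13:24] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-03 13:24] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2009-12-03 13:24] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2009-12-03 13:24] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# WinSxS component directory: <arch>_<name>_<pubkeytoken>_<version>_<lang>_<hash>
SXS_RE = re.compile(r"\\winsxs\\(?P<arch>amd64|x86)_[^\\]*?_(?P<ver>\d+\.\d+\.\d+\.\d+)_", re.I)


def parse_search(text):
    """Pair each path line with the detail line FRST prints under it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(len(lines) - 1):
        if PATH_RE.match(lines[i]):
            m = DETAIL_RE.match(lines[i + 1])
            if m:
                entries.append({"path": lines[i], "size": int(m["size"]),
                                "company": m["company"], "md5": m["md5"].upper()})
    return entries


def classify(path):
    """Return (kind, arch, version): 'store' for a WinSxS copy, 'live' for the
    copy Windows actually executes, 'other' for anything else."""
    m = SXS_RE.search(path)
    if m:
        return "store", m["arch"].lower(), m["ver"]
    low = path.lower()
    if "\\system32\\" in low:
        return "live", "amd64", None   # assumption: 64-bit host
    if "\\syswow64\\" in low:
        return "live", "x86", None
    return "other", None, None


def triage(text):
    """Map each live path to a verdict: MATCH (hash equals a store copy of the
    same architecture) or NO_MATCH, with a note on the size evidence."""
    store = defaultdict(dict)       # arch -> md5 -> (version, size)
    live = []
    for e in parse_search(text):
        kind, arch, ver = classify(e["path"])
        if kind == "store":
            store[arch][e["md5"]] = (ver, e["size"])
        elif kind == "live":
            live.append((e, arch))
    verdicts = {}
    for e, arch in live:
        known = store.get(arch, {})
        if e["md5"] in known:
            verdicts[e["path"]] = {"status": "MATCH", "version": known[e["md5"]][0], "note": ""}
            continue
        same_size = sorted(ver for ver, size in known.values() if size == e["size"])
        if same_size:
            # Same byte count as a store copy but a different hash: the file was
            # altered in place, which is exactly what the thread's log shows.
            note = "same size as store version(s) %s but different hash" % ", ".join(same_size)
        else:
            note = "no store copy of matching size; unknown build or replaced file"
        verdicts[e["path"]] = {"status": "NO_MATCH", "version": None, "note": note}
    return verdicts


if __name__ == "__main__":
    for path, v in triage(SEARCH_TXT).items():
        print("%-35s %-8s %s %s" % (path, v["status"], v["version"] or "", v["note"]))
```

A NO_MATCH with equal size is the pattern the helper acted on in the next post (restoring the amd64 6.0.6002.18005 store copy over System32); on a system where the store itself is suspect, the Authenticode signature or a Microsoft catalog is the stronger reference than a WinSxS hash.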
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  7. even22even

    even22even TS Rookie Topic Starter

    After re-boot, the system appears to be running normally.


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-01 08:13:57 Run:2
    Running from G:\
    ==============================================
    c:\windows\system32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to c:\windows\system32\services.exe
    ==== End of Fixlog ====
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Excellent work! Let's get rid of more malware with this tool:

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe.

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again, and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system-important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  9. even22even

    even22even TS Rookie Topic Starter

    Here is the combo-fix log. I have Avast on the machine and disabled all shields, but when the scan started, it advised that the program was still running. I visited the link you provided regarding how to disable the program, and that was exactly what I had already done. I went through the task manager and scanned all processes and applications and did not see Avast anywhere. However on the combo-fix log, it does read that Avast was active.

    ComboFix 12-07-31.03 - Dan 08/02/2012 9:27.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4055.2554 [GMT -5:00]
    Running from: c:\users\Dan\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    E:\AUTORUN.INF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-02 to 2012-08-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-02 15:07 . 2012-08-02 15:09 -------- d-----w- c:\users\Dan\AppData\Local\temp
    2012-07-30 20:07 . 2012-07-30 20:07 -------- d-----w- C:\FRST
    2012-07-30 19:05 . 2012-07-30 19:05 -------- d-----w- c:\users\Dan\AppData\Roaming\Malwarebytes
    2012-07-30 19:05 . 2012-07-30 19:05 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-30 19:05 . 2012-07-30 19:05 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-30 19:05 . 2012-07-03 18:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-27 18:30 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{353E1A26-84CC-4CBC-A13F-2E8B7F53012D}\mpengine.dll
    2012-07-11 21:40 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-30 14:20 . 2012-05-03 23:33 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-30 14:20 . 2011-11-27 16:48 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 21:45 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-06-02 22:19 . 2012-06-21 15:58 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 15:58 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 15:58 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 15:58 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 15:58 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-21 15:58 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 15:58 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 15:58 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 15:58 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-21 15:58 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 15:58 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:19 . 2012-06-21 15:58 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 20:15 . 2012-06-21 15:58 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 20:12 . 2012-06-21 15:58 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-05-31 17:25 . 2009-10-02 20:38 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "ComcastAntispyClient"="c:\program files (x86)\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
    "Akamai NetSession Interface"="c:\users\Dan\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "AT&T Communication Manager"="c:\program files (x86)\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
    "QuickTime Task"="c:\program files (x86)\MpcStar\Codecs\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files (x86)\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
    "IndexSearch"="c:\program files (x86)\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
    "PPort11reminder"="c:\program files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
    "BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux2"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    R3 a4djavs_x64;a4djavs_x64;c:\windows\system32\Drivers\a4djavs_x64.sys [2009-10-08 44624]
    R3 a4djusb_x64;a4djusb_x64;c:\windows\system32\Drivers\a4djusb_x64.sys [2009-10-08 300112]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-30 250056]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [2009-03-31 89600]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-02 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-03 14:20]
    .
    2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-306565562-1877658302-3384597349-1000Core.job
    - c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 01:35]
    .
    2012-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-306565562-1877658302-3384597349-1000UA.job
    - c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 01:35]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 305664]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-31 154648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-31 227352]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-31 202264]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-21 4119552]
    "QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-03-26 2115664]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
    IE: &D&ownload &with BitComet - c:\program files (x86)\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files (x86)\BitComet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: bmnet.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\cpp97wom.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
    AddRemove-Stanton ScratchAmp Driver V2 (alpha release) Setup - c:\program files (x86)\Stanton\FinalScratch\uninst.exe Software\Stanton\1394AudioDriver_FinalScratch\Setup
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Dell\DellDock\DockLogin.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files (x86)\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\CA\PPRT\bin\ITMRTSVC.exe
    c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Brother\ControlCenter3\brccMCtl.exe
    c:\program files (x86)\Browny02\BrYNSvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-02 10:14:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-02 15:14
    .
    Pre-Run: 125,545,431,040 bytes free
    Post-Run: 125,646,757,888 bytes free
    .
    - - End Of File - - 90CCDAA4FD90710FBD95DF2188809CB1
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay. Good job! Probably best to remove BitComet from your Programs list. P2P programs are an active distributor of malware.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  11. even22even

    even22even TS Rookie Topic Starter

    Yikes! I ran ESET and it found multiple files infected by sirefef tm. When I pulled up the log file after the fix it was blank... I'm restarting and running again, I don't know what went wrong there.
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Okay. Let me know what happens.
     
  13. even22even

    even22even TS Rookie Topic Starter

    I've run it two more times, and both detected no threats. Both did produce a log this time. I can't imagine why the initial scan produce a log, but it did initially find something like 35 files infected, most of which by sirefef. It seems to have cleaned them up; however, you would know better than me! Anyhow, thanks again for the continued support :D Here is the latest ESET log:


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f6af01dfd5ba8d4da689d297ed5ea05a
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-03 04:47:01
    # local_time=2012-08-03 11:47:01 (-0600, Central Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=770 16774141 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 56 0 180607137 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=183645
    # found=0
    # cleaned=0
    # scan_time=3989
    ESETSmartInstaller@High as downloader log:
    Can not open internetESETSmartInstaller@High as downloader log:
    Can not open internet# version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f6af01dfd5ba8d4da689d297ed5ea05a
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-04 04:02:31
    # local_time=2012-08-04 11:02:31 (-0600, Central Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=770 16774141 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 56 0 180690935 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=183785
    # found=0
    # cleaned=0
    # scan_time=3921
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
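The "Clean up System Restore" step above, done from an elevated PowerShell prompt instead of the Control Panel. This is an added example and is not part of Jay's post or of any tool used in the thread; it assumes PowerShell 2.0 or later is installed (an optional download on Vista) and that System Protection is enabled on the system drive. It does the same two things as the GUI steps: create a fresh restore point named "Clean", then delete every older shadow copy (restore points live inside these) so a later "restore back" cannot bring the quarantined files back.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes PowerShell 2.0+ and System Protection enabled on the system drive.

# 1. Create the new "Clean" restore point (same as System Protection > Create).
Checkpoint-Computer -Description "Clean" -RestorePointType "MODIFY_SETTINGS"

# 2. Enumerate shadow copies oldest-first. InstallDate is a DMTF timestamp
#    (yyyymmddHHMMSS...), so sorting it as a string orders them chronologically.
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate)

# 3. Delete everything except the newest copy, which backs the "Clean" point.
#    This mirrors Disk Cleanup > More Options > System Restore and Shadow Copies > Clean up.
if ($shadows.Count -gt 1) {
    $shadows[0..($shadows.Count - 2)] | ForEach-Object {
        Write-Host ("Deleting shadow copy {0} created {1}" -f $_.ID, $_.InstallDate)
        Remove-WmiObject -InputObject $_
    }
}

# 4. Verify: only the "Clean" point should be listed now.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Two things to keep in mind: on Windows 8 and later, Checkpoint-Computer refuses to create a second restore point within 24 hours of the last one, so step 1 may be skipped there unless the previous point is older than that; and bulk deletion of shadow copies is behaviour that endpoint security tooling commonly flags, so expect an alert if the machine is monitored and be ready to explain it.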
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     
