TechSpot

Patched.B.Gen trojan!!

By chunky521
Aug 4, 2012
  1. Hello all,

    I stumbled onto this forum from google searches about this persistent trojan. I'm not an expert but I like to consider myself somewhat computer savvy.

    However, I can't seem to get rid of this one. I see a lot of posts on this virus but as far as I know, each solution is unique to the user.

    Can anybody offer me some help?

    I'm running 64 bit Windows 7, and use ESET anti-virus and malwarebytes.
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt.
    • In the command window, type notepad and press Enter.
    • Notepad opens. Under the File menu, select Open.
    • Select "Computer", note your flash drive letter, and close Notepad.
    • In the command window, type e:\frst64 and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens, click Yes to the disclaimer.
    • Place a check next to List Drivers MD5, in addition to the default check marks that are already there.
    • Press the Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.
     
  3. chunky521

    chunky521 TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool Version: 04-08-2012 01
    Ran by SYSTEM at 04-08-2012 12:14:36
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1822504 2009-08-24] (Synaptics Incorporated)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-29] (IDT, Inc.)
    HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [4081008 2012-03-07] (ESET)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-11-12] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKU\Master\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-01] (DT Soft Ltd)
    HKU\Master\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-03] (Valve Corporation)
    HKU\Master\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5661056 2012-07-09] (SUPERAntiSpyware.com)
    Tcpip\Parameters: [DhcpNameServer] 167.206.245.129 167.206.245.130 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

    ==================== Services (Whitelisted) ======

    2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
    2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    2 CSIScanner; "C:\Program Files\Prevx\prevx.exe" /service [6746280 2012-07-28] (Prevx)
    2 ekrn; "C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe" [913144 2012-03-07] (ESET)
    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-29] (IDT, Inc.)
    2 USADISK_AGENT; C:\Program Files (x86)\USADISK\WEBHARD_Agent.exe /run USADISK_AGENT [155856 2011-06-13] ()

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-09-21] (DT Soft Ltd)
    1 eamonm; C:\Windows\System32\Drivers\eamonm.sys [209768 2012-03-14] (ESET)
    1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [148528 2012-03-14] (ESET)
    2 epfw; C:\Windows\System32\Drivers\epfw.sys [187632 2012-03-14] (ESET)
    1 EpfwLWF; C:\Windows\System32\Drivers\EpfwLWF.sys [38288 2012-03-14] (ESET)
    0 epfwwfp; C:\Windows\System32\Drivers\epfwwfp.sys [62496 2012-03-14] (ESET)
    3 pxkbf; C:\Windows\System32\Drivers\pxkbf.sys [24024 2012-07-28] (Prevx)
    1 pxrts; C:\Windows\System32\Drivers\pxrts.sys [65736 2012-07-28] (Prevx)
    0 pxscan; C:\Windows\System32\Drivers\pxscan.sys [36384 2012-07-28] (Prevx)
    1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-04 12:13 - 2012-08-04 12:14 - 00000000 ____D C:\FRST
    2012-08-03 20:06 - 2012-08-03 20:06 - 01552384 ____A C:\Users\Master\Downloads\RogueKiller.exe
    2012-08-03 11:52 - 2012-08-03 11:52 - 00000000 ____D C:\Users\Master\AppData\Roaming\Worksimaging
    2012-08-02 21:59 - 2012-08-02 21:59 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-02 18:50 - 2012-08-02 18:50 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-08-02 18:49 - 2012-08-02 18:49 - 03907920 ____A (Piriform Ltd) C:\Users\Master\Downloads\ccsetup321.exe
    2012-08-02 06:12 - 2012-08-02 06:28 - 00000000 ____D C:\Users\Master\AppData\Local\Microsoft Games
    2012-07-31 22:00 - 2012-08-01 21:27 - 00000000 ___HD C:\Users\Master\Downloads\[ www.Speed.Cd ] - London.2012.Olympics.Womens.Artistic.Gymnastics.Team.Final.720p.HDTV.x264-2HD
    2012-07-31 21:49 - 2012-08-02 00:01 - 1881916215 ___AH C:\Users\Master\Downloads\London.2012.Olympics.Womens.Artistic.Gymnastics.Qualifications.720p.HDTV.x264-2HD.mkv
    2012-07-31 21:48 - 2012-08-01 02:26 - 00000000 ____D C:\Users\Master\Downloads\{www.scenetime.com}London.2012.Olympics.Womens.Artistic.Gymnastics.Qualifications.480p.HDTV.x264-mSD
    2012-07-29 21:22 - 2012-07-29 21:22 - 00000000 ____D C:\Users\Master\AppData\Roaming\ESET
    2012-07-29 21:22 - 2012-07-29 21:22 - 00000000 ____D C:\Users\Master\AppData\Local\ESET
    2012-07-29 21:16 - 2012-07-29 21:16 - 00000000 ____D C:\Users\All Users\ESET
    2012-07-29 21:16 - 2012-07-29 21:16 - 00000000 ____D C:\Program Files\ESET
    2012-07-29 21:12 - 2012-07-29 21:12 - 01374624 ____A (ESET) C:\Users\Master\Downloads\eset_smart_security_live_installer.exe
    2012-07-28 14:53 - 2012-07-28 14:53 - 00000000 ____D C:\Users\Master\AppData\Roaming\Mozilla
    2012-07-28 14:53 - 2012-07-28 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2012-07-28 14:53 - 2012-07-28 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2012-07-28 14:46 - 2012-07-28 14:46 - 00028206 ___AH C:\Users\Master\Downloads\bookmarks.html
    2012-07-28 14:38 - 2012-07-28 14:45 - 00000000 ____D C:\Users\All Users\PrevxCSI
    2012-07-28 14:38 - 2012-07-28 14:38 - 00945272 ____A (Prevx) C:\Users\Master\Downloads\440464597C4E4626AA08.EXE
    2012-07-28 14:38 - 2012-07-28 14:38 - 00065736 ____A (Prevx) C:\Windows\System32\Drivers\pxrts.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00062976 ____A (Prevx) C:\Windows\SysWOW64\PxSecure.dll
    2012-07-28 14:38 - 2012-07-28 14:38 - 00036384 ____A (Prevx) C:\Windows\System32\Drivers\pxscan.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00024024 ____A (Prevx) C:\Windows\System32\Drivers\pxkbf.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00000000 ____D C:\Program Files\Prevx
    2012-07-28 14:21 - 2012-07-28 14:21 - 00000000 ____D C:\Windows\pss
    2012-07-28 10:52 - 2012-07-28 10:52 - 00294912 ____A C:\Users\Master\Desktop\music sheet.ppt
    2012-07-26 21:44 - 2012-07-26 21:44 - 00211854 ___AH C:\Users\Master\Downloads\iD58RjjUch6D0.JPEG
    2012-07-26 21:44 - 2012-07-26 21:44 - 00199489 ___AH C:\Users\Master\Downloads\i2AuL0UyMKLn6.JPEG
    2012-07-26 02:26 - 2012-07-27 02:16 - 00000000 ___HD C:\Users\Master\Downloads\0724-151co04721
    2012-07-25 20:50 - 2012-07-25 20:55 - 04503728 ___AT C:\Users\All Users\z7_0ytr.pad
    2012-07-24 20:53 - 2012-07-26 21:26 - 00000000 ____D C:\Users\Master\AppData\Roaming\QuickScan
    2012-07-24 13:37 - 2012-07-24 13:37 - 00000000 ____D C:\Users\Master\AppData\Roaming\SUPERAntiSpyware.com
    2012-07-24 13:36 - 2012-07-24 13:37 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2012-07-24 13:36 - 2012-07-24 13:36 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
    2012-07-20 14:20 - 2012-07-20 14:20 - 00000000 ____D C:\Users\Master\AppData\Local\{E057D215-F9A7-4654-AF18-99C2206596FF}
    2012-07-20 14:20 - 2012-07-20 14:20 - 00000000 ____D C:\Users\Master\AppData\Local\{1AA0F252-F835-471F-80B9-3CBC752CDE1D}
    2012-07-19 11:12 - 2012-07-19 11:13 - 00000000 ____D C:\Users\Master\Downloads\coupons
    2012-07-18 06:53 - 2012-07-18 06:53 - 00032256 ____H C:\Users\Master\Downloads\~WRL4095.tmp
    2012-07-13 05:39 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-12 05:06 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-07-12 05:06 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-07-12 05:06 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-07-12 05:06 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-07-12 05:06 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-07-12 05:06 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-07-12 05:04 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-12 05:04 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-12 05:04 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-12 05:04 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-12 05:04 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
    2012-07-12 05:03 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-12 05:03 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-07-12 05:03 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-12 04:51 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-12 04:51 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-12 04:51 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-12 04:51 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-12 04:51 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-12 04:51 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-12 04:51 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-12 04:51 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-12 04:51 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-12 04:51 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-12 04:51 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-12 04:51 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-12 04:51 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-12 04:51 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-12 04:51 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-12 04:51 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-12 04:51 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-12 04:51 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-12 04:51 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-12 04:51 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-12 04:51 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-12 04:51 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-12 04:51 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-12 04:51 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-12 04:51 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-12 04:51 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-12 04:51 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-12 04:51 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 05:41 - 2012-07-27 17:44 - 00000000 ___HD C:\Users\Master\Downloads\071112
    2012-07-11 04:18 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 04:18 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 03:57 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 03:57 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 03:57 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 03:57 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 03:57 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 03:57 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 03:57 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 03:57 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-11 03:57 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-07-09 17:20 - 2012-07-10 20:10 - 00000346 ____A C:\Users\Master\Downloads\Diablo 3 Magic Find.AMK
    2012-07-09 17:07 - 2012-07-09 17:07 - 00000000 ____D C:\Program Files (x86)\MurGee Auto Mouse Click

    ============ 3 Months Modified Files ========================

    2012-08-04 08:06 - 2011-10-26 20:23 - 68157952 __ASH C:\Users\Master\Downloads\Thumbs.db
    2012-08-04 07:52 - 2012-06-20 10:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-03 20:52 - 2011-09-16 12:19 - 01517520 ____A C:\Windows\WindowsUpdate.log
    2012-08-03 20:29 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-03 20:29 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-03 20:22 - 2012-05-23 21:09 - 00005426 ____A C:\Windows\setupact.log
    2012-08-03 20:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-03 20:21 - 2012-06-26 07:23 - 00003472 ____A C:\Windows\PFRO.log
    2012-08-03 20:06 - 2012-08-03 20:06 - 01552384 ____A C:\Users\Master\Downloads\RogueKiller.exe
    2012-08-03 11:36 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-02 21:08 - 2012-06-20 10:42 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-02 21:08 - 2011-09-25 08:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-02 18:50 - 2012-08-02 18:50 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-08-02 18:49 - 2012-08-02 18:49 - 03907920 ____A (Piriform Ltd) C:\Users\Master\Downloads\ccsetup321.exe
    2012-08-02 06:10 - 2012-01-28 08:44 - 00010024 ____A C:\Users\Master\Desktop\hours from 092011.txt
    2012-08-02 00:01 - 2012-07-31 21:49 - 1881916215 ___AH C:\Users\Master\Downloads\London.2012.Olympics.Womens.Artistic.Gymnastics.Qualifications.720p.HDTV.x264-2HD.mkv
    2012-07-29 21:12 - 2012-07-29 21:12 - 01374624 ____A (ESET) C:\Users\Master\Downloads\eset_smart_security_live_installer.exe
    2012-07-28 14:46 - 2012-07-28 14:46 - 00028206 ___AH C:\Users\Master\Downloads\bookmarks.html
    2012-07-28 14:38 - 2012-07-28 14:38 - 00945272 ____A (Prevx) C:\Users\Master\Downloads\440464597C4E4626AA08.EXE
    2012-07-28 14:38 - 2012-07-28 14:38 - 00065736 ____A (Prevx) C:\Windows\System32\Drivers\pxrts.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00062976 ____A (Prevx) C:\Windows\SysWOW64\PxSecure.dll
    2012-07-28 14:38 - 2012-07-28 14:38 - 00036384 ____A (Prevx) C:\Windows\System32\Drivers\pxscan.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00024024 ____A (Prevx) C:\Windows\System32\Drivers\pxkbf.sys
    2012-07-28 10:52 - 2012-07-28 10:52 - 00294912 ____A C:\Users\Master\Desktop\music sheet.ppt
    2012-07-26 21:44 - 2012-07-26 21:44 - 00211854 ___AH C:\Users\Master\Downloads\iD58RjjUch6D0.JPEG
    2012-07-26 21:44 - 2012-07-26 21:44 - 00199489 ___AH C:\Users\Master\Downloads\i2AuL0UyMKLn6.JPEG
    2012-07-25 20:55 - 2012-07-25 20:50 - 04503728 ___AT C:\Users\All Users\z7_0ytr.pad
    2012-07-18 06:53 - 2012-07-18 06:53 - 00032256 ____H C:\Users\Master\Downloads\~WRL4095.tmp
    2012-07-13 05:57 - 2009-07-13 20:45 - 00422064 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-12 04:59 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-07-12 04:53 - 2010-01-15 08:40 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-10 20:10 - 2012-07-09 17:20 - 00000346 ____A C:\Users\Master\Downloads\Diablo 3 Magic Find.AMK
    2012-07-04 07:52 - 2012-07-04 07:52 - 00056827 ____A C:\Users\Master\Downloads\fab060fecfab0e9ddd47aafac086896a44f20487.zip
    2012-07-03 09:46 - 2011-09-20 20:38 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-27 19:10 - 2012-06-27 19:10 - 00714343 ____A C:\Users\Master\Downloads\Game_of_Thrones - season 1.en.zip
    2012-06-26 15:32 - 2012-06-26 15:32 - 00099991 ___AH C:\Users\Master\Desktop\062612.html
    2012-06-25 16:37 - 2012-06-25 16:37 - 00000268 ____A C:\Users\Master\Desktop\farm.txt
    2012-06-15 07:56 - 2012-06-15 07:56 - 00000017 ____A C:\Users\Master\AppData\Local\resmon.resmoncfg
    2012-06-11 19:08 - 2012-07-13 05:39 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 21:43 - 2012-07-11 04:18 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-11 04:18 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 22:06 - 2012-07-12 05:04 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 22:06 - 2012-07-12 05:04 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 22:02 - 2012-07-12 05:03 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-05 21:05 - 2012-07-12 05:04 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 21:05 - 2012-07-12 05:04 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 21:03 - 2012-07-12 05:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-02 14:19 - 2012-06-21 17:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 17:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 17:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 17:18 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 17:18 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 17:19 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 17:18 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 17:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 17:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 04:49 - 2012-07-12 04:51 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-12 04:51 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-12 04:51 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-12 04:51 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-12 04:51 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-12 04:51 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-12 04:51 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-12 04:51 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-12 04:51 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-12 04:51 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-12 04:51 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-12 04:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-12 04:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-12 04:51 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-12 04:51 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-12 04:51 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-12 04:51 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-12 04:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-12 04:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-12 04:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-12 04:51 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-12 04:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-12 04:51 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-12 04:51 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-12 04:51 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-12 04:51 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-12 04:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-12 04:51 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 21:50 - 2012-07-11 03:57 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 21:48 - 2012-07-11 03:57 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 21:48 - 2012-07-11 03:57 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 21:45 - 2012-07-11 03:57 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 21:44 - 2012-07-11 03:57 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:40 - 2012-07-11 03:57 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:40 - 2012-07-11 03:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:39 - 2012-07-11 03:57 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-01 20:34 - 2012-07-11 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-05-31 08:25 - 2010-01-15 08:40 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-29 12:44 - 2012-05-29 12:44 - 00016384 __ASH C:\Users\Master\Desktop\Thumbs.db
    2012-05-23 21:09 - 2012-05-23 21:09 - 00000000 ____A C:\Windows\setuperr.log
    2012-05-23 20:55 - 2012-05-23 20:54 - 03654896 ____A (Piriform Ltd) C:\Users\Master\Downloads\ccsetup318.exe
    2012-05-18 10:42 - 2012-05-18 10:42 - 00158720 ____A C:\Users\Master\Desktop\mouse femur.ppt
    2012-05-12 12:42 - 2012-05-07 16:07 - 00011168 ____A C:\Users\Master\Desktop\Money.xlsx
    2012-05-11 12:02 - 2012-05-11 12:02 - 00018432 ____A C:\Users\Master\Desktop\Batch 2 splenocyte samples used.xls
    2012-05-09 11:07 - 2012-05-09 11:07 - 00071168 ____A C:\Users\Master\Downloads\Budget Planner.xls

    ZeroAccess:
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\@
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\L
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\00000001.@
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\800000cb.@

    ZeroAccess:
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\@
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\L
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\L\00000004.@
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\00000004.@
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\80000064.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 8180.54 MB
    Available physical RAM: 7191.13 MB
    Total Pagefile: 8178.69 MB
    Available Pagefile: 7186.96 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:298.09 GB) (Free:1.84 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (Photo Disc) (CDROM) (Total:4.19 GB) (Free:0 GB) UDF
    3 Drive e: () (Removable) (Total:0.95 GB) (Free:0.75 GB) FAT
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 974 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 298 GB 1024 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 298 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 973 MB 120 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E FAT Removable 973 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-17 20:05

    ======================= End Of Log ==========================
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)

    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
     
  5. chunky521

    chunky521 TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool Version: 04-08-2012 01
    Ran by SYSTEM at 04-08-2012 12:14:36
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1822504 2009-08-24] (Synaptics Incorporated)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-29] (IDT, Inc.)
    HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [4081008 2012-03-07] (ESET)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-11-12] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKU\Master\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-01] (DT Soft Ltd)
    HKU\Master\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-03] (Valve Corporation)
    HKU\Master\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5661056 2012-07-09] (SUPERAntiSpyware.com)
    Tcpip\Parameters: [DhcpNameServer] 167.206.245.129 167.206.245.130 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

    ==================== Services (Whitelisted) ======

    2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
    2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    2 CSIScanner; "C:\Program Files\Prevx\prevx.exe" /service [6746280 2012-07-28] (Prevx)
    2 ekrn; "C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe" [913144 2012-03-07] (ESET)
    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-29] (IDT, Inc.)
    2 USADISK_AGENT; C:\Program Files (x86)\USADISK\WEBHARD_Agent.exe /run USADISK_AGENT [155856 2011-06-13] ()

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-09-21] (DT Soft Ltd)
    1 eamonm; C:\Windows\System32\Drivers\eamonm.sys [209768 2012-03-14] (ESET)
    1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [148528 2012-03-14] (ESET)
    2 epfw; C:\Windows\System32\Drivers\epfw.sys [187632 2012-03-14] (ESET)
    1 EpfwLWF; C:\Windows\System32\Drivers\EpfwLWF.sys [38288 2012-03-14] (ESET)
    0 epfwwfp; C:\Windows\System32\Drivers\epfwwfp.sys [62496 2012-03-14] (ESET)
    3 pxkbf; C:\Windows\System32\Drivers\pxkbf.sys [24024 2012-07-28] (Prevx)
    1 pxrts; C:\Windows\System32\Drivers\pxrts.sys [65736 2012-07-28] (Prevx)
    0 pxscan; C:\Windows\System32\Drivers\pxscan.sys [36384 2012-07-28] (Prevx)
    1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-04 12:13 - 2012-08-04 12:14 - 00000000 ____D C:\FRST
    2012-08-03 20:06 - 2012-08-03 20:06 - 01552384 ____A C:\Users\Master\Downloads\RogueKiller.exe
    2012-08-03 11:52 - 2012-08-03 11:52 - 00000000 ____D C:\Users\Master\AppData\Roaming\Worksimaging
    2012-08-02 21:59 - 2012-08-02 21:59 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-02 18:50 - 2012-08-02 18:50 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-08-02 18:49 - 2012-08-02 18:49 - 03907920 ____A (Piriform Ltd) C:\Users\Master\Downloads\ccsetup321.exe
    2012-08-02 06:12 - 2012-08-02 06:28 - 00000000 ____D C:\Users\Master\AppData\Local\Microsoft Games\
    2012-07-31 22:00 - 2012-08-01 21:27 - 00000000 ___HD C:\Users\Master\Downloads\[ www.Speed.Cd ] - London.2012.Olympics.Womens.Artistic.Gymnastics.Team.Final.720p.HDTV.x264-2HD
    2012-07-31 21:49 - 2012-08-02 00:01 - 1881916215 ___AH C:\Users\Master\Downloads\London.2012.Olympics.Womens.Artistic.Gymnastics.Qualifications.720p.HDTV.x264-2HD.mkv
    2012-07-31 21:48 - 2012-08-01 02:26 - 00000000 ____D C:\Users\Master\Downloads\{www.scenetime.com}London.2012.Olympics.Womens.Artistic.Gymnastics.Qualifications.480p.HDTV.x264-mSD
    2012-07-29 21:22 - 2012-07-29 21:22 - 00000000 ____D C:\Users\Master\AppData\Roaming\ESET
    2012-07-29 21:22 - 2012-07-29 21:22 - 00000000 ____D C:\Users\Master\AppData\Local\ESET
    2012-07-29 21:16 - 2012-07-29 21:16 - 00000000 ____D C:\Users\All Users\ESET
    2012-07-29 21:16 - 2012-07-29 21:16 - 00000000 ____D C:\Program Files\ESET
    2012-07-29 21:12 - 2012-07-29 21:12 - 01374624 ____A (ESET) C:\Users\Master\Downloads\eset_smart_security_live_installer.exe
    2012-07-28 14:53 - 2012-07-28 14:53 - 00000000 ____D C:\Users\Master\AppData\Roaming\Mozilla
    2012-07-28 14:53 - 2012-07-28 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2012-07-28 14:53 - 2012-07-28 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2012-07-28 14:46 - 2012-07-28 14:46 - 00028206 ___AH C:\Users\Master\Downloads\bookmarks.html
    2012-07-28 14:38 - 2012-07-28 14:45 - 00000000 ____D C:\Users\All Users\PrevxCSI
    2012-07-28 14:38 - 2012-07-28 14:38 - 00945272 ____A (Prevx) C:\Users\Master\Downloads\440464597C4E4626AA08.EXE
    2012-07-28 14:38 - 2012-07-28 14:38 - 00065736 ____A (Prevx) C:\Windows\System32\Drivers\pxrts.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00062976 ____A (Prevx) C:\Windows\SysWOW64\PxSecure.dll
    2012-07-28 14:38 - 2012-07-28 14:38 - 00036384 ____A (Prevx) C:\Windows\System32\Drivers\pxscan.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00024024 ____A (Prevx) C:\Windows\System32\Drivers\pxkbf.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00000000 ____D C:\Program Files\Prevx
    2012-07-28 14:21 - 2012-07-28 14:21 - 00000000 ____D C:\Windows\pss
    2012-07-28 10:52 - 2012-07-28 10:52 - 00294912 ____A C:\Users\Master\Desktop\music sheet.ppt
    2012-07-26 21:44 - 2012-07-26 21:44 - 00211854 ___AH C:\Users\Master\Downloads\iD58RjjUch6D0.JPEG
    2012-07-26 21:44 - 2012-07-26 21:44 - 00199489 ___AH C:\Users\Master\Downloads\i2AuL0UyMKLn6.JPEG
    2012-07-25 20:50 - 2012-07-25 20:55 - 04503728 ___AT C:\Users\All Users\z7_0ytr.pad
    2012-07-24 20:53 - 2012-07-26 21:26 - 00000000 ____D C:\Users\Master\AppData\Roaming\QuickScan
    2012-07-24 13:37 - 2012-07-24 13:37 - 00000000 ____D C:\Users\Master\AppData\Roaming\SUPERAntiSpyware.com
    2012-07-24 13:36 - 2012-07-24 13:37 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2012-07-24 13:36 - 2012-07-24 13:36 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
    2012-07-20 14:20 - 2012-07-20 14:20 - 00000000 ____D C:\Users\Master\AppData\Local\{E057D215-F9A7-4654-AF18-99C2206596FF}
    2012-07-20 14:20 - 2012-07-20 14:20 - 00000000 ____D C:\Users\Master\AppData\Local\{1AA0F252-F835-471F-80B9-3CBC752CDE1D}
    2012-07-19 11:12 - 2012-07-19 11:13 - 00000000 ____D C:\Users\Master\Downloads\coupons
    2012-07-18 06:53 - 2012-07-18 06:53 - 00032256 ____H C:\Users\Master\Downloads\~WRL4095.tmp
    2012-07-13 05:39 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-12 05:06 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-07-12 05:06 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-07-12 05:06 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-07-12 05:06 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-07-12 05:06 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-07-12 05:06 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-07-12 05:04 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-12 05:04 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-12 05:04 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-12 05:04 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-12 05:04 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
    2012-07-12 05:03 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-12 05:03 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-07-12 05:03 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-12 04:51 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-12 04:51 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-12 04:51 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-12 04:51 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-12 04:51 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-12 04:51 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-12 04:51 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-12 04:51 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-12 04:51 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-12 04:51 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-12 04:51 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-12 04:51 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-12 04:51 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-12 04:51 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-12 04:51 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-12 04:51 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-12 04:51 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-12 04:51 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-12 04:51 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-12 04:51 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-12 04:51 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-12 04:51 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-12 04:51 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-12 04:51 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-12 04:51 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-12 04:51 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-12 04:51 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-12 04:51 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 05:41 - 2012-07-27 17:44 - 00000000 ___HD C:\Users\Master\Downloads\071112
    2012-07-11 04:18 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 04:18 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 03:57 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 03:57 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 03:57 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 03:57 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 03:57 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 03:57 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 03:57 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 03:57 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-11 03:57 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-07-09 17:20 - 2012-07-10 20:10 - 00000346 ____A C:\Users\Master\Downloads\Diablo 3 Magic Find.AMK
    2012-07-09 17:07 - 2012-07-09 17:07 - 00000000 ____D C:\Program Files (x86)\MurGee Auto Mouse Click

    ============ 3 Months Modified Files ========================

    2012-08-04 08:06 - 2011-10-26 20:23 - 68157952 __ASH C:\Users\Master\Downloads\Thumbs.db
    2012-08-04 07:52 - 2012-06-20 10:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-03 20:52 - 2011-09-16 12:19 - 01517520 ____A C:\Windows\WindowsUpdate.log
    2012-08-03 20:29 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-03 20:29 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-03 20:22 - 2012-05-23 21:09 - 00005426 ____A C:\Windows\setupact.log
    2012-08-03 20:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-03 20:21 - 2012-06-26 07:23 - 00003472 ____A C:\Windows\PFRO.log
    2012-08-03 20:06 - 2012-08-03 20:06 - 01552384 ____A C:\Users\Master\Downloads\RogueKiller.exe
    2012-08-03 11:36 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-02 21:08 - 2012-06-20 10:42 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-02 21:08 - 2011-09-25 08:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-02 18:50 - 2012-08-02 18:50 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-08-02 18:49 - 2012-08-02 18:49 - 03907920 ____A (Piriform Ltd) C:\Users\Master\Downloads\ccsetup321.exe
    2012-08-02 06:10 - 2012-01-28 08:44 - 00010024 ____A C:\Users\Master\Desktop\hours from 092011.txt
    2012-08-02 00:01 - 2012-07-31 21:49 - 1881916215 ___AH C:\Users\Master\Downloads\London.2012.Olympics.Womens.Artistic.Gymnastics.Qualifications.720p.HDTV.x264-2HD.mkv
    2012-07-29 21:12 - 2012-07-29 21:12 - 01374624 ____A (ESET) C:\Users\Master\Downloads\eset_smart_security_live_installer.exe
    2012-07-28 14:46 - 2012-07-28 14:46 - 00028206 ___AH C:\Users\Master\Downloads\bookmarks.html
    2012-07-28 14:38 - 2012-07-28 14:38 - 00945272 ____A (Prevx) C:\Users\Master\Downloads\440464597C4E4626AA08.EXE
    2012-07-28 14:38 - 2012-07-28 14:38 - 00065736 ____A (Prevx) C:\Windows\System32\Drivers\pxrts.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00062976 ____A (Prevx) C:\Windows\SysWOW64\PxSecure.dll
    2012-07-28 14:38 - 2012-07-28 14:38 - 00036384 ____A (Prevx) C:\Windows\System32\Drivers\pxscan.sys
    2012-07-28 14:38 - 2012-07-28 14:38 - 00024024 ____A (Prevx) C:\Windows\System32\Drivers\pxkbf.sys
    2012-07-28 10:52 - 2012-07-28 10:52 - 00294912 ____A C:\Users\Master\Desktop\music sheet.ppt
    2012-07-26 21:44 - 2012-07-26 21:44 - 00211854 ___AH C:\Users\Master\Downloads\iD58RjjUch6D0.JPEG
    2012-07-26 21:44 - 2012-07-26 21:44 - 00199489 ___AH C:\Users\Master\Downloads\i2AuL0UyMKLn6.JPEG
    2012-07-25 20:55 - 2012-07-25 20:50 - 04503728 ___AT C:\Users\All Users\z7_0ytr.pad
    2012-07-18 06:53 - 2012-07-18 06:53 - 00032256 ____H C:\Users\Master\Downloads\~WRL4095.tmp
    2012-07-13 05:57 - 2009-07-13 20:45 - 00422064 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-12 04:59 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-07-12 04:53 - 2010-01-15 08:40 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-10 20:10 - 2012-07-09 17:20 - 00000346 ____A C:\Users\Master\Downloads\Diablo 3 Magic Find.AMK
    2012-07-04 07:52 - 2012-07-04 07:52 - 00056827 ____A C:\Users\Master\Downloads\fab060fecfab0e9ddd47aafac086896a44f20487.zip
    2012-07-03 09:46 - 2011-09-20 20:38 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-27 19:10 - 2012-06-27 19:10 - 00714343 ____A C:\Users\Master\Downloads\Game_of_Thrones - season 1.en.zip
    2012-06-26 15:32 - 2012-06-26 15:32 - 00099991 ___AH C:\Users\Master\Desktop\062612.html
    2012-06-25 16:37 - 2012-06-25 16:37 - 00000268 ____A C:\Users\Master\Desktop\farm.txt
    2012-06-15 07:56 - 2012-06-15 07:56 - 00000017 ____A C:\Users\Master\AppData\Local\resmon.resmoncfg
    2012-06-11 19:08 - 2012-07-13 05:39 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 21:43 - 2012-07-11 04:18 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-11 04:18 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 22:06 - 2012-07-12 05:04 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 22:06 - 2012-07-12 05:04 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 22:02 - 2012-07-12 05:03 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-05 21:05 - 2012-07-12 05:04 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 21:05 - 2012-07-12 05:04 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 21:03 - 2012-07-12 05:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-02 14:19 - 2012-06-21 17:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 17:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 17:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 17:18 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 17:18 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 17:19 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 17:18 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 17:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 17:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 04:49 - 2012-07-12 04:51 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-12 04:51 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-12 04:51 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-12 04:51 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-12 04:51 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-12 04:51 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-12 04:51 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-12 04:51 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-12 04:51 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-12 04:51 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-12 04:51 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-12 04:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-12 04:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-12 04:51 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-12 04:51 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-12 04:51 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-12 04:51 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-12 04:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-12 04:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-12 04:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-12 04:51 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-12 04:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-12 04:51 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-12 04:51 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-12 04:51 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-12 04:51 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-12 04:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-12 04:51 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 21:50 - 2012-07-11 03:57 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 21:48 - 2012-07-11 03:57 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 21:48 - 2012-07-11 03:57 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 21:45 - 2012-07-11 03:57 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 21:44 - 2012-07-11 03:57 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:40 - 2012-07-11 03:57 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:40 - 2012-07-11 03:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:39 - 2012-07-11 03:57 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-01 20:34 - 2012-07-11 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-05-31 08:25 - 2010-01-15 08:40 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-29 12:44 - 2012-05-29 12:44 - 00016384 __ASH C:\Users\Master\Desktop\Thumbs.db
    2012-05-23 21:09 - 2012-05-23 21:09 - 00000000 ____A C:\Windows\setuperr.log
    2012-05-23 20:55 - 2012-05-23 20:54 - 03654896 ____A (Piriform Ltd) C:\Users\Master\Downloads\ccsetup318.exe
    2012-05-18 10:42 - 2012-05-18 10:42 - 00158720 ____A C:\Users\Master\Desktop\mouse femur.ppt
    2012-05-12 12:42 - 2012-05-07 16:07 - 00011168 ____A C:\Users\Master\Desktop\Money.xlsx
    2012-05-11 12:02 - 2012-05-11 12:02 - 00018432 ____A C:\Users\Master\Desktop\Batch 2 splenocyte samples used.xls
    2012-05-09 11:07 - 2012-05-09 11:07 - 00071168 ____A C:\Users\Master\Downloads\Budget Planner.xls

    ZeroAccess:
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\@
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\L
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\00000001.@
    C:\Windows\Installer\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\800000cb.@

    ZeroAccess:
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\@
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\L
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\L\00000004.@
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\00000004.@
    C:\Users\Master\AppData\Local\{eb173c79-e83f-aa20-8351-e971a1e4e41d}\U\80000064.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 8180.54 MB
    Available physical RAM: 7191.13 MB
    Total Pagefile: 8178.69 MB
    Available Pagefile: 7186.96 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:298.09 GB) (Free:1.84 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (Photo Disc) (CDROM) (Total:4.19 GB) (Free:0 GB) UDF
    3 Drive e: () (Removable) (Total:0.95 GB) (Free:0.75 GB) FAT
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 974 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 298 GB 1024 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 298 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 973 MB 120 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   E                FAT    Removable   973 MB   Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-17 20:05

    ======================= End Of Log ==========================
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please redo this...

    Once again, please boot to the System Recovery Options and run FRST, as done previously, but do not run the scanner.

    We need to search for a file!!

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
     
  7. chunky521

    chunky521 TS Rookie Topic Starter

    Sorry about that!

    Anyway, I found search.txt on my flash drive instead of C: if it matters.

    Farbar Recovery Scan Tool Version: 04-08-2012 01
    Ran by SYSTEM at 2012-08-06 22:03:57
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
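
Added example (not part of this thread, and not FRST's own code): a small Python script that parses the Search.txt output posted above and flags a live copy of a system binary whose MD5 does not match the copy of the same name in the WinSxS component store. The two records above show what a "Patched" detection looks like on disk: identical size, identical created/modified timestamps, identical company string, but different hashes, which is what an in-place patch that preserves metadata produces. The parsing rules (a path line followed by one attribute line) are inferred from the output format shown in this post, and the sample input is the posted Search.txt embedded as a constant. One caveat the script cannot cover: the WinSxS copy can itself be replaced, so the reference is only as good as its Authenticode signature, which should be checked separately before trusting it.

```python
"""Parse a Farbar Recovery Scan Tool (FRST) Search.txt and flag a live
(non-WinSxS) binary whose MD5 differs from the component-store copy of the
same file name.

Added example for this thread; not part of FRST or of any post in it. The
attribute-line format is inferred from the Search.txt output posted above.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: the Search.txt posted in the thread, embedded here as a constant.
SEARCH_TXT = """\
Farbar Recovery Scan Tool Version: 04-08-2012 01
Ran by SYSTEM at 2012-08-06 22:03:57
Running from E:\\

================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# One FRST attribute line: [created] - [modified] - size attrs (company) md5
ATTR_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# A path line starts with a drive letter, colon and backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per (path line, attribute line) pair in Search.txt."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path = line            # remember the path; attributes follow on the next line
            continue
        m = ATTR_RE.match(line)
        if m and path:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["path"] = path
            e["name"] = PureWindowsPath(path).name.lower()
            e["in_winsxs"] = "\\winsxs\\" in path.lower()
            entries.append(e)
            path = None
    return entries


def find_patched(entries):
    """Flag live copies whose MD5 matches no WinSxS copy of the same file name."""
    refs = defaultdict(list)
    for e in entries:
        if e["in_winsxs"]:
            refs[e["name"]].append(e)

    findings = []
    for e in entries:
        if e["in_winsxs"] or not refs[e["name"]]:
            continue                                   # reference copy itself, or nothing to compare against
        if any(r["md5"] == e["md5"] for r in refs[e["name"]]):
            continue                                   # hash matches a component-store copy: fine
        same_size = [r for r in refs[e["name"]] if r["size"] == e["size"]]
        # Equal size and equal modified timestamp with a different hash is the
        # signature of an in-place patch that preserved metadata. A different
        # size is more often a newer servicing version; check the file version.
        if same_size and any(r["modified"] == e["modified"] for r in same_size):
            verdict = "patched in place (size and timestamps preserved)"
        else:
            verdict = "differs from component store; check file version"
        findings.append({
            "path": e["path"],
            "md5": e["md5"],
            "reference_md5s": [r["md5"] for r in refs[e["name"]]],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in find_patched(parse_search(SEARCH_TXT)):
        print(f["path"])
        print("  md5 " + f["md5"] + " vs reference " + ", ".join(f["reference_md5s"]))
        print("  " + f["verdict"])
```

Run against a real Search.txt by reading the file into `parse_search`; any entry reported as "patched in place" is the one a fixlist would replace from the component-store copy, after confirming that copy's signature.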
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  9. chunky521

    chunky521 TS Rookie Topic Starter

    Your script seems to have done the trick. I haven't gotten the ESET notification since I rebooted after following the last step.

    Thank you so much for all of your help!
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It would probably be best to check for and remove other malware, since this infection likes to install other infections along with it.

    Please post the fix log and then do the following:

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     
     

