Solved SVChost.exe trojan, memory process help!


BWashburn

I have been having problems with my computer and the svchost.exe trojan. I have tried many things to delete it (MBAM, AVG, etc.), but it seems to be coming back. I have a wedding to DJ next week and really don't want anything to happen while I am doing this. Here is a recent log from MBAM.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.03.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Uer :: UER-HP [administrator]

8/3/2012 4:39:02 PM
mbam-log-2012-08-03 (16-39-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236326
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 8968 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.
Please review the 5-Step removal instructions and post the logs back here for my review.
 
My AVG has detected a Trojan Virus named Generic29.DFS. It is from JUSCHED.exe java. Don't know if this is part of svchost.exe or what, but I ran another scan on MBAM and nothing came up, not even the svchost.exe infection. So I don't know what is going on.
 
We will need to get rid of the ZeroAccess/Sirefef threat...

Download Farbar Recovery Scan Tool and save it to a flash drive.

Please make sure to download the 64-bit version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
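The indicators this thread turns on are positional rather than signature-based: the MBAM log above reports svchost.exe running from C:\Windows instead of C:\Windows\System32, and an FRST log lists each Run entry with its target path and an [x] marker where the file could not be found. Those conditions can be checked mechanically. The script below is an added example for this thread, not part of any post here and not code from the FRST or MBAM tools; the sample lines are constructed after the entries posted in this thread, and the regular expressions, the list of user-writable folders and the reading of the [x] marker are the example's own assumptions about the log formats.

```python
import re
from dataclasses import dataclass

# Constructed sample: MBAM- and FRST-style lines modelled on the entries
# posted in this thread (not a real log file).
SAMPLE_LOG = r"""
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 8968 -> Delete on reboot.
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)
HKU\Uer\...\Run: [Diagnostics] rundll32.exe "C:\Users\Uer\AppData\Local\Temp\",DllRegisterServer [x]
HKU\Uer\...\Run: [Apple] rundll32.exe "C:\Users\Uer\AppData\Local\Apps\Apple\bqqlo.dll",DllRegisterServer [x]
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll
2012-08-03 14:14 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-07-11 19:35 - 2012-07-11 19:36 - 02135640 ____A (Kaspersky Lab ZAO) C:\Users\Uer\Downloads\tdsskiller.exe
"""


@dataclass
class Finding:
    reason: str
    line: str


# Directory of an svchost.exe image, captured up to (not including) "\svchost.exe".
SVCHOST_RE = re.compile(r'([a-z]:\\[^\s"(]*?)\\svchost\.exe\b', re.IGNORECASE)
# First argument handed to rundll32 in a Run entry, i.e. the DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
# Folders a standard user can write to (assumed list); a DLL autorun from
# one of these deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def svchost_outside_system32(line):
    """The genuine service host lives in System32 (and SysWOW64 on x64);
    a copy anywhere else, such as the Windows directory itself, is impersonation."""
    m = SVCHOST_RE.search(line)
    if not m:
        return None
    directory = m.group(1).lower()
    drive = directory[:2]
    if directory in {drive + r"\windows\system32", drive + r"\windows\syswow64"}:
        return None
    return "svchost.exe outside System32/SysWOW64: " + m.group(0)


def suspicious_rundll32(line):
    """Flag a rundll32 autorun whose DLL sits in a user-writable folder or
    whose file the scanner could not find (the [x] marker, as read here)."""
    m = RUNDLL_RE.search(line)
    if not m:
        return None
    target = m.group(1).strip()
    tags = []
    if "[x]" in line.lower():
        tags.append("file not found")
    if any(tok in target.lower() for tok in USER_WRITABLE):
        tags.append("user-writable path")
    if not tags:
        return None
    return "rundll32 autorun (%s): %s" % (", ".join(tags), target)


def appinit_dlls_set(line):
    """AppInit_DLLs loads the listed DLLs into every process that uses user32,
    so a non-empty value is worth reviewing even when it belongs to a PUP."""
    key, _, value = line.partition(":")
    if key.strip().lower() == "appinit_dlls" and value.strip():
        return "AppInit_DLLs set: " + value.strip()
    return None


CHECKS = (svchost_outside_system32, suspicious_rundll32, appinit_dlls_set)


def triage(log_text):
    """Run every check over every non-empty line; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append(Finding(reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[!]", f.reason)
```

Run against the sample, the script flags both svchost.exe references (the MBAM process line and the FRST created-file line, which keeps its Microsoft version string because a copied binary carries it too), the two rundll32 autoruns under the user's AppData, and the AppInit_DLLs value, while leaving the AVG tray entry and the downloaded tdsskiller.exe alone. The checks report findings for a human to review; they do not delete anything, which matches the thread's rule of leaving changes to the helper.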
 
Hi, here is the log you requested. I want to inform you that my internet is being affected by this infection, so bear with me. Also, I have been getting these two error messages every time I boot my computer.
There was a problem starting:C:\Users\Uer\AppData\Local\Temp The specific module could not be found.
" " C:\Users\Uer\AppData\Local\Apps\Apple\bqqlo.dll

Scan result of Farbar Recovery Scan Tool Version: 04-08-2012 01
Ran by SYSTEM at 04-08-2012 13:43:37
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [568888 2010-01-18] ()
HKLM-x32\...\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe [563736 2009-10-14] (PDF Complete Inc)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE [1599376 2011-08-09] (Bandoo Media, inc)
HKLM-x32\...\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup [593920 2011-05-12] ()
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1147488 2012-07-20] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Mcx1-UER-HP\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)
HKU\Mcx1-UER-HP.Uer-HP\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)
HKU\Uer\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Uer\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [1305408 2011-01-20] (DT Soft Ltd)
HKU\Uer\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Uer\...\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1 [1652736 2010-10-29] (AWS Convergence Technologies, Inc.)
HKU\Uer\...\Run: [Diagnostics] rundll32.exe "C:\Users\Uer\AppData\Local\Temp\",DllRegisterServer [x]
HKU\Uer\...\Run: [Apple] rundll32.exe "C:\Users\Uer\AppData\Local\Apps\Apple\bqqlo.dll",DllRegisterServer [x]
HKU\Uer\...\Run: [Google Update] "C:\Users\Uer\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-19] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk
ShortcutTarget: NETGEAR WNDA3100v2 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()

==================== Services (Whitelisted) ======

2 avgfws; "C:\Program Files (x86)\AVG\AVG2012\avgfws.exe" [2321560 2012-06-13] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5160568 2012-07-04] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
4 CinemaNow Service; C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [400368 2010-06-12] (CinemaNow, Inc.)
4 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
4 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [81408 2011-05-04] ()
2 vToolbarUpdater12.1.3; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.1.3\ToolbarUpdater.exe [830048 2012-07-20] ()
2 WSWNDA3100; C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [272864 2010-08-19] ()

========================== Drivers (Whitelisted) =============

1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-22] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-22] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-19] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-07-20] (AVG Technologies)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [254528 2011-01-23] (DT Soft Ltd)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
1 nnfwdk; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\nnfwdk64.sys [23120 2009-12-29] (The Nielsen Company)
3 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2010-02-03] (CACE Technologies, Inc.)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-04 10:29 - 2012-08-04 10:32 - 01439619 ____A (Farbar) C:\Users\Uer\Downloads\FRST64.exe
2012-08-04 00:42 - 2012-08-04 00:42 - 00000000 ____D C:\Users\Uer\AppData\Local\{B44DC109-C9A4-4194-A318-84044716D3D1}
2012-08-04 00:42 - 2012-08-04 00:42 - 00000000 ____D C:\Users\Uer\AppData\Local\{863948AB-FBB3-47E0-81BA-B291443B7A3D}
2012-08-03 14:14 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-08-03 12:41 - 2012-08-03 12:42 - 00000000 ____D C:\Users\Uer\AppData\Local\{5831812A-818B-438F-8782-1E335356262F}
2012-08-03 12:41 - 2012-08-03 12:41 - 00000000 ____D C:\Users\Uer\AppData\Local\{7A7AB4CB-8EAA-4B82-ABD0-6300028F7419}
2012-08-02 16:25 - 2012-08-02 16:25 - 00000000 ____D C:\Users\Uer\AppData\Local\{CADA7C1B-3670-4221-8F9E-B4DC65CF86FB}
2012-08-02 16:25 - 2012-08-02 16:25 - 00000000 ____D C:\Users\Uer\AppData\Local\{8F2F8BA3-1DB8-4287-821F-3447C4D4AA59}
2012-08-01 17:02 - 2012-08-01 17:03 - 00000000 ____D C:\Users\Uer\AppData\Local\{F6DF757B-BD7E-43AE-A880-DAA8C37C7A91}
2012-08-01 05:02 - 2012-08-01 05:02 - 00000000 ____D C:\Users\Uer\AppData\Local\{3DB8E1E1-17E1-4765-AE1A-17EA133E35E6}
2012-07-31 17:02 - 2012-07-31 17:02 - 00000000 ____D C:\Users\Uer\AppData\Local\{693690A8-37A1-402A-9273-F56A1DECB676}
2012-07-31 05:01 - 2012-07-31 05:01 - 00000000 ____D C:\Users\Uer\AppData\Local\{A72AD8D8-7420-4E0D-B886-C75127946844}
2012-07-30 17:01 - 2012-07-30 17:01 - 00000000 ____D C:\Users\Uer\AppData\Local\{7D55C7F0-AD22-4A25-B5EF-5A7292A0896A}
2012-07-30 05:00 - 2012-07-30 05:01 - 00000000 ____D C:\Users\Uer\AppData\Local\{70B39129-B4F1-4432-A0D9-892D7F90332E}
2012-07-29 17:00 - 2012-08-01 17:02 - 00000000 ____D C:\Users\Uer\AppData\Local\{D0E34E2F-2D7D-4983-854E-995808B91F94}
2012-07-29 17:00 - 2012-07-29 17:00 - 00000000 ____D C:\Users\Uer\AppData\Local\{51B553BD-A493-472B-9C26-10EC2BD06ADE}
2012-07-26 20:16 - 2012-07-26 20:17 - 00000000 ____D C:\Users\Uer\Downloads\Barbie Lets All Party 2011
2012-07-26 20:10 - 2012-07-26 20:17 - 65351161 ____A C:\Users\Uer\Downloads\Cupid - Time For A Change (2007) - R&B.rar
2012-07-26 20:02 - 2012-07-26 20:17 - 00000000 ____D C:\Users\Uer\Downloads\Fisher Price-Silly Songs
2012-07-26 20:00 - 2012-07-26 20:19 - 00000000 ____D C:\Users\Uer\Downloads\100 Greatest Dance Hits of the 90s
2012-07-26 19:54 - 2012-07-26 19:58 - 00000000 ____D C:\Users\Uer\Downloads\Havens Dance Party Songs (2009)
2012-07-25 16:11 - 2012-07-25 16:11 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-25 16:10 - 2012-07-25 16:11 - 00000000 ____D C:\Program Files\iTunes
2012-07-25 16:10 - 2012-07-25 16:11 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-07-25 16:10 - 2012-07-25 16:10 - 00000000 ____D C:\Program Files\iPod
2012-07-25 16:07 - 2012-07-25 16:07 - 00000000 ____D C:\Program Files\Bonjour
2012-07-25 16:07 - 2012-07-25 16:07 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-07-25 15:51 - 2012-07-25 15:51 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-07-22 10:06 - 2012-07-22 10:06 - 00000000 ____D C:\Users\Uer\AppData\Local\{A1B725FB-8D10-4FEF-95AE-8A8AD2F828B8}
2012-07-21 22:05 - 2012-07-22 10:06 - 00000000 ____D C:\Users\Uer\AppData\Local\{FACF44FD-E93D-46EB-9B44-C3A613DA237B}
2012-07-21 22:05 - 2012-07-21 22:06 - 00000000 ____D C:\Users\Uer\AppData\Local\{D0DBE500-2C7F-4368-96D7-860D667FEBCB}
2012-07-21 10:05 - 2012-07-21 10:05 - 00000000 ____D C:\Users\Uer\AppData\Local\{AE931490-D50F-4268-94DE-8D4463D3C39F}
2012-07-20 22:04 - 2012-07-21 10:05 - 00000000 ____D C:\Users\Uer\AppData\Local\{CC4A9B43-760F-4D42-AC3D-09D6A74ADF58}
2012-07-20 22:04 - 2012-07-20 22:05 - 00000000 ____D C:\Users\Uer\AppData\Local\{3395FF8F-4744-4B16-BE07-26790AACBFEF}
2012-07-20 15:33 - 2012-07-20 15:33 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-07-20 15:33 - 2012-07-20 15:33 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-07-20 10:04 - 2012-07-20 10:04 - 00000000 ____D C:\Users\Uer\AppData\Local\{B52CEDBB-B744-4F63-95FB-27874388DE70}
2012-07-19 22:03 - 2012-07-19 22:04 - 00000000 ____D C:\Users\Uer\AppData\Local\{BB049792-F830-4E5C-9C59-70A24A11D252}
2012-07-19 13:07 - 2012-08-04 10:20 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308464352-3331396735-3360041561-1000UA.job
2012-07-19 13:07 - 2012-08-03 14:18 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308464352-3331396735-3360041561-1000Core.job
2012-07-19 10:03 - 2012-07-19 10:03 - 00000000 ____D C:\Users\Uer\AppData\Local\{3CFE7F66-42BF-4690-9D08-C3060D22AFA6}
2012-07-18 22:03 - 2012-07-18 22:03 - 00000000 ____D C:\Users\Uer\AppData\Local\{4D1E0B15-2091-43A8-8D8A-E2E9A099FA5F}
2012-07-18 10:02 - 2012-07-18 10:02 - 00000000 ____D C:\Users\Uer\AppData\Local\{8A451EE0-0C88-4371-B02B-1F15326C9E70}
2012-07-17 22:02 - 2012-07-20 10:04 - 00000000 ____D C:\Users\Uer\AppData\Local\{798D549F-E3A5-4C86-9758-2A5AE769153F}
2012-07-17 22:02 - 2012-07-17 22:02 - 00000000 ____D C:\Users\Uer\AppData\Local\{661D71C1-FEB9-49D0-AAAF-C7F78DBB6532}
2012-07-17 15:51 - 2012-07-17 15:51 - 00000000 ____D C:\Program Files (x86)\Yontoo
2012-07-17 10:01 - 2012-07-17 10:01 - 00000000 ____D C:\Users\Uer\AppData\Local\{9D2A3B76-B4F5-4B45-B57E-D5A1D4ADD750}
2012-07-16 22:01 - 2012-07-16 22:01 - 00000000 ____D C:\Users\Uer\AppData\Local\{292FA07D-30EC-4B1D-8AE6-6F0FD2937A92}
2012-07-16 16:51 - 2012-07-16 16:53 - 00000000 ____D C:\Users\Uer\Downloads\Project.X.2012.DVDRip.XviD-AMIABLE
2012-07-16 10:00 - 2012-07-16 10:00 - 00000000 ____D C:\Users\Uer\AppData\Local\{958DE89A-A8AA-4DB3-B38B-ADF87D6DE3C2}
2012-07-15 22:00 - 2012-07-15 22:00 - 00000000 ____D C:\Users\Uer\AppData\Local\{B946E2B0-495C-44EB-971D-A0BB3FB9B168}
2012-07-15 09:59 - 2012-07-15 10:00 - 00000000 ____D C:\Users\Uer\AppData\Local\{38964C63-7704-44AB-A6F3-6988F9C6A316}
2012-07-14 21:59 - 2012-07-17 10:01 - 00000000 ____D C:\Users\Uer\AppData\Local\{E2C1D9D7-DA83-4098-82E8-F15004569C03}
2012-07-14 21:59 - 2012-07-14 21:59 - 00000000 ____D C:\Users\Uer\AppData\Local\{E48823B5-E62F-4BA7-A184-DD787044BBE7}
2012-07-14 09:59 - 2012-07-14 09:59 - 00000000 ____D C:\Users\Uer\AppData\Local\{A6097DE3-C7DD-4269-AB2A-1D4ACAD1018D}
2012-07-14 09:58 - 2012-07-14 09:59 - 00000000 ____D C:\Users\Uer\AppData\Local\{8A10DCEF-4D7B-44DF-B672-CBC857C1FA3A}
2012-07-13 18:12 - 2012-07-13 18:12 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-12 17:49 - 2012-07-12 17:49 - 00000000 ____D C:\Users\Uer\AppData\Local\{9E8F2561-1100-40E1-940F-11703113BEEB}
2012-07-12 17:49 - 2012-07-12 17:49 - 00000000 ____D C:\Users\Uer\AppData\Local\{6968E8F1-17AB-4396-A6E9-87A9792BC79E}
2012-07-12 05:49 - 2012-07-12 05:49 - 00000000 ____D C:\Users\Uer\AppData\Local\{555C910D-C272-4D22-887F-48CCDAF6D7BE}
2012-07-12 05:48 - 2012-07-12 05:49 - 00000000 ____D C:\Users\Uer\AppData\Local\{B35AAD96-8458-4EBD-AC5C-FDCD14701C16}
2012-07-11 19:38 - 2012-07-11 19:38 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-11 19:35 - 2012-07-11 19:36 - 02135640 ____A (Kaspersky Lab ZAO) C:\Users\Uer\Downloads\tdsskiller.exe
2012-07-11 17:48 - 2012-07-11 17:48 - 00000000 ____D C:\Users\Uer\AppData\Local\{E9F4DB94-D03D-49ED-8F71-26F99F8A7328}
2012-07-11 05:48 - 2012-07-11 05:48 - 00000000 ____D C:\Users\Uer\AppData\Local\{DD5E2B5C-226E-43FA-9551-A15B72985079}
2012-07-11 05:47 - 2012-07-11 17:48 - 00000000 ____D C:\Users\Uer\AppData\Local\{D4B7E82E-649E-442D-B470-4D541C70E367}
2012-07-11 00:05 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 00:04 - 2012-07-11 00:05 - 00265966 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 00:01 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 00:01 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 00:01 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 00:01 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 00:01 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 00:01 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 00:01 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 00:01 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 00:01 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 00:01 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 00:01 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 00:01 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 00:01 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 00:01 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 00:01 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-11 00:01 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-11 00:01 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-11 00:01 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-11 00:01 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-11 00:01 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-11 00:01 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-11 00:01 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-11 00:01 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-11 00:01 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-11 00:01 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-11 00:01 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-11 00:01 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-11 00:01 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-10 19:23 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 19:23 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-10 19:23 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 19:23 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 19:23 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 19:23 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-10 19:23 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-10 19:23 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-10 19:23 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 19:23 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 19:23 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 19:23 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 19:23 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 19:23 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-10 19:23 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-10 19:23 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-10 19:23 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-10 19:23 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 19:23 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-10 17:47 - 2012-07-10 17:47 - 00000000 ____D C:\Users\Uer\AppData\Local\{A9BA3950-3991-41AE-A68A-E1102D2CC03E}
2012-07-10 05:46 - 2012-07-10 05:47 - 00000000 ____D C:\Users\Uer\AppData\Local\{7CE58793-3F36-40CD-A126-6E9ACC7396EE}
2012-07-09 17:46 - 2012-07-09 17:46 - 00000000 ____D C:\Users\Uer\AppData\Local\{942E5C79-4C36-4541-8FCC-02E95BA2357A}
2012-07-09 05:46 - 2012-07-09 05:46 - 00000000 ____D C:\Users\Uer\AppData\Local\{76BC2BB1-3088-41A9-8A09-414A3BA2687F}
2012-07-08 17:45 - 2012-07-08 17:45 - 00000000 ____D C:\Users\Uer\AppData\Local\{802D65A3-8B90-4308-AD4C-BCCE84A9B47B}
2012-07-08 05:45 - 2012-07-08 05:45 - 00000000 ____D C:\Users\Uer\AppData\Local\{4F223520-B1D5-467F-9F5C-29CF87FB54EA}
2012-07-07 17:44 - 2012-07-07 17:45 - 00000000 ____D C:\Users\Uer\AppData\Local\{9392EFA5-9C74-4FE2-A7B8-766AAF3A72C8}
2012-07-07 05:44 - 2012-07-07 05:44 - 00000000 ____D C:\Users\Uer\AppData\Local\{906A47BB-63DE-45A1-BEF4-D485EDCC07BE}
2012-07-06 17:44 - 2012-07-06 17:44 - 00000000 ____D C:\Users\Uer\AppData\Local\{13C0F5D6-A73D-4103-A009-D7BBC26BFAF0}
2012-07-06 05:43 - 2012-07-06 05:43 - 00000000 ____D C:\Users\Uer\AppData\Local\{73F99EDA-5E65-4EE6-A74C-268A80554155}
2012-07-05 17:43 - 2012-07-05 17:43 - 00000000 ____D C:\Users\Uer\AppData\Local\{F3B56936-38D4-4847-9E9B-3E7CBA720C70}
2012-07-05 05:42 - 2012-07-05 05:43 - 00000000 ____D C:\Users\Uer\AppData\Local\{9A810E96-75A8-4D2B-A60A-20C8A7C83E90}


============ 3 Months Modified Files ========================

2012-08-04 10:40 - 2010-09-04 12:45 - 01247241 ____A C:\Windows\WindowsUpdate.log
2012-08-04 10:40 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-04 10:40 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-04 10:35 - 2011-03-18 08:09 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-04 10:34 - 2011-03-09 01:20 - 00021740 ____A C:\Windows\setupact.log
2012-08-04 10:34 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-04 10:32 - 2012-08-04 10:29 - 01439619 ____A (Farbar) C:\Users\Uer\Downloads\FRST64.exe
2012-08-04 10:21 - 2011-03-18 08:09 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-04 10:20 - 2012-07-19 13:07 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308464352-3331396735-3360041561-1000UA.job
2012-08-04 10:12 - 2012-04-12 16:10 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-03 20:16 - 2012-04-12 16:10 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-03 20:16 - 2011-05-24 16:38 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-03 14:18 - 2012-07-19 13:07 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308464352-3331396735-3360041561-1000Core.job
2012-08-03 14:13 - 2011-03-09 01:19 - 00036224 ____A C:\Windows\PFRO.log
2012-08-03 12:40 - 2009-07-13 21:08 - 00032576 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-01 17:08 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-26 20:17 - 2012-07-26 20:10 - 65351161 ____A C:\Users\Uer\Downloads\Cupid - Time For A Change (2007) - R&B.rar
2012-07-25 16:11 - 2012-07-25 16:11 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-20 15:33 - 2012-07-20 15:33 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-07-20 15:33 - 2011-10-11 21:03 - 00000927 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-07-14 09:57 - 2011-02-19 13:15 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-07-12 15:55 - 2012-06-16 09:55 - 00001075 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-11 19:36 - 2012-07-11 19:35 - 02135640 ____A (Kaspersky Lab ZAO) C:\Users\Uer\Downloads\tdsskiller.exe
2012-07-11 00:22 - 2009-07-13 20:45 - 00273296 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 00:05 - 2012-07-11 00:04 - 00265966 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 00:04 - 2012-06-14 00:07 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-07-11 00:02 - 2010-11-20 02:50 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 10:46 - 2012-06-16 09:55 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-26 18:45 - 2012-06-26 18:45 - 00001123 ____A C:\Users\Public\Desktop\DJ Intro.lnk
2012-06-25 13:04 - 2012-06-25 13:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
2012-06-23 10:26 - 2012-06-23 10:26 - 00001104 ____A C:\Users\Uer\Desktop\ASIO4ALL v2 Instruction Manual.lnk
2012-06-11 19:08 - 2012-07-11 00:05 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 19:23 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 19:23 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 19:23 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 19:23 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 19:23 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 19:23 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 19:23 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 19:23 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-20 19:08 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 19:08 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 19:08 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 19:08 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 19:08 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-20 19:08 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-20 19:08 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-20 19:07 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-20 19:07 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 00:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 00:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 00:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 00:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 00:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 00:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 00:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 00:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 00:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 00:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 00:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 00:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 00:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 00:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 00:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 00:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 00:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 00:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 00:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 00:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 00:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 00:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 00:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 00:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 00:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 00:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 00:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 00:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-10 19:23 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 19:23 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 19:23 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 19:23 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 19:23 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 19:23 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 19:23 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 19:23 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 19:23 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-28 12:53 - 2012-05-28 12:53 - 00001351 ____A C:\Users\Uer\Desktop\Anteara Mod.lnk
2012-05-17 16:36 - 2012-05-17 16:36 - 00000929 ____A C:\Users\Public\Desktop\BitTorrent.lnk
2012-05-17 16:35 - 2012-05-17 16:34 - 06379888 ____A (BitTorrent, Inc.) C:\Users\Uer\Downloads\BitTorrent.exe


ZeroAccess:
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\00000004.@
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\1afb2d56
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\201d3dde
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000004.@
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000064.@

ZeroAccess:
C:\Users\Uer\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}
C:\Users\Uer\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@
C:\Users\Uer\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L
C:\Users\Uer\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

Possible partition infection:
C:\Windows\svchost.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 7935.29 MB
Available physical RAM: 6951.18 MB
Total Pagefile: 7933.43 MB
Available Pagefile: 6931.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:919.35 GB) (Free:775.09 GB) NTFS
2 Drive e: (HP_RECOVERY) (Fixed) (Total:12.07 GB) (Free:1.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (Serato DJ Intro) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
4 Drive g: (BLAKE'S IPO) (Removable) (Total:3.77 GB) (Free:3.56 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 3867 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 919 GB 101 MB
Partition 3 Primary 12 GB 919 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 919 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 12 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3867 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-07-27 21:06

======================= End Of Log ==========================
 
FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\Uer\...\Run: [Diagnostics] rundll32.exe "C:\Users\Uer\AppData\Local\Temp\",DllRegisterServer [x]
HKU\Uer\...\Run: [Apple] rundll32.exe "C:\Users\Uer\AppData\Local\Apps\Apple\bqqlo.dll",DllRegisterServer [x]
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll
C:\PROGRA~2\WI3C8A~1
2012-08-03 14:14 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
CMD: bootrec /FixMBR
C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}
C:\Users\Uer\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
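The fixlist above targets a specific ZeroAccess footprint: a svchost.exe dropped directly in C:\Windows rather than System32, a GUID folder under Windows\Installer (and under the user's AppData\Local) holding "@" files in L\ and U\ subfolders, and Desktop.ini files in assembly\GAC_32 and GAC_64. The following script, an added example that is not part of this thread or of FRST/RogueKiller, walks a Windows tree and reports those indicators, comparing any stray svchost.exe by MD5 against the System32 copy in the spirit of FRST's "MD5 is legit" check; the GUID, file contents and directory layout it builds for its demo are constructed test data, not values from the logs.

```python
"""Report the ZeroAccess artefacts named in this thread under a Windows tree.

Added example, not part of the thread or of any tool it mentions. The demo
tree built by build_demo_tree() is constructed test data.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# {8-4-4-4-12} hex, the folder-name shape ZeroAccess used under Installer/AppData
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_zeroaccess(windows_dir, user_local_appdata=None):
    """Return (indicator, path) tuples for the artefacts this thread's logs show."""
    win = Path(windows_dir)
    findings = []

    # 1. svchost.exe belongs in System32/SysWOW64 (and the WinSxS store). Any other
    #    copy is reported; if its hash matches the genuine System32 binary it is
    #    labelled as a plain copy, otherwise as a hash mismatch (the case in the log).
    genuine = win / "System32" / "svchost.exe"
    genuine_md5 = md5_of(genuine) if genuine.is_file() else None
    for cand in win.rglob("svchost.exe"):
        parts = {p.lower() for p in cand.parts}
        if cand.parent.name.lower() in ("system32", "syswow64") or "winsxs" in parts:
            continue
        if genuine_md5 is not None and md5_of(cand) == genuine_md5:
            findings.append(("svchost_copy_outside_system32", str(cand)))
        else:
            findings.append(("svchost_outside_system32_hash_mismatch", str(cand)))

    # 2. GUID folders are normal in Windows\Installer (MSI cache); the ZeroAccess
    #    ones are distinguished by an "@" file and/or L\ and U\ subfolders.
    roots = [win / "Installer"]
    if user_local_appdata is not None:
        roots.append(Path(user_local_appdata))
    for root in roots:
        if not root.is_dir():
            continue
        for d in root.iterdir():
            if not (d.is_dir() and GUID_DIR.match(d.name)):
                continue
            if (d / "@").exists() or (d / "L").is_dir() or (d / "U").is_dir():
                findings.append(("zeroaccess_guid_folder", str(d)))

    # 3. A Desktop.ini inside the GAC folders is not a normal component there.
    for gac in ("GAC_32", "GAC_64"):
        ini = win / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            findings.append(("gac_desktop_ini", str(ini)))
    return findings


def build_demo_tree():
    """Construct a small fake Windows tree with the artefacts; returns (win, appdata)."""
    base = Path(tempfile.mkdtemp(prefix="za_demo_"))
    win = base / "Windows"
    appdata = base / "Users" / "Uer" / "AppData" / "Local"
    guid = "{0000aaaa-1111-2222-3333-444444444444}"   # constructed, not from the log
    files = {
        win / "System32" / "svchost.exe": b"genuine svchost (constructed)",
        win / "svchost.exe": b"dropped svchost (constructed)",
        win / "Installer" / guid / "@": b"",
        win / "Installer" / guid / "L" / "00000004.@": b"",
        win / "Installer" / guid / "U" / "00000004.@": b"",
        # a normal MSI cache folder: GUID name but only an icon, must not be flagged
        win / "Installer" / "{12345678-abcd-ef01-2345-6789abcdef01}" / "app.ico": b"",
        win / "assembly" / "GAC_32" / "Desktop.ini": b"",
        appdata / guid / "@": b"",
    }
    (win / "assembly" / "GAC_64").mkdir(parents=True)
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return str(win), str(appdata)


if __name__ == "__main__":
    for indicator, path in check_zeroaccess(*build_demo_tree()):
        print(f"{indicator}: {path}")
```

On a real machine the function would be pointed at C:\Windows and the user's AppData\Local folder; the demo tree exists only so the script runs offline.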
 
Awesome they did not pop up this time! Here is the log.


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012 01
Ran by SYSTEM at 2012-08-05 17:56:17 Run:1
Running from G:\

==============================================

HKEY_USERS\Uer\Software\Microsoft\Windows\CurrentVersion\Run\\Diagnostics Value deleted successfully.
HKEY_USERS\Uer\Software\Microsoft\Windows\CurrentVersion\Run\\Apple Value deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully .
C:\PROGRA~2\WI3C8A~1 moved successfully.
C:\Windows\svchost.exe moved successfully.

========= bootrec /FixMBR =========

The operation completed successfully.

========= End of CMD: =========

C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4} moved successfully.
C:\Users\Uer\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====
 
Back to Normal Mode

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Ok. First off I tried downloading ComboFix through Google Chrome, which did not let me save this file. So instead I used Internet Explorer to save it as svchost.exe (which took many tries because the download kept getting interrupted; I just pulled out my USB wireless adapter and put it back in, which let me download it.) Then I disabled my AVG 2012 Free by going to the bottom of the tray and clicking disable protection until next reboot. I could not find a way to disable MBAM, and I even looked on the link you provided, which gave instructions on how to with the registered version, and I have the free version. Now all that was done. I ran ComboFix and two windows came up saying that my AVG anti-virus 2012 and AVG spyware 2012 were still active, so I clicked OK on both because AVG did say all protection was disabled. While it was running I noticed it DID NOT disconnect me from the internet like you said it would. I only got to the stage 4 completed, which I let run for at least 30 minutes, then closed it since I saw it should only take 10 minutes, 20 at most, to complete. During this process I did remove my USB wireless adapter while running ComboFix. Did I do something wrong? Did I further damage my computer? Thanks for the quick replies!!!!
 
Ok, I know I am getting ahead here, but I just rebooted my computer and went into safe mode and tried running it there, which it did not. So I rebooted again and ran it again with AVG disabled, still got the messages, continued anyway and received the Blue Screen after the third stage completed. Rebooted and it booted normally.
 
Let's try this instead:

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.
 
Here are the files.
RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Uer [Admin rights]
Mode: Scan -- Date: 08/06/2012 16:03:19
¤¤¤ Bad processes: 1 ¤¤¤
[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

205.185.122.188 key.gamespy.com

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721010CLA332 SATA Disk Device +++++
--- User ---
[MBR] 18acd6881066114acbfe089a37760eb9
[BSP] 70389b2f75c637ed0eafbe7455bef1fb : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941412 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928218624 | Size: 12355 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6fd06bbbdabc92f410f3bab65fba5e85
[BSP] 02e7035ffb54d97291fa39379734721d : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
+++++ PhysicalDrive2: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Uer [Admin rights]
Mode: Remove -- Date: 08/06/2012 16:04:53
¤¤¤ Bad processes: 1 ¤¤¤
[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

205.185.122.188 key.gamespy.com

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721010CLA332 SATA Disk Device +++++
--- User ---
[MBR] 18acd6881066114acbfe089a37760eb9
[BSP] 70389b2f75c637ed0eafbe7455bef1fb : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941412 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928218624 | Size: 12355 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6fd06bbbdabc92f410f3bab65fba5e85
[BSP] 02e7035ffb54d97291fa39379734721d : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Uer [Admin rights]
Mode: Shortcuts HJfix -- Date: 08/06/2012 16:05:45
¤¤¤ Bad processes: 1 ¤¤¤
[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 6 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 647 / Fail 0
My documents: Success 67 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 541 / Fail 0
My videos: Success 4 / Fail 0
Local drives: Success 773 / Fail 0
Backup: [NOT FOUND]
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[H:] \Device\HarddiskVolume6 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[J:] \Device\CdRom1 -- 0x5 --> Skipped
[Q:] \Device\SftVol -- 0x3 --> Restored
¤¤¤ Infection : ¤¤¤
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
 
Ok, but before I run it I have a few questions: 1. Should I leave my wireless USB connected? 2. Should I wait longer than 30 minutes (if need be) for it to complete? 3. Is it ok if those two messages still pop up about AVG being active even though I have it temporarily disabled?
 
Ok. Did the same thing, let it run for an hour and it got stuck at stage 4 again. When I rebooted, my folder (Blake) was on my desktop and inside are some files with a .dat extension (ntuser.dat.log(1)), but when I open them nothing is in them. Also I guess I have another virus, WIN32.cryptor, that my AVG detected.
 
Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors
  • My Computer, and any other (removable) drives you may have
Leave the rest of the settings as they appear as default.
  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be neutralized then choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.
 
I am having a really hard time downloading this onto my desktop. My internet is not cooperating and gets to about 20 percent then it says download was interrupted. Would it be safe to save the setup file onto a flash drive from another computer then transfer it over to my infected computers desktop? Then run the setup in safe mode from there?
 
Here is the new set of instructions, sorry for your troubles...

Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

  • Double-click the Setup file to install it on your computer.
  • Once it has installed, review and accept the agreement and press the Start button.
  • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon):
  • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
  • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
  • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
  • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
  • Then, choose Save. Also, in the Automatic Report tab, select Save:
  • Please post the reports in your next reply.
  • Once you exit, the tool should uninstall automatically.
 
Ok, I downloaded the program to a USB drive from another computer because I could not get it to download to my (infected) computer. The set-up went smoothly. Then I proceeded to check all the boxes you said to, excluding the DVD/CD drive. When the scan started these boxes began to pop up, and I thought maybe if I just left it, it would continue. But no, it stopped until I chose an option, and I went with the recommended one unless skip was the only option. I work from 7am to 5pm, and I had run this program last night at 9 and let it do its thing till I came home today, and it stopped by itself at 49 percent. Here are the logs you requested.

Status: Vulnerability (events: 12)
8/12/2012 9:33:56 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 C:\Documents and Settings\All Users\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
8/12/2012 10:33:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/46809 C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe Low
8/12/2012 10:35:49 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49472 C:\Program Files (x86)\Java\jre6\bin\java.exe Low
8/12/2012 10:37:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49831 C:\Program Files (x86)\Pidgin\pidgin.exe Low
8/12/2012 10:39:54 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 C:\ProgramData\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
8/12/2012 10:44:01 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 C:\Users\All Users\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
8/12/2012 11:03:06 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49086 C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe Low
8/13/2012 6:38:59 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/46809 c:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe Low
8/13/2012 6:47:27 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/49831 c:\Program Files (x86)\Pidgin\pidgin.exe Low
8/13/2012 6:47:28 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/47447 c:\Program Files (x86)\QuickTime\QuickTimePlayer.exe Low
8/13/2012 6:51:22 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/49472 c:\Program Files (x86)\Java\jre6\bin\java.exe Low
8/13/2012 6:54:25 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 c:\ProgramData\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
Status: Deleted (events: 16)
8/13/2012 6:43:06 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BC.tmp High
8/13/2012 6:43:06 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BC.tmp//MPRESS High
8/13/2012 6:43:50 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BD.tmp High
8/13/2012 6:43:50 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 6:43:28 AM Deleted Trojan program Trojan.Win32.TDSS.istv C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BC.tmp.dat High
8/13/2012 6:44:38 AM Deleted Trojan program Trojan.Win32.TDSS.istw C:\Documents and Settings\All Users\Microsoft\Windows\DRM\9DB0.tmp High
8/13/2012 6:45:36 AM Deleted Trojan program Backdoor.Win32.ZAccess.uvz C:\FRST\Quarantine\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000064.@ High
8/13/2012 5:39:55 PM Deleted Trojan program Rootkit.Win32.TDSS.gq C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\tdlfs0000\tsk0009.dta High
8/13/2012 5:39:34 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0000.dta High
8/13/2012 5:39:34 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0000.dta//HDDImage High
8/13/2012 5:39:48 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0001.dta High
8/13/2012 5:39:48 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0001.dta//vbr0 High
8/13/2012 5:40:02 PM Deleted Trojan program Trojan.Win32.Miner.dw C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000008.@ High
8/13/2012 5:40:02 PM Deleted Trojan program Trojan.Win32.Miner.dw C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000008.@//data0000.res High
8/13/2012 5:40:05 PM Deleted Trojan program Backdoor.Win32.ZAccess.mbs C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\000000cb.@ High
8/13/2012 6:08:54 PM Deleted Trojan program Backdoor.Win32.ZAccess.mbs c:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\000000cb.@ High
Status: Absent (events: 10)
8/13/2012 5:41:54 PM Not found Trojan program Backdoor.Win64.ZAccess.bs C:\FRST\Quarantine\Desktop.ini High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\ProgramData\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istw C:\ProgramData\Microsoft\Windows\DRM\9DB0.tmp High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istv C:\ProgramData\Microsoft\Windows\DRM\97BC.tmp.dat High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\ProgramData\Microsoft\Windows\DRM\97BC.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\Users\All Users\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istv C:\Users\All Users\Microsoft\Windows\DRM\97BC.tmp.dat High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istw C:\Users\All Users\Microsoft\Windows\DRM\9DB0.tmp High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\Users\All Users\Microsoft\Windows\DRM\97BC.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Backdoor.Win64.ZAccess.br C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n High
Status: Quarantined (events: 5)
8/13/2012 6:45:33 AM Quarantined Trojan program HEUR:Backdoor.Win64.Generic C:\FRST\Quarantine\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@ High
8/13/2012 5:39:51 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\tdlfs0000\tsk0000.dta High
8/13/2012 5:39:58 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\tdlfs0000\tsk0014.dta High
8/13/2012 5:40:09 PM Quarantined Trojan program HEUR:Backdoor.Win64.Generic C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@ High
8/13/2012 6:14:35 PM Quarantined Trojan program HEUR:Backdoor.Win64.Generic c:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@ High
Status: Detected (events: 1)
8/13/2012 8:47:30 PM Detected Trojan program Backdoor.Win32.ZAccess.oun C:\Windows\assembly\GAC_32\Desktop.ini High
Status: Will be deleted when the computer is restarted (events: 2)
8/13/2012 5:41:54 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win64.ZAccess.bs C:\Windows\assembly\GAC_64\Desktop.ini High
8/13/2012 5:40:13 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win64.ZAccess.br C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n High
Status: Will be disinfected when the computer is restarted (events: 1)
8/13/2012 5:41:20 PM Will be disinfected when the computer is restarted virus Virus.Win64.ZAccess.b C:\Windows\System32\services.exe High
Status: Disinfected (events: 1)
8/13/2012 5:43:27 PM Disinfected virus Virus.Win64.ZAccess.b c:\Windows\System32\services.exe High
 
Ok, I downloaded the program to a USB drive from another computer because I could not get it to download to my (infected) computer. Now the set-up went smoothly. Then I proceeded to check all the boxes you said to, excluding the DVD/CD drive. When the scan started, these boxes began to pop up and I thought maybe if I just left it, it would continue. But no, it stopped until I chose an option, which I went with the recommended unless Skip was the only option. I work from 7am to 5pm and I had run this program last night at 9 and let it do its thing till I came home today, and it stopped by itself at 49 percent. Here are the logs you requested.

Status: Vulnerability (events: 12)
8/12/2012 9:33:56 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 C:\Documents and Settings\All Users\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
8/12/2012 10:33:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/46809 C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe Low
8/12/2012 10:35:49 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49472 C:\Program Files (x86)\Java\jre6\bin\java.exe Low
8/12/2012 10:37:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49831 C:\Program Files (x86)\Pidgin\pidgin.exe Low
8/12/2012 10:39:54 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 C:\ProgramData\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
8/12/2012 10:44:01 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 C:\Users\All Users\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
8/12/2012 11:03:06 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49086 C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe Low
8/13/2012 6:38:59 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/46809 c:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe Low
8/13/2012 6:47:27 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/49831 c:\Program Files (x86)\Pidgin\pidgin.exe Low
8/13/2012 6:47:28 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/47447 c:\Program Files (x86)\QuickTime\QuickTimePlayer.exe Low
8/13/2012 6:51:22 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/49472 c:\Program Files (x86)\Java\jre6\bin\java.exe Low
8/13/2012 6:54:25 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/43267 c:\ProgramData\HP\HP Deskjet 3000 J310 series\Help\flash\FlashPla.exe Low
Status: Deleted (events: 16)
8/13/2012 6:43:06 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BC.tmp High
8/13/2012 6:43:06 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BC.tmp//MPRESS High
8/13/2012 6:43:50 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BD.tmp High
8/13/2012 6:43:50 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 6:43:28 AM Deleted Trojan program Trojan.Win32.TDSS.istv C:\Documents and Settings\All Users\Microsoft\Windows\DRM\97BC.tmp.dat High
8/13/2012 6:44:38 AM Deleted Trojan program Trojan.Win32.TDSS.istw C:\Documents and Settings\All Users\Microsoft\Windows\DRM\9DB0.tmp High
8/13/2012 6:45:36 AM Deleted Trojan program Backdoor.Win32.ZAccess.uvz C:\FRST\Quarantine\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000064.@ High
8/13/2012 5:39:55 PM Deleted Trojan program Rootkit.Win32.TDSS.gq C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\tdlfs0000\tsk0009.dta High
8/13/2012 5:39:34 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0000.dta High
8/13/2012 5:39:34 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0000.dta//HDDImage High
8/13/2012 5:39:48 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0001.dta High
8/13/2012 5:39:48 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\mbr0000\tsk0001.dta//vbr0 High
8/13/2012 5:40:02 PM Deleted Trojan program Trojan.Win32.Miner.dw C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000008.@ High
8/13/2012 5:40:02 PM Deleted Trojan program Trojan.Win32.Miner.dw C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000008.@//data0000.res High
8/13/2012 5:40:05 PM Deleted Trojan program Backdoor.Win32.ZAccess.mbs C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\000000cb.@ High
8/13/2012 6:08:54 PM Deleted Trojan program Backdoor.Win32.ZAccess.mbs c:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\000000cb.@ High
Status: Absent (events: 10)
8/13/2012 5:41:54 PM Not found Trojan program Backdoor.Win64.ZAccess.bs C:\FRST\Quarantine\Desktop.ini High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\ProgramData\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istw C:\ProgramData\Microsoft\Windows\DRM\9DB0.tmp High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istv C:\ProgramData\Microsoft\Windows\DRM\97BC.tmp.dat High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\ProgramData\Microsoft\Windows\DRM\97BC.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\Users\All Users\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istv C:\Users\All Users\Microsoft\Windows\DRM\97BC.tmp.dat High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win32.TDSS.istw C:\Users\All Users\Microsoft\Windows\DRM\9DB0.tmp High
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\Users\All Users\Microsoft\Windows\DRM\97BC.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Backdoor.Win64.ZAccess.br C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n High
Status: Quarantined (events: 5)
8/13/2012 6:45:33 AM Quarantined Trojan program HEUR:Backdoor.Win64.Generic C:\FRST\Quarantine\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@ High
8/13/2012 5:39:51 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\tdlfs0000\tsk0000.dta High
8/13/2012 5:39:58 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\TDSSKiller_Quarantine\11.07.2012_22.36.09\mbr0000\tdlfs0000\tsk0014.dta High
8/13/2012 5:40:09 PM Quarantined Trojan program HEUR:Backdoor.Win64.Generic C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@ High
8/13/2012 6:14:35 PM Quarantined Trojan program HEUR:Backdoor.Win64.Generic c:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000000.@ High
Status: Detected (events: 1)
8/13/2012 8:47:30 PM Detected Trojan program Backdoor.Win32.ZAccess.oun C:\Windows\assembly\GAC_32\Desktop.ini High
Status: Will be deleted when the computer is restarted (events: 2)
8/13/2012 5:41:54 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win64.ZAccess.bs C:\Windows\assembly\GAC_64\Desktop.ini High
8/13/2012 5:40:13 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win64.ZAccess.br C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n High
Status: Will be disinfected when the computer is restarted (events: 1)
8/13/2012 5:41:20 PM Will be disinfected when the computer is restarted virus Virus.Win64.ZAccess.b C:\Windows\System32\services.exe High
Status: Disinfected (events: 1)
8/13/2012 5:43:27 PM Disinfected virus Virus.Win64.ZAccess.b c:\Windows\System32\services.exe High
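Reports like the one above are long, and the lines that matter to whoever is helping are the ones whose status says the scanner is not finished yet ("Detected", "Will be deleted/disinfected when the computer is restarted"): until the reboot completes, services.exe and the GAC Desktop.ini entries are still live. The following Python triage script is an added example, not part of this thread or of the scanner's own tooling; it parses the event-line format seen in the pasted report (date, time, status, object type, detection name, path, severity), groups events by status and malware family, and lists the pending ones. The sample report embedded in it is constructed from a few of the lines above, and the regex and the set of "pending" statuses are assumptions based on what the report shows.

```python
import re
from collections import Counter

# Matches one event line of the Kaspersky-style report pasted above:
#   <date> <time> <status> <object type> <detection name> <object path> <severity>
# The status may contain spaces ("Not found", "Will be deleted when the computer is
# restarted"), so it is matched lazily up to the object-type keyword; the path may
# contain spaces too, so it is matched greedily up to the trailing severity word.
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<status>.+?) (?P<kind>Trojan program|virus|vulnerability) "
    r"(?P<name>\S+) (?P<path>.+) (?P<severity>High|Medium|Low)$"
)

# Statuses meaning the scanner has NOT finished with the object (assumed set): the
# machine is still infected until a reboot completes the action, or nothing was done.
PENDING_STATUSES = {
    "Detected",
    "Will be deleted when the computer is restarted",
    "Will be disinfected when the computer is restarted",
}

# Constructed sample modelled on the report format above (a handful of its lines).
SAMPLE_REPORT = r"""
Status: Absent (events: 2)
8/13/2012 5:41:54 PM Not found Trojan program Trojan.Win64.TDSS.a C:\ProgramData\Microsoft\Windows\DRM\97BD.tmp//MPRESS High
8/13/2012 5:41:54 PM Not found Trojan program Backdoor.Win64.ZAccess.br C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n High
Status: Detected (events: 1)
8/13/2012 8:47:30 PM Detected Trojan program Backdoor.Win32.ZAccess.oun C:\Windows\assembly\GAC_32\Desktop.ini High
Status: Will be disinfected when the computer is restarted (events: 1)
8/13/2012 5:41:20 PM Will be disinfected when the computer is restarted virus Virus.Win64.ZAccess.b C:\Windows\System32\services.exe High
Status: Vulnerability (events: 1)
8/12/2012 10:35:49 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/49472 C:\Program Files (x86)\Java\jre6\bin\java.exe Low
"""


def parse_events(report):
    """Return one dict per event line; 'Status:' headers and blank lines are skipped."""
    events = []
    for line in report.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def family_of(name):
    """Reduce 'Backdoor.Win64.ZAccess.br' or 'HEUR:Trojan.Win32.Generic' to its family token."""
    parts = name.split(":", 1)[-1].split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]


def summarize(events):
    """Counts per status and per malware family, plus the events that still need action."""
    by_status = Counter(e["status"] for e in events)
    families = Counter(family_of(e["name"]) for e in events if e["kind"] != "vulnerability")
    pending = [e for e in events if e["status"] in PENDING_STATUSES]
    return {"by_status": dict(by_status), "families": dict(families), "pending": pending}


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_REPORT))
    print("events per status:", summary["by_status"])
    print("malware families:", summary["families"])
    for e in summary["pending"]:
        print("STILL PENDING:", e["status"], "-", e["name"], e["path"])
```

Run against the full report, the "pending" list is the part to read first: it is the set of objects whose removal depends on the requested reboot actually happening, which is why the helper asks for a fresh log afterwards.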
 
Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


tdss_1.jpg


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg


------------------------

Click the Start Scan button.

tdss_3.jpg


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


tdss_4.jpg


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


tdss_5.jpg



--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
Sometimes these logs can be very large; in that case please attach it, or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
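The last step above asks for the TDSSKiller report from the drive root, zipped if it is too large to paste. As an added example, not part of this thread or of TDSSKiller itself, here is a small Python helper that locates the newest "TDSSKiller.[Version]_[Date]_[Time]_log.txt" under a given root and zips it when it exceeds a size cut-off. The file-name regex and the 256 KiB threshold are assumptions derived from the naming the post describes, and the demo builds its own constructed log files in a scratch folder rather than touching a real C:\.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# TDSSKiller names its report "TDSSKiller.[Version]_[Date]_[Time]_log.txt" and writes it
# to the drive root (usually C:\); this pattern is an assumption derived from that naming.
LOG_NAME_RE = re.compile(r"^TDSSKiller\.[\d.]+_[\d.]+_[\d.]+_log\.txt$")
# Assumed cut-off above which a log is zipped and attached rather than pasted inline.
ZIP_THRESHOLD = 256 * 1024


def find_latest_log(root):
    """Return the most recently modified TDSSKiller log directly under `root`, or None."""
    candidates = [p for p in Path(root).iterdir() if p.is_file() and LOG_NAME_RE.match(p.name)]
    return max(candidates, key=lambda p: p.stat().st_mtime) if candidates else None


def prepare_for_upload(root, threshold=ZIP_THRESHOLD):
    """Pick the newest log and return (file_to_attach, was_zipped)."""
    log = find_latest_log(root)
    if log is None:
        return None, False
    if log.stat().st_size <= threshold:
        return log, False                      # small enough to paste as-is
    archive = log.with_suffix(".zip")          # TDSSKiller.<...>_log.zip next to the log
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(log, arcname=log.name)
    return archive, True


def demo(root=None):
    """Constructed fixture: an old small log and a newer oversized one in a scratch folder.
    The version and timestamps in the file names are placeholders, not real TDSSKiller output."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="tdss_demo_"))
    older = root / "TDSSKiller.0.0.0_01.01.2012_00.00.00_log.txt"
    newer = root / "TDSSKiller.0.0.0_02.01.2012_00.00.00_log.txt"
    older.write_text("older run, nothing found\n")
    newer.write_text("x" * (ZIP_THRESHOLD + 1))
    os.utime(older, (1000000000, 1000000000))  # force the older file to be oldest by mtime
    chosen, zipped = prepare_for_upload(root)
    return chosen.name, zipped, chosen.stat().st_size < newer.stat().st_size


if __name__ == "__main__":
    print(demo())
```

On a real machine, call prepare_for_upload(r"C:\") and attach whatever path it returns; the newest-by-mtime rule matters because the post asks for TDSSKiller to be run more than once and several logs will accumulate in the root.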
 
Now, please run TDSSKiller once more and post a log, and then...

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

aswMBR_Scan.jpg


Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop
    aswMBR_SaveLog.png

  • Copy and paste the contents of aswMBR.txt back here for review
 