I initially noticed this heinous thing a few days ago, and immediately knew it was probably bad news. Promptly, I attempted to remove it, but it was incredibly stubborn and refused to budge -- nothing I did seemed to have any effect on it. I spoke to my brother (who is infinitely more tech savvy than myself) about the issue, and he suggested a program called "FileASSASSIN". So, I proceeded to locate, download and install it. I followed the instructions, and used it on '0i763f66bz.exe'. To my surprise, it actually appeared to have worked.
So, that's good; except the problems from when it was still around remain, and seemingly have not been resolved. Uncertain of the full impact, I've noticed primarily that its influence (or that's what I suspect it to be, at least) is still negatively affecting the following programs:
- Microsoft Security Essentials
- Windows Firewall
- Windows Update
None of them are working properly, for various reasons, and I have a hunch it's all because of this one file, despite the fact that it's no longer even present, of course. So I finally decided to do what I should've done in the first place, and punch the file name into Google. Oddly enough, there were only a handful of results, and they were all in Spanish...? Eventually, during a subsequent search, this place appeared alongside them as the only English site. So, here I am.
[Oh, and greetings to everyone. First post -- obviously.]
Anyway, here are those requested preliminary log files:
====
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.24.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jeff :: N5X6G2 [administrator]
Protection: Disabled
06/24/2012 08:53:15AM 08:53:15
mbam-log-2012-06-24 (08-53-15).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 230603
Time elapsed: 31 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\n. -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\WINDOWS\system32\regedit.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 6
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|StartMenuLogOff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 8
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\n (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\n (Trojan.Dropper.PE4) -> Delete on reboot.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
====
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-24 09:54:32
Windows 5.1.2600 Service Pack 3
Running: gvy8ndqh[1].exe
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\Drivers\35f653a090572886.sys (*** hidden *** ) [BOOT] 35f653a090572886 <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@ImagePath \SystemRoot\System32\Drivers\35f653a090572886.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@DisplayName 0i763f66bz.exe
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@ImagePath \SystemRoot\System32\Drivers\35f653a090572886.sys
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Tag 1
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@DisplayName 0i763f66bz.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{CAF9FB67-43D3-E485-2E8D-2D6C0E4B9F7D}\bsQed@ ZX_[SQX}OOW_Hzymif]kfCs
Reg HKLM\SOFTWARE\Classes\CLSID\{CAF9FB67-43D3-E485-2E8D-2D6C0E4B9F7D}\GbJBby@ MW`
Reg HKLM\SOFTWARE\Classes\CLSID\{CAF9FB67-43D3-E485-2E8D-2D6C0E4B9F7D}\UwtxkgCuxgZ@ YVzQ{qoZl_LjtF|kq}jb
---- EOF - GMER 1.0.15 ----
====
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jeff at 9:45:51 on 2012-06-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.223.19 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Cisco Systems\Cisco Valet Connector\CiscoAdapterSvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OrbitDownloader\orbitdm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp-5.53\winamp.exe
C:\WINDOWS\SYSTEM32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Windows-Internet-Explorer
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg 8.0\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg 8.0\toolbar\IEToolbar.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg 8.0\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SystemTray] SysTray.Exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFMQTktSVM0SEwtRFVJR1ItQUlaSkwtREFCTUMtMw"&"inst=NzYtNzU5MjkyODQ2LUtWMys3LUJBKzEtWEwrMS1UMS1VQ0FMTCsxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjhNOUErMy1GOE0xMUMrMS1VUEcrMjAxMS1GOE0xMUUrMQ"&"prod=94"&"ver=10.0.1204
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-system: RunLogonScriptSync = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - f:\getright\GRdownload.htm
IE: Open with GetRight Browser - f:\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340471657296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196095297234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://www.shawsecure.ca/pchealthcheck/fscax.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://shawsecure.ca/virusscanner/fscax.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.59.135.133 64.59.135.135 64.59.128.120
TCP: Interfaces\{9D84FC67-567D-4897-893B-C4AF6C57FC6E} : DhcpNameServer = 64.59.135.133 64.59.135.135 64.59.128.120
TCP: Interfaces\{A03B9F89-80BF-4483-80AF-C4E26E807093} : DhcpNameServer = 192.168.1.1 64.59.135.133 64.59.135.135
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 RaAutoInstSrv_AM10;Cisco Valet Connector Service;c:\program files\cisco systems\cisco valet connector\CiscoAdapterSvc.exe [2010-9-14 529024]
R3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [2010-9-13 816672]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S1 qzjdthwg;qzjdthwg;\??\c:\windows\system32\drivers\qzjdthwg.sys --> c:\windows\system32\drivers\qzjdthwg.sys [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-24 654408]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-8-26 816672]
S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2001-10-17 25434]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\jeff\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\jeff\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-28 29744]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-24 22344]
.
=============== Created Last 30 ================
.
2012-06-24 10:49:23 -------- d-----w- c:\documents and settings\jeff\application data\Malwarebytes
2012-06-24 10:49:23 -------- d-----w- c:\documents and settings\jeff\application data\Malwarebytes
2012-06-24 10:49:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-24 10:49:09 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-24 10:49:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-24 10:34:54 -------- d-----w- c:\program files\FileASSASSIN
2012-06-24 10:24:31 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{878898ce-9a8c-4250-b936-08f3f63ee2d3}\offreg.dll
2012-06-24 09:20:45 -------- d-----w- c:\documents and settings\jeff\application data\PCHealth
2012-06-24 09:20:45 -------- d-----w- c:\documents and settings\jeff\application data\PCHealth
2012-06-24 08:11:36 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{878898ce-9a8c-4250-b936-08f3f63ee2d3}\mpengine.dll
2012-06-24 07:58:52 -------- d-----w- C:\1ef01b77f09c47636f688c2d3b6875
2012-06-24 07:47:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-24 07:39:14 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-23 19:23:42 -------- d-----w- c:\documents and settings\jeff\application data\DriverCure
2012-06-23 19:23:42 -------- d-----w- c:\documents and settings\jeff\application data\DriverCure
2012-06-23 19:23:41 -------- d-----w- c:\documents and settings\jeff\application data\ParetoLogic
2012-06-23 19:23:41 -------- d-----w- c:\documents and settings\jeff\application data\ParetoLogic
2012-06-23 19:21:21 -------- d-----w- c:\program files\common files\ParetoLogic
2012-06-23 19:21:19 -------- d-----w- c:\program files\ParetoLogic
2012-06-23 19:21:19 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2012-06-23 05:57:00 66488 ----a-w- c:\windows\system32\drivers\35f653a090572886.sys
2012-06-11 06:22:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-03 07:31:20 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
.
==================== Find3M ====================
.
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-01-20 10:27:06 1454656 ----a-w- c:\program files\Silverlight.exe
.
============= FINISH: 9:51:27.98 ===============
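The three logs above carry a consistent set of indicators, and a responder would pull them out before deciding on a cleanup plan: a boot-start kernel service with a 16-hex-digit name whose driver GMER cannot see on disk, the same service registered with DisplayName 0i763f66bz.exe (the file the poster was fighting), a {GUID}\n payload plus a U\ folder of *.@ files under both \WINDOWS\Installer and the user's Application Data, a CLSID whose InProcServer32 was redirected from wbemess.dll to that payload, three Security Center *DisableNotify values set to 1 (which is why nothing warned that MSE, the firewall and updates were off), and an S1 driver (qzjdthwg.sys) that DDS could not stat. The script below is an added example, written for this page and not part of the poster's logs or of any of the tools named above: it is a small Python triage pass that applies those indicators to the pasted log lines. The sample text is copied from the post (with three benign lines from the same logs as negatives), and the 8-letter random driver-name rule is labelled a heuristic because legitimate scanners drop similarly named drivers.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: lines copied from the MBAM, GMER and DDS logs in the post
# above, plus three benign lines from the same logs (MpFilter, the F-Secure
# online scanner driver, the MSE definition folder) that must NOT be flagged.
SAMPLE_LOG = r"""
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\n. -> Quarantined and deleted successfully.
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\n (Trojan.Dropper.PE4) -> Delete on reboot.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
Service C:\WINDOWS\System32\Drivers\35f653a090572886.sys (*** hidden *** ) [BOOT] 35f653a090572886 <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@ImagePath \SystemRoot\System32\Drivers\35f653a090572886.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@DisplayName 0i763f66bz.exe
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S1 qzjdthwg;qzjdthwg;\??\c:\windows\system32\drivers\qzjdthwg.sys --> c:\windows\system32\drivers\qzjdthwg.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\jeff\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\jeff\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
2012-06-24 10:24:31 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{878898ce-9a8c-4250-b936-08f3f63ee2d3}\offreg.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# Single-line indicators, each matched independently against the whole log text.
LINE_INDICATORS = {
    # GMER: boot-start service whose image is hidden from the file system and
    # whose name is 16 hex digits (the random-name scheme in this log).
    "hidden_boot_driver": re.compile(
        r"Service \S+\\(?P<name>[0-9a-f]{16})\.sys \(\*\*\* hidden \*\*\* \) \[BOOT\]"),
    # MBAM: the {GUID}\n payload, or a U\ folder of *.@ files next to it.
    "guid_payload_dir": re.compile(GUID + r"\\(?:U\\[0-9a-f]{8}\.@|n\b)"),
    # MBAM: a CLSID whose InProcServer32 points at that {GUID}\n payload instead of a DLL.
    "clsid_inproc_hijack": re.compile(
        r"CLSID\\(?P<clsid>" + GUID + r")\\InProcServer32\|.*?" + GUID + r"\\n\b", re.I),
    # MBAM: Security Center told not to report that AV / firewall / updates are off.
    "security_center_notify_off": re.compile(
        r"Security Center\|(?P<value>\w+DisableNotify) .*Bad: \(1\)"),
    # DDS: boot- or system-start driver with an 8-letter random-looking name and a
    # file DDS could not stat ([?]). Heuristic: legitimate scanners do this too.
    "unresolved_boot_driver": re.compile(
        r"^S[01] (?P<svc>[a-z]{8});(?P=svc);.*\[\?\]$", re.M),
}

# GMER prints one "Reg ...\Services\<name>@<Value> <data>" line per registry value.
SERVICE_VALUE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<set>CurrentControlSet|ControlSet\d+)\\Services\\"
    r"(?P<svc>[^\\@\s]+)@(?P<value>\w+)\s*(?P<data>.*)$", re.M)


def service_configs(text):
    """Rebuild each service's registry values from GMER's per-value lines."""
    configs = defaultdict(dict)
    for m in SERVICE_VALUE.finditer(text):
        configs[(m.group("set"), m.group("svc"))][m.group("value")] = m.group("data").strip()
    return dict(configs)


def scan(text):
    """Return {indicator: [evidence line, ...]} for every indicator present in text."""
    hits = defaultdict(list)
    for name, pattern in LINE_INDICATORS.items():
        for m in pattern.finditer(text):
            hits[name].append(m.group(0).strip())
    # Cross-line check: a kernel driver (Type 1) loaded at boot (Start 0) whose
    # DisplayName is an .exe, i.e. the driver is registered under the dropper's name.
    for (ctl, svc), cfg in service_configs(text).items():
        if (cfg.get("Type") == "1" and cfg.get("Start") == "0"
                and cfg.get("DisplayName", "").lower().endswith(".exe")):
            hits["boot_driver_named_as_exe"].append(
                f"{ctl}\\Services\\{svc}: DisplayName={cfg['DisplayName']} "
                f"ImagePath={cfg.get('ImagePath', '?')}")
    return dict(hits)


def indicators_found(text):
    """Sorted list of indicator names that fired, for a one-line verdict."""
    return sorted(scan(text))


if __name__ == "__main__":
    # Pipe concatenated MBAM/GMER/DDS logs on stdin, or run with no input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for name, evidence in sorted(scan(text).items()):
        print(f"[{name}] {len(evidence)} hit(s)")
        for line in evidence:
            print("    " + line[:120])
```

Each indicator is kept separate on purpose: the Security Center values and the CLSID redirect are things MBAM already repaired, while the hidden boot-start driver is still listed by GMER after that repair, so the per-indicator output tells a helper which parts of the infection survived the first pass rather than just saying "infected".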
So, that's good; except the problems when it was still around remain, and seemingly have not been resolved. Uncertain of the full-impact, I've noticed primarily its influence (or that's what I suspect it to be, at least) is still currently negatively affecting the following programs:
- MicroSoft Security Essentials
- Windows FireWall
- Windows UpDate
None of them are working properly, for various reasons, and I have a hunch it's all because of this one file. Despite the fact itself it's no longer even present, of course. So I finally decided to do what I should've done in the first place, and punch the file-name into Google. Oddly enough, there were only a handful of results, and they were all in in Spanish...? Eventually, during a subsequent search, this place appeared alongside as the only English-site. So, here I am.
[Oh, and greetings to everyone. First-post -- obviously.]
Anyway, here are those requested preliminary log files:
====
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.24.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jeff :: N5X6G2 [administrator]
Protection: Disabled
06/24/2012 08:53:15AM 08:53:15
mbam-log-2012-06-24 (08-53-15).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 230603
Time elapsed: 31 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\n. -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\WINDOWS\system32\regedit.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 6
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|StartMenuLogOff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 8
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\n (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\{3111d73b-c925-5cf3-d143-385d63565d26}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\n (Trojan.Dropper.PE4) -> Delete on reboot.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3111d73b-c925-5cf3-d143-385d63565d26}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
====
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-24 09:54:32
Windows 5.1.2600 Service Pack 3
Running: gvy8ndqh[1].exe
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\Drivers\35f653a090572886.sys (*** hidden *** ) [BOOT] 35f653a090572886 <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@ImagePath \SystemRoot\System32\Drivers\35f653a090572886.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\35f653a090572886@DisplayName 0i763f66bz.exe
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@ImagePath \SystemRoot\System32\Drivers\35f653a090572886.sys
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@Tag 1
Reg HKLM\SYSTEM\ControlSet003\Services\35f653a090572886@DisplayName 0i763f66bz.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{CAF9FB67-43D3-E485-2E8D-2D6C0E4B9F7D}\bsQed@ ZX_[SQX}OOW_Hzymif]kfCs
Reg HKLM\SOFTWARE\Classes\CLSID\{CAF9FB67-43D3-E485-2E8D-2D6C0E4B9F7D}\GbJBby@ MW`
Reg HKLM\SOFTWARE\Classes\CLSID\{CAF9FB67-43D3-E485-2E8D-2D6C0E4B9F7D}\UwtxkgCuxgZ@ YVzQ{qoZl_LjtF|kq}jb
---- EOF - GMER 1.0.15 ----
====
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jeff at 9:45:51 on 2012-06-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.223.19 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Cisco Systems\Cisco Valet Connector\CiscoAdapterSvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OrbitDownloader\orbitdm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp-5.53\winamp.exe
C:\WINDOWS\SYSTEM32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Windows-Internet-Explorer
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg 8.0\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg 8.0\toolbar\IEToolbar.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg 8.0\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SystemTray] SysTray.Exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFMQTktSVM0SEwtRFVJR1ItQUlaSkwtREFCTUMtMw"&"inst=NzYtNzU5MjkyODQ2LUtWMys3LUJBKzEtWEwrMS1UMS1VQ0FMTCsxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjhNOUErMy1GOE0xMUMrMS1VUEcrMjAxMS1GOE0xMUUrMQ"&"prod=94"&"ver=10.0.1204
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-system: RunLogonScriptSync = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - f:\getright\GRdownload.htm
IE: Open with GetRight Browser - f:\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340471657296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196095297234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://www.shawsecure.ca/pchealthcheck/fscax.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://shawsecure.ca/virusscanner/fscax.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.59.135.133 64.59.135.135 64.59.128.120
TCP: Interfaces\{9D84FC67-567D-4897-893B-C4AF6C57FC6E} : DhcpNameServer = 64.59.135.133 64.59.135.135 64.59.128.120
TCP: Interfaces\{A03B9F89-80BF-4483-80AF-C4E26E807093} : DhcpNameServer = 192.168.1.1 64.59.135.133 64.59.135.135
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 RaAutoInstSrv_AM10;Cisco Valet Connector Service;c:\program files\cisco systems\cisco valet connector\CiscoAdapterSvc.exe [2010-9-14 529024]
R3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [2010-9-13 816672]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S1 qzjdthwg;qzjdthwg;\??\c:\windows\system32\drivers\qzjdthwg.sys --> c:\windows\system32\drivers\qzjdthwg.sys [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-24 654408]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-8-26 816672]
S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2001-10-17 25434]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\jeff\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\jeff\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-28 29744]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-24 22344]
.
=============== Created Last 30 ================
.
2012-06-24 10:49:23 -------- d-----w- c:\documents and settings\jeff\application data\Malwarebytes
2012-06-24 10:49:23 -------- d-----w- c:\documents and settings\jeff\application data\Malwarebytes
2012-06-24 10:49:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-24 10:49:09 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-24 10:49:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-24 10:34:54 -------- d-----w- c:\program files\FileASSASSIN
2012-06-24 10:24:31 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{878898ce-9a8c-4250-b936-08f3f63ee2d3}\offreg.dll
2012-06-24 09:20:45 -------- d-----w- c:\documents and settings\jeff\application data\PCHealth
2012-06-24 09:20:45 -------- d-----w- c:\documents and settings\jeff\application data\PCHealth
2012-06-24 08:11:36 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{878898ce-9a8c-4250-b936-08f3f63ee2d3}\mpengine.dll
2012-06-24 07:58:52 -------- d-----w- C:\1ef01b77f09c47636f688c2d3b6875
2012-06-24 07:47:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-24 07:39:14 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-23 19:23:42 -------- d-----w- c:\documents and settings\jeff\application data\DriverCure
2012-06-23 19:23:42 -------- d-----w- c:\documents and settings\jeff\application data\DriverCure
2012-06-23 19:23:41 -------- d-----w- c:\documents and settings\jeff\application data\ParetoLogic
2012-06-23 19:23:41 -------- d-----w- c:\documents and settings\jeff\application data\ParetoLogic
2012-06-23 19:21:21 -------- d-----w- c:\program files\common files\ParetoLogic
2012-06-23 19:21:19 -------- d-----w- c:\program files\ParetoLogic
2012-06-23 19:21:19 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2012-06-23 05:57:00 66488 ----a-w- c:\windows\system32\drivers\35f653a090572886.sys
2012-06-11 06:22:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-03 07:31:20 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
.
==================== Find3M ====================
.
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-01-20 10:27:06 1454656 ----a-w- c:\program files\Silverlight.exe
.
============= FINISH: 9:51:27.98 ===============