ZeroAccess.eh Trojan & Lots of messages saying file infected [Sol


  • This topic is locked

#1
khphoto1

khphoto1

    Member

  • Member
  • PipPipPip
  • 102 posts
Dell Optiplex 390 MT - using now for personal home use. Running Vista. On start-up message pops up saying that the recycle bin is corrupt. Cannot open the bin to see what is in there. McAfee then pops up with "Trojan Detected" Details say:
Quarantined From: C?\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\\...\$.10000008\U\............

We cannot remove a trojan while the infected file is in use. Restarting your PC frees up the infected file allowing McAfee to fix the issue. Have tried with no success. Have tried downloading other programs I know you will recommend, OTL, Malwarebytes.... and McAfee is blocking all downloads saying they are viruses. Now what can I do?

Kathy
  • 0


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, let's see if this will enable you to download FRST

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

  • Click on the Start button and in the search box, type Notepad and click on it
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\en-US" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpAsDesc.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpClient.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCmdRun.exe" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCommu.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpEvMsg.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpOAV.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRTP.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSvc.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MSASCui.exe" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpCom.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpLics.dll" /c 
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpRes.dll" /c 
    
    CD \
    DIR /S /A:L > %USERPROFILE%\Desktop\JunctionPoints.txt
    start %USERPROFILE%\Desktop\JunctionPoints.txt .
    EXIT
    
    
  • Go to File > Save As... and save it to your Desktop named fix.bat. Make sure you change the Save as type to All Files (*.*)
  • Locate fix.bat on your Desktop and right click then select Run as administrator
  • A log, Junction.txt, will be located on the desktop; attach that

THEN

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

  • 0

#3
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Sorry, I made a slight error on that batch file; it will do no harm, just fail to run

This is the revised one :blush:

  • Click on the Start button and in the search box, type Notepad and click on it
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad
    REM Remove the reparse points placed on the Windows Defender files
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\en-US"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpAsDesc.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpClient.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCmdRun.exe"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCommu.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpEvMsg.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpOAV.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRTP.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSvc.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MSASCui.exe"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpCom.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpLics.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpRes.dll"

    REM List every remaining junction and symbolic link on the drive, then open the log
    CD \
    DIR /S /A:L > "%USERPROFILE%\Desktop\JunctionPoints.txt"
    start "" "%USERPROFILE%\Desktop\JunctionPoints.txt"
    EXIT
    
    
  • Go to File > Save As... and save it to your Desktop named fix.bat. Make sure you change the Save as type to All Files (*.*)
  • Locate fix.bat on your Desktop and right click then select Run as administrator
  • A log, Junction.txt, will be located on the desktop; attach that

  • 0

#4
khphoto1

khphoto1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Thanks for the quick response. I will be out of town tomorrow, so it will be Thursday before I can get back to you. I am messaging you from a different computer for now - laptop. The one infected is the desktop at home.
  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem

As a thought, could you download FRST to a USB drive in case my batch file does not kill it all?

If you are unable to download after running the batch file, then insert the USB with FRST on it and run from the USB drive
  • 0

#6
khphoto1

khphoto1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Hi,
Yesterday I downloaded to my laptop and copied to a flash drive the following tools: FRST, OTL, ComboFix, Adwcleaner, rkill, mbam-setup.exe and both the exe and zip tdsskiller. So I have them. Can you tell me which of these take over an hour to run? That way, if or when needed, I will know how to schedule the run and my time (overnight...). Will be at the desktop in an hour.
Kathy
  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
FRST will take maybe 10-15 minutes. That will be our main tool, the fix element will take about 2 minutes. Then OTL will take about 15 minutes to scan and the fix (if any) will take a minute or two. We may not need combofix :)
  • 0

#8
khphoto1

khphoto1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
I can no longer access the IE on the desktop. Ran FRST from USB. Here are the files:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-09-2013
Ran by Owner (administrator) on BREWER-PC on 26-09-2013 12:43:59
Running from E:\
Microsoft® Windows Vista™ Business Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(PCRx.com, LLC) C:\Program Files\24x7Help\App24x7Svc.exe
(COMPANYVERS_NAME) C:\PROGRA~1\MAPSGA~2\bar\1.bin\39barsvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Ask) C:\Program Files\Ask.com\Updater\Updater.exe
(McAfee, Inc.) C:\Program Files\McAfee.com\Agent\mcagent.exe
(Inbox.com, Inc.) C:\Program Files\Inbox Toolbar\Inbox.exe
(Crawler.com) C:\Program Files\PCPowerSpeed\PCPowerTray.exe
(Crawler.com) C:\Program Files\OnlineVault\OVTray.exe
(MindSpark) C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrchMn.exe
(VER_COMPANY_NAME) C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Inbox.com, Inc.) C:\Program Files\RebateInformer\RebateInf.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.287\SSScheduler.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
(Crawler, LLC) C:\Program Files\24x7Help\App24x7Help.exe
(PCRx.com, LLC) C:\Program Files\24x7Help\App24x7Hook.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(McAfee, Inc.) C:\Program Files\McAfee Online Backup\MOBKbackup.exe
(McAfee, Inc.) C:\Program Files\McAfee Online Backup\MOBKbackup.exe
(McAfee, Inc.) C:\Program Files\McAfee\MAT\McPvTray.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee\VIRUSS~1\mcvsmap.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Core\mchost.exe
(Microsoft Corporation) \\?\C:\Windows\system32\wbem\WMIADAP.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SoundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [1261568 2007-05-08] (Analog Devices, Inc.)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1646216 2013-01-24] (Ask)
HKLM\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [InboxToolbar] - C:\Program Files\Inbox Toolbar\Inbox.exe [1708696 2013-02-20] (Inbox.com, Inc.)
HKLM\...\Run: [24x7HELP] - C:\Program Files\24x7Help\App24x7Help.exe [1773648 2013-03-12] (Crawler, LLC)
HKLM\...\Run: [PCPowerSpeed] - C:\Program Files\PCPowerSpeed\PCPowerTray.exe [374880 2013-01-30] (Crawler.com)


Next File

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-09-2013
Ran by Owner at 2013-09-26 12:45:18
Running from E:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

24x7 Help (Version: 2.1.0.29)
Adobe Flash Player 11 ActiveX (Version: 11.5.502.146)
Adobe Reader XI (11.0.04) (Version: 11.0.04)
AppGraffiti (Version: 1.0.0.33)
Ask Toolbar (Version: 1.15.15.0)
Ask Toolbar Updater (HKCU Version: 1.2.4.35882)
BackUpDutyLite (Version: 1.1.0.1)
Broadcom Gigabit Integrated Controller (Version: 10.50.03)
Dell Resource CD (Version: 1.10.0000)
Files Opened (Version: 1.0)
Inbox Toolbar (Version: 2.0.0.55)
Intel® Graphics Media Accelerator Driver
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
MapsGalaxy Firefox Toolbar
MapsGalaxy Internet Explorer Toolbar
McAfee Online Backup
McAfee Online Backup (Version: 1.16.4.0)
McAfee Security Scan Plus (Version: 3.0.287.1)
McAfee Total Protection (Version: 11.6.511)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Online Vault
PC Power Speed 1.1.0.36 (Version: 1.1.0.36)
QuickBooks (Version: 22.0.4001.2206)
QuickBooks Pro 2012 (Version: 22.0.4001.2206)
RebateInformer (Version: 1.0.0.87)
RegWork (Version: 1.0.4.12)
Shared C Run-time for x86 (Version: 10.0.0)
SoundMAX (Version: 6.10.1.5450)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (Version: 1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
ZoomTown Software

==================== Restore Points =========================

22-07-2013 23:11:24 Scheduled Checkpoint
27-07-2013 00:06:30 Installed Java 7 Update 25
27-07-2013 17:31:53 Scheduled Checkpoint
28-07-2013 18:25:34 Scheduled Checkpoint
30-07-2013 15:05:32 Scheduled Checkpoint
09-08-2013 19:10:17 Scheduled Checkpoint
10-08-2013 16:23:29 Scheduled Checkpoint
11-08-2013 07:00:11 Windows Update
13-08-2013 16:56:35 Scheduled Checkpoint
18-08-2013 16:07:54 Windows Update
21-08-2013 00:09:13 Windows Update
30-08-2013 19:32:25 Scheduled Checkpoint
02-09-2013 14:54:39 Windows Update
18-09-2013 02:33:43 Scheduled Checkpoint
18-09-2013 07:00:34 Windows Update
18-09-2013 23:01:30 Windows Modules Installer
24-09-2013 21:28:05 Scheduled Checkpoint
26-09-2013 04:00:02 Scheduled Checkpoint

==================== Hosts content: ==========================

2006-11-02 06:23 - 2006-09-18 17:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {0CAB7B68-718C-40E0-B83B-89DDF7007DC8} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => C:\Windows\system32\pla.dll [2008-01-19] (Microsoft Corporation)
Task: {155723BA-60E2-4354-93AF-84EAC8D3C2D8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: {197E3AC5-7B44-4D87-BE9C-1BA57F46CDA5} - System32\Tasks\Regwork => C:\Program Files\RegWork\RegWork.exe [2012-12-25] ()
Task: {258A0B44-7460-404E-B124-54807C42BDDB} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {2DE18FE4-6467-484F-8431-206702EC5546} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {2E5B7D97-F14C-4CFF-864E-620AABA892D1} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {31D074C6-862C-489E-8C71-04A05C40A5CF} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2013-01-24] ()
Task: {4D54D985-A397-4AB6-91F6-04BD42ACA048} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-02] (Adobe Systems Incorporated)
Task: {4D72741E-769C-45DB-8604-CB8EBDADAA29} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Regwork.job => C:\Program Files\RegWork\RegWork.exe

==================== Loaded Modules (whitelisted) =============

2013-02-23 13:02 - 2013-02-17 23:27 - 00042064 _____ (PCRx.com, LLC) C:\Program Files\24x7Help\App24x7Hook.dll
2013-07-16 11:00 - 2013-07-16 11:00 - 00034344 _____ (MindSpark) C:\Program Files\MapsGalaxy_39\bar\1.bin\39hkstub.dll
2013-07-16 11:00 - 2013-07-16 11:00 - 00034192 _____ (VER_COMPANY_NAME) C:\Program Files\MapsGalaxy_39\bar\1.bin\39brstub.dll
2013-02-23 13:03 - 2013-01-30 14:09 - 00410720 _____ (Crawler.com) C:\Program Files\OnlineVault\OVShell.dll
2013-02-02 11:15 - 2007-05-01 01:47 - 00249856 _____ () C:\Windows\system32\igfxTMM.dll
2013-02-02 11:20 - 2007-05-01 01:46 - 00172032 _____ (Intel Corporation) C:\Intel\ExtremeGraphics\CUI\Resource\igfxres.dll
2011-08-19 22:38 - 2011-08-19 22:38 - 01721752 _____ (Intuit Inc.) C:\Windows\system32\InetClnt.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00268648 _____ () C:\Program Files\Intuit\QuickBooks 2012\boost_regex-vc90-mt-p-1_33.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00776568 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dblib11.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 01250168 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dbtool11.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00020840 _____ () C:\Program Files\Intuit\QuickBooks 2012\QBCompressor.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00059904 _____ () C:\Program Files\Intuit\QuickBooks 2012\zlib1.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00379752 _____ () C:\Program Files\Intuit\QuickBooks 2012\BackupLib.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00138088 _____ () C:\Program Files\Intuit\QuickBooks 2012\QBMAPILibrary.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00176488 _____ () C:\Program Files\Intuit\QuickBooks 2012\boost_serialization-vc90-mt-p-1_33.dll
2011-08-20 01:58 - 2011-08-20 01:58 - 00155648 _____ (Wintertree Software Inc.) C:\Program Files\Intuit\QuickBooks 2012\SSCE5232.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00877432 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dbicu11.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 04360056 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dbicudt11.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00861048 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dblgen11.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00042344 _____ () C:\Program Files\Intuit\QuickBooks 2012\mbpopup.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00053608 _____ (TODO: <Company name>) C:\Program Files\Intuit\QuickBooks 2012\PRNotificationLoader.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcmscsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/24/2013 04:42:34 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2212 (0x8a4)

Thread address : 0x77395D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\80000000.$
by C:\Windows\system32\services.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (09/24/2013 04:36:03 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7a8c089d-fda3-466a-8cc0-e0aad46a145e}

Error: (09/24/2013 04:34:09 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/24/2013 04:34:09 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/24/2013 04:34:09 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/24/2013 04:14:59 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
ExcelHelper::SetCustomPropertyString - Cannot add variable to excel : QBSUBSTORAGE

Error: (09/24/2013 04:14:59 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
ExcelHelper::WriteExcelVariable Com Error#: 800a03ec

Error: (09/24/2013 03:48:19 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 8144 (0x1fd0)

Thread address : 0x77185D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\[email protected]
by C:\Windows\system32\services.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (09/24/2013 03:45:55 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 4684 (0x124c)

Thread address : 0x77185D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\80000000.$
by C:\Windows\system32\services.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (09/24/2013 03:10:05 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2376 (0x948)
  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you run an FRST scan again please as I did not get the entire log
  • 0

#10
khphoto1

khphoto1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
ok
  • 0


#11
khphoto1

khphoto1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Here is the Junction file. The rerun of FRST is now saying directory name is invalid.

Volume in drive C has no label.
Volume Serial Number is E236-736E

Directory of C:\

11/02/2006 09:02 AM <JUNCTION> Documents and Settings [C:\Users]
0 File(s) 0 bytes

Directory of C:\Program Files\Windows Defender

01/19/2008 12:38 AM <SYMLINK> MpRtMon.dll [c:\windows\system32\config]
01/19/2008 12:38 AM <SYMLINK> MpRtPlug.dll [c:\windows\system32\config]
01/19/2008 12:38 AM <SYMLINK> MpSigDwn.dll [c:\windows\system32\config]
04/11/2009 12:27 AM <SYMLINK> MpSoftEx.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
5 File(s) 1,388,792 bytes

Directory of C:\ProgramData

11/02/2006 09:02 AM <JUNCTION> Application Data [C:\ProgramData]
11/02/2006 09:02 AM <JUNCTION> Desktop [C:\Users\Public\Desktop]
11/02/2006 09:02 AM <JUNCTION> Documents [C:\Users\Public\Documents]
11/02/2006 09:02 AM <JUNCTION> Favorites [C:\Users\Public\Favorites]
11/02/2006 09:02 AM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006 09:02 AM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users

11/02/2006 09:02 AM <SYMLINKD> All Users [C:\ProgramData]
11/02/2006 09:02 AM <JUNCTION> Default User [C:\Users\Default]
0 File(s) 0 bytes

Directory of C:\Users\All Users

11/02/2006 09:02 AM <JUNCTION> Application Data [C:\ProgramData]
11/02/2006 09:02 AM <JUNCTION> Desktop [C:\Users\Public\Desktop]
11/02/2006 09:02 AM <JUNCTION> Documents [C:\Users\Public\Documents]
11/02/2006 09:02 AM <JUNCTION> Favorites [C:\Users\Public\Favorites]
11/02/2006 09:02 AM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006 09:02 AM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\Default

11/02/2006 09:02 AM <JUNCTION> Application Data [C:\Users\Default\AppData\Roaming]
11/02/2006 09:02 AM <JUNCTION> Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
11/02/2006 09:02 AM <JUNCTION> Local Settings [C:\Users\Default\AppData\Local]
11/02/2006 09:02 AM <JUNCTION> My Documents [C:\Users\Default\Documents]
11/02/2006 09:02 AM <JUNCTION> NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
11/02/2006 09:02 AM <JUNCTION> PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
11/02/2006 09:02 AM <JUNCTION> Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
11/02/2006 09:02 AM <JUNCTION> SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
11/02/2006 09:02 AM <JUNCTION> Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
11/02/2006 09:02 AM <JUNCTION> Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\Default\AppData\Local

11/02/2006 09:02 AM <JUNCTION> Application Data [C:\Users\Default\AppData\Local]
11/02/2006 09:02 AM <JUNCTION> History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
11/02/2006 09:02 AM <JUNCTION> Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes

Directory of C:\Users\Default\Documents

11/02/2006 09:02 AM <JUNCTION> My Music [C:\Users\Default\Music]
11/02/2006 09:02 AM <JUNCTION> My Pictures [C:\Users\Default\Pictures]
11/02/2006 09:02 AM <JUNCTION> My Videos [C:\Users\Default\Videos]
0 File(s) 0 bytes

Directory of C:\Users\Owner

02/02/2013 10:57 AM <JUNCTION> Application Data [C:\Users\Owner\AppData\Roaming]
02/02/2013 10:57 AM <JUNCTION> Cookies [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies]
02/02/2013 10:57 AM <JUNCTION> Local Settings [C:\Users\Owner\AppData\Local]
02/02/2013 10:57 AM <JUNCTION> My Documents [C:\Users\Owner\Documents]
02/02/2013 10:57 AM <JUNCTION> NetHood [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/02/2013 10:57 AM <JUNCTION> PrintHood [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/02/2013 10:57 AM <JUNCTION> Recent [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Recent]
02/02/2013 10:57 AM <JUNCTION> SendTo [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\SendTo]
02/02/2013 10:57 AM <JUNCTION> Start Menu [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu]
02/02/2013 10:57 AM <JUNCTION> Templates [C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\Owner\AppData\Local

02/02/2013 10:57 AM <JUNCTION> Application Data [C:\Users\Owner\AppData\Local]
02/02/2013 10:57 AM <JUNCTION> History [C:\Users\Owner\AppData\Local\Microsoft\Windows\History]
02/02/2013 10:57 AM <JUNCTION> Temporary Internet Files [C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes

Directory of C:\Users\Owner\Documents

02/02/2013 10:57 AM <JUNCTION> My Music [C:\Users\Owner\Music]
02/02/2013 10:57 AM <JUNCTION> My Pictures [C:\Users\Owner\Pictures]
02/02/2013 10:57 AM <JUNCTION> My Videos [C:\Users\Owner\Videos]
0 File(s) 0 bytes

Directory of C:\Users\Public\Documents

11/02/2006 09:02 AM <JUNCTION> My Music [C:\Users\Public\Music]
11/02/2006 09:02 AM <JUNCTION> My Pictures [C:\Users\Public\Pictures]
11/02/2006 09:02 AM <JUNCTION> My Videos [C:\Users\Public\Videos]
0 File(s) 0 bytes
  • 0
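
The junction listing in the post above can be triaged by script; this is an added example, not part of the original thread or of any tool named in it. It parses `DIR /S /A:L` output and flags file symlinks whose own name is a binary but whose target is not; the US-locale date pattern (as in the posted log), the extension heuristic and all function names are assumptions.

```python
import re
from typing import List, NamedTuple

# Excerpt of the DIR /S /A:L listing posted above, whitespace as it appears on the page.
SAMPLE_LISTING = r"""
Directory of C:\Program Files\Windows Defender

01/19/2008 12:38 AM <SYMLINK> MpRtMon.dll [c:\windows\system32\config]
01/19/2008 12:38 AM <SYMLINK> MpRtPlug.dll [c:\windows\system32\config]
01/19/2008 12:38 AM <SYMLINK> MpSigDwn.dll [c:\windows\system32\config]
04/11/2009 12:27 AM <SYMLINK> MpSoftEx.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
5 File(s) 1,388,792 bytes

Directory of C:\Users

11/02/2006 09:02 AM <SYMLINKD> All Users [C:\ProgramData]
11/02/2006 09:02 AM <JUNCTION> Default User [C:\Users\Default]
0 File(s) 0 bytes

Directory of C:\Users\Owner\AppData\Local

02/02/2013 10:57 AM <JUNCTION> Application Data [C:\Users\Owner\AppData\Local]
02/02/2013 10:57 AM <JUNCTION> History [C:\Users\Owner\AppData\Local\Microsoft\Windows\History]
02/02/2013 10:57 AM <JUNCTION> Temporary Internet Files [C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of\s+(?P<dir>.+?)\s*$")
# Assumption: US-locale, 12-hour timestamps, as in the posted log.
ENTRY_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s+[AP]M)\s+"
    r"<(?P<kind>JUNCTION|SYMLINKD|SYMLINK)>\s+"
    r"(?P<name>.+?)\s+\[(?P<target>[^\]]*)\]\s*$"
)

# Heuristic (assumption): extensions treated as "binary" link names.
BINARY_EXTS = (".dll", ".exe", ".sys")


class ReparseEntry(NamedTuple):
    directory: str   # folder the link lives in
    kind: str        # JUNCTION, SYMLINKD (directory symlink) or SYMLINK (file symlink)
    name: str        # link name, may contain spaces
    target: str      # where the link resolves to
    stamp: str       # date and time as printed by DIR

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_dir_listing(text: str) -> List[ReparseEntry]:
    """Turn DIR /S /A:L output into one record per reparse point."""
    entries: List[ReparseEntry] = []
    current_dir = ""
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ReparseEntry(
                directory=current_dir,
                kind=m.group("kind"),
                name=m.group("name"),
                target=m.group("target"),
                stamp=f'{m.group("date")} {m.group("time")}',
            ))
        # Summary lines ("5 File(s) ...") and blanks match neither pattern and are skipped.
    return entries


def flag_redirected_binaries(entries: List[ReparseEntry]) -> List[ReparseEntry]:
    """Flag file symlinks named like a binary whose target is not a binary.

    The profile compatibility links in the listing are JUNCTION or SYMLINKD
    entries with directory names, so they pass through unflagged.
    """
    flagged = []
    for e in entries:
        named_like_binary = e.name.lower().endswith(BINARY_EXTS)
        target_is_binary = e.target.lower().endswith(BINARY_EXTS)
        if e.kind == "SYMLINK" and named_like_binary and not target_is_binary:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    parsed = parse_dir_listing(SAMPLE_LISTING)
    print(f"{len(parsed)} reparse points parsed")
    for hit in flag_redirected_binaries(parsed):
        print(f"REVIEW  {hit.path}  ->  {hit.target}  ({hit.stamp})")
```
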

#12
khphoto1

    Member

  • Topic Starter
  • 102 posts
Since I could not re-run FRST - I tried downloading it to the desktop - I now have access again to the internet. However - it is now giving me the error message: C:\Users\owner\appdata\roaming\microsoft\windows\network shortcuts\FRST.exe - directory invalid. I'll try re-downloading onto another USB drive and try again.
Kathy
  • 0

#13
khphoto1

    Member

  • Topic Starter
  • 102 posts
I did not cut and paste the entire log file - so here it is again. The ADDITION log:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-09-2013
Ran by Owner at 2013-09-26 12:45:18
Running from E:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

24x7 Help (Version: 2.1.0.29)
Adobe Flash Player 11 ActiveX (Version: 11.5.502.146)
Adobe Reader XI (11.0.04) (Version: 11.0.04)
AppGraffiti (Version: 1.0.0.33)
Ask Toolbar (Version: 1.15.15.0)
Ask Toolbar Updater (HKCU Version: 1.2.4.35882)
BackUpDutyLite (Version: 1.1.0.1)
Broadcom Gigabit Integrated Controller (Version: 10.50.03)
Dell Resource CD (Version: 1.10.0000)
Files Opened (Version: 1.0)
Inbox Toolbar (Version: 2.0.0.55)
Intel® Graphics Media Accelerator Driver
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
MapsGalaxy Firefox Toolbar
MapsGalaxy Internet Explorer Toolbar
McAfee Online Backup
McAfee Online Backup (Version: 1.16.4.0)
McAfee Security Scan Plus (Version: 3.0.287.1)
McAfee Total Protection (Version: 11.6.511)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Online Vault
PC Power Speed 1.1.0.36 (Version: 1.1.0.36)
QuickBooks (Version: 22.0.4001.2206)
QuickBooks Pro 2012 (Version: 22.0.4001.2206)
RebateInformer (Version: 1.0.0.87)
RegWork (Version: 1.0.4.12)
Shared C Run-time for x86 (Version: 10.0.0)
SoundMAX (Version: 6.10.1.5450)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (Version: 1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
ZoomTown Software

==================== Restore Points =========================

22-07-2013 23:11:24 Scheduled Checkpoint
27-07-2013 00:06:30 Installed Java 7 Update 25
27-07-2013 17:31:53 Scheduled Checkpoint
28-07-2013 18:25:34 Scheduled Checkpoint
30-07-2013 15:05:32 Scheduled Checkpoint
09-08-2013 19:10:17 Scheduled Checkpoint
10-08-2013 16:23:29 Scheduled Checkpoint
11-08-2013 07:00:11 Windows Update
13-08-2013 16:56:35 Scheduled Checkpoint
18-08-2013 16:07:54 Windows Update
21-08-2013 00:09:13 Windows Update
30-08-2013 19:32:25 Scheduled Checkpoint
02-09-2013 14:54:39 Windows Update
18-09-2013 02:33:43 Scheduled Checkpoint
18-09-2013 07:00:34 Windows Update
18-09-2013 23:01:30 Windows Modules Installer
24-09-2013 21:28:05 Scheduled Checkpoint
26-09-2013 04:00:02 Scheduled Checkpoint

==================== Hosts content: ==========================

2006-11-02 06:23 - 2006-09-18 17:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {0CAB7B68-718C-40E0-B83B-89DDF7007DC8} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => C:\Windows\system32\pla.dll [2008-01-19] (Microsoft Corporation)
Task: {155723BA-60E2-4354-93AF-84EAC8D3C2D8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: {197E3AC5-7B44-4D87-BE9C-1BA57F46CDA5} - System32\Tasks\Regwork => C:\Program Files\RegWork\RegWork.exe [2012-12-25] ()
Task: {258A0B44-7460-404E-B124-54807C42BDDB} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {2DE18FE4-6467-484F-8431-206702EC5546} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {2E5B7D97-F14C-4CFF-864E-620AABA892D1} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {31D074C6-862C-489E-8C71-04A05C40A5CF} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2013-01-24] ()
Task: {4D54D985-A397-4AB6-91F6-04BD42ACA048} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-02] (Adobe Systems Incorporated)
Task: {4D72741E-769C-45DB-8604-CB8EBDADAA29} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Regwork.job => C:\Program Files\RegWork\RegWork.exe

==================== Loaded Modules (whitelisted) =============

2013-02-23 13:02 - 2013-02-17 23:27 - 00042064 _____ (PCRx.com, LLC) C:\Program Files\24x7Help\App24x7Hook.dll
2013-07-16 11:00 - 2013-07-16 11:00 - 00034344 _____ (MindSpark) C:\Program Files\MapsGalaxy_39\bar\1.bin\39hkstub.dll
2013-07-16 11:00 - 2013-07-16 11:00 - 00034192 _____ (VER_COMPANY_NAME) C:\Program Files\MapsGalaxy_39\bar\1.bin\39brstub.dll
2013-02-23 13:03 - 2013-01-30 14:09 - 00410720 _____ (Crawler.com) C:\Program Files\OnlineVault\OVShell.dll
2013-02-02 11:15 - 2007-05-01 01:47 - 00249856 _____ () C:\Windows\system32\igfxTMM.dll
2013-02-02 11:20 - 2007-05-01 01:46 - 00172032 _____ (Intel Corporation) C:\Intel\ExtremeGraphics\CUI\Resource\igfxres.dll
2011-08-19 22:38 - 2011-08-19 22:38 - 01721752 _____ (Intuit Inc.) C:\Windows\system32\InetClnt.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00268648 _____ () C:\Program Files\Intuit\QuickBooks 2012\boost_regex-vc90-mt-p-1_33.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00776568 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dblib11.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 01250168 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dbtool11.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00020840 _____ () C:\Program Files\Intuit\QuickBooks 2012\QBCompressor.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00059904 _____ () C:\Program Files\Intuit\QuickBooks 2012\zlib1.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00379752 _____ () C:\Program Files\Intuit\QuickBooks 2012\BackupLib.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00138088 _____ () C:\Program Files\Intuit\QuickBooks 2012\QBMAPILibrary.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00176488 _____ () C:\Program Files\Intuit\QuickBooks 2012\boost_serialization-vc90-mt-p-1_33.dll
2011-08-20 01:58 - 2011-08-20 01:58 - 00155648 _____ (Wintertree Software Inc.) C:\Program Files\Intuit\QuickBooks 2012\SSCE5232.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00877432 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dbicu11.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 04360056 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dbicudt11.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00861048 _____ (iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2012\dblgen11.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00042344 _____ () C:\Program Files\Intuit\QuickBooks 2012\mbpopup.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00053608 _____ (TODO: <Company name>) C:\Program Files\Intuit\QuickBooks 2012\PRNotificationLoader.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcmscsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/24/2013 04:42:34 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2212 (0x8a4)

Thread address : 0x77395D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\80000000.$
by C:\Windows\system32\services.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (09/24/2013 04:36:03 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7a8c089d-fda3-466a-8cc0-e0aad46a145e}

Error: (09/24/2013 04:34:09 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/24/2013 04:34:09 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/24/2013 04:34:09 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/24/2013 04:14:59 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
ExcelHelper::SetCustomPropertyString - Cannot add variable to excel : QBSUBSTORAGE

Error: (09/24/2013 04:14:59 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
ExcelHelper::WriteExcelVariable Com Error#: 800a03ec

Error: (09/24/2013 03:48:19 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 8144 (0x1fd0)

Thread address : 0x77185D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\[email protected]
by C:\Windows\system32\services.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (09/24/2013 03:45:55 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 4684 (0x124c)

Thread address : 0x77185D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\80000000.$
by C:\Windows\system32\services.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (09/24/2013 03:10:05 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2376 (0x948)

Thread address : 0x77185D14

Thread message :

Build VSCORE.15.1.0.520 / 5500.1093
Object being scanned = \Device\HarddiskVolume2\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\ﯹ๛\{9a662039-ac21-56da-a4d9-a465d89b88f6}\U\80000000.$
by C:\Windows\system32\services.exe
4(16)(0)
4(16)(0)
7200(16)(0)
7595(16)(0)
7005(16)(0)
7004(16)(0)
5006(0)(0)
5004(0)(0)


System errors:
=============
Error: (09/24/2013 04:42:35 PM) (Source: Service Control Manager) (User: )
Description: McAfee Scanner1

Error: (09/24/2013 04:42:35 PM) (Source: Service Control Manager) (User: )
Description: McAfee McShield150001Restart the service

Error: (09/24/2013 04:34:08 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (09/24/2013 04:34:08 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (09/24/2013 04:34:08 PM) (Source: Service Control Manager) (User: )
Description: Computer Browser%%1060

Error: (09/24/2013 03:48:19 PM) (Source: Service Control Manager) (User: )
Description: McAfee McShield250001Restart the service

Error: (09/24/2013 03:45:56 PM) (Source: Service Control Manager) (User: )
Description: McAfee Scanner2

Error: (09/24/2013 03:45:55 PM) (Source: Service Control Manager) (User: )
Description: McAfee McShield150001Restart the service

Error: (09/24/2013 03:10:06 PM) (Source: Service Control Manager) (User: )
Description: McAfee Scanner1

Error: (09/24/2013 03:10:06 PM) (Source: Service Control Manager) (User: )
Description: McAfee McShield150001Restart the service


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2013-02-02 11:44:05.622
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-02-02 11:44:05.559
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-02-02 11:44:05.497
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-02-02 11:44:05.247
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-02-02 11:44:05.185
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 54%
Total physical RAM: 2036.24 MB
Available physical RAM: 924.34 MB
Total Pagefile: 4317.8 MB
Available Pagefile: 2915.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1912.5 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.05 GB) (Free:222.35 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: () (Removable) (Total:7.45 GB) (Free:7.38 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: F1AA1AE5)
Partition 1: (Not Active) - (Size=40 MB) - (Type=DE)
Partition 2: (Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================
  • 0

#14
khphoto1

    Member

  • Topic Starter
  • 102 posts
And this is the FRST.txt log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-09-2013
Ran by Owner (administrator) on BREWER-PC on 26-09-2013 12:43:59
Running from E:\
Microsoft® Windows Vista™ Business Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(PCRx.com, LLC) C:\Program Files\24x7Help\App24x7Svc.exe
(COMPANYVERS_NAME) C:\PROGRA~1\MAPSGA~2\bar\1.bin\39barsvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Ask) C:\Program Files\Ask.com\Updater\Updater.exe
(McAfee, Inc.) C:\Program Files\McAfee.com\Agent\mcagent.exe
(Inbox.com, Inc.) C:\Program Files\Inbox Toolbar\Inbox.exe
(Crawler.com) C:\Program Files\PCPowerSpeed\PCPowerTray.exe
(Crawler.com) C:\Program Files\OnlineVault\OVTray.exe
(MindSpark) C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrchMn.exe
(VER_COMPANY_NAME) C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Inbox.com, Inc.) C:\Program Files\RebateInformer\RebateInf.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.287\SSScheduler.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
(Crawler, LLC) C:\Program Files\24x7Help\App24x7Help.exe
(PCRx.com, LLC) C:\Program Files\24x7Help\App24x7Hook.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(McAfee, Inc.) C:\Program Files\McAfee Online Backup\MOBKbackup.exe
(McAfee, Inc.) C:\Program Files\McAfee Online Backup\MOBKbackup.exe
(McAfee, Inc.) C:\Program Files\McAfee\MAT\McPvTray.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee\VIRUSS~1\mcvsmap.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Core\mchost.exe
(Microsoft Corporation) \\?\C:\Windows\system32\wbem\WMIADAP.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SoundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [1261568 2007-05-08] (Analog Devices, Inc.)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1646216 2013-01-24] (Ask)
HKLM\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [InboxToolbar] - C:\Program Files\Inbox Toolbar\Inbox.exe [1708696 2013-02-20] (Inbox.com, Inc.)
HKLM\...\Run: [24x7HELP] - C:\Program Files\24x7Help\App24x7Help.exe [1773648 2013-03-12] (Crawler, LLC)
HKLM\...\Run: [PCPowerSpeed] - C:\Program Files\PCPowerSpeed\PCPowerTray.exe [374880 2013-01-30] (Crawler.com)
HKLM\...\Run: [Online Vault] - C:\Program Files\OnlineVault\OVTray.exe [371808 2013-04-22] (Crawler.com)
HKLM\...\Run: [Intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [1874264 2011-08-19] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [RegWork] - C:\Program Files\RegWork\RegWork.exe [13780656 2012-12-25] ()
HKLM\...\Run: [MapsGalaxy Search Scope Monitor] - C:\PROGRA~1\MAPSGA~2\bar\1.bin\39srchmn.exe [44784 2013-07-16] (MindSpark)
HKLM\...\Run: [MapsGalaxy_39 Browser Plugin Loader] - C:\PROGRA~1\MAPSGA~2\bar\1.bin\39brmon.exe [30096 2013-07-16] (VER_COMPANY_NAME)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [RebateInformer] - C:\PROGRA~1\REBATE~1\REBATE~1.EXE [1006216 2013-07-02] (Inbox.com, Inc.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
MountPoints2: {e9ae00ad-6d4b-11e2-b66a-001d091c6c65} - E:\mri.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.tb.ask.c...CFcKZ4Aodjw4AEQ
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x291664E0A801CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.msn.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com
URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
URLSearchHook: (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (MindSpark)
SearchScopes: HKLM - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.tb.ask...r={searchTerms}
SearchScopes: HKCU - {3565FC24-BBA4-4982-9B5D-C22EADEF05F5} URL = http://websearch.ask...0E-FA8ED1062057
SearchScopes: HKCU - {8C2D655D-0429-465F-866B-3940416A6102} URL = http://search.yahoo....p={SearchTerms}
SearchScopes: HKCU - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.tb.ask...r={searchTerms}
SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://www2.inbox.co...&iwk=244&lng=en
BHO: Toolbar BHO - {1e91a655-bb4b-4693-a05e-2edebc4c9d89} - C:\PROGRA~1\MAPSGA~2\bar\1.bin\39bar.dll (MindSpark)
BHO: AppGraffiti - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\PROGRA~1\APPGRA~1\APPGRA~1.DLL (Omega Partners Ltd)
BHO: Search Assistant BHO - {71c1d63a-c944-428a-a5bd-ba513190e5d2} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (MindSpark)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO: No Name - {CCB69577-088B-4004-9ED8-FF5BCC83A039} - C:\PROGRA~1\REBATE~1\RebateI.dll (Inbox.com, Inc.)
BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll (Inbox.com, Inc.)
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKLM - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll (Inbox.com, Inc.)
Toolbar: HKLM - MapsGalaxy - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
Toolbar: HKCU -Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU -&Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll (Inbox.com, Inc.)
Toolbar: HKCU -MapsGalaxy - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll (Inbox.com, Inc.)
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\PROGRA~1\REBATE~1\RebateI.dll (Inbox.com, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.200.1

========================== Services (Whitelisted) =================

R2 24x7HelpSvc; C:\Program Files\24x7Help\App24x7Svc.exe [342608 2013-02-17] (PCRx.com, LLC)
R2 MapsGalaxy_39Service; C:\PROGRA~1\MAPSGA~2\bar\1.bin\39barsvc.exe [42504 2013-07-16] (COMPANYVERS_NAME)
R2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.287\McCHSvc.exe [234776 2012-09-11] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNASvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
R2 MOBKbackup; C:\Program Files\McAfee Online Backup\MOBKbackup.exe [229688 2010-04-13] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-08-19] (Intuit Inc.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{9a662039-ac21-56da-a4d9-a465d89b88f6}\ \...\???\{9a662039-ac21-56da-a4d9-a465d89b88f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
R0 McPvDrv; C:\Windows\System32\drivers\McPvDrv.sys [64832 2012-09-14] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
R1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [54776 2010-04-13] (Mozy, Inc.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
U3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-26 12:43 - 2013-09-26 12:43 - 00000795 _____ C:\Windows\setupact.log
2013-09-26 12:43 - 2013-09-26 12:43 - 00000000 ____D C:\FRST
2013-09-26 12:43 - 2013-09-26 12:43 - 00000000 _____ C:\Windows\setuperr.log
2013-09-24 16:31 - 2013-09-24 16:31 - 00152576 _____ C:\Users\Owner\Desktop\khphone list.xls
2013-09-18 19:04 - 2013-07-31 06:30 - 12335104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-18 19:04 - 2013-07-31 06:05 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-18 19:04 - 2013-07-31 06:00 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-18 19:04 - 2013-07-31 05:53 - 01104896 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-18 19:04 - 2013-07-31 05:52 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-09-18 19:04 - 2013-07-31 05:52 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-18 19:04 - 2013-07-31 05:51 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-09-18 19:04 - 2013-07-31 05:49 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-18 19:04 - 2013-07-31 05:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-18 19:04 - 2013-07-31 05:48 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-09-18 19:04 - 2013-07-31 05:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-09-18 19:04 - 2013-07-31 05:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-18 19:04 - 2013-07-31 05:46 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-18 19:04 - 2013-07-31 05:45 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-18 19:04 - 2013-07-31 05:45 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-09-18 19:04 - 2013-07-31 05:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-18 03:00 - 2013-09-18 03:01 - 00000000 ____D C:\c70df3d1364b32f65251fb52e695db7c
2013-09-17 20:55 - 2013-07-16 00:35 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\themeui.dll
2013-09-17 20:54 - 2013-08-07 21:45 - 02049536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-08-30 14:31 - 2013-08-02 00:09 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL

==================== One Month Modified Files and Folders =======

2013-09-26 12:43 - 2013-09-26 12:43 - 00000795 _____ C:\Windows\setupact.log
2013-09-26 12:43 - 2013-09-26 12:43 - 00000000 ____D C:\FRST
2013-09-26 12:43 - 2013-09-26 12:43 - 00000000 _____ C:\Windows\setuperr.log
2013-09-26 12:33 - 2006-11-02 08:52 - 01994382 _____ C:\Windows\WindowsUpdate.log
2013-09-26 12:33 - 2006-11-02 08:47 - 00003648 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-26 12:33 - 2006-11-02 08:47 - 00003648 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-26 11:57 - 2013-02-02 11:31 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-24 16:38 - 2013-02-13 21:53 - 00001735 _____ C:\Users\Public\Desktop\McAfee Total Protection.lnk
2013-09-24 16:34 - 2013-02-13 21:19 - 00002627 _____ C:\Users\Owner\Desktop\Microsoft Office Word 2007.lnk
2013-09-24 16:33 - 2006-11-02 09:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-24 16:32 - 2006-11-02 09:01 - 00032578 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-24 16:31 - 2013-09-24 16:31 - 00152576 _____ C:\Users\Owner\Desktop\khphone list.xls
2013-09-24 15:04 - 2013-02-23 13:02 - 00000000 ____D C:\Program Files\RebateInformer
2013-09-23 12:14 - 2013-02-13 21:11 - 00000000 ____D C:\Users\Owner\Documents\Condo - 2012
2013-09-23 11:56 - 2013-02-13 21:19 - 00002585 _____ C:\Users\Owner\Desktop\Microsoft Office Excel 2007.lnk
2013-09-18 19:10 - 2006-11-02 08:47 - 00279512 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-18 19:05 - 2013-02-04 20:27 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-18 03:01 - 2013-09-18 03:00 - 00000000 ____D C:\c70df3d1364b32f65251fb52e695db7c
2013-09-18 03:01 - 2013-08-18 12:22 - 00000000 ____D C:\Windows\system32\MRT
2013-09-18 03:01 - 2006-11-02 06:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-09-17 20:41 - 2013-02-13 21:50 - 00000000 ____D C:\Program Files\McAfee

Files to move or delete:
====================
ZeroAccess:
C:\Users\Owner\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


LastRegBack: 2013-09-26 04:47

==================== End Of Log ============================
  • 0

#15
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Sorry for the delay, I had to help someone recover data.

Download attached fixlist.txt file and save it to the Desktop.
[attachment=66715:fixlist.txt]
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
  • 0





