
phil91

Members, 16 posts
Everything posted by phil91

  1. Thank you for helping me AGAIN, MrC.

  2. Yep, no problems anymore. Thank you very much!
  3. RogueKiller V7.6.6 [08/10/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User: Phil [Admin rights]
     Mode: Scan -- Date: 08/20/2012 14:22:56

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
     --- User ---
     [MBR] d468c87db872e7a5d0235b516de0f492
     [BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
     Partition table:
     0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive1: LEXAR JUMPDRIVE USB Device +++++
     --- User ---
     [MBR] a65a02862693dbe666ae6f3ae5d50303
     [BSP] d32a4993490c61a27c1edf6181181177 : MBR Code unknown
     Partition table:
     0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 122 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[3].txt >>
     RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  4. RogueKiller V7.6.6 [08/10/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User: Phil [Admin rights]
     Mode: Scan -- Date: 08/20/2012 13:12:42

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 2 ¤¤¤
     [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FOLDER] U : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
     --- User ---
     [MBR] d468c87db872e7a5d0235b516de0f492
     [BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
     Partition table:
     0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive2: LEXAR JUMPDRIVE USB Device +++++
     --- User ---
     [MBR] a65a02862693dbe666ae6f3ae5d50303
     [BSP] d32a4993490c61a27c1edf6181181177 : MBR Code unknown
     Partition table:
     0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 122 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[1].txt >>
     RKreport[1].txt
  5. Looks clean!

     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.08.20.01

     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Phil :: PHIL-PC [administrator]

     8/20/2012 9:17:55 AM
     mbam-log-2012-08-20 (09-17-55).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 200505
     Time elapsed: 1 minute(s), 41 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     ComboFix.txt
  6. A malicious object was found, but cure was not available, so I skipped. TDSSKiller.2.8.6.0_20.08.2012_08.37.35_log.txt
  7. Google redirects. Tried removing with Malwarebytes, but repeated scans showed that it was not successful.

     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.08.20.01

     Windows 7 Service Pack 1 x64 FAT
     Internet Explorer 9.0.8112.16421
     Phil :: PHIL-PC [administrator]

     8/20/2012 1:43:03 AM
     mbam-log-2012-08-20 (01-44-38).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 200919
     Time elapsed: 1 minute(s), 26 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 3
     C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
     C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
     C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\80000032.@ (Rootkit.0Access) -> No action taken.

     (end)

     RogueKiller V7.6.6 [08/10/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User: Phil [Admin rights]
     Mode: Scan -- Date: 08/20/2012 01:47:19

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 2 ¤¤¤
     [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] @ : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND
     [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
     [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
     [susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND
     [ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> FOUND

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
     --- User ---
     [MBR] d468c87db872e7a5d0235b516de0f492
     [BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
     Partition table:
     0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive2: LEXAR JUMPDRIVE USB Device +++++
     --- User ---
     [MBR] a65a02862693dbe666ae6f3ae5d50303
     [BSP] d32a4993490c61a27c1edf6181181177 : MBR Code unknown
     Partition table:
     0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 122 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[2].txt >>
     RKreport[1].txt ; RKreport[2].txt

     Attach.txt DDS.txt
  8. Thank you very much! Much respect for you sir.

  9. Here is the log, it looks really good, thank you very much! Is there anything else I should do? mbam-log-2012-07-24 (12-05-53).txt
  10. I think it worked! After combofix, I scanned with Malwarebytes again, found the Trojan and removed it. mbam-log-2012-07-24 (11-37-56).txt ComboFix.txt
  11. It looks like vkyxdaqi0g.exe wasn't deleted. When combofix completed the number stages and displayed "deleting vkyxdaqi0g.exe...," the computer rebooted automatically. After logging back in, combofix resumed to preparing the log. I don't know if it's supposed to do that... ComboFix.txt
  12. Ok I've attached the log. When I open TDSSKiller, I get the error "can't load driver," but I can still scan. TDSSKiller.2.7.47.0_24.07.2012_00.25.03_log.txt
  13. Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
      Ran by SYSTEM at 2012-07-23 21:12:20 Run:1
      Running from G:\

      ==============================================

      C:\Users\Phil\AppData\Local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d} moved successfully.
      C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d} moved successfully.
      C:\Windows\System32\services.exe moved successfully.
      C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

      ==== End of Fixlog ====
  14. Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
      Ran by SYSTEM at 23-07-2012 20:44:24
      Running from G:\
      Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
      The current controlset is ControlSet001

      ========================== Registry (Whitelisted) =============

      HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-03-02] (Intel Corporation)
      HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-03-02] (Intel Corporation)
      HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-03-02] (Intel Corporation)
      HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060320 2010-02-09] (Realtek Semiconductor)
      HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
      HKLM-x32\...\Run: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe [627304 2011-08-10] ()
      HKLM-x32\...\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe" [78008 2008-07-19] (ALWIL Software)
      HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
      HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
      HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
      HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
      HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
      HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
      HKU\Phil\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
      HKU\Phil\...\Run: [vkyxdaqi0g] C:\Users\Phil\vkyxdaqi0g.exe [37888 2012-07-10] (Sony)
      Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
      Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

      ==================== Services (Whitelisted) ======

      2 aswUpdSv; "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" [16056 2008-07-19] (ALWIL Software)
      2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast4\ashServ.exe" [147640 2008-07-19] (ALWIL Software)
      3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service [250040 2008-07-19] (ALWIL Software)
      3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service [348344 2008-07-23] (ALWIL Software)
      2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [36456 2011-05-29] (Acer Incorporated)
      2 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-04-22] (Acer Incorporated)
      2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
      2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)

      ========================== Drivers (Whitelisted) =============

      0 31b476e88c154da3; C:\Windows\System32\Drivers\31b476e88c154da3.sys [84928 2012-07-11] ()
      2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [22096 2008-07-19] (ALWIL Software)
      2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [63568 2008-07-19] (ALWIL Software)
      1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [27216 2008-07-19] (ALWIL Software)
      1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [89168 2008-07-19] (ALWIL Software)
      1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [48720 2008-07-19] (ALWIL Software)
      1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [1157240 2012-03-16] (Symantec Corporation)
      1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1307010.005\ccSetx64.sys [167048 2011-11-29] (Symantec Corporation)
      1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-03-24] (Symantec Corporation)
      3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-03-25] (Symantec Corporation)
      1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120330.002\IDSvia64.sys [488568 2012-03-23] (Symantec Corporation)
      3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120330.036\ENG64.SYS [117880 2012-03-31] (Symantec Corporation)
      3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120330.036\EX64.SYS [2048632 2012-03-31] (Symantec Corporation)
      3 SRTSP; C:\Windows\System32\Drivers\NISx64\1307010.005\SRTSP64.SYS [737912 2012-03-28] (Symantec Corporation)
      1 SRTSPX; C:\Windows\system32\drivers\NISx64\1307010.005\SRTSPX64.SYS [37496 2012-03-28] (Symantec Corporation)
      0 SymDS; C:\Windows\System32\drivers\NISx64\1307010.005\SYMDS64.SYS [451192 2011-05-16] (Symantec Corporation)
      0 SymEFA; C:\Windows\System32\drivers\NISx64\1307010.005\SYMEFA64.SYS [1092728 2012-03-28] (Symantec Corporation)
      3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-03-27] (Symantec Corporation)
      1 SymIRON; C:\Windows\system32\drivers\NISx64\1307010.005\Ironx64.SYS [190072 2012-03-28] (Symantec Corporation)
      1 SymNetS; C:\Windows\System32\Drivers\NISx64\1307010.005\SYMNETS.SYS [405624 2012-03-28] (Symantec Corporation)

      ========================== NetSvcs (Whitelisted) ===========

      ============ One Month Created Files and Folders ==============

      2012-07-23 20:44 - 2012-07-23 20:44 - 00000000 ____D C:\FRST
      2012-07-23 17:15 - 2012-07-23 17:15 - 01437781 ____A (Farbar) C:\Users\Phil\Downloads\FRST64.exe
      2012-07-23 16:47 - 2012-07-23 16:47 - 00002578 ____A C:\Users\Phil\Desktop\RKreport[1].txt
      2012-07-23 16:46 - 2012-07-23 17:16 - 00000000 ____D C:\Users\Phil\Desktop\RK_Quarantine
      2012-07-23 16:46 - 2012-07-23 16:46 - 01552384 ____A C:\Users\Phil\Desktop\RogueKiller.exe
      2012-07-23 16:01 - 2012-07-23 16:01 - 00607260 ____R (Swearware) C:\Users\Phil\Downloads\dds.scr
      2012-07-23 15:27 - 2012-07-23 15:27 - 00000000 ____D C:\TDSSKiller_Quarantine
      2012-07-23 15:22 - 2012-07-23 15:22 - 02136152 ____A (Kaspersky Lab ZAO) C:\Users\Phil\Downloads\tdsskiller.exe
      2012-07-23 15:00 - 2012-07-23 15:01 - 00000000 ____D C:\Users\Phil\AppData\Roaming\GetRightToGo
      2012-07-23 15:00 - 2012-07-23 15:00 - 00367272 ____A (RegNow.com) C:\Users\Phil\Downloads\Download_9.0.0.912sdasetup-regnow_201_Trial.exe
      2012-07-23 14:05 - 2012-07-23 14:05 - 00000000 ____D C:\Users\Phil\AppData\Roaming\Malwarebytes
      2012-07-23 13:56 - 2012-07-23 13:56 - 00001122 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
      2012-07-23 13:56 - 2012-07-23 13:56 - 00000000 ____D C:\Users\All Users\Malwarebytes
      2012-07-23 13:56 - 2012-07-23 13:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
      2012-07-23 13:56 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
      2012-07-23 13:55 - 2012-07-23 13:55 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Phil\Downloads\mbam-setup-1.62.0.1300.exe
      2012-07-19 16:15 - 2012-07-19 16:15 - 00000000 ____D C:\Users\Phil\AppData\Roaming\SpeedyPC Software
      2012-07-19 16:15 - 2012-07-19 16:15 - 00000000 ____D C:\Users\Phil\AppData\Roaming\DriverCure
      2012-07-19 16:14 - 2012-07-19 16:21 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
      2012-07-19 16:13 - 2012-07-19 16:14 - 04731432 ____A (SpeedyPC Software Inc.) C:\Users\Phil\Downloads\SpeedyPC_Error_Fix.exe
      2012-07-11 15:03 - 2012-07-11 15:03 - 00084928 ____A C:\Windows\System32\Drivers\31b476e88c154da3.sys
      2012-07-10 17:09 - 2012-07-10 17:09 - 00000000 __SHD C:\Windows\System32\%APPDATA%
      2012-07-10 17:05 - 2012-07-10 17:05 - 00037888 ____A (Sony) C:\Users\Phil\vkyxdaqi0g.exe
      2012-06-23 13:03 - 2012-06-23 13:03 - 00000000 ____D C:\Users\Phil\AppData\Local\Macromedia

      ============ 3 Months Modified Files ========================

      2012-07-23 17:30 - 2012-03-26 04:40 - 00000404 ____A C:\Windows\Tasks\eMachines Registration - Reminder Recall task.job
      2012-07-23 17:22 - 2012-03-29 16:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
      2012-07-23 17:18 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
      2012-07-23 17:18 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
      2012-07-23 17:15 - 2012-07-23 17:15 - 01437781 ____A (Farbar) C:\Users\Phil\Downloads\FRST64.exe
      2012-07-23 16:47 - 2012-07-23 16:47 - 00002578 ____A C:\Users\Phil\Desktop\RKreport[1].txt
      2012-07-23 16:46 - 2012-07-23 16:46 - 01552384 ____A C:\Users\Phil\Desktop\RogueKiller.exe
      2012-07-23 16:01 - 2012-07-23 16:01 - 00607260 ____R (Swearware) C:\Users\Phil\Downloads\dds.scr
      2012-07-23 16:01 - 2009-07-13 21:13 - 00726270 ____A C:\Windows\System32\PerfStringBackup.INI
      2012-07-23 15:48 - 2009-07-13 20:51 - 00044268 ____A C:\Windows\setupact.log
      2012-07-23 15:22 - 2012-07-23 15:22 - 02136152 ____A (Kaspersky Lab ZAO) C:\Users\Phil\Downloads\tdsskiller.exe
      2012-07-23 15:00 - 2012-07-23 15:00 - 00367272 ____A (RegNow.com) C:\Users\Phil\Downloads\Download_9.0.0.912sdasetup-regnow_201_Trial.exe
      2012-07-23 14:23 - 2010-11-20 19:47 - 00010048 ____A C:\Windows\PFRO.log
      2012-07-23 14:23 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
      2012-07-23 13:56 - 2012-07-23 13:56 - 00001122 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
      2012-07-23 13:55 - 2012-07-23 13:55 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Phil\Downloads\mbam-setup-1.62.0.1300.exe
      2012-07-19 16:14 - 2012-07-19 16:13 - 04731432 ____A (SpeedyPC Software Inc.) C:\Users\Phil\Downloads\SpeedyPC_Error_Fix.exe
      2012-07-11 20:24 - 2012-03-29 16:49 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
      2012-07-11 20:24 - 2011-07-13 12:54 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
      2012-07-11 15:03 - 2012-07-11 15:03 - 00084928 ____A C:\Windows\System32\Drivers\31b476e88c154da3.sys
      2012-07-10 17:05 - 2012-07-10 17:05 - 00037888 ____A (Sony) C:\Users\Phil\vkyxdaqi0g.exe
      2012-07-10 17:05 - 2011-11-18 13:12 - 01371681 ____A C:\Windows\WindowsUpdate.log
      2012-07-03 10:46 - 2012-07-23 13:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
      2012-06-25 18:01 - 2009-07-13 21:08 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
      2012-06-14 12:03 - 2009-07-13 20:45 - 00413312 ____A C:\Windows\System32\FNTCACHE.DAT
      2012-06-05 10:03 - 2011-07-13 12:55 - 00002501 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
      2012-06-02 14:19 - 2012-06-21 10:28 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
      2012-06-02 14:19 - 2012-06-21 10:28 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
      2012-06-02 14:19 - 2012-06-21 10:28 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
      2012-06-02 14:19 - 2012-06-21 10:28 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
      2012-06-02 14:19 - 2012-06-21 10:28 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
      2012-06-02 14:15 - 2012-06-21 10:28 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
      2012-06-02 14:15 - 2012-06-21 10:28 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
      2012-06-02 12:19 - 2012-06-21 10:28 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
      2012-06-02 12:15 - 2012-06-21 10:28 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
      2012-05-17 18:47 - 2012-06-13 23:41 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
      2012-05-17 18:16 - 2012-06-13 23:41 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
      2012-05-17 18:06 - 2012-06-13 23:41 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
      2012-05-17 17:59 - 2012-06-13 23:41 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
      2012-05-17 17:59 - 2012-06-13 23:41 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
      2012-05-17 17:58 - 2012-06-13 23:41 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
      2012-05-17 17:58 - 2012-06-13 23:41 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
      2012-05-17 17:56 - 2012-06-13 23:41 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
      2012-05-17 17:55 - 2012-06-13 23:41 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
      2012-05-17 17:55 - 2012-06-13 23:41 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
      2012-05-17 17:54 - 2012-06-13 23:41 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
      2012-05-17 17:51 - 2012-06-13 23:41 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
      2012-05-17 17:51 - 2012-06-13 23:41 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
      2012-05-17 17:47 - 2012-06-13 23:41 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
      2012-05-17 15:11 - 2012-06-13 23:41 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
      2012-05-17 14:48 - 2012-06-13 23:41 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
      2012-05-17 14:45 - 2012-06-13 23:41 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
      2012-05-17 14:36 - 2012-06-13 23:41 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
      2012-05-17 14:35 - 2012-06-13 23:41 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
      2012-05-17 14:35 - 2012-06-13 23:41 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
      2012-05-17 14:33 - 2012-06-13 23:41 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
      2012-05-17 14:31 - 2012-06-13 23:41 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
      2012-05-17 14:29 - 2012-06-13 23:41 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
      2012-05-17 14:29 - 2012-06-13 23:41 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
      2012-05-17 14:27 - 2012-06-13 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
      2012-05-17 14:25 - 2012-06-13 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
      2012-05-17 14:24 - 2012-06-13 23:41 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
      2012-05-17 14:20 - 2012-06-13 23:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
      2012-05-14 17:32 - 2012-06-13 19:35 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
      2012-05-04 03:06 - 2012-06-13 19:35 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
      2012-05-04 02:03 - 2012-06-13 19:35 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
      2012-05-04 02:03 - 2012-06-13 19:35 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
      2012-04-30 21:40 - 2012-06-13 19:35 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
      2012-04-27 19:55 - 2012-06-13 19:35 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
      2012-04-25 21:41 - 2012-06-13 19:35 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
      2012-04-25 21:41 - 2012-06-13 19:35 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
      2012-04-25 21:34 - 2012-06-13 19:35 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

      ZeroAccess:
      C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}
      C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@
      C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U

      ========================= Known DLLs (Whitelisted) ============

      ========================= Bamital & volsnap Check ============

      C:\Windows\System32\winlogon.exe => MD5 is legit
      C:\Windows\System32\wininit.exe => MD5 is legit
      C:\Windows\SysWOW64\wininit.exe => MD5 is legit
      C:\Windows\explorer.exe => MD5 is legit
      C:\Windows\SysWOW64\explorer.exe => MD5 is legit
      C:\Windows\System32\svchost.exe => MD5 is legit
      C:\Windows\SysWOW64\svchost.exe => MD5 is legit
      C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
      C:\Windows\System32\User32.dll => MD5 is legit
      C:\Windows\SysWOW64\User32.dll => MD5 is legit
      C:\Windows\System32\userinit.exe => MD5 is legit
      C:\Windows\SysWOW64\userinit.exe => MD5 is legit
      C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

      ==================== EXE ASSOCIATION =====================

      HKLM\...\.exe: exefile => OK
      HKLM\...\exefile\DefaultIcon: %1 => OK
      HKLM\...\exefile\open\command: "%1" %* => OK

      ========================= Memory info ======================

      Percentage of memory in use: 21%
      Total physical RAM: 3037.24 MB
      Available physical RAM: 2397.63 MB
      Total Pagefile: 3035.44 MB
      Available Pagefile: 2387.13 MB
      Total Virtual: 8192 MB
      Available Virtual: 8191.89 MB

      ======================= Partitions =========================

      1 Drive c: (eMachines) (Fixed) (Total:913.84 GB) (Free:865.55 GB) NTFS
      2 Drive e: (PQSERVICE) (Fixed) (Total:17.58 GB) (Free:6.69 GB) NTFS
      4 Drive g: (LEXAR MEDIA) (Removable) (Total:0.12 GB) (Free:0.01 GB) FAT
      6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
      7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

        Disk ###  Status         Size     Free     Dyn  Gpt
        --------  -------------  -------  -------  ---  ---
        Disk 0    Online          931 GB      0 B
        Disk 1    Online          123 MB      0 B
        Disk 2    No Media           0 B      0 B

      Partitions of Disk 0:
      ===============

        Partition ###  Type              Size     Offset
        -------------  ----------------  -------  -------
        Partition 1    Recovery            17 GB  1024 KB
        Partition 2    Primary            100 MB    17 GB
        Partition 3    Primary            913 GB    17 GB

      ==================================================================================

      Disk: 0
      Partition 1
      Type  : 27
      Hidden: Yes
      Active: No

        Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
        ----------  ---  -----------  -----  ----------  -------  ---------  --------
      * Volume 3     E   PQSERVICE    NTFS   Partition     17 GB  Healthy    Hidden

      ==================================================================================

      Disk: 0
      Partition 2
      Type  : 07
      Hidden: No
      Active: Yes

        Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
        ----------  ---  -----------  -----  ----------  -------  ---------  --------
      * Volume 1     Y   SYSTEM RESE  NTFS   Partition    100 MB  Healthy

      ==================================================================================

      Disk: 0
      Partition 3
      Type  : 07
      Hidden: No
      Active: No

        Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
        ----------  ---  -----------  -----  ----------  -------  ---------  --------
      * Volume 2     C   eMachines    NTFS   Partition    913 GB  Healthy

      ==================================================================================

      Partitions of Disk 1:
      ===============

        Partition ###  Type              Size     Offset
        -------------  ----------------  -------  -------
        Partition 1    Primary            122 MB    16 KB

      ==================================================================================

      Disk: 1
      Partition 1
      Type  : 06
      Hidden: No
      Active: Yes

        Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
        ----------  ---  -----------  -----  ----------  -------  ---------  --------
      * Volume 4     G   LEXAR MEDIA  FAT    Removable    122 MB  Healthy

      ==================================================================================

      testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!

      ==========================================================

      Last Boot: 2012-07-08 18:58

      ======================= End Of Log ==========================

      Farbar Recovery Scan Tool Version: 20-07-2012 01
      Ran by SYSTEM at 2012-07-23 20:47:48
      Running from G:\

      ================== Search: "services.exe" ===================

      C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
      [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

      C:\Windows\System32\services.exe
      [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

      ====== End Of Search ======
  15. Should I proceed to Farbar Scan anyways?
  16. I can't check mark any of the processes. It seems I can't delete vkyxdaqi0g.exe.
  17. RogueKiller V7.6.4 [07/17/2012] by Tigzy
      mail: tigzyRK<at>gmail<dot>com
      Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
      Blog: http://tigzyrk.blogspot.com

      Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
      Started in : Normal mode
      User: Phil [Admin rights]
      Mode: Scan -- Date: 07/23/2012 19:47:21

      ¤¤¤ Bad processes: 3 ¤¤¤
      [SUSP PATH] vkyxdaqi0g.exe -- C:\Users\Phil\vkyxdaqi0g.exe -> NOT KILLED [0x5]
      [SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
      [RESIDUE] vkyxdaqi0g.exe -- C:\Users\Phil\vkyxdaqi0g.exe -> NOT KILLED [0x5]

      ¤¤¤ Registry Entries: 5 ¤¤¤
      [SUSP PATH] HKCU\[...]\Run : vkyxdaqi0g (C:\Users\Phil\vkyxdaqi0g.exe) -> FOUND
      [SUSP PATH] HKUS\S-1-5-21-2271645420-2647512152-2546419352-1001[...]\Run : vkyxdaqi0g (C:\Users\Phil\vkyxdaqi0g.exe) -> FOUND
      [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Phil\AppData\Local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\n.) -> FOUND
      [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

      ¤¤¤ Particular Files / Folders: ¤¤¤
      [ZeroAccess][FILE] @ : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@ --> FOUND
      [ZeroAccess][FOLDER] U : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
      [ZeroAccess][FOLDER] L : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND
      [ZeroAccess][FILE] n : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\n --> FOUND
      [ZeroAccess][FILE] @ : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@ --> FOUND
      [ZeroAccess][FOLDER] U : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
      [ZeroAccess][FOLDER] L : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND

      ¤¤¤ Driver: [NOT LOADED] ¤¤¤

      ¤¤¤ Infection : ZeroAccess ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤

      ¤¤¤ MBR Check: ¤¤¤

      +++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
      --- User ---
      [MBR] d468c87db872e7a5d0235b516de0f492
      [BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
      Partition table:
      0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
      1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
      2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      Finished : << RKreport[1].txt >>
      RKreport[1].txt
  18. Occasionally I hear background music on my computer. Tried to remove with Malwarebytes, but after rebooting, I still get notified with this rootkit after another scan.

      Malwarebytes Anti-Malware 1.62.0.1300
      www.malwarebytes.org

      Database version: v2012.07.23.11

      Windows 7 Service Pack 1 x64 NTFS
      Internet Explorer 9.0.8112.16421
      Phil :: PHIL-PC [administrator]

      7/23/2012 5:20:31 PM
      mbam-log-2012-07-23 (17-20-31).txt

      Scan type: Quick scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 193382
      Time elapsed: 1 minute(s), 50 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 1
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\Windows\system32\regedit.exe -> Quarantined and deleted successfully.

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 1
      C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

      (end)

      Attach.txt DDS.txt
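The logs in this thread show three independent ways the ZeroAccess infection was identified: the GUID-named folder with an `@` file and `U`/`L` subfolders (the `U` folder holding `<8 hex>.@` payload files) under C:\Windows\Installer and the user's AppData\Local, RogueKiller's "ASLR WIPED-OFF" finding on services.exe, and FRST's MD5 of System32\services.exe disagreeing with the WinSxS copy while size and timestamps were identical. The script below is an added editor's example, not code from RogueKiller, Malwarebytes or FRST, that reproduces those three checks. Everything it scans is constructed in a temporary directory: the GUIDs are the ones from the logs, the WinSxS folder name is a shortened hypothetical, and the "services.exe" files are minimal PE headers, not real binaries. The two-indicator threshold and the regular expressions are the example's own assumptions.

```python
"""Triage checks for the ZeroAccess indicators that appear in the logs above.
Added example, not code from RogueKiller, Malwarebytes or FRST. All sample
paths and bytes are constructed in a temporary directory (no real malware)."""
import hashlib
import os
import re
import struct
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
AT_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)          # e.g. 000000cb.@
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040            # PE "ASLR" opt-in bit

def zeroaccess_indicators(guid_dir):
    """Subset of {"@", "U", "L"} present in a GUID-named folder. Ordinary MSI cache
    folders under C:\\Windows\\Installer are GUID-named too, so the name alone
    proves nothing; "U" only counts when it holds <8 hex>.@ payload files."""
    p, found = Path(guid_dir), set()
    if (p / "@").is_file():
        found.add("@")
    if (p / "L").is_dir():
        found.add("L")
    u = p / "U"
    if u.is_dir() and any(AT_FILE.match(f.name) for f in u.iterdir()):
        found.add("U")
    return found

def find_zeroaccess_dirs(root, min_indicators=2):
    """Walk *root*; return GUID folders showing at least *min_indicators* indicators."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if GUID_DIR.match(name) and len(zeroaccess_indicators(full)) >= min_indicators:
                hits.append(full)
    return sorted(hits)

def pe_dll_characteristics(data):
    """DllCharacteristics from a PE optional header, or None if *data* is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                  # skip signature and 20-byte COFF header
    if len(data) < opt + 72:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        return None
    return struct.unpack_from("<H", data, opt + 70)[0]   # offset 70 in both layouts

def aslr_enabled(data):
    """True when the image opts in to ASLR; "ASLR WIPED-OFF" means this bit is cleared."""
    dc = pe_dll_characteristics(data)
    return dc is not None and bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def build_test_pe(dll_characteristics, pe32plus=True):
    """Constructed minimal PE header (not executable) to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def matches_component_store(live_path, store_path, algo="md5"):
    """Hash a live system binary and its WinSxS copy -> (same, live_hash, store_hash).
    md5 only because that is what FRST prints; prefer sha256 for your own checks."""
    digest = lambda p: hashlib.new(algo, Path(p).read_bytes()).hexdigest().upper()
    live, store = digest(live_path), digest(store_path)
    return live == store, live, store

def make_sample_tree(root):
    """Constructed tree mirroring the thread's paths (hypothetical WinSxS folder name)."""
    root = Path(root)
    bad = root / "Windows" / "Installer" / "{52aed44d-3ed1-7b80-2d00-c14629a49e7d}"
    (bad / "U").mkdir(parents=True)
    (bad / "L").mkdir()
    (bad / "@").write_bytes(b"\x00" * 16)
    for name in ("00000008.@", "000000cb.@", "80000032.@"):
        (bad / "U" / name).write_bytes(b"\x00" * 16)
    benign = root / "Windows" / "Installer" / "{90140000-0011-0000-0000-0000000FF1CE}"
    benign.mkdir()                                       # plain MSI cache folder
    (benign / "setup.msi").write_bytes(b"\x00" * 16)
    sxs = root / "Windows" / "winsxs" / "amd64_servicecontroller" / "services.exe"
    sxs.parent.mkdir(parents=True)
    sxs.write_bytes(build_test_pe(0x8160))               # DYNAMIC_BASE set
    live = root / "Windows" / "System32" / "services.exe"
    live.parent.mkdir(parents=True)
    live.write_bytes(build_test_pe(0x8160 & ~0x0040))   # same size, ASLR bit patched out
    return bad, benign, live, sxs

def run_demo():
    """Build the sample tree in a temp dir and return the results of all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, benign, live, sxs = make_sample_tree(tmp)
        return {
            "hits": [os.path.basename(h) for h in find_zeroaccess_dirs(tmp)],
            "bad_indicators": zeroaccess_indicators(bad),
            "benign_indicators": zeroaccess_indicators(benign),
            "live_aslr": aslr_enabled(live.read_bytes()),
            "sxs_aslr": aslr_enabled(sxs.read_bytes()),
            "same_as_sxs": matches_component_store(live, sxs)[0],
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as-is it only exercises the constructed tree; on a real machine you would point `find_zeroaccess_dirs` at C:\Windows\Installer and %LOCALAPPDATA%, and `matches_component_store` at System32\services.exe and the WinSxS copy, exactly the pair FRST listed. Two caveats a practitioner should keep in mind: a GUID-named folder by itself is normal under C:\Windows\Installer, which is why the script demands the `@`/`U`/`L` contents and not just the name; and a hash mismatch against WinSxS only means "patched in place" when, as in FRST's search above, the size and timestamps of the two copies match but the digests do not. A cleared DYNAMIC_BASE bit is a strong hint on a Windows 7 system binary, not proof on its own.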