phil91
Posts: 16
Posts posted by phil91
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Phil [Admin rights]
Mode: Scan -- Date: 08/20/2012 14:22:56
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
--- User ---
[MBR] d468c87db872e7a5d0235b516de0f492
[BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: LEXAR JUMPDRIVE USB Device +++++
--- User ---
[MBR] a65a02862693dbe666ae6f3ae5d50303
[BSP] d32a4993490c61a27c1edf6181181177 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 122 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
-
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Phil [Admin rights]
Mode: Scan -- Date: 08/20/2012 13:12:42
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
--- User ---
[MBR] d468c87db872e7a5d0235b516de0f492
[BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive2: LEXAR JUMPDRIVE USB Device +++++
--- User ---
[MBR] a65a02862693dbe666ae6f3ae5d50303
[BSP] d32a4993490c61a27c1edf6181181177 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 122 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
Looks clean!
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.20.01
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Phil :: PHIL-PC [administrator]
8/20/2012 9:17:55 AM
mbam-log-2012-08-20 (09-17-55).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200505
Time elapsed: 1 minute(s), 41 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
A malicious object was found, but a cure was not available, so I skipped.
-
Google redirects. Tried removing with Malwarebytes, but repeated scans showed that it was not successful.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.20.01
Windows 7 Service Pack 1 x64 FAT
Internet Explorer 9.0.8112.16421
Phil :: PHIL-PC [administrator]
8/20/2012 1:43:03 AM
mbam-log-2012-08-20 (01-44-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200919
Time elapsed: 1 minute(s), 26 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\80000032.@ (Rootkit.0Access) -> No action taken.
(end)
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Phil [Admin rights]
Mode: Scan -- Date: 08/20/2012 01:47:19
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND
[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
--- User ---
[MBR] d468c87db872e7a5d0235b516de0f492
[BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive2: LEXAR JUMPDRIVE USB Device +++++
--- User ---
[MBR] a65a02862693dbe666ae6f3ae5d50303
[BSP] d32a4993490c61a27c1edf6181181177 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 122 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
-
Here is the log, it looks really good, thank you very much! Is there anything else I should do?
-
I think it worked! After combofix, I scanned with Malwarebytes again, found the Trojan and removed it.
-
It looks like vkyxdaqi0g.exe wasn't deleted. When ComboFix completed the numbered stages and displayed "deleting vkyxdaqi0g.exe...," the computer rebooted automatically. After logging back in, ComboFix resumed preparing the log. I don't know if it's supposed to do that...
-
OK, I've attached the log. When I open TDSSKiller, I get the error "can't load driver," but I can still scan.
-
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-23 21:12:20 Run:1
Running from G:\
==============================================
C:\Users\Phil\AppData\Local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d} moved successfully.
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
-
Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 23-07-2012 20:44:24
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-03-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-03-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-03-02] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060320 2010-02-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe [627304 2011-08-10] ()
HKLM-x32\...\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe" [78008 2008-07-19] (ALWIL Software)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKU\Phil\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
HKU\Phil\...\Run: [vkyxdaqi0g] C:\Users\Phil\vkyxdaqi0g.exe [37888 2012-07-10] (Sony)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
==================== Services (Whitelisted) ======
2 aswUpdSv; "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" [16056 2008-07-19] (ALWIL Software)
2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast4\ashServ.exe" [147640 2008-07-19] (ALWIL Software)
3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service [250040 2008-07-19] (ALWIL Software)
3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service [348344 2008-07-23] (ALWIL Software)
2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [36456 2011-05-29] (Acer Incorporated)
2 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-04-22] (Acer Incorporated)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
========================== Drivers (Whitelisted) =============
0 31b476e88c154da3; C:\Windows\System32\Drivers\31b476e88c154da3.sys [84928 2012-07-11] ()
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [22096 2008-07-19] (ALWIL Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [63568 2008-07-19] (ALWIL Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [27216 2008-07-19] (ALWIL Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [89168 2008-07-19] (ALWIL Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [48720 2008-07-19] (ALWIL Software)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [1157240 2012-03-16] (Symantec Corporation)
1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1307010.005\ccSetx64.sys [167048 2011-11-29] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-03-24] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-03-25] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120330.002\IDSvia64.sys [488568 2012-03-23] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120330.036\ENG64.SYS [117880 2012-03-31] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120330.036\EX64.SYS [2048632 2012-03-31] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1307010.005\SRTSP64.SYS [737912 2012-03-28] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1307010.005\SRTSPX64.SYS [37496 2012-03-28] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1307010.005\SYMDS64.SYS [451192 2011-05-16] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1307010.005\SYMEFA64.SYS [1092728 2012-03-28] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-03-27] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1307010.005\Ironx64.SYS [190072 2012-03-28] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1307010.005\SYMNETS.SYS [405624 2012-03-28] (Symantec Corporation)
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-07-23 20:44 - 2012-07-23 20:44 - 00000000 ____D C:\FRST
2012-07-23 17:15 - 2012-07-23 17:15 - 01437781 ____A (Farbar) C:\Users\Phil\Downloads\FRST64.exe
2012-07-23 16:47 - 2012-07-23 16:47 - 00002578 ____A C:\Users\Phil\Desktop\RKreport[1].txt
2012-07-23 16:46 - 2012-07-23 17:16 - 00000000 ____D C:\Users\Phil\Desktop\RK_Quarantine
2012-07-23 16:46 - 2012-07-23 16:46 - 01552384 ____A C:\Users\Phil\Desktop\RogueKiller.exe
2012-07-23 16:01 - 2012-07-23 16:01 - 00607260 ____R (Swearware) C:\Users\Phil\Downloads\dds.scr
2012-07-23 15:27 - 2012-07-23 15:27 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-23 15:22 - 2012-07-23 15:22 - 02136152 ____A (Kaspersky Lab ZAO) C:\Users\Phil\Downloads\tdsskiller.exe
2012-07-23 15:00 - 2012-07-23 15:01 - 00000000 ____D C:\Users\Phil\AppData\Roaming\GetRightToGo
2012-07-23 15:00 - 2012-07-23 15:00 - 00367272 ____A (RegNow.com) C:\Users\Phil\Downloads\Download_9.0.0.912sdasetup-regnow_201_Trial.exe
2012-07-23 14:05 - 2012-07-23 14:05 - 00000000 ____D C:\Users\Phil\AppData\Roaming\Malwarebytes
2012-07-23 13:56 - 2012-07-23 13:56 - 00001122 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-23 13:56 - 2012-07-23 13:56 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-23 13:56 - 2012-07-23 13:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-23 13:56 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-23 13:55 - 2012-07-23 13:55 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Phil\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-19 16:15 - 2012-07-19 16:15 - 00000000 ____D C:\Users\Phil\AppData\Roaming\SpeedyPC Software
2012-07-19 16:15 - 2012-07-19 16:15 - 00000000 ____D C:\Users\Phil\AppData\Roaming\DriverCure
2012-07-19 16:14 - 2012-07-19 16:21 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
2012-07-19 16:13 - 2012-07-19 16:14 - 04731432 ____A (SpeedyPC Software Inc.) C:\Users\Phil\Downloads\SpeedyPC_Error_Fix.exe
2012-07-11 15:03 - 2012-07-11 15:03 - 00084928 ____A C:\Windows\System32\Drivers\31b476e88c154da3.sys
2012-07-10 17:09 - 2012-07-10 17:09 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-10 17:05 - 2012-07-10 17:05 - 00037888 ____A (Sony) C:\Users\Phil\vkyxdaqi0g.exe
2012-06-23 13:03 - 2012-06-23 13:03 - 00000000 ____D C:\Users\Phil\AppData\Local\Macromedia
============ 3 Months Modified Files ========================
2012-07-23 17:30 - 2012-03-26 04:40 - 00000404 ____A C:\Windows\Tasks\eMachines Registration - Reminder Recall task.job
2012-07-23 17:22 - 2012-03-29 16:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-23 17:18 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-23 17:18 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-23 17:15 - 2012-07-23 17:15 - 01437781 ____A (Farbar) C:\Users\Phil\Downloads\FRST64.exe
2012-07-23 16:47 - 2012-07-23 16:47 - 00002578 ____A C:\Users\Phil\Desktop\RKreport[1].txt
2012-07-23 16:46 - 2012-07-23 16:46 - 01552384 ____A C:\Users\Phil\Desktop\RogueKiller.exe
2012-07-23 16:01 - 2012-07-23 16:01 - 00607260 ____R (Swearware) C:\Users\Phil\Downloads\dds.scr
2012-07-23 16:01 - 2009-07-13 21:13 - 00726270 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-23 15:48 - 2009-07-13 20:51 - 00044268 ____A C:\Windows\setupact.log
2012-07-23 15:22 - 2012-07-23 15:22 - 02136152 ____A (Kaspersky Lab ZAO) C:\Users\Phil\Downloads\tdsskiller.exe
2012-07-23 15:00 - 2012-07-23 15:00 - 00367272 ____A (RegNow.com) C:\Users\Phil\Downloads\Download_9.0.0.912sdasetup-regnow_201_Trial.exe
2012-07-23 14:23 - 2010-11-20 19:47 - 00010048 ____A C:\Windows\PFRO.log
2012-07-23 14:23 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-23 13:56 - 2012-07-23 13:56 - 00001122 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-23 13:55 - 2012-07-23 13:55 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Phil\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-19 16:14 - 2012-07-19 16:13 - 04731432 ____A (SpeedyPC Software Inc.) C:\Users\Phil\Downloads\SpeedyPC_Error_Fix.exe
2012-07-11 20:24 - 2012-03-29 16:49 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-11 20:24 - 2011-07-13 12:54 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-11 15:03 - 2012-07-11 15:03 - 00084928 ____A C:\Windows\System32\Drivers\31b476e88c154da3.sys
2012-07-10 17:05 - 2012-07-10 17:05 - 00037888 ____A (Sony) C:\Users\Phil\vkyxdaqi0g.exe
2012-07-10 17:05 - 2011-11-18 13:12 - 01371681 ____A C:\Windows\WindowsUpdate.log
2012-07-03 10:46 - 2012-07-23 13:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-25 18:01 - 2009-07-13 21:08 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-14 12:03 - 2009-07-13 20:45 - 00413312 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-05 10:03 - 2011-07-13 12:55 - 00002501 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2012-06-02 14:19 - 2012-06-21 10:28 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 10:28 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 10:28 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 10:28 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 10:28 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 10:28 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 10:28 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-21 10:28 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-21 10:28 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-17 18:47 - 2012-06-13 23:41 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 23:41 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 23:41 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 23:41 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 23:41 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 23:41 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 23:41 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 23:41 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 23:41 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 23:41 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 23:41 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 23:41 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 23:41 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 23:41 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 23:41 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 23:41 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 23:41 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 23:41 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 23:41 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 23:41 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 23:41 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 23:41 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 23:41 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 23:41 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 23:41 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 23:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 17:32 - 2012-06-13 19:35 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-04 03:06 - 2012-06-13 19:35 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 19:35 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 19:35 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 21:40 - 2012-06-13 19:35 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:55 - 2012-06-13 19:35 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:41 - 2012-06-13 19:35 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-13 19:35 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-13 19:35 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
ZeroAccess:
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 21%
Total physical RAM: 3037.24 MB
Available physical RAM: 2397.63 MB
Total Pagefile: 3035.44 MB
Available Pagefile: 2387.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
======================= Partitions =========================
1 Drive c: (eMachines) (Fixed) (Total:913.84 GB) (Free:865.55 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:17.58 GB) (Free:6.69 GB) NTFS
4 Drive g: (LEXAR MEDIA) (Removable) (Total:0.12 GB) (Free:0.01 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 123 MB 0 B
Disk 2 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 17 GB 1024 KB
Partition 2 Primary 100 MB 17 GB
Partition 3 Primary 913 GB 17 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 17 GB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C eMachines NTFS Partition 913 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 122 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G LEXAR MEDIA FAT Removable 122 MB Healthy
==================================================================================
testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!
==========================================================
Last Boot: 2012-07-08 18:58
======================= End Of Log ==========================
Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-23 20:47:48
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
-
Should I proceed to Farbar Scan anyways?
-
I can't check-mark any of the processes. It seems I can't delete vkyxdaqi0g.exe.
-
RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Phil [Admin rights]
Mode: Scan -- Date: 07/23/2012 19:47:21
¤¤¤ Bad processes: 3 ¤¤¤
[SUSP PATH] vkyxdaqi0g.exe -- C:\Users\Phil\vkyxdaqi0g.exe -> NOT KILLED [0x5]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
[RESIDUE] vkyxdaqi0g.exe -- C:\Users\Phil\vkyxdaqi0g.exe -> NOT KILLED [0x5]
¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : vkyxdaqi0g (C:\Users\Phil\vkyxdaqi0g.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2271645420-2647512152-2546419352-1001[...]\Run : vkyxdaqi0g (C:\Users\Phil\vkyxdaqi0g.exe) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Phil\AppData\Local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\n.) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND
[ZeroAccess][FILE] n : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\n --> FOUND
[ZeroAccess][FILE] @ : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\phil\appdata\local\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\L --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++
--- User ---
[MBR] d468c87db872e7a5d0235b516de0f492
[BSP] d76edf8c497ff2d68ca004a9788a5952 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
Occasionally I hear background music on my computer. Tried to remove it with Malwarebytes, but after rebooting, I still get notified about this rootkit after another scan.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.23.11
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Phil :: PHIL-PC [administrator]
7/23/2012 5:20:31 PM
mbam-log-2012-07-23 (17-20-31).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193382
Time elapsed: 1 minute(s), 50 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\Windows\system32\regedit.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\Installer\{52aed44d-3ed1-7b80-2d00-c14629a49e7d}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
Trojan.Dropper.BCMiner
in Resolved Malware Removal Logs
Yep, no problems anymore. Thank you very much!