mollysneighbor

Members

Posts: 6
Reputation: 0 Neutral
  1. You are the wind beneath my wings, MrCharlie :-) Thanks so much for the fabulous help.

  2. Hello again, it looks good!

     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.08.15.08

     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 8.0.7601.17514
     Sue :: SUE-PC [administrator]

     8/15/2012 6:06:50 PM
     mbam-log-2012-08-15 (18-06-50).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 196842
     Time elapsed: 4 minute(s), 50 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  3. MrCharlie, here is the ComboFix log:

     ComboFix 12-08-15.01 - Sue 08/15/2012 17:25:05.1.2 - x64
     Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3964.2891 [GMT -4:00]
     Running from: c:\users\Sue\Desktop\ComboFix.exe
     AV: Trend Micro Titanium Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
     SP: Trend Micro Titanium Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\programdata\9F10101B-73FD-2F0D-F397-825EE14DA198.ico
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Defender
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Defender\Security Defender.lnk
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\V500_DLAgent.exe.lnk
     c:\programdata\Roaming
     c:\users\Sue\AppData\Roaming\3534.2C9
     c:\users\Sue\AppData\Roaming\9F10101B-73FD-2F0D-F397-825EE14DA198.ico
     c:\users\Sue\AppData\Roaming\Adobe\plugs
     c:\users\Sue\AppData\Roaming\Adobe\plugs\mmc155
     c:\users\Sue\AppData\Roaming\Adobe\shed
     c:\users\Sue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Defender
     c:\users\Sue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Defender\Security Defender.lnk
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))
     .
     .
     2012-08-16 00:11 . 2012-08-16 00:11    --------    d-----w-    C:\FRST
     2012-07-20 23:37 . 2012-08-15 11:35    --------    d-----w-    c:\users\Sue\AppData\Roaming\Systweak
     2012-07-20 23:37 . 2012-07-16 18:25    18856       ----a-w-    c:\windows\system32\roboot64.exe
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-08-15 14:26 . 2011-04-10 23:44    21520       ----a-w-    c:\windows\DCEBoot64.exe
     2012-07-12 01:48 . 2011-07-03 01:45    59701280    ----a-w-    c:\windows\system32\MRT.exe
     2012-07-12 01:30 . 2012-04-18 04:02    426184      ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
     2012-07-12 01:30 . 2011-06-18 02:52    70344       ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
     2012-07-06 03:32 . 2012-06-21 04:03    129024      ----a-w-    c:\windows\RegBootClean64.exe
     2012-07-03 17:46 . 2011-04-08 11:06    24904       ----a-w-    c:\windows\system32\drivers\mbam.sys
     2012-06-12 03:08 . 2012-07-12 02:14    3148800     ----a-w-    c:\windows\system32\win32k.sys
     2012-06-09 05:43 . 2012-07-12 01:26    14172672    ----a-w-    c:\windows\system32\shell32.dll
     2012-06-06 06:06 . 2012-07-12 01:26    2004480     ----a-w-    c:\windows\system32\msxml6.dll
     2012-06-06 06:06 . 2012-07-12 01:26    1881600     ----a-w-    c:\windows\system32\msxml3.dll
     2012-06-06 06:02 . 2012-07-12 01:25    1133568     ----a-w-    c:\windows\system32\cdosys.dll
     2012-06-06 05:05 . 2012-07-12 01:26    1390080     ----a-w-    c:\windows\SysWow64\msxml6.dll
     2012-06-06 05:05 . 2012-07-12 01:26    1236992     ----a-w-    c:\windows\SysWow64\msxml3.dll
     2012-06-06 05:03 . 2012-07-12 01:25    805376      ----a-w-    c:\windows\SysWow64\cdosys.dll
     2012-06-05 07:37 . 2012-06-23 01:11    256904      ----a-w-    c:\windows\SysWow64\drivers\tmcomm.sys
     2012-06-02 22:19 . 2012-06-23 15:36    38424       ----a-w-    c:\windows\system32\wups.dll
     2012-06-02 22:19 . 2012-06-23 15:36    2428952     ----a-w-    c:\windows\system32\wuaueng.dll
     2012-06-02 22:19 . 2012-06-23 15:36    57880       ----a-w-    c:\windows\system32\wuauclt.exe
     2012-06-02 22:19 . 2012-06-23 15:36    44056       ----a-w-    c:\windows\system32\wups2.dll
     2012-06-02 22:19 . 2012-06-23 15:36    701976      ----a-w-    c:\windows\system32\wuapi.dll
     2012-06-02 22:15 . 2012-06-23 15:36    2622464     ----a-w-    c:\windows\system32\wucltux.dll
     2012-06-02 22:15 . 2012-06-23 15:36    99840       ----a-w-    c:\windows\system32\wudriver.dll
     2012-06-02 19:19 . 2012-06-23 15:36    186752      ----a-w-    c:\windows\system32\wuwebv.dll
     2012-06-02 19:15 . 2012-06-23 15:36    36864       ----a-w-    c:\windows\system32\wuapp.exe
     2012-06-02 05:50 . 2012-07-12 01:25    458704      ----a-w-    c:\windows\system32\drivers\cng.sys
     2012-06-02 05:48 . 2012-07-12 01:25    151920      ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
     2012-06-02 05:48 . 2012-07-12 01:25    95600       ----a-w-    c:\windows\system32\drivers\ksecdd.sys
     2012-06-02 05:45 . 2012-07-12 01:25    340992      ----a-w-    c:\windows\system32\schannel.dll
     2012-06-02 05:44 . 2012-07-12 01:25    307200      ----a-w-    c:\windows\system32\ncrypt.dll
     2012-06-02 04:40 . 2012-07-12 01:25    22016       ----a-w-    c:\windows\SysWow64\secur32.dll
     2012-06-02 04:40 . 2012-07-12 01:25    225280      ----a-w-    c:\windows\SysWow64\schannel.dll
     2012-06-02 04:39 . 2012-07-12 01:25    219136      ----a-w-    c:\windows\SysWow64\ncrypt.dll
     2012-06-02 04:34 . 2012-07-12 01:25    96768       ----a-w-    c:\windows\SysWow64\sspicli.dll
     2012-05-31 04:04 . 2012-06-19 16:14    9013136     ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{B297B822-353D-43D5-9263-03AE01160E75}\mpengine.dll
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]
     "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-12 39408]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "TWebCamera"="%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
     "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
     "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
     "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
     "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
     HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 5 (0x5)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableUIADesktopToggle"= 0 (0x0)
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
     2009-02-17 00:09    196608    ----a-w-    c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
     2009-07-13 19:24    304496    ----a-w-    c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
     2009-02-17 00:09    143360    ----a-w-    c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
     .
     R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
     R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
     R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
     R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
     R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
     R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
     R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
     R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
     R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-08 1255736]
     R4 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\rselect\RSelSvc.exe [2009-02-19 55808]
     R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-15 251392]
     S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]
     S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]
     S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-07-24 482384]
     S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
     S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
     S2 camsvc;TOSHIBA Web Camera Service;c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
     S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-08-10 248688]
     S2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-07-14 42368]
     S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
     S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-02-12 57344]
     S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-01-14 55296]
     S2 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-01 62776]
     S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-01-29 67664]
     S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-09 803696]
     S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-23 14472]
     S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 8704]
     S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 139264]
     S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
     S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 32832]
     S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-21 413800]
     .
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - WS2IFSL
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 01:30]
     .
     2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 04:34]
     .
     2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 04:34]
     .
     2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000Core.job
     - c:\users\Sue\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-22 23:54]
     .
     2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000UA.job
     - c:\users\Sue\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-22 23:54]
     .
     2012-08-15 c:\windows\Tasks\SDMsgUpdate (TE).job
     - c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2012-03-07 18:22]
     .
     .
     --------- X64 Entries -----------
     .
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ThpSrv"="c:\windows\system32\thpsrv" [X]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1713448]
     "Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 165912]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 387608]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 365592]
     "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-29 7982112]
     "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
     "LoadAppInit_DLLs"=0x0
     .
     ------- Supplementary Scan -------
     .
     uLocal Page = c:\windows\system32\blank.htm
     uStart Page = hxxp://www.google.com/
     mStart Page = hxxp://start.funmoods.com/?f=1&a=aln&chnl=aln&cd=2XzuyEtN2Y1L1QzutDtDtC0EyCyDyEyD0A0CtDzz0AyD0ByBtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=73528215
     mLocal Page = c:\windows\SysWOW64\blank.htm
     uInternet Settings,ProxyOverride = *.local
     uInternet Settings,ProxyServer = http=127.0.0.1:51253
     IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
     TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
     Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files (x86)\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
     .
     - - - - ORPHANS REMOVED - - - -
     .
     MSConfigStartUp-cfFncEnabler - c:\program files (x86)\TOSHIBA\ConfigFree\cfFncEnabler.exe
     MSConfigStartUp-TUSBSleepChargeSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
     HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
     .
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Shockwave Flash Object"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
     @="0"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
     @="ShockwaveFlash.ShockwaveFlash.11"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="ShockwaveFlash.ShockwaveFlash"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Macromedia Flash Factory Object"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
     @="FlashFactory.FlashFactory.1"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="FlashFactory.FlashFactory"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000001
     "MSCurrentCountry"=dword:000000b5
     .
     [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files (x86)\Bonjour\mDNSResponder.exe
     c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
     .
     **************************************************************************
     .
     Completion time: 2012-08-15 17:39:10 - machine was rebooted
     ComboFix-quarantined-files.txt 2012-08-15 21:39
     .
     Pre-Run: 210,777,845,760 bytes free
     Post-Run: 211,959,578,624 bytes free
     .
     - - End Of File - - 9D831B86E0956727303CCDC19B8FF837
  4. Hello, here it is:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
     Ran by SYSTEM at 2012-08-15 17:04:50 Run:1
     Running from F:\

     ==============================================

     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01} moved successfully.
     C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01} moved successfully.
     C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
     C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
     C:\Windows\System32\services.exe moved successfully.
     C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

     ==== End of Fixlog ====
  5. MrCharlie, many thanks for your help. Here are the results:

     FRST.TXT:

     Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
     Ran by SYSTEM at 15-08-2012 16:11:38
     Running from F:\
     Windows 7 Home Premium (X64) OS Language: English(US)
     The current controlset is ControlSet001

     ========================== Registry (Whitelisted) =============

     HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1713448 2009-03-18] (Synaptics Incorporated)
     HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [487264 2009-03-06] (TOSHIBA Corporation)
     HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
     HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-02] (Intel Corporation)
     HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2009-09-02] (Intel Corporation)
     HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2009-09-02] (Intel Corporation)
     HKLM\...\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon [x]
     HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
     HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
     HKLM-x32\...\Run: [TWebCamera] "%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [x]
     HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
     HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
     HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
     HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
     HKU\Sue\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [163328 2010-11-20] (Microsoft Corporation)
     HKU\Sue\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-11] (Google Inc.)
     HKU\Sue\...\Run: [Google Update] "C:\Users\Sue\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-06] (Google Inc.)
     Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
     Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
     Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
     ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
     Startup: C:\Users\All Users\Start Menu\Programs\Startup\V500_DLAgent.exe.lnk
     ShortcutTarget: V500_DLAgent.exe.lnk -> C:\Windows\Installer\{E312B20A-7074-44E4-BDE6-27F68A5D48C3}\_895325C67468DB1BAE25F2.exe ()

     ==================== Services (Whitelisted) ======

     2 camsvc; C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [20544 2009-04-16] (TOSHIBA)
     2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [x]
     3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]

     ========================== Drivers (Whitelisted) =============

     2 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [90704 2011-01-28] (Trend Micro Inc.)
     2 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [144464 2011-01-28] (Trend Micro Inc.)
     2 tmcomm; C:\Windows\SysWow64\Drivers\tmcomm.sys [256904 2012-06-04] (Trend Micro Inc.)
     2 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [67664 2011-01-28] (Trend Micro Inc.)
     1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [105552 2011-01-28] (Trend Micro Inc.)
     3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

     ========================== NetSvcs (Whitelisted) ===========

     ============ One Month Created Files and Folders ==============

     2012-08-15 11:36 - 2012-08-15 11:36 - 00002469 ____A C:\Users\Sue\Desktop\RKreport[2].txt
     2012-08-15 11:34 - 2012-08-15 11:34 - 00017588 ____A C:\Users\Sue\Desktop\DDS.txt
     2012-08-15 11:34 - 2012-08-15 11:34 - 00009763 ____A C:\Users\Sue\Desktop\Attach.txt
     2012-08-15 09:18 - 2012-08-15 09:18 - 00607260 ____R (Swearware) C:\Users\Sue\Desktop\dds.scr
     2012-08-15 06:52 - 2012-08-15 06:52 - 00002451 ____A C:\Users\Sue\Desktop\RKreport[1].txt
     2012-08-15 06:51 - 2012-08-15 06:52 - 00000000 ____D C:\Users\Sue\Desktop\RK_Quarantine
     2012-08-15 06:50 - 2012-08-15 06:42 - 01558528 ____A C:\Users\Sue\Desktop\RogueKiller.exe
     2012-08-15 06:25 - 2012-08-15 06:26 - 00003700 ____A C:\Windows\DCEBOOT.CFG
     2012-07-20 15:37 - 2012-08-15 03:35 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Systweak
     2012-07-20 15:37 - 2012-07-16 10:25 - 00018856 ____A (Systweak Inc., (www.systweak.com)) C:\Windows\System32\roboot64.exe

     ============ 3 Months Modified Files ========================

     2012-08-15 12:06 - 2011-04-08 09:55 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2012-08-15 12:06 - 2011-04-08 09:55 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2012-08-15 11:39 - 2009-07-13 21:13 - 00741854 ____A C:\Windows\System32\PerfStringBackup.INI
     2012-08-15 11:36 - 2012-08-15 11:36 - 00002469 ____A C:\Users\Sue\Desktop\RKreport[2].txt
     2012-08-15 11:34 - 2012-08-15 11:34 - 00017588 ____A C:\Users\Sue\Desktop\DDS.txt
     2012-08-15 11:34 - 2012-08-15 11:34 - 00009763 ____A C:\Users\Sue\Desktop\Attach.txt
     2012-08-15 11:30 - 2012-04-17 20:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
     2012-08-15 11:29 - 2011-07-22 12:42 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000UA.job
     2012-08-15 11:29 - 2010-02-08 20:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2012-08-15 09:18 - 2012-08-15 09:18 - 00607260 ____R (Swearware) C:\Users\Sue\Desktop\dds.scr
     2012-08-15 06:52 - 2012-08-15 06:52 - 00002451 ____A C:\Users\Sue\Desktop\RKreport[1].txt
     2012-08-15 06:50 - 2009-07-13 20:51 - 00321951 ____A C:\Windows\setupact.log
     2012-08-15 06:42 - 2012-08-15 06:50 - 01558528 ____A C:\Users\Sue\Desktop\RogueKiller.exe
     2012-08-15 06:26 - 2012-08-15 06:25 - 00003700 ____A C:\Windows\DCEBOOT.CFG
     2012-08-15 06:26 - 2011-04-10 15:44 - 00021520 ____A C:\Windows\DCEBoot64.exe
     2012-08-15 06:23 - 2012-03-06 17:35 - 00000468 ____A C:\Windows\Tasks\SDMsgUpdate (TE).job
     2012-08-15 06:23 - 2010-02-08 20:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2012-08-15 06:23 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
     2012-08-15 06:22 - 2012-06-21 15:55 - 00027770 ____A C:\Windows\DCEBOOT.RST
     2012-08-15 06:22 - 2011-04-11 18:35 - 00000000 ____A C:\Windows\DCEBOOT.LOG
     2012-08-15 06:22 - 2011-04-08 10:18 - 01067726 ____A C:\Windows\PFRO.log
     2012-08-14 15:11 - 2011-07-22 12:42 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000Core.job
     2012-08-14 14:58 - 2011-04-08 10:37 - 01757935 ____A C:\Windows\WindowsUpdate.log
     2012-07-18 17:01 - 2012-02-01 16:37 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
     2012-07-16 10:25 - 2012-07-20 15:37 - 00018856 ____A (Systweak Inc., (www.systweak.com)) C:\Windows\System32\roboot64.exe
     2012-07-11 18:31 - 2009-07-13 20:45 - 00373536 ____A C:\Windows\System32\FNTCACHE.DAT
     2012-07-11 17:48 - 2011-07-02 17:45 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
     2012-07-11 17:30 - 2012-04-17 20:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
     2012-07-11 17:30 - 2011-06-17 18:52 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
     2012-07-11 17:19 - 2012-07-11 17:20 - 00384844 ____A C:\Users\Sue\AppData\Local\funmoods-speeddial.crx
     2012-07-06 07:30 - 2009-07-13 21:08 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
     2012-07-05 19:32 - 2012-06-20 20:03 - 00129024 ____A C:\Windows\RegBootClean64.exe
     2012-07-03 09:46 - 2011-04-08 03:06 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
     2012-07-01 16:27 - 2012-06-22 17:10 - 00000036 ____A C:\Users\Sue\AppData\Local\housecall.guid.cache
     2012-06-22 17:22 - 2012-06-22 17:22 - 00187493 ____A C:\Users\Sue\AppData\Local\census.cache
     2012-06-22 17:22 - 2012-06-22 17:22 - 00107711 ____A C:\Users\Sue\AppData\Local\ars.cache
     2012-06-11 19:08 - 2012-07-11 18:14 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
     2012-06-11 16:36 - 2012-06-11 16:36 - 00001856 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
     2012-06-10 12:29 - 2012-06-10 12:29 - 00006109 ____A C:\Users\Sue\Documents\Approved! The Huddle.htm
     2012-06-08 21:43 - 2012-07-11 17:26 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
     2012-06-08 20:41 - 2012-07-11 17:26 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
     2012-06-05 22:06 - 2012-07-11 17:26 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
     2012-06-05 22:06 - 2012-07-11 17:26 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
     2012-06-05 22:02 - 2012-07-11 17:25 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
     2012-06-05 21:05 - 2012-07-11 17:26 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
     2012-06-05 21:05 - 2012-07-11 17:26 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
     2012-06-05 21:03 - 2012-07-11 17:25 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
     2012-06-04 23:37 - 2012-06-22 17:11 - 00256904 ____A (Trend Micro Inc.) C:\Windows\SysWOW64\Drivers\tmcomm.sys
     2012-06-02 14:19 - 2012-06-23 07:36 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
     2012-06-02 14:19 - 2012-06-23 07:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
     2012-06-02 14:19 - 2012-06-23 07:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
     2012-06-02 14:19 - 2012-06-23 07:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
     2012-06-02 14:19 - 2012-06-23 07:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
     2012-06-02 14:15 - 2012-06-23 07:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
     2012-06-02 14:15 - 2012-06-23 07:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
     2012-06-02 11:19 - 2012-06-23 07:36 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
     2012-06-02 11:15 - 2012-06-23 07:36 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
     2012-06-01 21:50 - 2012-07-11 17:25 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
     2012-06-01 21:48 - 2012-07-11 17:25 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
     2012-06-01 21:48 - 2012-07-11 17:25 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
     2012-06-01 21:45 - 2012-07-11 17:25 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
     2012-06-01 21:44 - 2012-07-11 17:25 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
     2012-06-01 20:40 - 2012-07-11 17:25 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
     2012-06-01 20:40 - 2012-07-11 17:25 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
     2012-06-01 20:39 - 2012-07-11 17:25 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
     2012-06-01 20:34 - 2012-07-11 17:25 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

     ZeroAccess:
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\U
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\00000004.@
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\1afb2d56
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\201d3dde
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\55490ac4
     C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\U\80000064.@

     ZeroAccess:
     C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}
     C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L
     C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\U

     ZeroAccess:
     C:\Windows\assembly\GAC_32\Desktop.ini

     ZeroAccess:
     C:\Windows\assembly\GAC_64\Desktop.ini

     ========================= Known DLLs (Whitelisted) ============

     ========================= Bamital & volsnap Check ============

     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ========================= Memory info ======================

     Percentage of memory in use: 14%
     Total physical RAM: 3963.99 MB
     Available physical RAM: 3392.26 MB
     Total Pagefile: 3962.14 MB
     Available Pagefile: 3383.16 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.88 MB

     ======================= Partitions =========================

     1 Drive c: (TI100343V0F) (Fixed) (Total:286.38 GB) (Free:196.29 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
     2 Drive d: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.31 GB) NTFS
     4 Drive f: () (Removable) (Total:3.82 GB) (Free:3.33 GB) FAT32
     5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

       Disk ###  Status         Size     Free     Dyn  Gpt
       --------  -------------  -------  -------  ---  ---
       Disk 0    Online          298 GB      0 B
       Disk 1    Online         3919 MB      0 B

     Partitions of Disk 0:
     ===============

       Partition ###  Type              Size     Offset
       -------------  ----------------  -------  -------
       Partition 1    Recovery          1500 MB  1024 KB
       Partition 2    Primary            286 GB  1501 MB
       Partition 3    Primary             10 GB   287 GB

     ==================================================================================

     Disk: 0
     Partition 1
     Type  : 27
     Hidden: Yes
     Active: No

       Volume ###  Ltr  Label  Fs  Type  Size  Status
Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 D TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden ================================================================================== Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 C TI100343V0F NTFS Partition 286 GB Healthy ================================================================================== Disk: 0 Partition 3 Type : 17 (Suspicious Type) Hidden: Yes Active: No There is no volume associated with this partition. ================================================================================== Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 3919 MB 31 KB ================================================================================== Disk: 1 Partition 1 Type : 0B Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 3 F FAT32 Removable 3919 MB Healthy ================================================================================== Last Boot: 2012-06-22 00:09 ======================= End Of Log ========================== SEARCH.TXT: Farbar Recovery Scan Tool Version: 15-08-2012 Ran by SYSTEM at 2012-08-15 16:16:07 Running from F:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\System32\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06 ====== End Of Search ======
  6. Hello, I am trying to help a friend with a virus/trojan infection on his computer, which appears to be ZeroAccess. He and I have tried a few things including MBAM and his Trend Micro AV software, which has quarantined and/or removed a few things, but it appears to still be infected. I've read through a number of related posts looking for a solution, but it seems that I will need some help to resolve this, please. We will much appreciate any assistance you can provide. Attaching DDS.TXT, ATTACH.TXT, and RKReport. Thanks very much and let me know if any additional information is required. Attach.txt DDS.txt RKreport2.txt