fakilby (Members, 7 posts)

Posts posted by fakilby

  1. Here are the results

    Results of screen317's Security Check version 0.99.50

    Windows 7 Service Pack 1 x86 (UAC is enabled)

    Internet Explorer 8 Out of date!

    ``````````````Antivirus/Firewall Check:``````````````

    Windows Security Center service is not running! This report may not be accurate!

    WMI entry may not exist for antivirus; attempting automatic update.

    `````````Anti-malware/Other Utilities Check:`````````

    Malwarebytes Anti-Malware version 1.62.0.1300

    Java 6 Update 24

    Java version out of Date!

    Adobe Reader X 10.1.3 Adobe Reader out of Date!

    Mozilla Firefox 10.0.2 Firefox out of Date!

    ````````Process Check: objlist.exe by Laurent````````

    Malwarebytes Anti-Malware mbamservice.exe

    Malwarebytes Anti-Malware mbamgui.exe

    `````````````````System Health check`````````````````

    Total Fragmentation on Drive C: 0%

    ````````````````````End of Log``````````````````````

  2. ************************************************

    Search.txt

    ************************************************

    Farbar Recovery Scan Tool (x86) Version: 04-09-2012 01

    Ran by SYSTEM at 2012-09-04 13:04:32

    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe

    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===

    ******************************************************************

    FRST.txt

    ******************************************************************

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) (x86) Version: 04-09-2012 01

    Ran by SYSTEM at 04-09-2012 13:02:06

    Running from H:\

    Windows 7 Professional (X86) OS Language: English(US)

    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [287800 2009-11-11] ( Hewlett-Packard Development Company, L.P.)

    HKLM\...\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2010-04-05] (Intel Corporation)

    HKLM\...\Run: [NUSB3MON] "c:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-11-20] (NEC Electronics Corporation)

    HKLM\...\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden [1690680 2009-11-19] (Hewlett-Packard)

    HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1713448 2010-02-26] (Synaptics Incorporated)

    HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2009-11-19] (Hewlett-Packard)

    HKLM\...\Run: [nwiz] nwiz.exe /installquiet [x]

    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup [13830760 2010-02-26] (NVIDIA Corporation)

    HKLM\...\Run: [iMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [111640 2009-11-04] ()

    HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2010-01-28] (IDT, Inc.)

    HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

    HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [304568 2010-10-12] (Citrix Systems, Inc.)

    HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-09-17] (LogMeIn, Inc.)

    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

    HKLM\...\Run: [] [x]

    HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)

    HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)

    HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)

    HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

    HKU\admin\...\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [x]

    HKU\CV PM\...\RunOnce: [Application Restart #0] C:\Program Files\Windows Sidebar\sidebar.exe [1174016 2010-11-20] (Microsoft Corporation)

    HKU\fredk\...\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon" [39816 2012-01-19] (Citrix Online, a division of Citrix Systems, Inc.)

    HKU\fredk\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet [6276408 2011-08-22] (Yahoo! Inc.)

    HKU\fredk\...\Policies\system: [NoDispScrSavPage] 1

    HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe, [x]

    Winlogon\Notify\ScCertProp: wlnotify.dll [X]

    Tcpip\Parameters: [DhcpNameServer] 68.6.16.30

    Lsa: [Notification Packages] DPPassFilter scecli

    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Online plug-in.lnk

    ShortcutTarget: Online plug-in.lnk -> C:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe ()

    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snagit 10.lnk

    ShortcutTarget: Snagit 10.lnk -> C:\Program Files\TechSmith\Snagit 10\Snagit32.exe (TechSmith Corporation)

    Startup: C:\Users\fredk\Start Menu\Programs\Startup\Dropbox.lnk

    ShortcutTarget: Dropbox.lnk -> (No File)

    Startup: C:\Users\fredk\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ========================== Services (Whitelisted) ========================

    2 AESTFilters; C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\aestsrv.exe [81920 2009-03-03] (Andrea Electronics Corporation)

    2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-08-03] (LSI Corporation)

    2 AMSIntegrationRequestQueue; "C:\CV\RequestQWinService\SI-AMSIntegrationRequestQueue\RequestQWinService.exe" -sAMSIntegrationRequestQueue [24576 2011-04-11] (Commerce Velocity)

    2 AMSSecurityService; "C:\CV\Security Service Host\SI-AMSSecurityService\SecurityServiceHost.exe" -sAMSSecurityService [20480 2011-05-11] (Commerce Velocity)

    3 CQSchedulerService; "C:\CV\SchedulerService\SI-CQSchedulerService\CQScheduler.exe" -sCQSchedulerService [49152 2011-04-11] (Commerce Velocity)

    2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [309760 2011-01-25] (Microsoft Corporation)

    2 HP Power Assistant Service; "C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe" [102968 2009-11-19] (Hewlett-Packard)

    2 HP Wireless Assistant Service; "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe" [102968 2009-11-19] (Hewlett-Packard)

    2 Hp.Skyroom.Windows.Service; "C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe" -startService [124984 2009-11-20] (Hewlett-Packard)

    2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-11] (LogMeIn, Inc.)

    2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-11] (LogMeIn, Inc.)

    2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)

    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

    2 MsDtsServer100; "C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe" [218136 2008-07-10] (Microsoft Corporation)

    2 MSSQLSERVER; "C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER [42727784 2011-02-05] (Microsoft Corporation)

    4 MSSQLServerADHelper100; "C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [47128 2008-07-09] (Microsoft Corporation)

    4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 [3201024 2008-07-29] (Microsoft Corporation)

    3 Multi-Loan Windows Service; "C:\Program Files\Commerce Velocity\Decision Windows Service\SI-Multi-Loan Windows Service\DecisionWinService.exe" -sMulti-Loan Windows Service [24576 2011-06-23] (Commerce Velocity)

    4 ReportServer; "C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [1113448 2009-03-30] (Microsoft Corporation)

    3 SQLSERVERAGENT; "C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i MSSQLSERVER [366936 2009-03-30] (Microsoft Corporation)

    2 STacSV; C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\STacSV.exe [229458 2010-01-28] (IDT, Inc.)

    2 vcsFPService; C:\windows\system32\vcsFPService.exe [1639728 2009-10-21] (Validity Sensors, Inc.)

    2 DpHost; c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [x]

    2 HP ProtectTools Service; "c:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe" [x]

    2 HPDayStarterService; "c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe" [x]

    2 HpFkCryptService; "c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [x]

    2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]

    3 MSSQLFDLauncher; "C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe" -s MSSQL10.MSSQLSERVER [x]

    4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]

    2 MSSQLServerOLAPService; "C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Config" [x]

    2 rgsender; "c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe" -l logSetup [x]

    2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

    2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

    ==================== Drivers (Whitelisted) ===================

    3 KMWDFILTERx86; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [25088 2009-04-29] (Windows ® Codename Longhorn DDK provider)

    2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2010-09-17] (LogMeIn, Inc.)

    3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2010-09-17] (LogMeIn, Inc.)

    2 LMIRfsDriver; \??\C:\windows\system32\drivers\LMIRfsDriver.sys [47640 2010-09-17] (LogMeIn, Inc.)

    3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)

    3 PulseUsb; C:\Windows\System32\DRIVERS\PulseUsb.sys [20480 2010-12-29] (Windows ® Win 7 DDK provider)

    2 risdpcie; C:\Windows\system32\DRIVERS\risdpe86.sys [47616 2009-10-28] (REDC)

    3 rismc32; C:\Windows\System32\DRIVERS\rismc32.sys [49152 2009-07-20] (RICOH Company, Ltd.)

    2 rixdpcie; C:\Windows\system32\DRIVERS\rixdpe86.sys [38912 2009-09-28] (REDC)

    4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-30] (Microsoft Corporation)

    1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [40088 2009-11-11] (McAfee, Inc.)

    0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [110520 2009-11-11] (McAfee, Inc.)

    0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51800 2009-11-11] (McAfee, Inc.)

    0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [13256 2009-11-11] (McAfee, Inc.)

    3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1758464 2009-12-18] ()

    4 LMIRfsClientNP; [x]

    ==================== NetSvcs (Whitelisted) =================

    ============ One Month Created Files and Folders ==============

    2012-09-04 13:01 - 2012-09-04 13:02 - 00000000 ____D C:\FRST

    2012-09-04 11:24 - 2012-09-04 11:24 - 00002209 ____A C:\Users\fredk\Desktop\RKreport[2].txt

    2012-09-04 11:19 - 2012-09-04 11:19 - 00002191 ____A C:\Users\fredk\Desktop\RKreport[1].txt

    2012-09-04 11:17 - 2012-09-04 11:19 - 00000000 ____D C:\Users\fredk\Desktop\RK_Quarantine

    2012-09-04 11:16 - 2012-09-04 11:16 - 01378816 ____A C:\Users\fredk\Desktop\RogueKiller.exe

    2012-09-04 10:38 - 2012-09-04 10:38 - 00017186 ____A C:\Users\fredk\Desktop\Attach.txt

    2012-09-04 10:37 - 2012-09-04 10:37 - 00029164 ____A C:\Users\fredk\Desktop\DDS.txt

    2012-09-04 10:22 - 2012-09-04 10:22 - 00607260 ____R (Swearware) C:\Users\fredk\Desktop\dds.com

    2012-08-31 16:26 - 2012-08-31 16:26 - 00000051 ____A C:\Users\fredk\AppData\Roaming\mbam.context.scan

    2012-08-31 16:02 - 2012-08-31 16:02 - 00000000 ____D C:\Users\fredk\AppData\Roaming\Malwarebytes

    2012-08-31 16:01 - 2012-08-31 16:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

    2012-08-31 16:01 - 2012-08-31 16:01 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-31 16:01 - 2012-08-31 16:01 - 00000000 ____D C:\Users\All Users\Malwarebytes

    2012-08-31 16:01 - 2012-07-03 12:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    2012-08-31 15:59 - 2012-08-31 15:59 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\fredk\Downloads\mbam-setup-1.62.0.1300.exe

    2012-08-29 11:27 - 2012-08-29 11:27 - 00265093 ____A C:\Users\fredk\Downloads\AWC_FORUM_EXTENSION.tar.gz

    2012-08-24 16:13 - 2012-08-24 16:13 - 00001326 ____A C:\Users\fredk\Desktop\MediaWiki.lnk

    2012-08-24 13:35 - 2012-08-24 13:35 - 08268544 ____A C:\Users\fredk\Downloads\PROD_wiki_db.sql

    2012-08-24 10:29 - 2012-08-24 10:29 - 00000000 ____D C:\Users\fredk\VirtualBox VMs

    2012-08-23 15:06 - 2012-08-24 10:25 - 00000000 ____D C:\VMAppliance

    2012-08-23 14:31 - 2012-08-30 11:56 - 00000000 ____D C:\Users\fredk\.VirtualBox

    2012-08-23 14:30 - 2012-08-23 14:30 - 00001076 ____A C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk

    2012-08-23 14:30 - 2012-08-23 14:30 - 00000000 ____D C:\Program Files\Oracle

    2012-08-23 14:30 - 2012-08-20 16:32 - 00158552 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxDrv.sys

    2012-08-23 14:30 - 2012-08-20 16:32 - 00091992 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxUSBMon.sys

    2012-08-23 14:27 - 2012-08-23 14:27 - 95187288 ____A (Oracle Corporation) C:\Users\fredk\Downloads\VirtualBox-4.1.20-80170-Win.exe

    2012-08-21 11:30 - 2012-08-21 11:30 - 00033199 ____A C:\Users\fredk\Downloads\MediaWiki-20120821192828.xml

    2012-08-20 16:32 - 2012-08-20 16:32 - 00135512 ____A (Oracle Corporation) C:\Windows\System32\VBoxNetFltNobj.dll

    2012-08-20 16:32 - 2012-08-20 16:32 - 00116056 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetFlt.sys

    2012-08-20 16:32 - 2012-08-20 16:32 - 00104792 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetAdp.sys

    2012-08-15 12:57 - 2012-08-15 12:57 - 00000000 __SHD C:\Windows\System32\%APPDATA%

    2012-08-15 09:59 - 2012-08-28 13:27 - 00000600 ____A C:\Users\fredk\AppData\Local\PUTTY.RND

    2012-08-15 09:47 - 2012-08-15 09:47 - 00000000 ____D C:\Program Files\Putty

    2012-08-15 02:01 - 2012-07-06 11:23 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys

    2012-08-14 23:05 - 2012-07-18 09:47 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-08-14 23:05 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

    2012-08-14 23:05 - 2012-07-04 13:14 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

    2012-08-14 23:05 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

    2012-08-14 23:05 - 2012-06-26 21:53 - 01231360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

    2012-08-14 23:05 - 2012-06-26 21:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

    2012-08-14 23:05 - 2012-06-26 21:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

    2012-08-14 23:05 - 2012-06-26 21:51 - 06027776 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

    2012-08-14 23:05 - 2012-06-26 21:51 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

    2012-08-14 23:05 - 2012-06-26 21:51 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

    2012-08-14 23:05 - 2012-06-26 21:50 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

    2012-08-14 23:05 - 2012-06-26 21:50 - 02073600 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

    2012-08-14 23:05 - 2012-06-26 21:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

    2012-08-14 23:05 - 2012-06-26 21:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

    2012-08-14 23:05 - 2012-06-26 20:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

    2012-08-14 23:05 - 2012-05-13 20:33 - 00769024 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

    2012-08-14 23:05 - 2012-05-04 23:46 - 00400896 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

    2012-08-14 23:05 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

    2012-08-14 23:05 - 2012-02-10 21:37 - 00317440 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

    2012-08-14 13:34 - 2012-08-14 13:37 - 00000000 ____D C:\Users\fredk\Downloads\UserMerge-MW1.15-48763.tar

    2012-08-14 13:33 - 2012-08-14 13:33 - 01110476 ____A C:\Users\fredk\Downloads\7z920.exe

    2012-08-14 13:33 - 2012-08-14 13:33 - 00000000 ____D C:\Program Files\7-Zip

    2012-08-14 13:28 - 2012-08-14 13:28 - 00029609 ____A C:\Users\fredk\Downloads\UserMerge-MW1.15-48763.tar.tar

    2012-08-14 08:09 - 2012-08-14 08:09 - 00000220 ____A C:\Users\fredk\Downloads\index.php

    2012-08-09 16:10 - 2012-08-29 11:28 - 00000000 ____D C:\Users\fredk\Documents\Wiki

    2012-08-08 11:20 - 2012-08-08 15:45 - 00000000 ____D C:\Users\fredk\Documents\Spectrum Workbench Actions

    2012-08-06 15:30 - 2012-08-06 15:29 - 00049152 ___AT C:\Users\fredk\Documents\ProficioQryRslt.txt

    ============ 3 Months Modified Files ========================

    2012-09-04 11:54 - 2010-09-21 17:10 - 01032650 ____A C:\Windows\System32\PerfStringBackup.INI

    2012-09-04 11:49 - 2011-05-25 08:11 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

    2012-09-04 11:33 - 2012-04-05 09:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

    2012-09-04 11:24 - 2012-09-04 11:24 - 00002209 ____A C:\Users\fredk\Desktop\RKreport[2].txt

    2012-09-04 11:19 - 2012-09-04 11:19 - 00002191 ____A C:\Users\fredk\Desktop\RKreport[1].txt

    2012-09-04 11:16 - 2012-09-04 11:16 - 01378816 ____A C:\Users\fredk\Desktop\RogueKiller.exe

    2012-09-04 10:55 - 2009-07-13 20:34 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

    2012-09-04 10:55 - 2009-07-13 20:34 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

    2012-09-04 10:52 - 2011-05-25 08:11 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

    2012-09-04 10:52 - 2010-11-11 13:57 - 00001556 _RASH C:\Users\fredk\ntuser.pol

    2012-09-04 10:50 - 2010-11-11 13:54 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl

    2012-09-04 10:49 - 2010-11-05 03:12 - 01097793 ____A C:\Windows\WindowsUpdate.log

    2012-09-04 10:49 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

    2012-09-04 10:49 - 2009-07-13 20:39 - 00062909 ____A C:\Windows\setupact.log

    2012-09-04 10:38 - 2012-09-04 10:38 - 00017186 ____A C:\Users\fredk\Desktop\Attach.txt

    2012-09-04 10:37 - 2012-09-04 10:37 - 00029164 ____A C:\Users\fredk\Desktop\DDS.txt

    2012-09-04 10:22 - 2012-09-04 10:22 - 00607260 ____R (Swearware) C:\Users\fredk\Desktop\dds.com

    2012-09-04 09:54 - 2010-11-05 03:09 - 00038524 ____A C:\Windows\PFRO.log

    2012-08-31 16:26 - 2012-08-31 16:26 - 00000051 ____A C:\Users\fredk\AppData\Roaming\mbam.context.scan

    2012-08-31 16:01 - 2012-08-31 16:01 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-31 15:59 - 2012-08-31 15:59 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\fredk\Downloads\mbam-setup-1.62.0.1300.exe

    2012-08-31 14:30 - 2010-11-11 13:56 - 00002588 _RASH C:\Users\All Users\ntuser.pol

    2012-08-31 08:59 - 2012-01-31 14:23 - 00000320 ____A C:\Windows\Tasks\HPCeeScheduleForfredk.job

    2012-08-29 16:04 - 2010-12-22 09:25 - 00000600 ____A C:\Users\fredk\AppData\Roaming\winscp.rnd

    2012-08-29 11:27 - 2012-08-29 11:27 - 00265093 ____A C:\Users\fredk\Downloads\AWC_FORUM_EXTENSION.tar.gz

    2012-08-28 13:47 - 2011-01-05 15:07 - 00000052 ____A C:\Windows\System32\DOErrors.log

    2012-08-28 13:27 - 2012-08-15 09:59 - 00000600 ____A C:\Users\fredk\AppData\Local\PUTTY.RND

    2012-08-27 08:07 - 2012-04-05 09:10 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

    2012-08-27 08:07 - 2011-05-31 07:44 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

    2012-08-24 16:13 - 2012-08-24 16:13 - 00001326 ____A C:\Users\fredk\Desktop\MediaWiki.lnk

    2012-08-24 13:35 - 2012-08-24 13:35 - 08268544 ____A C:\Users\fredk\Downloads\PROD_wiki_db.sql

    2012-08-23 14:30 - 2012-08-23 14:30 - 00001076 ____A C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk

    2012-08-23 14:27 - 2012-08-23 14:27 - 95187288 ____A (Oracle Corporation) C:\Users\fredk\Downloads\VirtualBox-4.1.20-80170-Win.exe

    2012-08-21 11:30 - 2012-08-21 11:30 - 00033199 ____A C:\Users\fredk\Downloads\MediaWiki-20120821192828.xml

    2012-08-20 16:32 - 2012-08-23 14:30 - 00158552 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxDrv.sys

    2012-08-20 16:32 - 2012-08-23 14:30 - 00091992 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxUSBMon.sys

    2012-08-20 16:32 - 2012-08-20 16:32 - 00135512 ____A (Oracle Corporation) C:\Windows\System32\VBoxNetFltNobj.dll

    2012-08-20 16:32 - 2012-08-20 16:32 - 00116056 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetFlt.sys

    2012-08-20 16:32 - 2012-08-20 16:32 - 00104792 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetAdp.sys

    2012-08-20 11:31 - 2011-06-10 16:20 - 00487634 ____A C:\Users\fredk\Documents\Fred Time Analsys by Emails.xlsx

    2012-08-15 12:54 - 2011-08-18 16:26 - 00000435 ____A C:\Windows\System32\Drivers\etc\hosts.ics

    2012-08-15 02:23 - 2009-07-13 20:33 - 00411200 ____A C:\Windows\System32\FNTCACHE.DAT

    2012-08-15 02:04 - 2011-12-21 08:39 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

    2012-08-14 13:33 - 2012-08-14 13:33 - 01110476 ____A C:\Users\fredk\Downloads\7z920.exe

    2012-08-14 13:28 - 2012-08-14 13:28 - 00029609 ____A C:\Users\fredk\Downloads\UserMerge-MW1.15-48763.tar.tar

    2012-08-14 08:09 - 2012-08-14 08:09 - 00000220 ____A C:\Users\fredk\Downloads\index.php

    2012-08-06 15:29 - 2012-08-06 15:30 - 00049152 ___AT C:\Users\fredk\Documents\ProficioQryRslt.txt

    2012-08-06 14:49 - 2011-01-10 09:39 - 00002010 ___AH C:\Users\fredk\Documents\Default.rdp

    2012-08-01 13:27 - 2012-08-01 13:27 - 00596598 ____A C:\Users\fredk\Downloads\Word2MediaWikiPlus-1.0.0.zip

    2012-07-18 09:47 - 2012-08-14 23:05 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-07-11 07:42 - 2010-12-03 16:46 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll

    2012-07-11 07:42 - 2010-12-03 16:46 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll

    2012-07-11 07:42 - 2010-12-03 16:46 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll

    2012-07-06 11:23 - 2012-08-15 02:01 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys

    2012-07-04 13:16 - 2012-08-14 23:05 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

    2012-07-04 13:14 - 2012-08-14 23:05 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

    2012-07-04 13:14 - 2012-08-14 23:05 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

    2012-07-03 12:46 - 2012-08-31 16:01 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    2012-06-26 21:53 - 2012-08-14 23:05 - 01231360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

    2012-06-26 21:53 - 2012-08-14 23:05 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

    2012-06-26 21:53 - 2012-08-14 23:05 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

    2012-06-26 21:51 - 2012-08-14 23:05 - 06027776 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

    2012-06-26 21:51 - 2012-08-14 23:05 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

    2012-06-26 21:51 - 2012-08-14 23:05 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

    2012-06-26 21:50 - 2012-08-14 23:05 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

    2012-06-26 21:50 - 2012-08-14 23:05 - 02073600 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

    2012-06-26 21:50 - 2012-08-14 23:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

    2012-06-26 21:50 - 2012-08-14 23:05 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

    2012-06-26 20:10 - 2012-08-14 23:05 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

    2012-06-08 20:41 - 2012-07-10 23:51 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

    ZeroAccess:

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\@

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\L

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U\00000001.@

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U\80000000.@

    C:\Windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U\800000cb.@

    ZeroAccess:

    C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}

    C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\@

    C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\L

    C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

    C:\Windows\System32\User32.dll => MD5 is legit

    C:\Windows\System32\userinit.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK

    HKLM\...\exefile\DefaultIcon: %1 => OK

    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-07-20 05:57:08

    Restore point made on: 2012-07-24 08:20:35

    Restore point made on: 2012-07-26 12:01:57

    Restore point made on: 2012-07-31 01:31:46

    Restore point made on: 2012-08-03 04:31:16

    Restore point made on: 2012-08-07 04:12:50

    Restore point made on: 2012-08-07 22:20:43

    Restore point made on: 2012-08-14 02:21:03

    Restore point made on: 2012-08-15 02:00:32

    Restore point made on: 2012-08-22 23:00:29

    Restore point made on: 2012-08-23 14:29:33

    Restore point made on: 2012-08-29 07:32:56

    ==================== Memory info ===========================

    Percentage of memory in use: 24%

    Total physical RAM: 1967.38 MB

    Available physical RAM: 1491.85 MB

    Total Pagefile: 1967.38 MB

    Available Pagefile: 1494.64 MB

    Total Virtual: 2047.88 MB

    Available Virtual: 1952.7 MB

    ==================== Partitions ============================

    1 Drive c: () (Fixed) (Total:215.59 GB) (Free:96.91 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    2 Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:4.42 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    3 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.49 GB) FAT32

    5 Drive h: (PNY BLUE) (Removable) (Total:3.68 GB) (Free:2.7 GB) FAT

    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt

    -------- ------------- ------- ------- --- ---

    Disk 0 Online 232 GB 0 B

    Disk 1 Online 3768 MB 0 B

    Partitions of Disk 0:

    ===============

    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    Partition 1 Primary 300 MB 1024 KB

    Partition 2 Primary 215 GB 301 MB

    Partition 3 Primary 15 GB 215 GB

    Partition 4 Primary 2043 MB 230 GB

    ==================================================================================

    Disk: 0

    Partition 1

    Type : 07

    Hidden: No

    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 1 Y SYSTEM NTFS Partition 300 MB Healthy

    ==================================================================================

    Disk: 0

    Partition 2

    Type : 07

    Hidden: No

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 2 C NTFS Partition 215 GB Healthy

    ==================================================================================

    Disk: 0

    Partition 3

    Type : 07

    Hidden: No

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 3 E HP_RECOVERY NTFS Partition 15 GB Healthy

    ==================================================================================

    Disk: 0

    Partition 4

    Type : 0C

    Hidden: No

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 4 F HP_TOOLS FAT32 Partition 2043 MB Healthy

    ==================================================================================

    Partitions of Disk 1:

    ===============

    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    * Partition 1 Primary 3768 MB 0 B

    ==================================================================================

    Disk: 1

    There is no partition selected.

    There is no partition selected.

    Please select a partition and try again.

    ==================================================================================

    Last Boot: 2012-08-27 16:57

    ==================== End Of Log =============================

  3. RogueKiller V8.0.2 [08/31/2012] by Tigzy

    mail: tigzyRK<at>gmail<dot>com

    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

    Started in : Normal mode

    User : fredk [Admin rights]

    Mode : Scan -- Date : 09/04/2012 12:19:50

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤

    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    [ZeroAccess][FILE] @ : C:\windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\@ --> FOUND

    [ZeroAccess][FOLDER] U : C:\windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U --> FOUND

    [ZeroAccess][FOLDER] L : C:\windows\Installer\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\L --> FOUND

    [ZeroAccess][FILE] @ : C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\@ --> FOUND

    [ZeroAccess][FOLDER] U : C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\U --> FOUND

    [ZeroAccess][FOLDER] L : C:\Users\fredk\AppData\Local\{49e6e453-5a06-05af-cc9f-99c9c89bf300}\L --> FOUND

    [susp.ASLR|Sig - ZeroAccess][FILE] services.exe : C:\windows\system32\services.exe --> FOUND

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    --> C:\windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9250410AS +++++

    --- User ---

    [MBR] 70b35d3a634fda3993d857406c01a50e

    [bSP] 6606ccbb325a4a9d27ff1bb85d67f098 : Windows 7 MBR Code

    Partition table:

    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo

    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 220763 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 452739072 | Size: 15360 Mo

    3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 484196352 | Size: 2043 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>

    RKreport[1].txt
