Threeff
Group: Honorary Members | Posts: 38

Everything posted by Threeff
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

Again, thank you Sir.
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

Thanks MrC. I did all of the above steps. Now for the big question: was this ZeroAccess infection the result of not killing it totally a couple of months ago, or is it a coincidence that I was infected again from an external source? If this virus is impossible to completely get rid of, maybe I need a total reformat. Thanks again, I really appreciate your doing this and your professionalism.
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

Security Check log:

 Results of screen317's Security Check version 0.99.74
 Windows XP Service Pack 3 x86
 Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Free Antivirus
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300
 CCleaner
 Adobe Flash Player 11.8.800.168
 Adobe Reader 7  Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
 AVAST Software Avast AvastSvc.exe
 AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

M-Byte - 1 Object Found. Computer is a little faster, but not 100%. While typing on a webpage, letters showed up slowly. Will run Security Check.....

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.07.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/7/2013 12:48:14 PM
MBAM-log-2013-10-07 (13-01-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241470
Time elapsed: 12 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

ADWCleaner log (Mware-b to follow):

# AdwCleaner v3.006 - Report created 07/10/2013 at 12:30:18
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : CPQ OWNER - YOUR-4105E587B6
# Running from : C:\Documents and Settings\CPQ OWNER\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


*************************

AdwCleaner[R0].txt - [1675 octets] - [07/10/2013 11:55:04]
AdwCleaner[S0].txt - [1618 octets] - [07/10/2013 12:30:18]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1678 octets] ##########
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

Pretty sure I don't need any of this, but what do you think? I'd hate to get this far and mess it up!!!

# AdwCleaner v3.006 - Report created 07/10/2013 at 11:55:04
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : CPQ OWNER - YOUR-4105E587B6
# Running from : C:\Documents and Settings\CPQ OWNER\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


*************************

AdwCleaner[R0].txt - [1535 octets] - [07/10/2013 11:55:04]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1595 octets] ##########
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

ComboFix log:

ComboFix 13-10-04.02 - CPQ OWNER 10/07/2013   9:33.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1150.698 [GMT -4:00]
Running from: c:\documents and settings\CPQ OWNER\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab
c:\documents and settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-07 to 2013-10-07  )))))))))))))))))))))))))))))))
.
.
2013-10-07 12:32 . 2013-10-07 12:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-07 12:27 . 2013-10-07 12:27   105176   ----a-w-   c:\windows\system32\drivers\48230029.sys
2013-10-07 02:17 . 2013-10-07 02:17   --------   d-----w-   C:\FRST
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2013-09-26 12:21 . 2013-09-26 12:21   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-26 12:47 . 2012-04-12 14:09   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-09-26 12:47 . 2011-05-21 17:50   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-30 07:48 . 2013-08-21 13:58   369584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2013-08-30 07:48 . 2013-08-21 13:58   56080   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2013-08-30 07:48 . 2013-08-21 13:58   177864   ----a-w-   c:\windows\system32\drivers\aswVmm.sys
2013-08-30 07:48 . 2013-08-21 13:58   49760   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2013-08-30 07:48 . 2013-08-21 13:58   770344   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2013-08-30 07:48 . 2013-08-21 13:58   49376   ----a-w-   c:\windows\system32\drivers\aswRvrt.sys
2013-08-30 07:48 . 2013-08-21 13:58   29816   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2013-08-30 07:48 . 2013-08-21 13:58   66336   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2013-08-30 07:47 . 2013-08-21 13:54   41664   ----a-w-   c:\windows\avastSS.scr
2013-08-30 07:47 . 2013-08-21 13:58   229648   ----a-w-   c:\windows\system32\aswBoot.exe
2013-08-21 13:50 . 2013-08-21 13:48   117478104   ----a-w-   c:\program files\avast_free_antivirus_setup.exe
2013-08-09 01:56 . 2004-08-04 08:00   386560   ----a-w-   c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-08-04 08:00   920064   ----a-w-   c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2004-08-04 08:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-08-04 08:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-08-04 08:00   18944   ----a-w-   c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2004-08-04 08:00   1877760   ----a-w-   c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-04 08:00   385024   ----a-w-   c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-08-04 08:00   1289728   ----a-w-   c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 02:47   1543680   ------w-   c:\windows\system32\wmvdecod.dll
2013-08-03 15:40 . 2013-08-03 15:40   35144   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2013-07-10 10:37 . 2004-08-04 08:00   406016   ----a-w-   c:\windows\system32\usp10.dll
2010-10-25 18:36 . 2010-10-25 18:36   3524936   ----a-w-   c:\program files\noteburner.exe
2010-10-12 02:46 . 2010-10-12 02:46   6153352   ----a-w-   c:\program files\mbam-setup-1.46.exe
2010-05-16 21:09 . 2010-05-16 21:09   12383736   ----a-w-   c:\program files\picasa36-setup.exe
2008-12-11 20:02 . 2008-12-11 20:02   355136   -c--a-w-   c:\program files\SansaUpdaterInstall.exe
2008-10-08 00:52 . 2008-10-08 00:52   2934168   ----a-w-   c:\program files\ccsetup212.exe
2008-07-17 14:01 . 2008-07-17 14:01   6104632   -c--a-w-   c:\program files\picasaweb-current-setup.exe
2007-07-26 16:57 . 2007-07-26 16:57   470744   ----a-w-   c:\program files\msgr8us.exe
2006-12-31 18:23 . 2006-12-31 18:23   12754672   ----a-w-   c:\program files\MP10Setup.exe
2006-11-16 16:52 . 2006-11-16 16:52   8037624   -c--a-w-   c:\program files\tunebite.exe
2006-10-14 13:58 . 2006-10-14 13:58   12841240   -c--a-w-   c:\program files\SkypeSetup.exe
2006-09-10 01:44 . 2006-09-10 01:44   4983528   ----a-w-   c:\program files\GoogleVideoPlayerSetup.exe
2006-08-29 22:11 . 2006-08-29 22:11   905216   ----a-w-   c:\program files\iview398.exe
2006-05-14 19:50 . 2006-05-14 19:50   12089417   -c--a-w-   c:\program files\ysitebuilder.exe
2006-05-14 19:37 . 2006-05-14 19:36   11817800   ----a-w-   c:\program files\GoogleEarth.exe
2005-11-04 17:04 . 2005-11-04 17:04   231993   -c--a-w-   c:\program files\WSUS.EXE
2005-10-24 22:53 . 2005-10-24 22:53   7680064   ----a-w-   c:\program files\DivX521xp2k.exe
2005-09-29 20:37 . 2005-09-29 20:37   34235626   -c--a-w-   c:\program files\Nero-6.6.0.16.exe
2005-09-22 01:42 . 2005-09-22 01:42   1226512   -c--a-w-   c:\program files\proxyconn.exe
2005-09-16 03:27 . 2005-09-16 03:08   381480   ----a-w-   c:\program files\msgr7us.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47   121968   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-21 19875432]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0250Ext.ax"="c:\windows\system32\V0250Ext.ax" [X]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"(A0)"="c:\documents and settings\CPQ OWNER\Desktop\Mbar\mbar\mbar.exe" [2013-08-13 1178424]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-07-14 01:05   344064   ----a-w-   c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 21:01   233534   ----a-w-   c:\program files\HPQ\Default Settings\Cpqset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24   290816   ----a-w-   c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11   49152   ----a-w-   c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-01 22:11   794624   ----a-w-   c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10   421160   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 20:54   253952   ----a-w-   c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   --sh--w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-07-10 07:03   26112   ----a-w-   c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-03-04 10:36   36975   ----a-w-   c:\program files\Java\jre1.5.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-06 16:16   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11   692316   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12   102492   ----a-w-   c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-07-16 19:17   4670704   ----a-w-   c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [8/21/2013 9:58 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [8/21/2013 9:58 AM 177864]
R0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\48230029.sys [10/7/2013 8:27 AM 105176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/21/2013 9:58 AM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/21/2013 9:58 AM 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/21/2013 9:58 AM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [8/21/2013 9:58 AM 66336]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 11:18 AM 200192]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [8/3/2013 11:40 AM 35144]
S2 gupdate1c9adae1d0975a6;Google Update Service (gupdate1c9adae1d0975a6);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 8:59 PM 133104]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [9/16/2013 12:29 PM 3273088]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/21/2013 9:53 AM 162408]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [12/31/2006 11:18 AM 163840]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32   128512   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 12:48]
.
2013-10-07 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-08-21 07:47]
.
2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:59]
.
2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:59]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-07 09:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-10-07  09:49:05
ComboFix-quarantined-files.txt  2013-10-07 13:49
.
Pre-Run: 1,651,900,416 bytes free
Post-Run: 1,726,996,480 bytes free
.
- - End Of File - - BE0FD1D960EBDDDB9134EBB75D9E1241
E5FA06ACA0D60BA9C870D0EF3D9898C9
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

RogueKiller log:

RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : CPQ OWNER [Admin rights]
Mode : Scan -- Date : 10/07/2013 09:12:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] StartupMonitor.exe -- C:\WINDOWS\StartupMonitor.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : (A0) (cmd /c "C:\Documents and Settings\CPQ OWNER\Desktop\Mbar\mbar\mbar.exe" /rdv /s [7]) -> FOUND
[SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND
[SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND
[SERVICE][ROGUE ST] HKLM\[...]\CS003\[...]\Services : MBAMSwissArmy (C:\WINDOWS\system32\drivers\48230029.sys [7]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[122] : NtOpenProcess @ 0x805C1512 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFC54)
[Address] SSDT[128] : NtOpenThread @ 0x805C179E -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB85AFD44)
[inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[inline] EAT @iexplore.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D118A0)
[inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)
[inline] EAT @iexplore.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11A70)
[inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 405dba045b3d8f3e86599d0759ec383d
[BSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10072013_091225.txt >>
RKreport[0]_S_10062013_220147.txt
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

Mbar ran clean. Will run RogueKiller again.....

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.10.07.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/7/2013 8:32:50 AM
mbar-log-2013-10-07 (08-32-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 244153
Time elapsed: 25 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
Re-infected with ZeroAccess, or False Positive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs

Attachments: mbar-log-2013-10-07 (00-02-55).txt, system-log.txt

2nd Mbar results. Found 0Access. Will run again...

Mbar-log:

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.10.07.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/7/2013 12:02:55 AM
mbar-log-2013-10-07 (00-02-55).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 244021
Time elapsed: 23 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG (Rootkit.0Access) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

System-log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 559333376

=======================================
Initializing...
DDA Driver installation error. Driver installed on boot. Reboot required.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 855552000

=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 94E494E4

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 117194112
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 60011642880 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 544288768

Downloaded database version: v2013.10.07.02
Downloaded database version: v2013.09.30.01
=======================================
Initializing...
DDA Driver installation error. Driver installed on boot. Reboot required.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 843599872

=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 94E494E4

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 117194112
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 60011642880 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)...
Done!
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG --> [Rootkit.0Access]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 884793344

=======================================
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Mbar System log........

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 559333376

=======================================
Initializing...
DDA Driver installation error. Driver installed on boot. Reboot required.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.600000 GHz
Memory total: 1206370304, free: 855552000

=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 94E494E4

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 117194112
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 60011642880 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-117190240-117210240)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

Mbar Log.........

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.07.26.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPQ OWNER :: YOUR-4105E587B6 [administrator]

10/6/2013 10:51:31 PM
mbar-log-2013-10-06 (22-51-31).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 258870
Time elapsed: 23 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Running Mbar Again...............
-
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Fixlog......

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by CPQ OWNER at 2013-10-06 22:37:45 Run:1
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
*****************

*etadpug => Service deleted successfully.

==== End of Fixlog ====

Will run anti-rootkit now.......
-
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Ran Farbar without closing Rogue.... seemed to work

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by CPQ OWNER (administrator) on YOUR-4105E587B6 on 06-10-2013 22:18:24
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastUI.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
() C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Run StartupMonitor] - C:\Windows\StartupMonitor.exe [86016 2000-05-20] ()
HKLM\...\Run: [C:\WINDOWS\system32\V0250Ext.ax] - C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0250Ext.ax
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [ATIPTA] - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-07-13] (ATI Technologies, Inc.)
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-08-30] (AVAST Software)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-02-06] (Google Inc.)
HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [19875432 2013-06-21] (Skype Technologies S.A.)
HKCU\...\Run: [updateMgr] - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [313472 2006-03-30] (Adobe Systems Incorporated)
HKU\Administrator\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {11C0E1A0-5535-4364-A4A4-1603AC408598} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
SearchScopes: HKCU - {11C0E1A0-5535-4364-A4A4-1603AC408598} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
SearchScopes: HKCU - {4A16CC46-CF4B-4C4C-A5EC-0F91C4243308} URL = http://delicious.com/search?p={searchTerms}
SearchScopes: HKCU - {4BE5F0CE-AB46-4FC8-A5BB-96511AECDC22} URL = http://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKCU - {F13A0B7D-4119-4CBA-8E31-7A8EABF0756D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll No File
BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
Toolbar: HKCU - No Name - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
Toolbar: HKCU - No Name - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129639333390
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1263.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-win32.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
S2 gupdate1c9adae1d0975a6; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-03-25] (Google Inc.)
S3 hpqwmi; C:\Program Files\HPQ\SHARED\HPQWMI.exe [98304 2005-03-04] (Hewlett-Packard Development Company, L.P.)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [38912 2005-02-22] ()
S3 SandraDataSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe [173040 2005-03-01] (SiSoftware)
R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [39424 2004-08-11] (Advanced Micro Devices)
R2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2005-07-10] (Windows ® 2000 DDK provider)
R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-08-30] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [66336 2013-08-30] (AVAST Software)
R1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-08-30] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-08-30] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-08-30] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177864 2013-08-30] ()
R3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1391104 2008-10-23] (Broadcom Corporation)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [55320 2005-01-18] (Broadcom Corporation.)
R1 eabfiltr; C:\WINDOWS\system32\drivers\EABFiltr.sys [7432 2004-04-14] (Hewlett-Packard Company)
S3 eabusb; C:\WINDOWS\system32\drivers\eabusb.sys [5220 2003-06-06] (Hewlett-Packard Company)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [8320 2007-03-08] (GARMIN Corp.)
R3 HSFHWATI; C:\Windows\System32\DRIVERS\HSFHWATI.sys [200192 2004-12-15] (Conexant Systems, Inc.)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-08-03] ()
R2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2008-05-20] (RealNetworks, Inc.)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtlnicxp.sys [74496 2005-03-03] (Realtek Semiconductor Corporation )
S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2006-07-24] ()
S3 tbhsd; C:\Windows\System32\drivers\tbhsd.sys [15488 2006-06-21] (RapidSolution Software AG)
U3 TrueSight; C:\WINDOWS\system32\TrueSight.sys [26624 2013-10-06] ()
S3 USB_RNDIS_XP; C:\Windows\System32\DRIVERS\usb8023.sys [12928 2013-02-11] (Microsoft Corporation)
S3 V0250Dev; C:\Windows\System32\DRIVERS\V0250Dev.sys [163840 2006-04-05] (Creative Technology Ltd.)
U5 P3; C:\Windows\System32\Drivers\P3.sys [42752 2008-04-13] (Microsoft Corporation)
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr;
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-06 22:17 - 2013-10-06 22:17 - 00000000 ____D C:\FRST
2013-10-06 22:14 - 2013-10-06 22:15 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
2013-10-06 22:01 - 2013-10-06 22:01 - 00006221 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RKreport[0]_S_10062013_220147.txt
2013-10-06 21:56 - 2013-10-06 21:56 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys
2013-10-06 18:08 - 2013-10-06 22:01 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\RK_Quarantine
2013-10-06 18:07 - 2013-10-06 18:07 - 00950272 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
2013-10-01 09:43 - 2013-10-06 11:37 - 00000783 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Vanity Light.txt
2013-09-17 14:59 - 2013-09-17 14:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$

==================== One Month Modified Files and Folders =======

2013-10-06 22:17 - 2013-10-06 22:17 - 00000000 ____D C:\FRST
2013-10-06 22:16 - 2006-10-14 09:59 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Application Data\Skype
2013-10-06 22:15 - 2013-10-06 22:14 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
2013-10-06 22:01 - 2013-10-06 22:01 - 00006221 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RKreport[0]_S_10062013_220147.txt
2013-10-06 22:01 - 2013-10-06 18:08 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\RK_Quarantine
2013-10-06 21:56 - 2013-10-06 21:56 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys
2013-10-06 18:10 - 2013-08-27 08:02 - 00400824 _____ C:\WINDOWS\WindowsUpdate.log
2013-10-06 18:07 - 2013-10-06 18:07 - 00950272 _____ C:\Documents and Settings\CPQ OWNER\Desktop\RogueKiller.exe
2013-10-06 17:45 - 2012-04-12 10:10 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-10-06 17:22 - 2009-07-10 15:14 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-06 12:45 - 2013-08-21 09:58 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2013-10-06 12:45 - 2004-08-07 09:16 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2013-10-06 12:44 - 2009-07-10 15:14 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-06 12:44 - 2004-08-07 09:16 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-10-06 12:44 - 2004-08-07 01:51 - 00000157 _____ C:\WINDOWS\wiadebug.log
2013-10-06 12:44 - 2004-08-07 01:51 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-10-06 12:43 - 2011-05-01 14:05 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2506212$
2013-10-06 12:41 - 2005-07-04 07:53 - 00000278 ___SH C:\Documents and Settings\CPQ OWNER\ntuser.ini
2013-10-06 12:41 - 2004-08-07 09:16 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt
2013-10-06 11:47 - 2005-07-04 07:53 - 00000000 ____D C:\Documents and Settings\CPQ OWNER
2013-10-06 11:37 - 2013-10-01 09:43 - 00000783 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Vanity Light.txt
2013-10-02 13:01 - 2005-10-10 06:10 - 00000116 _____ C:\WINDOWS\NeroDigital.ini
2013-09-28 19:33 - 2005-07-16 06:13 - 00044544 _____ C:\Documents and Settings\CPQ OWNER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-09-26 21:31 - 2007-07-15 11:45 - 00000000 ___RD C:\Program Files\Skype
2013-09-26 21:31 - 2007-07-15 11:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2013-09-26 20:50 - 2006-09-11 10:59 - 00457728 ___SH C:\Documents and Settings\CPQ OWNER\Desktop\Thumbs.db
2013-09-26 20:44 - 2005-09-15 07:10 - 00001613 _____ C:\WINDOWS\PStudio.ini
2013-09-26 08:58 - 2004-08-07 08:58 - 00002577 ____C C:\WINDOWS\system32\CONFIG.NT
2013-09-26 08:47 - 2012-04-12 10:09 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-09-26 08:47 - 2011-05-21 13:50 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-09-17 20:46 - 2004-08-07 09:02 - 00312376 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-09-17 15:02 - 2009-05-31 18:00 - 00000000 ____D C:\WINDOWS\ie8updates
2013-09-17 14:59 - 2013-09-17 14:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$
2013-09-17 14:58 - 2013-09-17 14:58 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$
2013-09-17 14:53 - 2004-08-07 08:58 - 00000603 _____ C:\WINDOWS\win.ini
2013-09-17 14:51 - 2013-07-16 22:05 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-09-17 14:43 - 2005-09-30 20:52 - 76725432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-09-17 10:18 - 2013-04-11 14:33 - 00001132 _____ C:\Documents and Settings\CPQ OWNER\Desktop\Aztlan.txt
2013-09-08 11:48 - 2008-12-29 10:21 - 00000000 ____D C:\Documents and Settings\CPQ OWNER\Desktop\Pictures - New
2013-09-08 11:19 - 2008-01-22 13:50 - 00000000 ____D C:\WINDOWS\system32\FxsTmp

Some content of TEMP:
====================
C:\Documents and Settings\CPQ OWNER\Local Settings\temp\ntdll_dump.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition log:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-10-2013
Ran by CPQ OWNER at 2013-10-06 22:19:37
Running from C:\Documents and Settings\CPQ OWNER\Desktop\Farbar
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus (Version: 5.0.0.3501)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.175)
Adobe Flash Player 11 Plugin (Version: 11.8.800.168)
Adobe Photoshop 7.0 (Version: 7.0)
Adobe Photoshop Album 2.0 Starter Edition (Version: 2.00.100)
Adobe Reader 7.1.0 (Version: 7.1.0)
Apple Application Support (Version: 1.3.2)
Apple Mobile Device Support (Version: 3.2.0.47)
Apple Software Update (Version: 2.1.2.120)
ArcSoft VideoImpression 1.6FP
Athlon 64 Processor Driver (Version: 1.1.0.18)
ATI - Software Uninstall Utility (Version: 6.14.10.1012)
ATI Control Panel (Version: 6.14.10.5160)
ATI Display Driver (Version: 8.16-050713a1-025450C)
Audacity 1.2.4
AutoUpdate (Version: 1.0)
avast! Free Antivirus (Version: 8.0.1497.0)
Bonjour (Version: 2.0.3.0)
Canon ScanGear Toolbox CS 2.2
CCleaner (Version: 2.29)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Conexant AC-Link Audio
Creative Live! Cam Notebook Pro Driver (1.01.03.0405)
Creative Live! Cam Notebook Pro User's Guide (English)
Creative System Information
Creative WebCam Center
Data Fax SoftModem with SmartCP
DivX (Version: 5.2.1)
DivX Player (Version: 2.5.5)
DVD Shrink 3.2
FinePixViewer Ver.2.0
FUJIFILM USB Driver
Garmin Trip and Waypoint Manager v5 (Version: 5.0.0.0)
Genesys USB Mass Storage Device
Get Yahoo! Messenger
Google Earth (Version: 7.1.1.1888)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Google Update Helper (Version: 1.3.21.153)
Google Video Player
HP Help and Support (Version: 3.200.16.1)
HP Product Detection (Version: 11.15.0009)
HP Software Update (Version: 3.0.5.001)
HP User Guides 0001 (Version: 1.00.0003)
HP Wireless Assistant 1.01 A2 (Version: 1.01 A2)
HpSdpAppCoreApp (Version: 3.00.0000)
InterActual Player
InterVideo WinDVD (Version: 5.0-B11.637)
IrfanView (remove only)
iTunes (Version: 10.0.1.22)
J2SE Runtime Environment 5.0 Update 2 (Version: 1.5.0.20)
Learn2 Player (Uninstall Only)
LS_HSI (Version: 1.0.21.1)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Media Player Codec Pack 4.1.1
MediaMonkey 3.2 (Version: 3.2)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Money 2005 (Version: 14)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.04.0623)
MSN
MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee autoProducer 4.0 - SE (Version: 4.00.050)
Nero 6 Demo
NoteBurner 2.31
Picasa 3 (Version: 3.9)
Quick Launch Buttons 5.10 B2 (Version: 5.10 B2)
QuickTime (Version: 7.68.75.0)
RealPlayer Basic
Rhapsody Player Engine (Version: 1.0.604)
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung USB Driver (MCCI 4.34) WHQL v3.4 (Version: 4.34.4)
Sansa Updater
ScanToWeb
SiSoftware Sandra Lite 2005.SR1 (Win64/32/CE) (Version: 10.50.2005.3)
Skype Click to Call (Version: 6.12.13601)
Skype™ 6.6 (Version: 6.6.106)
Sonic Audio Module (Version: 2.0.0)
Sonic Copy Module (Version: 2.0.0)
Sonic Data Module (Version: 2.0.0)
Sonic Express Labeler (Version: 2.0.0)
Sonic MyDVD Plus (Version: 6.1.0)
Sonic Update Manager (Version: 3.0.0)
StartupMonitor (Version: 1.0.2.0)
Synaptics Pointing Device Driver (Version: 7.13.0.1)
Texas Instruments PCIxx21/x515/xx12 drivers. (Version: 1.20.0000)
The Rosetta Stone
TIPCI (Version: 1.20.0000)
Tunatic
Tweak UI
Update for Windows Internet Explorer 8 (KB971180) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WD Diagnostics (Version: 1.07.0000)
WD Firewire HID Driver (Version: 1.04.0001)
WebFldrs XP (Version: 9.50.7523)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
XnView 1.99.5 (Version: 1.99.5)
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Software Update
Yahoo! Toolbar

==================== Restore Points =========================

21-08-2013 02:49:05 Software Distribution Service 3.0
21-08-2013 13:52:46 avast! Free Antivirus Setup
21-08-2013 14:04:35 Removed Symantec AntiVirus
26-08-2013 13:32:11 System Checkpoint
29-08-2013 01:11:50 Software Distribution Service 3.0
04-09-2013 23:17:57 System Checkpoint
09-09-2013 05:35:55 System Checkpoint
17-09-2013 18:42:42 Software Distribution Service 3.0
27-09-2013 01:43:44 System Checkpoint
28-09-2013 16:09:33 System Checkpoint
04-10-2013 13:22:15 System Checkpoint
05-10-2013 20:43:05 System Checkpoint

==================== Hosts content: ==========================

2004-08-04 04:00 - 2013-08-02 21:16 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-10-06 12:57 - 2013-10-06 10:01 - 02104832 _____ () C:\Program Files\AVAST Software\Avast\defs\13100601\algo.dll
2004-08-04 04:00 - 2008-04-13 20:11 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-04 04:00 - 2008-04-13 20:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2004-08-04 04:00 - 2008-04-13 20:12 - 00192512 _____ () C:\WINDOWS\system32\qcap.dll
2004-08-04 04:00 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (10/06/2013 06:08:19 PM) (Source: Application Hang) (User: )
Description: Hanging application AvastUI.exe, version 8.0.1497.376, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2013 10:18:48 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2013 10:18:41 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15782

Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/03/2013 07:07:32 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/02/2013 01:34:38 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15609

System errors:
=============
Error: (10/06/2013 09:51:30 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 09:51:01 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 00:44:39 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: AliIde IntelIde ViaIde

Error: (10/06/2013 11:32:36 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 11:32:04 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 08:55:10 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/06/2013 08:54:38 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (10/05/2013 00:33:22 PM) (Source: Dhcp) (User: )
Description: The IP address lease 172.16.3.42 for the Network Card with network address 00904BF14AC6 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

Error: (10/05/2013 00:33:02 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.

Error: (10/04/2013 04:18:27 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
Microsoft Office Sessions: ========================= Error: (10/06/2013 06:08:19 PM) (Source: Application Hang)(User: ) Description: AvastUI.exe8.0.1497.376hungapp0.0.0.000000000 Error: (10/06/2013 10:18:48 AM) (Source: Application Hang)(User: ) Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000 Error: (10/06/2013 10:18:41 AM) (Source: Application Hang)(User: ) Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000 Error: (10/06/2013 10:18:41 AM) (Source: Application Hang)(User: ) Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000 Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 15782 Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledEvent 15782 Error: (10/03/2013 09:13:40 PM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: Continuously busy for more than a second Error: (10/03/2013 07:07:32 PM) (Source: Application Hang)(User: ) Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000 Error: (10/03/2013 07:07:32 PM) (Source: Application Hang)(User: ) Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000 Error: (10/02/2013 01:34:38 PM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 15609 ==================== Memory info =========================== Percentage of memory in use: 85% Total physical RAM: 1150.48 MB Available physical RAM: 167.68 MB Total Pagefile: 2178.03 MB Available Pagefile: 1174.42 MB Total Virtual: 2047.88 MB Available Virtual: 1949.84 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:55.88 GB) (Free:1.87 GB) NTFS ==>[Drive with boot components (Windows XP)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 56 GB) (Disk ID: 94E494E4) Partition 1: (Active) - (Size=56 GB) - 
(Type=07 NTFS) ==================== End Of Log ============================ -
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Should I close RogueKiller before running Farbar? -
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
The file {ff24043d-55f8-5ce9-a20a-8337d9b4b888} seems the same as the last infection 2 months ago. -
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
The first scan using RogueKiller didn't seem to work right. This is the result:

[Params]
EulaAccepted=true

I ran again with a better result:

RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : CPQ OWNER [Admin rights]
Mode : Scan -- Date : 10/06/2013 22:01:47
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 6 ¤¤¤
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\ \ \???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe" < [x]) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[Inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[Inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[Inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[Inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[Inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[Inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[Inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[Inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[Inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[Inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[Inline] EAT @iexplore.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D118A0)
[Inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)
[Inline] EAT @iexplore.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11A70)
[Inline] EAT @iexplore.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A520)
[Inline] EAT @iexplore.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0A630)
[Inline] EAT @iexplore.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C370)
[Inline] EAT @iexplore.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0C5C0)
[Inline] EAT @iexplore.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BB20)
[Inline] EAT @iexplore.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0BF90)
[Inline] EAT @iexplore.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0ACD0)
[Inline] EAT @iexplore.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B1A0)
[Inline] EAT @iexplore.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0B8B0)
[Inline] EAT @iexplore.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D0E980)
[Inline] EAT @iexplore.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D11400)
[Inline] EAT @iexplore.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D116D0)
[Inline] EAT @iexplore.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x64D115A0)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 405dba045b3d8f3e86599d0759ec383d
[BSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10062013_220147.txt >> -
Re-infected with Zero Access, or False Possitive?
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
I've switched from Symantec to Avast, which has not detected anything so far. -
MrCharlie did a great job helping me with this issue a few months ago. We went through the process and the computer seemed clean. She started running a little slow, so I ran Malwarebytes Chameleon and the log is as follows (Windows XP SP3):

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.06.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: YOUR-4105E587B6 [administrator]

10/6/2013 12:07:02 PM
MBAM-log-2013-10-06 (12-23-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240163
Time elapsed: 15 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab (PUP.Optional.DefaultTab.A) -> No action taken.

Files Detected: 1
C:\Documents and Settings\CPQ OWNER\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll (PUP.Optional.DefaultTab) -> No action taken.

(end)

Do I have the same infection, a new infection or a false positive? The original thread for this virus is titled "ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte", 2 Aug 2013.
-
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Thanks once more!!! -
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Sorry to bug you again MrC. After running M-byte one last time (I'm clean), I went to view a news video on YouTube, and every time a window is displayed over the video which says:

Adobe Flash Player Settings
Local Storage
s.ytimg.com is requesting permission to store information on your computer.
Requested: up to 10 KB
Currently Used: 0 KB
ALLOW DENY

Any advice on what this is? I've never seen it before. -
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Cheers !!!! -
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
MrC, I ran RogueKiller with my external HD attached and it found these:

RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : CPQ OWNER [Admin rights]
Mode : Scan -- Date : 08/03/2013 11:22:51
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] StartupMonitor.exe -- C:\WINDOWS\StartupMonitor.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[31] : NtConnectPort @ 0x80599B2A -> HOOKED (Unknown @ 0x8898ADB8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 405dba045b3d8f3e86599d0759ec383d
[BSP] 8b0279795ab923368d682d692e6d4962 : Empty MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57223 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 7c9ed30bd74da1063d4a90f11130162a
[BSP] b20e22e1615d2a9055254f006a3f6761 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 381551 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: TOSHIBA MK6025GAS +++++
--- User ---
[MBR] 3aa9ddfca72963c0ef19b1a361227bb7
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 253 | Size: 1927 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08032013_112251.txt >>

1 Process, 5 Registry and 1 Driver issue. Do I need to delete all/some of these? -
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Will do sir...... have a great day and thanks again!!!! -
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
....for the external HD, that is. -
ZeroAccess.C & Trojan.Gen.2 Defeats M-warebyte
Threeff replied to Threeff's topic in Resolved Malware Removal Logs
Which program should I run to check for ZeroAccess? Will my Symantec suffice, or should I use a specialized tool?