Need help cant remove Rootkit.0Access from computer :(

wolfshalabh · June 29, 2012

I ran malwarebytes scan about a week ago and thought I deleted it. Scanned again today and it was still there. I only really noticed it today because random music suddenly started playing on my computer. Multiple times even when I had no programs open. How can I get rid of it without having to reformat my whole system?

here is a log:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.27.02

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Amitabh :: AMITABH-PC [administrator]

6/28/2012 10:08:12 PM

mbam-log-2012-06-28 (22-08-12).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 314127

Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\Installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

wolfshalabh · June 29, 2012

Also another question: Would doing a system restore solve the problem quickly? If I restored my computer to 2 weeks ago before the rootkit.

MrCharlie · June 29, 2012

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!)

Post back the report.

MrC

wolfshalabh · June 29, 2012

I have attached the files and logs

Attach.txt

DDS.txt

RKreport2.txt

MrCharlie · June 29, 2012

Run RogueKiller again and click Scan > when the scan completes > click the Files/Folders tab and put a check next to these and uncheck the rest:

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\n --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U --> FOUND
[ZeroAccess][FILE] n : c:\users\amitabh\appdata\local\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\n --> FOUND
[ZeroAccess][FILE] @ : c:\users\amitabh\appdata\local\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\@ --> FOUND

know click Delete on the right hand side.

------------------------------------

Next........

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

wolfshalabh · June 29, 2012

I have attached the log. What do I do next now?

TDSSKiller.2.7.43.0_29.06.2012_11.53.02_log.txt

MrCharlie · June 29, 2012

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

wolfshalabh · June 29, 2012

Combofix wont seem to install on my computer. Ive disabled all malware and anti virus programs, saved it to desktop. But when I run the installer it freezes on output C:\32788R22FWJFW

Also after a few minutes it exits out of the installer and flashes a prompt screen saying warning, however I dont know what it says because the prompt screen disappears after 2 seconds. What is going on?

Also I ran Malwarebytes again and the Rootkit is still there... plus now an additional 4 malwares are being detected, but I think its detecting rougekiller as malware. Please help.

MrCharlie · June 29, 2012

Can you post the log from Malwarebytes.

-----------------------

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Make sure ComboFix is on your desktop.

Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now.

MrC

wolfshalabh · June 29, 2012

The log is still reading the same now after I rebooted,

it's still showing C:\Windows\Installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

My new problem now is that I did as you stated above and ran it in safe mode. But now I get 2 errors.

First error: It tells me that McAfee is running and needs to be stopped. However in Safe mode Mcafee is not running at all. I even ran task manager and killed all the services and processes related to McAfee, but it still gives me the error

Second error: Combofix still runs however when the command prompt loads it says "attempting to run Combofix" But then under that it displays the error "You do not have administrative privlages to run this, please run in admin prompt."

I also tried right clicking and running as administrator but I still received the same error.

Why cant I run combofix? And the malware still seems to be on my PC.

MrCharlie · June 29, 2012

Delete your copy of RogueKiller and download a new one and run it.

RogueKiller

Post the log, MrC

wolfshalabh · June 30, 2012

I managed to get combofix to run and finish successfully however it did not create a log file... it created a file in the C:\ directory called "combofix" Which I cannot seem to open. And it created a folder called Combofix23155c

But no where is there a combofix.txt file

Also another folder called Qoobox was created.

---------------------------------------------

I have attached the Rougekiller file again as you specified. As you can see from the log Im still having an infection at c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}

Everytime I delete it and reboot the rootkit just comes back... do you think its a problem with my DNS perhaps?

RKreport13.txt

MrCharlie · June 30, 2012

Run RogueKiller again > click Scan > when the scan completes

Click on the Files/Folders tab > put a check next to this one > uncheck the rest

Now click delete on the right hand column.

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U --> FOUND

-----------------------------------

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
```
:Filefind
ComboFix.txt
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

-----------------------------------------------

Take a look in the Qoobox folder, there may be a copy of the log in there.

ComboFix.txt

Let me know, MrC

wolfshalabh · June 30, 2012

SystemLook 30.07.11 by jpshortstuff

Log created at 10:50 on 30/06/2012 by Amitabh

Administrator - Elevation successful

========== Filefind ==========

Searching for "ComboFix.txt"

C:\ComboFix\ComboFix.txt --a---- 555 bytes [00:44 30/06/2012] [00:44 30/06/2012] 7FAAEAA5935A8080B034A524287FED07

-= EOF =-

The log s ays its in a folder called Combofix... but there isnt a folder named that in my c drive. There is a file called combofix but when I click on that it just opens a screen that shows all my partitions and computer drives.

Also I have been runing rouge killer and deleting that file but everytime I reboot my computer it returns.

-------------------------------------------

I opened the Combofix.txt using the run command however this is all the file says

ComboFix 12-06-28.03 - Amitabh 06/29/2012 17:44:36.2.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2230 [GMT -7:00]

Running from: C:\Users\Amitabh\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

MrCharlie · June 30, 2012

Please try to run ComboFix again and see what happens, MrC

wolfshalabh · June 30, 2012

I will run the scan again later today. However im begining to think i might have to reinstall windows at this rate.

So I want to ask.

Should I do a system restore? Would that work?

or

Should I format and reinstall Vista? (in the event I cant delete this trojan)

MrCharlie · June 30, 2012

Lets try to run ComboFix first. MrC

wolfshalabh · July 1, 2012

Here is the combofix log, what should I do next?

---------------------------------------------------------------

ComboFix 12-06-28.03 - Amitabh 06/30/2012 12:58:45.3.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2191 [GMT -7:00]

Running from: c:\users\Amitabh\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Amitabh\Favorites\mxfilerelatedcache.mxc2

c:\users\Shalabh\Favorites\mxfilerelatedcache.mxc2

.

c:\windows\system32\Services.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-30 )))))))))))))))))))))))))))))))

.

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Shalabh\AppData\Local\temp

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Mcx2\AppData\Local\temp

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2012-06-29 18:55 . 2012-06-29 18:55 -------- d-----w- C:\TDSSKiller_Quarantine

2012-06-29 18:27 . 2012-06-29 18:27 -------- d-----w- c:\users\Amitabh\AppData\Local\Activision

2012-06-26 00:35 . 2012-06-26 00:35 -------- d-----w- c:\users\Shalabh\AppData\Local\Activision

2012-06-25 00:45 . 2012-06-25 00:45 -------- d-----w- c:\users\Amitabh\AppData\Roaming\NVIDIA

2012-06-24 03:35 . 2012-06-24 20:08 -------- d-----w- C:\AdobeTemp

2012-06-23 14:29 . 2012-06-23 14:29 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-06-21 06:26 . 2012-06-21 06:26 -------- d-----w- c:\users\Shalabh\A8B9466986544126BD28D0D2412CDED6.TMP

2012-06-21 00:08 . 2012-06-28 07:37 -------- d-----w- c:\users\Shalabh\AppData\Local\ApplicationHistory

2012-06-21 00:07 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\SpellEx

2012-06-21 00:04 . 2012-06-21 00:04 -------- d-----w- c:\windows\SysWow64\URTTEMP

2012-06-20 23:38 . 2012-06-20 23:38 -------- d-----w- c:\program files\DIFX

2012-06-20 23:38 . 2009-09-03 23:30 128512 ----a-w- c:\windows\system32\drivers\tiehdusb.sys

2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\TI Education

2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\TI Shared

2012-06-19 16:16 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-19 16:16 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-19 16:16 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-19 16:16 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-19 16:15 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-19 16:15 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll

2012-06-19 16:15 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-19 16:15 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll

2012-06-19 16:15 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-19 16:15 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll

2012-06-19 16:15 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-19 16:15 . 2012-06-02 22:19 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll

2012-06-19 16:15 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 16:15 . 2012-06-02 22:12 33792 ----a-w- c:\windows\SysWow64\wuapp.exe

2012-06-13 21:36 . 2012-06-13 21:36 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-13 21:36 . 2012-06-13 21:36 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

2012-06-03 21:24 . 2012-05-09 01:35 32600 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2012-06-03 21:23 . 2010-11-27 01:02 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2012-06-03 20:41 . 2012-05-24 17:48 24448 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-06-02 19:20 . 2012-06-02 19:20 -------- d-----w- c:\users\Shalabh\AppData\Roaming\IObit

2012-06-02 19:19 . 2012-06-02 19:19 -------- d-----w- c:\programdata\IObit

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-23 02:14 . 2012-04-05 00:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-23 02:14 . 2011-05-15 13:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-15 10:48 . 2012-03-15 02:05 68928 ----a-w- c:\windows\system32\OpenCL.dll

2012-05-15 10:48 . 2012-03-15 02:05 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-05-15 10:48 . 2011-11-18 20:50 1738048 ----a-w- c:\windows\system32\nvdispco64.dll

2012-05-15 10:48 . 2011-11-18 20:50 1468224 ----a-w- c:\windows\system32\nvgenco64.dll

2012-05-15 10:48 . 2011-06-12 00:54 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-05-15 10:48 . 2011-06-12 00:54 2741568 ----a-w- c:\windows\system32\nvapi64.dll

2012-05-15 10:48 . 2011-06-12 00:54 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-05-15 10:48 . 2011-06-12 00:54 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-05-15 10:48 . 2011-06-12 00:54 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-05-15 09:29 . 2011-06-12 00:57 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-05-15 09:29 . 2011-06-12 00:57 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-05-15 09:29 . 2011-06-12 00:57 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-05-15 09:29 . 2011-06-12 00:57 3149632 ----a-w- c:\windows\system32\nvsvc64.dll

2012-05-15 09:28 . 2011-06-12 00:57 6151488 ----a-w- c:\windows\system32\nvcpl.dll

2012-05-15 09:21 . 2012-05-15 09:21 423744 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-04-18 17:08 . 2012-03-15 02:05 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll

2012-04-04 22:56 . 2009-06-16 00:15 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BTBFirstRun"="c:\program files (x86)\Hewlett-Packard\SDP\hprun.exe" [2007-07-19 20480]

"googletalk"="c:\users\Amitabh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-09 65536]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-18 1484856]

"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]

S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-05-26 913792]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 02:14]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000Core.job

- c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000UA.job

- c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001Core.job

- c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001UA.job

- c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2007-10-25 5430272]

"LXCRCATS"="c:\windows\system32\spool\DRIVERS\x64\3\LXCRtime.dll" [2006-11-21 31744]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://cm.my.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105

LSP: c:\windows\system32\wpclsp.dll

Trusted Zone: att.com

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.1.254

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Amitabh\AppData\Roaming\Mozilla\Firefox\Profiles\up9n5bpd.default\

FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

SafeBoot-WudfPf

SafeBoot-WudfRd

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]

"ImagePath"="\??\c:\program files (x86)\HP\DVDPlay\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-06-30 15:39:45

ComboFix-quarantined-files.txt 2012-06-30 22:39

.

Pre-Run: 168,491,253,760 bytes free

Post-Run: 168,349,458,432 bytes free

.

- - End Of File - - 675738E9DAA83E00203773B740229D66

MrCharlie · July 1, 2012

Services.exe is infected, lets see if there's a good copy on your machine, also do you have the Vista cd?

You used SystemLook before but here's the whole thing........

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
```
:Filefind
Services.exe
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

wolfshalabh · July 1, 2012

I have the 3 vista recovery disks that my computer made when I bought the computer yes.

----------------------------------

SystemLook 30.07.11 by jpshortstuff

Log created at 18:47 on 30/06/2012 by Amitabh

Administrator - Elevation successful

========== Filefind ==========

Searching for "Services.exe"

C:\Windows\System32\services.exe --a---- 384512 bytes [17:35 30/05/2009] [07:10 11/04/2009] BC81150939BD52DBC7A08C245F1FB229

C:\Windows\SysWOW64\services.exe --a---- 279552 bytes [17:34 30/05/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_294799ef88bb616c\services.exe --a---- 389632 bytes [09:10 02/11/2006] [11:16 02/11/2006] 0A87F57DFC2C0EB9BBA8BE1C87BAFE1A

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [13:21 07/06/2008] [08:00 19/01/2008] DFAC660F0F139276CC9299812DE42719

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [17:35 30/05/2009] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [12:21 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [13:19 07/06/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [17:34 30/05/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

-= EOF =-

MrCharlie · July 1, 2012

OK, there's several good copies of services.exe on the system, we'll use ComboFix to replace the infected one:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

FCopy::
C:\Windows\SysWOW64\services.exe | C:\Windows\System32\services.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

wolfshalabh · July 1, 2012

ComboFix 12-06-28.03 - Amitabh 07/01/2012 13:11:13.4.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2575 [GMT -7:00]

Running from: c:\users\Amitabh\Desktop\ComboFix.exe

Command switches used :: c:\users\Amitabh\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

--------------- FCopy ---------------

.

c:\windows\SysWOW64\services.exe --> c:\windows\System32\services.exe

.

((((((((((((((((((((((((( Files Created from 2012-06-01 to 2012-07-01 )))))))))))))))))))))))))))))))

.

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Shalabh\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Mcx2\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Alpana\AppData\Local\temp