rootkit.0access infection. Ran Farbar scan, where do I go from here?


Hi,

I posted another thread this morning but haven't gotten a response to my last log in a couple of hours... so I'm reposting with an update. I'm really hoping to have this fixed today. Thanks for the help.

I have a Windows 7 32-bit computer infected with Rootkit.0access. The computer continues to reboot every 2 minutes, even in Safe Mode, giving me very limited time to complete anything. Per the instructions of the user on my previous post, I ran the Farbar Recovery Scan Tool in "Repair your computer" mode.

This is the log that it created. I don't know what to do from here...

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by SYSTEM at 18-07-2012 12:54:03

Running from G:\

Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2697832 2010-10-04] (Realtek Semiconductor Corp.)

HKLM\...\Run: [iAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)

HKLM\...\Run: [iMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [112408 2012-03-01] (Intel Corporation)

HKLM\...\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [214384 2011-05-27] (Wave Systems Corp.)

HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)

HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)

HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun [3605816 2010-02-09] (brother)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [142616 2011-06-28] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [177432 2011-06-28] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [176408 2011-06-28] (Intel Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)

HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]

Tcpip\..\Interfaces\{1FC5DA1F-4096-4D5B-A5A7-6BE828714AE3}: [NameServer]75.75.75.75,75.75.76.76

Lsa: [Authentication Packages] msv1_0

wvauth

Startup: C:\Users\All Users\Start Menu\Programs\Startup\KONICA MINOLTA Print Status Notifier.lnk

ShortcutTarget: KONICA MINOLTA Print Status Notifier.lnk -> C:\Program Files\KONICA MINOLTA\Print Status Notifier\KMPSNv3.exe (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)

================================ Services (Whitelisted) ==================

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [110752 2010-09-21] (Intel Corporation)

2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212944 2011-02-23] (Intel Corporation)

3 SecureStorageService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe" [1508232 2011-05-24] (Wave Systems Corp.)

2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1633280 2011-02-17] ()

2 TdmService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe" [2605424 2011-05-27] (Wave Systems Corp.)

2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1131520 2011-07-01] (Wave Systems Corp.)

2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [268968 2011-07-20] (Intel Corporation)

3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2749416 2010-10-04] (Realtek Semiconductor Corp.)

3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)

3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)

0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2010-07-21] (Dell Inc)

3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-18 08:34 - 2012-07-18 08:35 - 00607260 ____R (Swearware) C:\Users\Eagle2\Desktop\dds.scr

2012-07-18 08:24 - 2012-07-18 08:24 - 00607260 ____R (Swearware) C:\Users\Eagle2\Downloads\dds.com

2012-07-18 06:12 - 2012-07-18 06:12 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-07-18 06:09 - 2012-07-18 06:09 - 10288512 ____A (Microsoft Corporation) C:\Users\Eagle2\Downloads\mseinstall (1).exe

2012-06-26 11:22 - 2012-07-18 03:27 - 00000196 ____A C:\users\apmelnetj.lnk

2012-06-26 08:42 - 2012-06-26 08:42 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-06-26 06:20 - 2012-07-18 03:27 - 00191488 ____A C:\users\zkgrzgwtqt.dyv

2012-06-22 11:21 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-22 11:21 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-22 11:21 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-22 11:21 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-22 11:21 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-22 11:21 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

============ 3 Months Modified Files ========================

2012-07-18 08:41 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-18 08:41 - 2009-07-13 20:39 - 00035246 ____A C:\Windows\setupact.log

2012-07-18 08:35 - 2012-07-18 08:34 - 00607260 ____R (Swearware) C:\Users\Eagle2\Desktop\dds.scr

2012-07-18 08:24 - 2012-07-18 08:24 - 00607260 ____R (Swearware) C:\Users\Eagle2\Downloads\dds.com

2012-07-18 06:46 - 2009-07-13 20:34 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-18 06:46 - 2009-07-13 20:34 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-18 06:23 - 2010-11-20 13:01 - 00856998 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-18 06:12 - 2012-05-09 09:08 - 00001945 ____A C:\Windows\epplauncher.mif

2012-07-18 06:12 - 2011-11-17 22:21 - 01782136 ____A C:\Windows\WindowsUpdate.log

2012-07-18 06:09 - 2012-07-18 06:09 - 10288512 ____A (Microsoft Corporation) C:\Users\Eagle2\Downloads\mseinstall (1).exe

2012-07-18 06:07 - 2010-11-20 13:48 - 00034116 ____A C:\Windows\PFRO.log

2012-07-18 03:27 - 2012-06-26 11:22 - 00000196 ____A C:\users\apmelnetj.lnk

2012-07-18 03:27 - 2012-06-26 06:20 - 00191488 ____A C:\users\zkgrzgwtqt.dyv

2012-07-17 12:36 - 2012-05-09 10:13 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-03 09:46 - 2012-05-08 10:20 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-13 23:20 - 2009-07-13 20:33 - 00409816 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-02 14:19 - 2012-06-22 11:21 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-22 11:21 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-22 11:21 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:12 - 2012-06-22 11:21 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 11:19 - 2012-06-22 11:21 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:12 - 2012-06-22 11:21 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-17 15:11 - 2012-06-13 23:00 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 14:48 - 2012-06-13 23:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 14:45 - 2012-06-13 23:00 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 14:36 - 2012-06-13 23:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 14:35 - 2012-06-13 23:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 14:35 - 2012-06-13 23:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 14:33 - 2012-06-13 23:00 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 14:31 - 2012-06-13 23:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 14:29 - 2012-06-13 23:00 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 14:29 - 2012-06-13 23:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 14:27 - 2012-06-13 23:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 14:25 - 2012-06-13 23:00 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 14:24 - 2012-06-13 23:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 14:20 - 2012-06-13 23:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-14 17:05 - 2012-06-13 06:03 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-09 10:12 - 2012-05-09 10:12 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Eagle2\Downloads\mbam-setup-1.61.0.1400.exe

2012-05-09 09:08 - 2012-05-09 09:07 - 10288512 ____A (Microsoft Corporation) C:\Users\Eagle2\Downloads\mseinstall.exe

2012-05-09 08:58 - 2012-03-16 04:28 - 00000317 ____A C:\Windows\TMFilter.log

2012-05-09 08:58 - 2011-11-17 22:44 - 00000031 ____A C:\tmuninst.ini

2012-05-09 08:58 - 2011-11-17 22:43 - 00060676 ____A C:\Windows\System32\TmInstall.log

2012-04-30 20:44 - 2012-06-13 06:03 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-27 19:17 - 2012-06-13 06:03 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 20:45 - 2012-06-13 06:03 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 20:45 - 2012-06-13 06:03 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 20:41 - 2012-06-13 06:03 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-23 20:36 - 2012-06-13 06:03 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 20:36 - 2012-06-13 06:03 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 20:36 - 2012-06-13 06:03 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

ZeroAccess:

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}\@

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}\L

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}\U

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}\U\00000001.@

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}\U\80000000.@

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}\U\800000cb.@

ZeroAccess:

C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}

C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}\@

C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}\L

C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%

Total physical RAM: 3976.9 MB

Available physical RAM: 3453.58 MB

Total Pagefile: 3975.18 MB

Available Pagefile: 3467.06 MB

Total Virtual: 2047.88 MB

Available Virtual: 1960.68 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:453.57 GB) (Free:408.31 GB) NTFS

2 Drive e: (TRIADLC0712) (CDROM) (Total:4.27 GB) (Free:0 GB) CDFS

4 Drive g: () (Removable) (Total:1.91 GB) (Free:1.53 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (RECOVERY) (Fixed) (Total:12.15 GB) (Free:6.98 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 Online 1953 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 12 GB 40 MB

Partition 3 Primary 453 GB 12 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y RECOVERY NTFS Partition 12 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C OS NTFS Partition 453 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1952 MB 122 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G FAT Removable 1952 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-17 20:03

======================= End Of Log ==========================


services.exe is infected and has to be replaced:

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

MrC


Thanks for helping, this is the log I got:

Farbar Recovery Scan Tool Version: 16-07-2012 01

Ran by SYSTEM at 2012-07-18 17:34:57

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===


OK, here you go...

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt


C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}
C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

MrC

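As an added example (not code from the thread and not part of FRST), the reasoning behind MrC's Search and Replace steps, worked over the Search.txt posted above: parse the search entries, compare the live services.exe against its WinSxS component-store copy, and assemble a fixlist.txt with one directive per line. The sample log is a copy of the posted search result; the ZeroAccess folder paths come from the first FRST log.

```python
"""Pick the clean copy of a system file from an FRST Search.txt and build
the matching fixlist.txt.  Added example, not the forum's or FRST's code."""
import re

# Search.txt as posted in the thread (constructed copy of that output).
SEARCH_TXT = r"""================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

TARGET = r"C:\Windows\System32\services.exe"
# Folders FRST listed under "ZeroAccess:" in the first log of the thread.
ZEROACCESS_DIRS = [
    r"C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}",
    r"C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}",
]

# One entry = a path line followed by "[created] - [modified] - size attrs (company) MD5".
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*)\r?\n"
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$",
    re.MULTILINE,
)


def parse_search(text):
    """Return one dict per file listed in an FRST Search result."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def pick_clean_copy(entries, target):
    """Compare the live file with its WinSxS component-store copies.

    Returns (verdict, winsxs_path): 'clean' when the live hash matches a
    store copy; 'patched' when a store copy of the same size and vendor has
    a different hash (the in-place patch seen here: size and timestamps of
    services.exe untouched, only the MD5 differs); 'unknown' otherwise."""
    live = next((e for e in entries if e["path"].lower() == target.lower()), None)
    if live is None:
        return "unknown", None
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    for e in store:
        if e["md5"] == live["md5"]:
            return "clean", e["path"]
    for e in store:
        if e["size"] == live["size"] and e["company"] == live["company"]:
            return "patched", e["path"]
    return "unknown", None


def build_fixlist(dirs, source, target):
    """Assemble fixlist.txt: one directive per line.  Run 1 in the thread
    failed because the directives were pasted onto a single line, so FRST
    looked for one path made of all three and reported 'not found'."""
    lines = list(dirs) + [f"Replace: {source} {target}"]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = parse_search(SEARCH_TXT)
    verdict, src = pick_clean_copy(found, TARGET)
    print(verdict, src)
    if verdict == "patched":
        print(build_fixlist(ZEROACCESS_DIRS, src, TARGET))
```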

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by SYSTEM at 2012-07-18 17:59:04 Run:1

Running from G:\

==============================================

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe not found.

Could not find C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}C:\Windows\System32\services.exe.

Could not find C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af}C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af}C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe.

==== End of Fixlog ====


Sorry, I did it wrong. Here is the result:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by SYSTEM at 2012-07-18 18:06:00 Run:2

Running from G:\

==============================================

C:\Windows\Installer\{465e8d66-462a-639f-4757-7ea3844918af} moved successfully.

C:\Users\Eagle2\AppData\Local\{465e8d66-462a-639f-4757-7ea3844918af} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



That's better, let's use ComboFix to clean up any other malware...

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
