
I've been infected. I would like to remove it. Thank you.



Hello dhy116 and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Okay, post it, but explain to me what your problem is.


Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01

Ran by SYSTEM at 20-07-2012 17:28:09

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-06-24] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-06-24] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [413208 2010-06-24] (Intel Corporation)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10775584 2010-05-31] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [2040352 2010-05-31] (Realtek Semiconductor)

HKLM\...\Run: [Apoint] %ProgramFiles%\Apoint\Apoint.exe [212480 2010-05-31] (Alps Electric Co., Ltd.)

HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)

HKLM\...\Run: [intelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash [1441792 2010-06-08] (Intel® Corporation)

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)

HKLM\...\Run: [sBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe" [200560 2011-12-19] (GFI Software)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

HKLM-x32\...\Run: [iSBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe" [673136 2010-05-31] (Sony Corporation)

HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [600928 2010-06-01] (Sony Corporation)

HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [37232 2008-06-12] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-06-11] (Adobe Systems Inc.)

HKLM-x32\...\Run: [HFALoader] C:\Program Files (x86)\Hamster Soft\Free ZIP Archiver\Hamster.Archiver.UI.exe -loader [2925056 2011-05-10] (HamsterSoft)

HKLM-x32\...\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1527128 2011-06-14] (Intuit Inc. All rights reserved.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]

HKLM-x32\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [198032 2011-10-21] (Lavasoft)

HKU\grinch green\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-07-27] (Google Inc.)

HKU\grinch green\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKU\grinch green\...\Run: [AdobeBridge] [x]

HKU\grinch green\...\Run: [starfield Updater] "C:\Users\grinch green\AppData\Local\Workspace\WorkspaceUpdate.exe" [34496 2012-01-24] ()

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1085000 2012-07-03] (Malwarebytes Corporation)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

AppInit_DLLs: acaptuser64.dll

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk

ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk

ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE (Intuit Inc.)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\grinch green\Start Menu\Programs\Startup\MagicDisc.lnk

ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)

Startup: C:\Users\QBDataServiceUser21\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) ======

3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

2 Ad-Aware Service; "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe" [1239952 2012-07-12] (Lavasoft Limited)

2 FedExAdminService; "C:\Program Files (x86)\FedEx\ShipManager\BIN\AdminService.exe" [24576 2012-01-17] ()

2 FedExLoggingService; "C:\Program Files (x86)\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe" [7168 2012-01-17] (FedEx Corporation)

2 FedExShipnetDBService; "C:\Program Files (x86)\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe" -hvFedExShipnetDBService [141176 2012-01-17] (iAnywhere Solutions, Inc.)

3 FedExShipService; "C:\Program Files (x86)\FedEx\ShipManager\BIN\ShipEngineService.exe" [5120 2012-01-17] (FedEx Corporation)

3 FedExTransactionService; "C:\Program Files (x86)\FedEx\ShipManager\BIN\TransEngineService.exe" [6656 2012-01-17] (FedEx Corporation)

2 File Backup; C:\Program Files (x86)\Workspace\offSyncService.exe [1187600 2012-01-05] (Starfield Technologies)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()

3 QuickBooksDB21; C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB21 [679936 2010-04-27] (Intuit, Inc.)

2 SampleCollector; "C:\Program Files\Sony\VAIO Care\VCPerfService.exe" "/service" "/sstates" "/sampleinterval=2000" "/procinterval=5" "/dllinterval=120" "/counter=\Processor(_Total)\% Processor Time:1/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1" "/counter=\Network Interface(*)\Bytes Total/sec:1" "/expandcounter=\Processor Information(*)\Processor Frequency:1" "/expandcounter=\Processor(*)\% Idle Time:1" "/expandcounter=\Processor(*)\% C1 Time:1" "/expandcounter=\Processor(*)\% C2 Time:1" "/expandcounter=\Processor(*)\% C3 Time:1" "/expandcounter=\Processor(*)\% Processor Time:1" "/directory=inteldata" [252416 2010-05-25] (Sony Corporation)

2 SBAMSvc; "C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)

2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-05-28] (Intel Corporation)

3 VUAgent; "C:\Program Files\Sony\VAIO Update 5\VUAgent.exe" [1250160 2010-05-31] (Sony Corporation)

========================== Drivers (Whitelisted) =============

2 DgiVecp; C:\Windows\System32\Drivers\DgiVecp.sys [54072 2006-11-02] (Samsung Electronics)

1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [57976 2011-10-26] (GFI Software)

2 MSSQL$DDNI; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-20 17:28 - 2012-07-20 17:28 - 00000000 ____D C:\FRST

2012-07-20 16:24 - 2012-07-20 16:24 - 00000438 ____A C:\Windows\SysWOW64\WSCConfig.xml

2012-07-19 22:17 - 2012-07-19 22:17 - 00001188 ____A C:\Windows\SysWOW64\ServiceConfig.xml

2012-07-19 22:00 - 2012-07-19 22:00 - 00000000 ____D C:\Users\grinch green\AppData\Roaming\Malwarebytes

2012-07-19 22:00 - 2012-07-19 22:00 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-07-19 22:00 - 2012-07-19 22:00 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-07-19 22:00 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-19 21:55 - 2012-07-19 21:55 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\grinch green\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-19 17:51 - 2012-07-19 22:18 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection

2012-07-19 17:51 - 2012-07-19 18:00 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus

2012-07-19 17:51 - 2012-07-19 17:51 - 00000000 ____D C:\Users\grinch green\AppData\Local\adaware

2012-07-19 17:51 - 2012-07-19 17:51 - 00000000 ____D C:\Users\All Users\Lavasoft

2012-07-19 17:51 - 2011-12-19 12:21 - 00045936 ____A (GFI Software) C:\Windows\System32\sbbd.exe

2012-07-19 17:51 - 2011-12-19 11:44 - 00060536 ____A (GFI Software) C:\Windows\System32\Drivers\sbhips.sys

2012-07-19 17:51 - 2011-10-26 13:23 - 00057976 ____A (GFI Software) C:\Windows\System32\Drivers\sbredrv.sys

2012-07-19 17:50 - 2012-07-19 17:50 - 00000000 ____D C:\Users\grinch green\AppData\Local\Downloaded Installations

2012-07-19 17:49 - 2012-07-19 22:20 - 00000000 ____D C:\Users\grinch green\AppData\Roaming\Ad-Aware Antivirus

2012-07-19 17:49 - 2012-07-19 17:49 - 04587128 ____A (Lavasoft Limited) C:\Users\grinch green\Downloads\Adaware_Installer.exe

2012-07-18 23:25 - 2012-07-18 23:25 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-07-18 23:13 - 2012-07-18 23:13 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-18 23:13 - 2012-07-18 23:13 - 00000000 ____D C:\Windows\System32\Macromed

2012-07-11 17:59 - 2012-07-11 17:59 - 00264858 ____A C:\Windows\msxml4-KB2721691-enu.LOG

2012-07-11 17:59 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-11 10:20 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-11 10:20 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-07-11 10:20 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-11 10:20 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-11 10:20 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-07-11 10:20 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-07-11 10:20 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-11 10:20 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-11 10:20 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-11 10:20 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-11 10:20 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-11 10:20 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-07-11 10:19 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-07-11 10:19 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-07-11 10:19 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-07-11 10:19 - 2012-04-23 21:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-07-11 10:19 - 2012-04-23 21:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-07-11 10:19 - 2012-04-23 21:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-07-11 10:19 - 2012-04-23 20:47 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-07-11 10:19 - 2012-04-23 20:47 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-07-11 10:19 - 2012-04-23 20:47 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-06-25 15:04 - 2012-06-25 15:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll

============ 3 Months Modified Files ========================

2012-07-20 16:24 - 2012-07-20 16:24 - 00000438 ____A C:\Windows\SysWOW64\WSCConfig.xml

2012-07-20 16:24 - 2010-07-27 00:05 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-20 16:23 - 2010-11-09 18:16 - 01873104 ____A C:\Windows\WindowsUpdate.log

2012-07-20 13:58 - 2009-07-13 21:13 - 00730924 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-20 11:45 - 2009-07-13 20:45 - 00013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-20 11:45 - 2009-07-13 20:45 - 00013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-20 11:23 - 2010-07-27 00:05 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-20 10:05 - 2012-01-24 11:59 - 00096733 ____A C:\Users\grinch green\Documents\WorkspaceUpdate.log

2012-07-20 10:05 - 2012-01-24 11:57 - 00733380 ____A C:\Users\grinch green\Documents\workspaceinstall.log

2012-07-19 22:17 - 2012-07-19 22:17 - 00001188 ____A C:\Windows\SysWOW64\ServiceConfig.xml

2012-07-19 22:17 - 2010-07-27 00:11 - 00209738 ____A C:\Windows\PFRO.log

2012-07-19 22:17 - 2010-07-27 00:09 - 00000050 ____A C:\Windows\System32\SupplicantTest.log

2012-07-19 22:17 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-19 22:17 - 2009-07-13 20:51 - 00066540 ____A C:\Windows\setupact.log

2012-07-19 21:55 - 2012-07-19 21:55 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\grinch green\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-19 17:49 - 2012-07-19 17:49 - 04587128 ____A (Lavasoft Limited) C:\Users\grinch green\Downloads\Adaware_Installer.exe

2012-07-18 23:13 - 2012-07-18 23:13 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-18 23:13 - 2011-09-05 01:34 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-12 10:22 - 2009-07-13 20:45 - 05098128 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 17:59 - 2012-07-11 17:59 - 00264858 ____A C:\Windows\msxml4-KB2721691-enu.LOG

2012-07-11 17:56 - 2010-12-09 11:09 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-07 20:40 - 2011-09-11 13:59 - 00001653 ____A C:\Users\grinch green\AppData\Local\HamsterFreeArchiver.cfg

2012-07-03 12:46 - 2012-07-19 22:00 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-25 15:04 - 2012-06-25 15:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll

2012-06-11 19:02 - 2012-07-11 17:59 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:30 - 2012-07-11 10:20 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:46 - 2012-07-11 10:20 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 21:50 - 2012-07-11 10:20 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:50 - 2012-07-11 10:20 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:09 - 2012-07-11 10:20 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:09 - 2012-07-11 10:20 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-02 14:19 - 2012-06-18 13:18 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-18 13:18 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-18 13:18 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-18 13:17 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-18 13:17 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 14:19 - 2012-06-18 13:17 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-18 13:18 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-18 13:17 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 14:15 - 2012-06-18 13:17 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-01 21:38 - 2012-07-11 10:20 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:38 - 2012-07-11 10:20 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:37 - 2012-07-11 10:20 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:27 - 2012-07-11 10:20 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:27 - 2012-07-11 10:20 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:48 - 2012-07-11 10:19 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:48 - 2012-07-11 10:19 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:47 - 2012-07-11 10:20 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:42 - 2012-07-11 10:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-06-01 11:23 - 2011-09-01 22:48 - 00001041 ____A C:\Users\grinch green\Desktop\Dropbox.lnk

2012-05-31 11:25 - 2010-12-07 17:07 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-05-29 20:01 - 2012-05-29 20:01 - 00007606 ____A C:\Users\grinch green\AppData\Local\Resmon.ResmonCfg

2012-05-14 19:56 - 2012-06-12 14:30 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 19:52 - 2012-06-12 14:30 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 19:08 - 2012-06-12 14:30 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-14 19:06 - 2012-06-12 14:30 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-04 02:52 - 2012-06-12 14:29 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:08 - 2012-06-12 14:29 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:08 - 2012-06-12 14:29 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-05-03 10:14 - 2012-05-03 10:14 - 00103784 ____A C:\Users\grinch green\GoToAssistDownloadHelper.exe

2012-05-02 12:24 - 2010-12-07 16:56 - 00533048 ____A C:\Users\grinch green\AppData\Local\GDIPFONTCACHEV1.DAT

2012-05-02 12:20 - 2012-04-11 17:24 - 00002202 ____A C:\Users\Public\Desktop\Help Me FedEx.lnk

2012-05-02 12:20 - 2012-04-11 17:24 - 00001294 ____A C:\Users\Public\Desktop\FedEx Ship Manager.lnk

2012-05-02 12:18 - 2012-04-11 17:21 - 02156504 ____A C:\Windows\SysWOW64\SQLCONVERT.LOG

2012-05-02 12:18 - 2012-04-11 17:21 - 00000023 ____A C:\Windows\ODBCINST.INI

2012-05-01 01:43 - 2012-05-01 01:43 - 00047340 ____A C:\Users\grinch green\Downloads\rprtordsumD9R.xls

2012-04-27 19:50 - 2012-06-12 14:29 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 21:34 - 2012-06-12 14:29 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 21:34 - 2012-06-12 14:29 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 21:28 - 2012-06-12 14:29 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-23 21:59 - 2012-07-11 10:19 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 21:59 - 2012-07-11 10:19 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 21:59 - 2012-07-11 10:19 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-04-23 20:47 - 2012-07-11 10:19 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-04-23 20:47 - 2012-07-11 10:19 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-04-23 20:47 - 2012-07-11 10:19 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

ZeroAccess:

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\L

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\L\00000004.@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\L\1afb2d56

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\L\201d3dde

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U\00000004.@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U\00000008.@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U\000000cb.@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U\80000000.@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U\80000032.@

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U\80000064.@

ZeroAccess:

C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}

C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\@

C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\L

C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\n

C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%

Total physical RAM: 3758.1 MB

Available physical RAM: 3134.84 MB

Total Pagefile: 3756.25 MB

Available Pagefile: 3123.02 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:287.8 GB) (Free:129.03 GB) NTFS

2 Drive e: (Recovery) (Fixed) (Total:10.19 GB) (Free:0.77 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive f: (D9_SPRING_SUMMER_12) (CDROM) (Total:1.41 GB) (Free:0 GB) UDF

4 Drive g: (Lexar) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7648 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 10 GB 1024 KB

Partition 2 Primary 100 MB 10 GB

Partition 3 Primary 287 GB 10 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E Recovery NTFS Partition 10 GB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 287 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7646 MB 1132 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G Lexar FAT32 Removable 7646 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 16:08

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 20-07-2012 01

Ran by SYSTEM at 2012-07-20 17:29:58

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

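The two sections of the log above that actually identify the infection are the "Bamital & volsnap Check" (which flags services.exe by MD5 instead of reporting "MD5 is legit") and the follow-up "Search: "services.exe"" (which shows the live System32 copy hashing differently from the copy kept in the winsxs component store), together with the "ZeroAccess:" blocks that list the reparse-point folders. As an added example that is not part of this thread and not FRST's own code, the Python script below parses those three kinds of output from a posted log and reports each finding. The embedded sample log is constructed from lines of the log above; the section names and line layouts are assumed to be the ones FRST printed here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the FRST output posted in this thread; the
# paths, section headers and MD5 values are copied from that log.
SAMPLE_LOG = r"""
============ 3 Months Modified Files ========================
2012-07-20 16:24 - 2012-07-20 16:24 - 00000438 ____A C:\Windows\SysWOW64\WSCConfig.xml
ZeroAccess:
C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}
C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\@
C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\L
C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}\U
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")          # "==== Name ===="
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
FLAGGED_RE = re.compile(                                        # path MD5 Tag <==== ATTENTION
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<tag>\S+)\s+<====\s*ATTENTION")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
DETAIL_RE = re.compile(                                         # "[created] - [modified] - size attrs (vendor) MD5"
    r"^\[[^\]]*\] - \[[^\]]*\] - \d+ \S+ (?:\([^)]*\) )?(?P<md5>[0-9A-Fa-f]{32})$")


def split_sections(text):
    """Group the non-empty lines of an FRST-style log under their '====' section headers."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name").strip("= ")
            if name:                       # a bare row of '=' is a separator, not a header
                current = name
            continue
        sections[current].append(line)
    return sections


def integrity_findings(sections):
    """Entries of the integrity check whose MD5 was NOT accepted: (path, md5, tag)."""
    findings = []
    for line in sections.get("Bamital & volsnap Check", []):
        if LEGIT_RE.match(line):
            continue
        m = FLAGGED_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("md5").upper(), m.group("tag")))
        else:
            findings.append((line, None, "unparsed"))   # surface anything unexpected
    return findings


def search_hashes(sections, filename):
    """Map each path listed by a 'Search: "<filename>"' block to the MD5 on its detail line."""
    hashes, pending = {}, None
    for line in sections.get(f'Search: "{filename}"', []):
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            hashes[pending] = m.group("md5").upper()
            pending = None
    return hashes


def live_vs_store_mismatches(hashes):
    """Live System32 copies whose MD5 matches none of the same-named winsxs store copies."""
    store = {p: h for p, h in hashes.items() if "\\winsxs\\" in p.lower()}
    out = []
    for path, md5 in hashes.items():
        if "\\system32\\" not in path.lower():
            continue
        name = "\\" + path.lower().rsplit("\\", 1)[-1]
        ref = {h for p, h in store.items() if p.lower().endswith(name)}
        if ref and md5 not in ref:
            out.append((path, md5, sorted(ref)))
    return out


def zeroaccess_roots(text):
    """The first path after each 'ZeroAccess:' marker, i.e. the root FRST flagged."""
    roots, expect = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "ZeroAccess:":
            expect = True
        elif expect and PATH_RE.match(line):
            roots.append(line)
            expect = False
    return roots


def report(text):
    """One-call summary over a posted log; every Search block present is checked."""
    secs = split_sections(text)
    mismatches = []
    for name in secs:
        m = re.match(r'Search: "(?P<file>[^"]+)"', name)
        if m:
            mismatches += live_vs_store_mismatches(search_hashes(secs, m.group("file")))
    return {"integrity": integrity_findings(secs),
            "live_vs_store": mismatches,
            "zeroaccess_roots": zeroaccess_roots(text)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

The second check is the point of the separate services.exe search in the log above: the component store under winsxs keeps a pristine copy of the binary, so a live System32 file whose hash matches none of the store copies of the same name is a finding in its own right, whether or not the tool attaches a family name to it. Running the script on the constructed sample reports the flagged services.exe, the store-versus-live hash mismatch, and the two ZeroAccess roots.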

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}
C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01

Ran by SYSTEM at 2012-07-23 10:47:15 Run:1

Running from G:\

==============================================

C:\Windows\Installer\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a} moved successfully.

C:\Users\grinch green\AppData\Local\{cd966dd2-b4d8-3e9d-302f-001f5ff3132a} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====


Great! :)

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

