pbearjar


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by annk at 31-07-2012 10:41:51

Running from C:\Users\annk\Desktop\Pete

(X86) OS Language: English(US)

Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

============ One Month Created Files and Folders ==============

2012-07-31 10:40 - 2012-07-31 10:41 - 00000000 ____D C:\FRST

2012-07-31 10:39 - 2012-07-31 10:41 - 00000000 ____D C:\Users\annk\Desktop\Pete

2012-07-31 10:35 - 2012-07-31 10:35 - 00000000 ____D C:\Program Files\ESET

2012-07-31 10:18 - 2012-07-31 10:18 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys

2012-07-31 10:12 - 2012-07-31 10:12 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-07-31 10:06 - 2012-07-31 10:06 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\annk\Downloads\tdsskiller.exe

2012-07-31 09:53 - 2012-07-31 09:53 - 00000000 ____D C:\Users\All Users\Google

2012-07-31 09:51 - 2012-07-31 10:29 - 00002694 ____A C:\Windows\PFRO.log

2012-07-31 09:51 - 2012-07-31 10:29 - 00000224 ____A C:\Windows\setupact.log

2012-07-31 09:51 - 2012-07-31 09:51 - 00000000 ____A C:\Windows\setuperr.log

2012-07-31 09:50 - 2012-07-31 09:50 - 00090758 ____A C:\Users\Public\Documents\cc_20120731_095028.reg

2012-07-31 09:48 - 2012-07-31 09:48 - 00000000 ____D C:\Program Files\CCleaner

2012-07-31 09:47 - 2012-07-31 09:53 - 00000000 ____D C:\Program Files\Google

2012-07-31 09:47 - 2012-07-31 09:49 - 00000000 ____D C:\Users\annk\AppData\Local\Google

2012-07-31 09:41 - 2012-07-31 10:03 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-07-31 09:41 - 2012-07-31 09:42 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-07-31 09:41 - 2012-07-31 09:41 - 00000000 ____D C:\Users\annk\AppData\Roaming\Malwarebytes

2012-07-31 09:41 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-30 15:54 - 2012-07-30 15:54 - 00000000 ____D C:\Users\annk\AppData\Local\{22266349-DD4E-418E-8F26-0B33C5B7DAE8}

2012-07-30 15:53 - 2012-07-30 15:54 - 00000000 ____D C:\Users\annk\AppData\Local\{BED886A7-2C4A-4E98-AC56-514A7B46F8BA}

2012-07-23 08:21 - 2012-07-23 08:21 - 00000000 ____D C:\Users\annk\AppData\Local\{A952ED3A-4B83-4907-AEBC-B982ADA54282}

2012-07-23 08:21 - 2012-07-23 08:21 - 00000000 ____D C:\Users\annk\AppData\Local\{2DBAE505-5E29-452F-B4C9-24B345630B21}

2012-07-22 20:20 - 2012-07-22 20:20 - 00000000 ____D C:\Users\annk\AppData\Local\{B89747C7-65D0-4CD3-8D4D-9B0F8AD2568D}

2012-07-22 20:20 - 2012-07-22 20:20 - 00000000 ____D C:\Users\annk\AppData\Local\{9C8550CE-F354-46EF-ADC6-0551B4CEC1B0}

2012-07-22 08:20 - 2012-07-22 08:20 - 00000000 ____D C:\Users\annk\AppData\Local\{F95BF506-423E-4769-8309-969FD0212BD4}

2012-07-22 08:20 - 2012-07-22 08:20 - 00000000 ____D C:\Users\annk\AppData\Local\{468CC455-EF31-4D0B-969E-499EE1AA9836}

2012-07-21 20:20 - 2012-07-21 20:20 - 00000000 ____D C:\Users\annk\AppData\Local\{F12E32F8-3C21-4217-A6B8-A3FB62A54AAE}

2012-07-21 20:19 - 2012-07-21 20:20 - 00000000 ____D C:\Users\annk\AppData\Local\{DC9A43BE-581B-47E9-9DFE-6B8E0C0C9042}

2012-07-21 08:19 - 2012-07-21 08:19 - 00000000 ____D C:\Users\annk\AppData\Local\{DF4A437C-16CF-4F7C-BCA2-D943BBB11E82}

2012-07-21 08:19 - 2012-07-21 08:19 - 00000000 ____D C:\Users\annk\AppData\Local\{A514DCFF-8B66-4744-AE23-538FEA1CC463}

2012-07-20 20:19 - 2012-07-20 20:19 - 00000000 ____D C:\Users\annk\AppData\Local\{FDE41CF1-80EA-4190-A862-6F550D8577F9}

2012-07-20 20:19 - 2012-07-20 20:19 - 00000000 ____D C:\Users\annk\AppData\Local\{9B8390CE-5185-4C33-A70B-79AC4AB41E05}

2012-07-20 08:19 - 2012-07-20 08:19 - 00000000 ____D C:\Users\annk\AppData\Local\{7C0CD0AA-DCF3-40BF-AB18-8F62B357DDA4}

2012-07-20 08:18 - 2012-07-20 08:18 - 00000000 ____D C:\Users\annk\AppData\Local\{70B85D95-D744-4323-A0D9-8267C9D36BCB}

2012-07-19 20:18 - 2012-07-19 20:18 - 00000000 ____D C:\Users\annk\AppData\Local\{3FFE576A-C938-4FF3-ADEE-B5801758C0E8}

2012-07-19 20:18 - 2012-07-19 20:18 - 00000000 ____D C:\Users\annk\AppData\Local\{2B5628E0-6AD9-4F11-9675-E4A6495BD9E8}

2012-07-19 08:18 - 2012-07-19 08:18 - 00000000 ____D C:\Users\annk\AppData\Local\{E49BC4D5-B87F-4C89-8939-89124AFACD12}

2012-07-19 08:18 - 2012-07-19 08:18 - 00000000 ____D C:\Users\annk\AppData\Local\{2514CC51-F466-4670-8892-9E531E30C278}

2012-07-18 20:17 - 2012-07-18 20:18 - 00000000 ____D C:\Users\annk\AppData\Local\{06842779-8325-4468-8CC2-8C2B14612B88}

2012-07-18 20:17 - 2012-07-18 20:17 - 00000000 ____D C:\Users\annk\AppData\Local\{2D3BC9BB-253D-4178-BCB2-BED31F4E462B}

2012-07-18 08:17 - 2012-07-18 08:17 - 00000000 ____D C:\Users\annk\AppData\Local\{FBA398F9-1B4E-41A1-B952-AFC05B9C3485}

2012-07-18 08:17 - 2012-07-18 08:17 - 00000000 ____D C:\Users\annk\AppData\Local\{DCCD5222-4A59-4725-A331-D2F681FFD20E}

2012-07-17 20:16 - 2012-07-17 20:17 - 00000000 ____D C:\Users\annk\AppData\Local\{3B1E1699-A5E6-4A05-A1F9-EAD71820B88F}

2012-07-17 20:16 - 2012-07-17 20:16 - 00000000 ____D C:\Users\annk\AppData\Local\{0F0BAC75-E54F-4718-B5C7-B828C57256F5}

2012-07-17 08:16 - 2012-07-17 08:16 - 00000000 ____D C:\Users\annk\AppData\Local\{F6894DD1-1ED1-4063-8F1F-51F516F2BE38}

2012-07-17 08:16 - 2012-07-17 08:16 - 00000000 ____D C:\Users\annk\AppData\Local\{9CF8BBB0-F7E9-4CC4-AC38-ED66D643C6F0}

2012-07-03 08:48 - 2012-07-03 08:48 - 00000000 ____D C:\Users\annk\AppData\Local\{F30C4BF6-8FF2-4D2A-AB66-FF136E4093D1}

2012-07-03 08:48 - 2012-07-03 08:48 - 00000000 ____D C:\Users\annk\AppData\Local\{71165293-67F8-4AAF-82B7-674E33B322E9}

============ 3 Months Modified Files ========================

2012-07-31 10:36 - 2009-07-14 00:34 - 00015040 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-31 10:36 - 2009-07-14 00:34 - 00015040 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-31 10:29 - 2012-07-31 09:51 - 00002694 ____A C:\Windows\PFRO.log

2012-07-31 10:29 - 2012-07-31 09:51 - 00000224 ____A C:\Windows\setupact.log

2012-07-31 10:29 - 2011-04-19 14:46 - 01394137 ____A C:\Windows\WindowsUpdate.log

2012-07-31 10:29 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-31 10:18 - 2012-07-31 10:18 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys

2012-07-31 10:06 - 2012-07-31 10:06 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\annk\Downloads\tdsskiller.exe

2012-07-31 09:58 - 2011-04-19 14:47 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-31 09:51 - 2012-07-31 09:51 - 00000000 ____A C:\Windows\setuperr.log

2012-07-31 09:50 - 2012-07-31 09:50 - 00090758 ____A C:\Users\Public\Documents\cc_20120731_095028.reg

2012-07-03 13:46 - 2012-07-31 09:41 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-29 08:05 - 2012-04-29 16:38 - 00018710 ____A C:\Users\annk\Documents\KOVATCH.odt

2012-06-19 11:50 - 2012-06-19 11:50 - 00014704 ____A C:\Users\annk\Documents\LAUNDRY ROOM.odt

2012-06-14 03:08 - 2009-07-14 00:33 - 00288088 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-14 03:03 - 2012-06-14 03:03 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-06-14 03:03 - 2011-04-19 13:50 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-02 18:19 - 2012-06-24 04:44 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 18:19 - 2012-06-24 04:44 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 18:19 - 2012-06-24 04:44 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 18:19 - 2012-06-24 04:44 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 18:19 - 2012-06-24 04:44 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 18:12 - 2012-06-24 04:44 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 18:12 - 2012-06-24 04:44 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 15:19 - 2012-06-24 04:44 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 15:12 - 2012-06-24 04:44 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-22 13:38 - 2012-05-22 13:38 - 00016207 ____A C:\Users\annk\Documents\EVICTION NOTICE.odt

2012-05-21 14:34 - 2012-05-21 14:34 - 00011840 ____A C:\Users\annk\Documents\WAYNE CO APARTMENTS.odt

2012-05-18 12:20 - 2011-08-31 09:08 - 00013741 ____A C:\Users\annk\Documents\SECURITY DEPOSIT SETTLEMENT.odt

2012-05-17 19:11 - 2012-06-14 03:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 18:48 - 2012-06-14 03:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 18:45 - 2012-06-14 03:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 18:36 - 2012-06-14 03:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 18:35 - 2012-06-14 03:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 18:35 - 2012-06-14 03:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 18:33 - 2012-06-14 03:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 18:31 - 2012-06-14 03:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 18:29 - 2012-06-14 03:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 18:29 - 2012-06-14 03:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 18:27 - 2012-06-14 03:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 18:25 - 2012-06-14 03:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 18:24 - 2012-06-14 03:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 18:20 - 2012-06-14 03:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-17 10:16 - 2012-05-17 10:16 - 00012486 ____A C:\Users\annk\Documents\DISTURBANCES.odt

2012-05-14 21:12 - 2012-06-13 16:13 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-10 09:49 - 2011-11-08 13:12 - 00012492 ____A C:\Users\annk\Documents\KEEP ON WAITING LIST.odt

ZeroAccess:

C:\Windows\Installer\{0229a450-3ec4-fcc2-33a4-162312a3dc90}

C:\Windows\Installer\{0229a450-3ec4-fcc2-33a4-162312a3dc90}\@

C:\Windows\Installer\{0229a450-3ec4-fcc2-33a4-162312a3dc90}\L

C:\Windows\Installer\{0229a450-3ec4-fcc2-33a4-162312a3dc90}\U

ZeroAccess:

C:\Users\annk\AppData\Local\{0229a450-3ec4-fcc2-33a4-162312a3dc90}

C:\Users\annk\AppData\Local\{0229a450-3ec4-fcc2-33a4-162312a3dc90}\@

C:\Users\annk\AppData\Local\{0229a450-3ec4-fcc2-33a4-162312a3dc90}\L

C:\Users\annk\AppData\Local\{0229a450-3ec4-fcc2-33a4-162312a3dc90}\U

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 34%

Total physical RAM: 3260.51 MB

Available physical RAM: 2119.73 MB

Total Pagefile: 6519.3 MB

Available Pagefile: 5274.19 MB

Total Virtual: 2047.88 MB

Available Virtual: 1955.25 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:297.99 GB) (Free:264.61 GB) NTFS

3 Drive e: () (Fixed) (Total:74.52 GB) (Free:57.04 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 74 GB 8 MB

Disk 1 Online 298 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 74 GB 31 KB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 E NTFS Partition 74 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 297 GB 101 MB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

==================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C NTFS Partition 297 GB Healthy Boot

==================================================================================

==========================================================

Last Boot: 2012-07-28 00:41

======================= End Of Log ==========================

Hello pbearjar,

Trojan warning: ZeroAccess

This system has some serious backdoor trojans, spyware, and likely, a rootkit. Backdoor trojans allow hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

I'd suggest you do a full reformat and a new/clean install of Windows.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

IF you have a full-mirror-image backup of your system from before the infection, you should restore the system from that backup.

Let me know what you decide to do.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
