
My Computer is So Infected (BC.Miner), (Search Engine Redirects)



I've downloaded the Malwarebytes software, and it shows like 8 viruses, and removes them, but the bc.miner always comes back, and the other ones come back sometimes in a couple of days.

I'm getting a ton of Google redirects in Firefox/IE 8, etc., and I don't know what to do.

Here is my HiJack File:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:03:17 PM, on 8/2/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Boot mode: Normal

Running processes:

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files\PreSonus\1394AudioDriver_FireBox\FireBox.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe,-s,

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\wi4q8xwq.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.98.dll (file missing)

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Global Startup: FireBox Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FireBox\FireBox.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 6390 bytes


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted click Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Cool, here are the reports:

DDS

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.1

Run by D at 21:29:54 on 2012-08-02

Microsoft Windows 7 Home Basic 6.1.7601.1.1252.1.1033.18.6142.2756 [GMT -7:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files\PreSonus\1394AudioDriver_FireBox\FireBox.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

-netsvcs

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

C:\Windows\splwow64.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,-s,

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\wi4q8xwq.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.98.dll

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FIREBO~1.LNK - C:\Program Files\PreSonus\1394AudioDriver_FireBox\FireBox.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{01E4E73E-36FB-4FCC-8C46-F1B35331E5B9} : DhcpNameServer = 192.168.1.1

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

TB-X64: FireShot: {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\wi4q8xwq.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.98.dll

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\wi4q8xwq.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-3 253088]

.

=============== Created Last 30 ================

.

2012-08-03 04:28:47 -------- d-----w- C:\Users\D\Files

2012-08-03 01:40:12 388096 ----a-r- C:\Users\D\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-08-03 01:40:12 -------- d-----w- C:\Program Files (x86)\Trend Micro

2012-08-03 01:10:50 20480 ----a-w- C:\Windows\svchost.exe

2012-08-02 07:33:02 -------- d-----w- C:\Users\D\dian

2012-07-29 05:41:56 -------- d-----w- C:\Users\D\autoresponder

2012-07-28 20:57:11 -------- d-----w- C:\Users\D\.swt

2012-07-28 15:11:41 -------- d-----w- C:\Users\D\AppData\Local\{37E26BA6-D8B6-11E1-8270-B8AC6F996F26}

2012-07-28 15:11:39 433664 ----a-w- C:\Users\D\AppData\Roaming\wmgmg.dll

2012-07-28 15:10:46 -------- d-----w- C:\Users\D\AppData\Roaming\xsecva

2012-07-28 03:59:44 -------- d-----w- C:\ProgramData\225932DB000002640000D2F4F875F002

2012-07-28 03:58:54 63488 ---ha-w- C:\Windows\System32\dllhrcfg64.dll

2012-07-27 03:00:42 -------- d-----w- C:\Windows\SysWow64\C2MP

2012-07-27 02:56:39 -------- d-----w- C:\Program Files (x86)\Essentials Codec Pack

2012-07-27 00:21:10 -------- d-----w- C:\Users\D\AppData\Local\CoverEditor

2012-07-27 00:20:57 -------- d-----w- C:\Program Files (x86)\TBS Cover Editor

2012-07-27 00:03:52 -------- d-----w- C:\Users\D\AppData\Local\True BoxShot

2012-07-27 00:03:00 -------- d-----w- C:\Program Files (x86)\True BoxShot

2012-07-23 18:33:17 -------- d-----w- C:\Users\D\dwhelper

2012-07-21 23:45:55 -------- d-----w- C:\Users\D\AppData\Roaming\Malwarebytes

2012-07-21 23:45:14 -------- d-----w- C:\ProgramData\Malwarebytes

2012-07-21 23:45:13 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-07-21 23:45:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-07-20 23:53:01 -------- d-----w- C:\Users\D\Patrick

2012-07-20 01:07:02 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-07-19 18:58:54 1436672 ----a-w- C:\Windows\System32\LAVVideo.ax

2012-07-19 18:58:38 486912 ----a-w- C:\Windows\System32\LAVSplitter.ax

2012-07-19 18:58:34 264704 ----a-w- C:\Windows\System32\LAVAudio.ax

2012-07-19 18:58:32 357376 ----a-w- C:\Windows\System32\IntelQuickSyncDecoder.dll

2012-07-19 18:58:32 202752 ----a-w- C:\Windows\System32\libbluray.dll

2012-07-19 18:58:26 7128652 ----a-w- C:\Windows\System32\avcodec-lav-54.dll

2012-07-19 18:58:26 420110 ----a-w- C:\Windows\System32\swscale-lav-2.dll

2012-07-19 18:58:26 248625 ----a-w- C:\Windows\System32\avutil-lav-51.dll

2012-07-19 18:58:26 174229 ----a-w- C:\Windows\System32\avfilter-lav-3.dll

2012-07-19 18:58:26 110826 ----a-w- C:\Windows\System32\avresample-lav-0.dll

2012-07-19 18:58:26 1074211 ----a-w- C:\Windows\System32\avformat-lav-54.dll

2012-07-19 18:56:30 1114624 ----a-w- C:\Windows\SysWow64\LAVVideo.ax

2012-07-19 18:56:14 399360 ----a-w- C:\Windows\SysWow64\LAVSplitter.ax

2012-07-19 18:56:12 233472 ----a-w- C:\Windows\SysWow64\LAVAudio.ax

2012-07-19 18:56:08 274944 ----a-w- C:\Windows\SysWow64\IntelQuickSyncDecoder.dll

2012-07-19 18:56:08 172544 ----a-w- C:\Windows\SysWow64\libbluray.dll

2012-07-19 18:56:02 6894331 ----a-w- C:\Windows\SysWow64\avcodec-lav-54.dll

2012-07-19 18:56:02 401685 ----a-w- C:\Windows\SysWow64\swscale-lav-2.dll

2012-07-19 18:56:02 232895 ----a-w- C:\Windows\SysWow64\avutil-lav-51.dll

2012-07-19 18:56:02 162743 ----a-w- C:\Windows\SysWow64\avfilter-lav-3.dll

2012-07-19 18:56:02 1111581 ----a-w- C:\Windows\SysWow64\avformat-lav-54.dll

2012-07-19 18:56:02 101820 ----a-w- C:\Windows\SysWow64\avresample-lav-0.dll

2012-07-18 16:28:13 -------- d-----w- C:\Users\D\Work on Track

2012-07-17 16:22:56 -------- d-----w- C:\Users\D\temp

2012-07-17 16:22:56 -------- d-----w- C:\Users\D\AppData\Roaming\TeamViewer

2012-07-17 08:58:42 4079616 ----a-w- C:\Windows\System32\ffmpeg.dll

2012-07-17 08:57:54 474624 ----a-w- C:\Windows\System32\ff_kernelDeint.dll

2012-07-17 08:57:42 127488 ----a-w- C:\Windows\System32\ff_vfw.dll

2012-07-17 08:57:38 4344832 ----a-w- C:\Windows\System32\ffdshow.ax

2012-07-17 08:57:10 631296 ----a-w- C:\Windows\System32\TomsMoComp_ff.dll

2012-07-17 08:56:44 114688 ----a-w- C:\Windows\System32\ff_wmv9.dll

2012-07-17 08:56:42 156160 ----a-w- C:\Windows\System32\ff_libmad.dll

2012-07-17 08:56:40 359424 ----a-w- C:\Windows\System32\ff_libfaad2.dll

2012-07-17 08:56:40 1532928 ----a-w- C:\Windows\System32\ff_samplerate.dll

2012-07-17 08:56:40 116224 ----a-w- C:\Windows\System32\ff_liba52.dll

2012-07-17 08:56:38 223232 ----a-w- C:\Windows\System32\ff_libdts.dll

2012-07-17 08:56:38 183296 ----a-w- C:\Windows\System32\ff_unrar.dll

2012-07-17 08:35:20 3978240 ----a-w- C:\Windows\SysWow64\ffmpeg.dll

2012-07-17 08:34:30 112640 ----a-w- C:\Windows\SysWow64\ff_vfw.dll

2012-07-17 08:34:18 3479552 ----a-w- C:\Windows\SysWow64\ffdshow.ax

2012-07-17 08:33:48 271360 ----a-w- C:\Windows\SysWow64\TomsMoComp_ff.dll

2012-07-17 08:33:28 99840 ----a-w- C:\Windows\SysWow64\ff_wmv9.dll

2012-07-17 08:33:28 157184 ----a-w- C:\Windows\SysWow64\ff_unrar.dll

2012-07-17 08:33:26 211968 ----a-w- C:\Windows\SysWow64\ff_libdts.dll

2012-07-17 08:33:26 1525760 ----a-w- C:\Windows\SysWow64\ff_samplerate.dll

2012-07-17 08:33:26 147456 ----a-w- C:\Windows\SysWow64\ff_libmad.dll

2012-07-17 08:33:26 114688 ----a-w- C:\Windows\SysWow64\ff_liba52.dll

2012-07-17 08:33:24 330240 ----a-w- C:\Windows\SysWow64\ff_libfaad2.dll

2012-07-17 04:51:41 -------- d-----w- C:\Windows\pss

2012-07-16 04:26:42 -------- d-----w- C:\Users\D\AppData\Local\Geckofx

2012-07-16 04:25:43 -------- d-----w- C:\Program Files (x86)\EatWorm Software

2012-07-11 16:05:01 -------- d-----w- C:\Users\D\Motif Dance XP

2012-07-09 02:54:39 -------- d-----w- C:\Users\D\Stem

2012-07-07 18:24:40 -------- d-----w- C:\Users\D\Submission

2012-07-07 06:13:57 -------- d-----w- C:\Program Files\Audio

2012-07-07 06:12:34 -------- d-----w- C:\Program Files\Images

2012-07-07 01:24:20 -------- d-----w- C:\Users\D\Toshokan

2012-07-07 00:17:29 -------- d-----w- C:\Users\D\Submissions

.

==================== Find3M ====================

.

2012-08-01 06:50:23 32 ----a-w- C:\Windows\SysWow64\msvcsv60.dll

2012-06-29 03:26:40 0 ---ha-w- C:\Users\D\AppData\Roaming\.82973152FAA8DB40.sys

2012-06-29 03:26:39 0 ---ha-w- C:\Users\D\AppData\Roaming\.82973152FAA8DB3F.sys

2012-06-21 01:18:05 238080 ----a-w- C:\Users\D\IGBot.exe

2012-06-21 01:18:05 192512 ----a-w- C:\Users\D\ICSharpCode.SharpZipLib.dll

2012-06-21 01:18:04 38912 ----a-w- C:\Users\D\HTTPHelper.dll

2012-06-17 21:22:42 245760 ----a-w- C:\Windows\System32\spdif_test.exe

2012-06-17 21:22:34 111104 ----a-w- C:\Windows\System32\ac3config.exe

2012-06-17 21:22:22 1058816 ----a-w- C:\Windows\System32\ac3filter64_intl.dll

2012-06-17 21:20:06 1766400 ----a-w- C:\Windows\System32\ac3filter64.ax

2012-06-17 21:18:22 324608 ----a-w- C:\Windows\System32\BugTrap-x64.dll

2012-06-17 21:15:04 198144 ----a-w- C:\Windows\SysWow64\spdif_test.exe

2012-06-17 21:14:58 97792 ----a-w- C:\Windows\SysWow64\ac3config.exe

2012-06-17 21:14:42 1021440 ----a-w- C:\Windows\SysWow64\ac3filter_intl.dll

2012-06-17 21:12:10 1406976 ----a-w- C:\Windows\SysWow64\ac3filter.ax

2012-06-17 21:10:36 276992 ----a-w- C:\Windows\SysWow64\BugTrap.dll

2012-06-17 21:10:08 965120 ----a-w- C:\Windows\SysWow64\ac3filter.acm

2012-05-26 16:16:30 510464 ----a-w- C:\Windows\System32\FLVSplitter.ax

2012-05-26 16:16:24 424960 ----a-w- C:\Windows\System32\cdxareader.ax

2012-05-26 16:15:40 440832 ----a-w- C:\Windows\SysWow64\FLVSplitter.ax

2012-05-26 16:15:34 377344 ----a-w- C:\Windows\SysWow64\cdxareader.ax

2012-05-15 03:46:48 0 ---ha-w- C:\Users\D\AppData\Roaming\.829731522B7C2F13.sys

2012-05-12 22:42:16 147456 ----a-w- C:\Windows\System32\avutil64-51.dll

2012-05-12 22:42:16 146432 ----a-w- C:\Windows\SysWow64\avutil-51.dll

2012-05-12 22:42:16 1294848 ----a-w- C:\Windows\System32\avcodec64-53.dll

2012-05-12 22:42:16 1272320 ----a-w- C:\Windows\SysWow64\avcodec-53.dll

2012-05-05 16:24:34 5072 ----a-w- C:\FLVDirect.exe

.

============= FINISH: 21:30:07.66 ===============

Attach

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Basic

Boot Device: \Device\HarddiskVolume1

Install Date: 5/3/2012 6:51:00 AM

System Uptime: 8/2/2012 6:09:33 PM (3 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | EX58-UD4P

Processor: Intel® Core™ i7 CPU 950 @ 3.07GHz | Socket 1366 | 3192/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 932 GiB total, 609.453 GiB free.

D: is FIXED (NTFS) - 932 GiB total, 139.442 GiB free.

E: is CDROM (CDFS)

F: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}

Description: High Definition Audio Device

Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&7EBBC1C&0&0001

Manufacturer: Microsoft

Name: High Definition Audio Device

PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&7EBBC1C&0&0001

Service: HdAudAddService

.

Class GUID: {4d36e969-e325-11ce-bfc1-08002be10318}

Description: Standard floppy disk controller

Device ID: ACPI\PNP0700\4&E4BBDBA&0

Manufacturer: (Standard floppy disk controllers)

Name: Standard floppy disk controller

PNP Device ID: ACPI\PNP0700\4&E4BBDBA&0

Service: fdc

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe AIR

Advanced File Organizer 3.01

Apple Application Support

Apple Software Update

Camtasia Studio 7

CDBurnerXP

Cinesamples Drums of War 2

ElastikStandalone

ElastikVst

EZdrummer

EZXClaustrophobic

Foxit Reader

GoToMeeting 5.2.0.952

HiJackThis

IL Download Manager

iZotope Vinyl

J2SE Runtime Environment 5.0 Update 4

Java Auto Updater

Java™ 7 Update 4

JavaFX 2.1.0

LUXONIX Purity

MagicDisc 2.7.106

Malwarebytes Anti-Malware version 1.62.0.1300

Media Player Codec Pack 4.2.1

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

MixMeister BPM Analyzer 1.0

Mobilizer

Mozilla Firefox 14.0.1 (x86 en-US)

Native Instruments Absynth 5

Native Instruments B4 II

Native Instruments Battery 3

Native Instruments FM8

Native Instruments George Duke Soul Treasures

Native Instruments Intakt

Native Instruments Kontakt 4

Native Instruments Kontakt 5

Native Instruments Massive

Native Instruments Pro-53

Native Instruments Service Center

PowerISO

PreSonus FireBox driver v5.13.0.0

Proteus VX

QuickTime

Skype™ 5.5

Steinberg Cubase 5

Steinberg Drum Loop Expansion 01

Steinberg Groove Agent ONE Content

Steinberg HALionOne

Steinberg HALionOne Additional Content Set 01

Steinberg HALionOne Expression Set

Steinberg HALionOne Pro Set

Steinberg HALionOne Studio Drum Set

Steinberg HALionOne Studio Set

Steinberg LoopMash Content

Steinberg REVerence Content 01

Sylenth1 v2.20

T-RackS 3 Deluxe

TBS Cover Editor 2.2.4

The Action Machine 3

Tone2 Firebird VSTi v1.2.1

Tone2 Gladiator VSTi v2.2

Trial Tarantula

True BoxShot 2.0

True BoxShot for Adobe Photoshop® v1.1

TruePianos: Amber Module 1.4.0

TruePianos: Diamond Module 1.4.0

TruePianos: Emerald Module 1.4.0

TruePianos: Sapphire Module 1.4.0

V-Station 1.5.1

VLC media player 2.0.1

Windows Essentials Media Codec Pack 4.0 [64-Bit]

WinPcap 4.1.2

YellaBot

.

==== Event Viewer Messages From Past Week ========

.

8/2/2012 6:10:09 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

8/2/2012 6:10:09 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

8/2/2012 6:09:57 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

8/2/2012 6:09:54 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

8/2/2012 6:09:54 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

7/26/2012 5:43:01 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c5 (0x0000000000000000, 0x0000000000000002, 0x0000000000000000, 0xfffff80002bc79bc). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 072612-20841-01.

.

==== End Of File ===========================

And here is the RogueKiller report (I didn't hit delete or anything yet):

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo...13-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: D [Admin rights]

Mode: Scan -- Date: 08/02/2012 21:39:34

¤¤¤ Bad processes: 1 ¤¤¤

[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 7 ¤¤¤

[BLACKLIST DLL] HKLM\[...]\Run : izctsb (rundll32.exe "C:\Users\D\AppData\Roaming\izctsb.dll",OpenFileStreamShare) -> FOUND

[BLACKLIST DLL] HKLM\[...]\Run : wmgmg ("C:\Windows\System32\rundll32.exe" "C:\Users\D\AppData\Roaming\wmgmg.dll",_SetSlice) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\D\AppData\Local\{6e08476f-10b8-0c2c-075a-46ae776232ae}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{6e08476f-10b8-0c2c-075a-46ae776232ae}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{6e08476f-10b8-0c2c-075a-46ae776232ae}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{6e08476f-10b8-0c2c-075a-46ae776232ae}\L --> FOUND

[ZeroAccess][FILE] n : c:\users\d\appdata\local\{6e08476f-10b8-0c2c-075a-46ae776232ae}\n --> FOUND

[ZeroAccess][FILE] @ : c:\users\d\appdata\local\{6e08476f-10b8-0c2c-075a-46ae776232ae}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\d\appdata\local\{6e08476f-10b8-0c2c-075a-46ae776232ae}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\d\appdata\local\{6e08476f-10b8-0c2c-075a-46ae776232ae}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 link-assistant.com

127.0.0.1 www.link-assistant.com

127.0.0.1 tone2.com

127.0.0.1 www.tone2.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00J7B1 ATA Device +++++

--- User ---

[MBR] 975e82c853644cc770990fcde26cf9b7

[BSP] 2489f79031dde064bf3e50ec90824b09 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] fcffaa6f25449e1afdd00336e1a57038

[BSP] 2489f79031dde064bf3e50ec90824b09 : Windows 7 MBR Code

Partition table:

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

+++++ PhysicalDrive1: WDC WD1001FALS-00J7B1 ATA Device +++++

--- User ---

[MBR] 61246db5bd86d040c1d1e7fc9cb5f12c

[BSP] ae7b390d5dbeda33bdbdc5229b2d1835 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

Thanks

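The reports above carry several indicators that a triage script can pick out before an analyst reads them line by line: a copy of svchost.exe sitting in C:\Windows rather than System32, DLL and .sys files dropped in AppData\Roaming, a hidden DLL in System32, a directory literally named %APPDATA% under SysWow64, UAC switched off (EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0), and a drive whose MBR hashes differently depending on which read path RogueKiller used. The Python script below is an added example, not part of this thread and not code from DDS, RogueKiller or Malwarebytes; it runs those checks over excerpts of the logs posted above. The rule set and the helper names (triage_dds, mbr_mismatches) are the example's own, and its findings are triage hints for an analyst, not verdicts.

```python
"""Triage of DDS and RogueKiller text logs (added example, not part of the thread)."""
import re

# Constructed sample input: lines excerpted from the DDS and RogueKiller
# reports posted in this thread, cut down to a few flagged and benign entries.
DDS_EXCERPT = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
2012-08-03 01:10:50 20480 ----a-w- C:\Windows\svchost.exe
2012-07-28 15:11:39 433664 ----a-w- C:\Users\D\AppData\Roaming\wmgmg.dll
2012-07-28 03:58:54 63488 ---ha-w- C:\Windows\System32\dllhrcfg64.dll
2012-07-21 23:45:13 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-20 01:07:02 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-19 18:58:54 1436672 ----a-w- C:\Windows\System32\LAVVideo.ax
2012-06-29 03:26:40 0 ---ha-w- C:\Users\D\AppData\Roaming\.82973152FAA8DB40.sys
"""

RK_EXCERPT = """
+++++ PhysicalDrive0: WDC WD1001FALS-00J7B1 ATA Device +++++
--- User ---
[MBR] 975e82c853644cc770990fcde26cf9b7
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] fcffaa6f25449e1afdd00336e1a57038
+++++ PhysicalDrive1: WDC WD1001FALS-00J7B1 ATA Device +++++
--- User ---
[MBR] 61246db5bd86d040c1d1e7fc9cb5f12c
User = LL1 ... OK!
User = LL2 ... OK!
"""

# DDS file entry: date time size-or-dashes attribute-flags path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$"
)
POLICY_LINE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
# RogueKiller MBR section markers: one block per physical drive, one
# "--- <view> ---" block per read path, each holding an [MBR] hash line.
DRIVE_LINE = re.compile(r"^\+{5} (PhysicalDrive\d+):")
VIEW_LINE = re.compile(r"^--- (\w+) ---$")
MBR_LINE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")

# Core Windows binaries that live under System32/SysWOW64; a copy anywhere
# else (C:\Windows\svchost.exe above) is a masquerade worth a look.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
CODE_EXTENSIONS = (".dll", ".exe", ".sys")


def _file_findings(attrs, path):
    """Yield (path, reason) for one DDS file/dir entry; nothing if it looks benign."""
    low = path.lower()
    parts = low.split("\\")
    name = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    is_dir = attrs.startswith("d")  # DDS puts 'd' first for directories
    if name in SYSTEM_BINARIES and parent not in ("system32", "syswow64"):
        yield path, "core system binary outside System32/SysWOW64"
    if not is_dir and "\\appdata\\roaming\\" in low and name.endswith(CODE_EXTENSIONS):
        yield path, "executable code dropped in a roaming user profile"
    # 'h' / 's' in the flag string are the hidden / system attributes
    if not is_dir and "\\windows\\" in low and ("h" in attrs or "s" in attrs):
        yield path, "hidden/system attribute set on a file under \\Windows"
    if is_dir and "%" in name:
        yield path, "directory named like an unexpanded environment variable"


def _policy_findings(key, value):
    """Yield (key, reason) for UAC policy values that weaken elevation prompts."""
    if key == "EnableLUA" and value == 0:
        yield key, "UAC disabled (EnableLUA = 0)"
    if key == "ConsentPromptBehaviorAdmin" and value == 0:
        yield key, "administrators elevate silently (ConsentPromptBehaviorAdmin = 0)"


def triage_dds(text):
    """Return [(item, reason), ...] for every suspicious entry in DDS output."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_LINE.match(line)
        if m:
            findings.extend(_policy_findings(m.group(1), int(m.group(2))))
            continue
        m = FILE_LINE.match(line)
        if m:
            findings.extend(_file_findings(m.group(4), m.group(5)))
    return findings


def mbr_mismatches(text):
    """Map drive -> (User hash, LL2 hash) where RogueKiller's normal read path
    and its lowest-level read path returned different boot sectors. RogueKiller
    only prints an LL2 block when the two disagree, so a drive with no LL2
    hash is treated as consistent."""
    hashes = {}
    drive = view = None
    for line in text.splitlines():
        line = line.strip()
        m = DRIVE_LINE.match(line)
        if m:
            drive, view = m.group(1), None
            hashes.setdefault(drive, {})
            continue
        m = VIEW_LINE.match(line)
        if m:
            view = m.group(1)
            continue
        m = MBR_LINE.match(line)
        if m and drive and view:
            hashes[drive][view] = m.group(1)
    return {
        d: (v["User"], v["LL2"])
        for d, v in hashes.items()
        if "User" in v and "LL2" in v and v["User"] != v["LL2"]
    }


if __name__ == "__main__":
    for item, reason in triage_dds(DDS_EXCERPT):
        print(f"[DDS] {reason}: {item}")
    for drive, (user_hash, ll2_hash) in mbr_mismatches(RK_EXCERPT).items():
        print(f"[RK] {drive}: MBR differs between read paths ({user_hash} vs {ll2_hash})")
```

Against the excerpt this flags the two UAC policies and five of the seven file entries while passing over mbam.sys and LAVVideo.ax, and reports PhysicalDrive0 as the drive whose MBR reads differently through the two paths, which is the drive RogueKiller labels Root.MBR above. The file rules deliberately err on the side of flagging: legitimate software does occasionally drop a DLL in AppData\Roaming, so each hit is a line for the analyst to look at, not an automatic verdict.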

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
