
Rootkit.0Access infection



Recently I had that virus on my laptop that looks like it's from the FBI and says you need to pay money or something and I got rid of that, but it scared me and made me wonder what else I had. So I scanned with Malwarebytes Anti-Malware and got nothing (was using an old version) so I downloaded the new one and am currently using the trial, and was able to remove (everything I hope) that fake FBI virus. I kept scanning and saw that I had this Rootkit.0Access virus. I have performed 5+ full scans since then and each time it keeps coming up with it even though I always click delete when the scan finishes. So now I'm here, looking for some help with dealing with this. Oh and since installing your excellent product, I have been getting popups saying "Successfully blocked access to a potentially malicious website: [ip address] Type: outgoing Port: [port number] Process: [either services.exe or svchost.exe]" and I even disconnected my laptop from the internet and am still getting those popups. I only know about them since I installed this newer version so I don't actually know how long this has been going on.

Anyway, sorry for the long story but I thought it might be important to say sort of what happened and what I did.

So I'm following this post http://forums.malwar...?showtopic=9573 on what to do.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 10.5.1

Run by Bryan at 19:48:17 on 2012-08-03

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1079 [GMT -10:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\System32\bcmwltry.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\aestsrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe

C:\Program Files\IBM\SQLLIB\bin\db2dasrrm.exe

C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe

C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe

C:\Program Files\Kodak\AiO\center\KodakSvc.exe

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\system32\PnkBstrA.exe

C:\Windows\system32\PnkBstrB.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe

C:\Program Files\IBM\SQLLIB\BIN\db2fmp.exe

C:\Windows\System32\WLTRAY.EXE

C:\Windows\OEM02Mon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

C:\Program Files\Real\RealPlayer\Update\realsched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\AceHide Free\AceHideFree.exe

C:\Program Files\PeerBlock\peerblock.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\conime.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local;<local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

uRun: [zHideWin] c:\program files\acehide free\AceHideFree.exe

uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [PlayNC Launcher]

uRun: [Google Update] "c:\users\bryan\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [Conime] %windir%\system32\conime.exe

mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\users\bryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech touch mouse server\iTouch-Server-Win.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

TCP: Interfaces\{19FA4404-0525-4A1B-9858-115FAFD7B53C} : NameServer = 156.154.70.22,156.154.71.22

TCP: Interfaces\{82BE0B43-5A3E-4F7D-927E-829FAE3510CC} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\bryan\appdata\roaming\mozilla\firefox\profiles\c9gju475.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://urlseek40.vmn.net/search.php?lg=en&type=dns&tbn=oovoo2_0dn&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll

FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\bryan\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R1 SafDskNT;SafeHouse;c:\windows\system32\drivers\SafDskNT.sys [2009-3-5 77824]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2012-1-9 158512]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2012-1-9 91440]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-10-2 73728]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-25 20968]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-4-24 24328]

R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\ibm\sqllib\bin\db2mgmtsvc.exe [2011-11-22 37736]

R2 DB2REMOTECMD_DB2COPY1;DB2 Remote Command Server (DB2COPY1);c:\program files\ibm\sqllib\bin\db2rcmd.exe [2011-11-22 34664]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-12-18 21504]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKDiscovery.exe [2009-5-4 279960]

R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2009-4-17 32768]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-1 655944]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-1 22344]

R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2011-9-4 20080]

R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-12-19 116016]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-15 250056]

S3 DB2GOVERNOR_DB2COPY1;DB2 Governor (DB2COPY1);c:\program files\ibm\sqllib\bin\db2govds.exe [2011-11-22 23912]

S3 DB2LICD_DB2COPY1;DB2 License Server (DB2COPY1);c:\program files\ibm\sqllib\bin\db2licd.exe [2011-11-22 128360]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-6 113120]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-12-19 104752]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-12-19 82736]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

.

=============== Created Last 30 ================

.

2012-08-01 12:09:18 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-08-01 11:07:22 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-01 11:07:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-01 10:38:19 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-07-31 09:44:18 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7653850b-8b63-4046-a72d-6a32247ac3f2}\mpengine.dll

2012-07-13 11:05:28 -------- d-----w- C:\DriveKey

2012-07-13 09:54:54 -------- d-----w- c:\program files\DiskCheckup

2012-07-11 13:07:29 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-10 17:51:49 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-10 17:51:49 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-10 17:51:48 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2012-07-10 17:51:43 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-10 17:51:43 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-10 17:51:43 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-07 06:37:53 88576 ----a-w- c:\windows\system32\tlntsess.exe

.

==================== Find3M ====================

.

2012-07-27 08:19:40 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-27 08:19:39 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-19 07:33:09 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2012-07-06 08:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-03 01:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-03 01:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-05-31 22:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-05-16 22:53:13 499712 ----a-w- c:\windows\system32\msvcp71.dll

2012-05-16 22:53:13 348160 ----a-w- c:\windows\system32\msvcr71.dll

2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll

2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll

2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec

2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 19:48:34.00 ===============

I think that that is everything. If I need to do something else, let me know. Any help would be appreciated, thanks.

Attach.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Hi, thanks for responding. I just clicked scan and didn't mess with any of the other options like you said.

It also opened a website when it finished, but my laptop is not connected to the internet, so I don't know what it was about or if it was important.

This is RKreport[1].txt:

RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Bryan [Admin rights]

Mode: Scan -- Date: 08/04/2012 00:47:53

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 11 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U --> FOUND

[ZeroAccess][FILE] @ : c:\users\bryan\appdata\local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\bryan\appdata\local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\bryan\appdata\local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\L --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160821AS ATA Device +++++

--- User ---

[MBR] 9c07d9de0ae77bdfdde0ba19da87d1bd

[bSP] 0bbd13b5d76695bb505e813c44c7894b : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 10240 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21100544 | Size: 139763 Mo

3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 307335168 | Size: 2560 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Thanks

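The findings that matter in the two logs above are easy to miss among hundreds of ordinary lines: UAC policy values forced to 0, a hidden directory literally named %APPDATA% inside system32, the {GUID}\@ file and {GUID}\U folders that RogueKiller labels ZeroAccess, the services.exe entry the scanner cannot fix, and the outbound-connection blocks from services.exe the original post describes. The Python script below is an added example, not part of this thread and not code from DDS, RogueKiller or Malwarebytes; it pulls those indicators out of a saved log mechanically. The indicator names and regular expressions are my own assumptions, the sample log is constructed from lines quoted in this thread plus one made-up block message with placeholder address and port, and the script only reports, so a helper still confirms each hit before anything is fixed.

```python
"""Triage helper for DDS / RogueKiller style text logs (added example).

The indicator patterns are assumptions drawn from the lines quoted in this
thread; they are not part of DDS, RogueKiller or Malwarebytes. The script
only reports; it changes nothing on the system.
"""
import re
from collections import Counter

# (name, pattern, why it matters). Names and regexes are my own assumptions.
INDICATORS = [
    ("uac_disabled",
     re.compile(r"\b(?:EnableLUA|ConsentPromptBehaviorAdmin|ConsentPromptBehaviorUser)"
                r"\s*(?:=|\()\s*0\b"),
     "UAC policy value forced to 0: elevation prompts are off"),
    ("system32_appdata_dir",
     re.compile(r"system32\\%APPDATA%", re.IGNORECASE),
     "a directory literally named %APPDATA% under system32 is not a Windows default"),
    ("zeroaccess_guid_store",
     re.compile(r"\\\{[0-9a-f-]{36}\}\\(?:@|U|L)(?=\s|$)", re.IGNORECASE),
     "{GUID}\\@ file or {GUID}\\U / \\L folder, the layout RogueKiller labels ZeroAccess"),
    ("services_exe_flagged",
     re.compile(r"services\.exe\s*-->\s*CANNOT FIX"),
     "scanner could not repair services.exe; the infected file has to be replaced"),
    ("blocked_outbound_service",
     re.compile(r"Successfully blocked access.*Type:\s*outgoing.*Process:\s*(?:services|svchost)\.exe",
                re.IGNORECASE),
     "services.exe makes no outbound connections of its own; injected code does"),
]


def triage(lines):
    """Return (indicator_name, stripped_line) for every line matching an indicator."""
    hits = []
    for line in lines:
        for name, pattern, _ in INDICATORS:
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits


def summarize(hits):
    """Count hits per indicator name, in first-seen order."""
    return dict(Counter(name for name, _ in hits))


# Constructed sample: log lines copied from the thread plus one made-up
# Malwarebytes block message (203.0.113.10 and port 12345 are placeholders).
# The mpengine.dll and svchost.exe lines are benign and must not be flagged.
SAMPLE_LOG = r"""mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
2012-08-01 10:38:19 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-31 09:44:18 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7653850b-8b63-4046-a72d-6a32247ac3f2}\mpengine.dll
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\bryan\appdata\local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U --> FOUND
[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX
Successfully blocked access to a potentially malicious website: 203.0.113.10 Type: outgoing Port: 12345 Process: services.exe
C:\Windows\system32\svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for name, line in found:
        print(f"[{name}] {line}")
    print("summary:", summarize(found))
```

To use it on a real case, read DDS.txt or the RKreport into `lines` in place of `SAMPLE_LOG`. The GUID pattern deliberately requires the `\@`, `\U` or `\L` leaf so that legitimate GUID-named folders such as the Windows Defender definition directory are not reported.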

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Being that you have Vista > you may or may not be able to do this, please give it a try anyway.

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


Ok I ran the FRST.exe in system recovery and did the search.

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 04-08-2012 01:34:37

Running from E:\

Windows Vista Home Basic (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [90112 2006-11-10] ()

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3444736 2007-12-08] (Dell Inc.)

HKLM\...\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe [36864 2007-05-10] (Creative Technology Ltd.)

HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [857648 2007-04-27] (Synaptics, Inc.)

HKLM\...\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-09-07] (IDT, Inc.)

HKLM\...\Run: [Conime] %windir%\system32\conime.exe [x]

HKLM\...\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [1638400 2010-09-02] (Eastman Kodak Company)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [296056 2012-05-16] (RealNetworks, Inc.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKU\Bryan\...\Run: [zHideWin] C:\Program Files\AceHide Free\AceHideFree.exe [94720 2002-05-16] ()

HKU\Bryan\...\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe [1866864 2010-11-07] (PeerBlock, LLC)

HKU\Bryan\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)

HKU\Bryan\...\Run: [PlayNC Launcher] [x]

HKU\Bryan\...\Run: [Google Update] "C:\Users\Bryan\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-12] (Google Inc.)

Tcpip\Parameters: [DhcpNameServer] 24.25.227.55 209.18.47.61 24.25.227.53

Tcpip\..\Interfaces\{19FA4404-0525-4A1B-9858-115FAFD7B53C}: [NameServer]156.154.70.22,156.154.71.22

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )

Startup: C:\Users\Bryan\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk

ShortcutTarget: Logitech Touch Mouse Server.lnk -> C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe (Logitech, Inc.)

================================ Services (Whitelisted) ==================

2 DB2; C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe [148840 2011-11-22] (International Business Machines Corporation)

2 DB2DAS00; "C:\Program Files\IBM\SQLLIB\bin\db2dasrrm.exe" [169320 2011-11-22] (International Business Machines Corporation)

3 DB2GOVERNOR_DB2COPY1; "C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe" [23912 2011-11-22] (International Business Machines Corporation)

3 DB2LICD_DB2COPY1; "C:\Program Files\IBM\SQLLIB\BIN\db2licd.exe" [128360 2011-11-22] (International Business Machines Corporation)

2 DB2MGMTSVC_DB2COPY1; "C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe" [37736 2011-11-22] (International Business Machines Corporation)

2 DB2REMOTECMD_DB2COPY1; "C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe" [34664 2011-11-22] (International Business Machines Corporation)

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)

2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe [279960 2009-05-04] (Eastman Kodak Company)

2 KodakSvc; "C:\Program Files\Kodak\AiO\center\KodakSvc.exe" [32768 2009-04-17] (Eastman Kodak Company)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2009-11-27] ()

2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [215104 2011-08-04] ()

2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-07] (Skype Technologies)

2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]

4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]

4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]

4 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

2 cpuz133; \??\C:\Windows\system32\drivers\cpuz133_x32.sys [20968 2010-03-31] (Windows ® Win 7 DDK provider)

2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x32.sys [24328 2012-03-09] (CPUID)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)

4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-30] (Microsoft Corporation)

1 SafDskNT; \??\C:\Windows\system32\drivers\SAFDSKNT.SYS [77824 2009-03-05] (PC Dynamics, Inc.)

1 VBoxDrv; C:\Windows\System32\DRIVERS\VBoxDrv.sys [158512 2011-12-19] (Oracle Corporation)

3 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp.sys [104752 2011-12-19] (Oracle Corporation)

3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [116016 2011-12-19] (Oracle Corporation)

3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [82736 2011-12-19] (Oracle Corporation)

1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [91440 2011-12-19] (Oracle Corporation)

3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [x]

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]

3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-04 02:47 - 2012-08-04 02:47 - 00002657 ____A C:\Users\Bryan\Desktop\RKreport[1].txt

2012-08-04 02:46 - 2012-08-04 02:47 - 00000000 ____D C:\Users\Bryan\Desktop\RK_Quarantine

2012-08-04 02:46 - 2012-08-04 02:45 - 01552896 ____A C:\Users\Bryan\Desktop\RogueKiller.exe

2012-08-04 01:34 - 2012-08-04 01:34 - 00000000 ____D C:\FRST

2012-08-03 21:48 - 2012-08-03 21:48 - 00023560 ____A C:\Users\Bryan\Desktop\Attach.txt

2012-08-03 21:48 - 2012-08-03 21:48 - 00015403 ____A C:\Users\Bryan\Desktop\DDS.txt

2012-08-03 19:24 - 2012-08-03 19:21 - 00607260 ____R (Swearware) C:\Users\Bryan\Desktop\dds.scr

2012-08-01 04:09 - 2012-08-01 04:08 - 00227824 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2012-08-01 04:09 - 2012-07-06 00:06 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll

2012-08-01 04:08 - 2012-08-01 04:08 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2012-08-01 04:08 - 2012-08-01 04:08 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2012-08-01 03:44 - 2012-08-03 19:08 - 00022528 ____A C:\Users\Bryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-08-01 03:07 - 2012-08-01 03:08 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-08-01 03:07 - 2012-08-01 03:07 - 00000866 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-01 03:07 - 2012-07-03 15:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-01 02:56 - 2012-08-01 02:26 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Public\Documents\mbam-setup-1.62.0.1300.exe

2012-08-01 02:38 - 2012-08-01 02:38 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-07-28 04:58 - 2012-07-28 05:03 - 04503728 ___AT C:\Users\All Users\zak_lo0i7g.pad

2012-07-13 03:05 - 2012-07-13 03:05 - 00000000 ____D C:\DriveKey

2012-07-13 01:54 - 2012-07-13 03:05 - 00000000 ____D C:\Program Files\DiskCheckup

2012-07-13 01:54 - 2012-07-13 01:54 - 00000800 ____A C:\Users\Bryan\Desktop\DiskCheckup.lnk

2012-07-11 05:07 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-10 09:51 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-10 09:51 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-10 09:51 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-10 09:51 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-10 09:51 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-10 09:51 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-06 22:37 - 2009-06-10 01:43 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\tlntsess.exe

2012-07-06 04:33 - 2012-07-06 04:33 - 00000862 ____A C:\Windows\System32\termcap

============ 3 Months Modified Files ========================

2012-08-04 03:29 - 2009-10-02 20:36 - 00000012 ____A C:\Windows\bthservsdp.dat

2012-08-04 03:29 - 2006-11-02 04:58 - 00032522 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-08-04 03:29 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-04 03:29 - 2006-11-02 04:45 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-04 03:29 - 2006-11-02 04:45 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-04 03:27 - 2006-11-02 04:49 - 01404134 ____A C:\Windows\WindowsUpdate.log

2012-08-04 03:19 - 2012-04-15 20:16 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-04 02:51 - 2010-03-12 15:33 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219010701-923674729-2664050940-1000UA.job

2012-08-04 02:47 - 2012-08-04 02:47 - 00002657 ____A C:\Users\Bryan\Desktop\RKreport[1].txt

2012-08-04 02:45 - 2012-08-04 02:46 - 01552896 ____A C:\Users\Bryan\Desktop\RogueKiller.exe

2012-08-03 21:48 - 2012-08-03 21:48 - 00023560 ____A C:\Users\Bryan\Desktop\Attach.txt

2012-08-03 21:48 - 2012-08-03 21:48 - 00015403 ____A C:\Users\Bryan\Desktop\DDS.txt

2012-08-03 20:06 - 2009-10-10 10:20 - 01009412 ____A C:\Windows\PFRO.log

2012-08-03 19:21 - 2012-08-03 19:24 - 00607260 ____R (Swearware) C:\Users\Bryan\Desktop\dds.scr

2012-08-03 19:08 - 2012-08-01 03:44 - 00022528 ____A C:\Users\Bryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-08-03 05:51 - 2010-03-12 15:33 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219010701-923674729-2664050940-1000Core.job

2012-08-01 14:40 - 2010-03-12 15:34 - 00002042 ____A C:\Users\Bryan\Desktop\Google Chrome.lnk

2012-08-01 04:08 - 2012-08-01 04:09 - 00227824 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2012-08-01 04:08 - 2012-08-01 04:08 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2012-08-01 04:08 - 2012-08-01 04:08 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2012-08-01 03:07 - 2012-08-01 03:07 - 00000866 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-01 02:46 - 2011-09-04 20:26 - 00001688 ____A C:\Users\Bryan\Desktop\PeerBlock.lnk

2012-08-01 02:26 - 2012-08-01 02:56 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Public\Documents\mbam-setup-1.62.0.1300.exe

2012-07-28 05:03 - 2012-07-28 04:58 - 04503728 ___AT C:\Users\All Users\zak_lo0i7g.pad

2012-07-27 00:19 - 2012-04-15 20:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-27 00:19 - 2011-05-21 19:46 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-07-22 02:32 - 2012-06-27 20:10 - 00002337 ____A C:\Users\Public\Desktop\Skype.lnk

2012-07-18 23:33 - 2010-01-16 14:34 - 00231760 ____A (TrueCrypt Foundation) C:\Windows\System32\Drivers\truecrypt.sys

2012-07-13 01:54 - 2012-07-13 01:54 - 00000800 ____A C:\Users\Bryan\Desktop\DiskCheckup.lnk

2012-07-11 05:27 - 2006-11-02 04:44 - 00371864 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 05:07 - 2006-11-02 02:23 - 00000291 ____A C:\Windows\win.ini

2012-07-11 05:03 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-07-06 04:33 - 2012-07-06 04:33 - 00000862 ____A C:\Windows\System32\termcap

2012-07-06 00:06 - 2012-08-01 04:09 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll

2012-07-06 00:06 - 2010-08-12 05:31 - 00687544 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll

2012-07-03 15:46 - 2012-08-01 03:07 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-30 16:05 - 2011-01-11 09:44 - 00005661 ____A C:\Windows\setupact.log

2012-06-14 05:16 - 2006-11-02 02:33 - 00932946 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-13 05:40 - 2012-07-11 05:07 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 09:47 - 2012-07-10 09:51 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-05 08:47 - 2012-07-10 09:51 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 08:47 - 2012-07-10 09:51 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-04 07:26 - 2012-07-10 09:51 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-02 17:19 - 2012-06-18 17:25 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 17:12 - 2012-06-18 17:25 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 14:19 - 2012-06-18 17:26 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-18 17:26 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-18 17:26 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-18 17:26 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-18 17:26 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:12 - 2012-06-18 17:26 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:12 - 2012-06-18 17:26 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-01 16:04 - 2012-07-10 09:51 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 16:03 - 2012-07-10 09:51 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-05-31 14:25 - 2009-10-25 22:17 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-05-27 16:41 - 2009-11-27 19:32 - 00176344 ____A C:\Windows\DirectX.log

2012-05-16 14:53 - 2012-05-16 14:53 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll

2012-05-16 14:53 - 2012-05-16 14:53 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll

2012-05-16 14:53 - 2012-05-16 14:53 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll

2012-05-16 14:53 - 2011-01-10 16:30 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll

2012-05-16 14:53 - 2009-10-02 21:27 - 00499712 ____A (Microsoft Corporation) C:\Windows\System32\msvcp71.dll

2012-05-16 14:53 - 2009-10-02 21:27 - 00348160 ____A (Microsoft Corporation) C:\Windows\System32\msvcr71.dll

2012-05-14 22:37 - 2012-06-13 21:17 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-14 22:37 - 2012-06-13 21:17 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 22:37 - 2012-06-13 21:17 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-14 22:35 - 2012-06-13 21:17 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll

2012-05-14 22:33 - 2012-06-13 21:17 - 06007808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-14 22:33 - 2012-06-13 21:17 - 00629760 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-05-14 22:33 - 2012-06-13 21:17 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll

2012-05-14 22:33 - 2012-06-13 21:17 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-14 22:33 - 2012-06-13 21:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2012-05-14 22:32 - 2012-06-13 21:17 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-14 22:32 - 2012-06-13 21:17 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2012-05-14 22:32 - 2012-06-13 21:17 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2012-05-14 22:31 - 2012-06-13 21:17 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2012-05-14 21:01 - 2012-06-13 21:17 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2012-05-14 19:26 - 2012-06-13 21:17 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-14 19:25 - 2012-06-13 21:17 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2012-05-14 19:24 - 2012-06-13 21:17 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2012-05-14 19:23 - 2012-06-13 21:17 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-11 00:09 - 2012-05-11 00:09 - 00001843 ____A C:\Users\Bryan\Desktop\Aion.lnk

ZeroAccess:

C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}

C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\@

C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U

C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U\00000001.@

C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U\80000000.@

ZeroAccess:

C:\Users\Bryan\AppData\Local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}

C:\Users\Bryan\AppData\Local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\@

C:\Users\Bryan\AppData\Local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\L

C:\Users\Bryan\AppData\Local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%

Total physical RAM: 1917.53 MB

Available physical RAM: 1653.21 MB

Total Pagefile: 1853.34 MB

Available Pagefile: 1734.33 MB

Total Virtual: 2047.88 MB

Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:136.49 GB) (Free:46.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: () (Removable) (Total:1.91 GB) (Free:1.9 GB) FAT

4 Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

5 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.79 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 149 GB 1024 KB

Disk 1 Online 1954 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 63 MB 32 KB

Partition 2 Primary 10 GB 63 MB

Partition 3 Primary 136 GB 10 GB

Partition 0 Extended 2560 MB 147 GB

Partition 4 Logical 2559 MB 147 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 FAT Partition 63 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 X RECOVERY NTFS Partition 10 GB Healthy Boot

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 136 GB Healthy

==================================================================================

Disk: 0

Partition 4

Type : DD

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1954 MB 32 KB

==================================================================================

Disk: 1

Partition 1

Type : 0E

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 E FAT Removable 1954 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-03 20:14

======================= End Of Log ==========================

Search.txt:

Farbar Recovery Scan Tool Version: 25-07-2012 01

Ran by SYSTEM at 2012-08-04 01:36:32

Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

[2010-01-16 20:57] - [2009-04-11 01:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe

[2009-12-18 19:25] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe

[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe

[2010-01-16 20:57] - [2009-04-11 01:28] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===

Thanks for your help.

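As an added example (not part of this thread, and not FRST's own code), the reasoning behind the `Replace:` line the helper writes next can be automated from the Search.txt block above: the System32 copy of services.exe reports exactly the same timestamps and size as one component-store copy but a different MD5, which is what "MD5 is legit" failed on. The winsxs-twin rule used here is an assumption standing in for FRST's internal known-hash check; the sample log text is constructed from the lines quoted in the post.

```python
"""
Pick the component-store (winsxs) donor for a tampered system binary from an
FRST Search.txt block.  Rule (assumption, mirrors the helper's manual choice):
under normal servicing the System32 file is a hard link of its winsxs copy, so
a store copy with identical create/modify times and size but a different MD5
means the live file's contents were swapped while its metadata was preserved.
"""
import re
from dataclasses import dataclass

# Constructed sample: the Search.txt lines quoted in the thread.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-01-16 20:57] - [2009-04-11 01:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2009-12-18 19:25] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2010-01-16 20:57] - [2009-04-11 01:28] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
"""

# Detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def fingerprint(self):
        # Metadata a timestomping implant leaves untouched.
        return (self.created, self.modified, self.size)

    @property
    def in_component_store(self):
        return "\\winsxs\\" in self.path.lower()


def parse_search(text):
    """Each hit is a path line followed by its detail line; headers are skipped."""
    entries, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = DETAIL_RE.match(line)
        if m is None:
            pending_path = line          # a path line precedes its detail line
            continue
        if pending_path is None:
            raise ValueError(f"detail line without a path: {line}")
        entries.append(FileEntry(pending_path, m["created"], m["modified"],
                                 int(m["size"]), m["company"], m["md5"].upper()))
        pending_path = None
    return entries


def find_replacement(entries, target):
    """Return (verdict, donor_path).  Verdicts: legit, replace, unknown, missing."""
    live = [e for e in entries if e.path.lower() == target.lower()]
    if len(live) != 1:
        return ("missing", None)
    live = live[0]
    twins = [e for e in entries
             if e.in_component_store and e.fingerprint == live.fingerprint]
    if any(e.md5 == live.md5 for e in twins):
        return ("legit", None)       # contents match the store: nothing to do
    if len(twins) == 1:
        return ("replace", twins[0].path)
    return ("unknown", None)         # no twin, or ambiguous: needs a human look


def fix_directive(donor, target):
    """FRST 'Replace:' syntax as used in the thread's fixlist: source, then destination."""
    return f"Replace: {donor} {target}"


if __name__ == "__main__":
    target = r"C:\Windows\System32\services.exe"
    verdict, donor = find_replacement(parse_search(SEARCH_TXT), target)
    print(verdict)
    if verdict == "replace":
        print(fix_directive(donor, target))
```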

OK, here you go......Please carefully carry out this procedure!!!!!!

Open notepad. Make sure "word wrap" under Format is unchecked! Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8}
C:\Users\Bryan\AppData\Local\{0246b307-0e5c-0c04-a762-9c807d42b6d8}
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


I made sure to follow your instructions, and I believe I did it all right.

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01

Ran by SYSTEM at 2012-08-04 02:18:40 Run:1

Running from E:\

==============================================

C:\Windows\Installer\{0246b307-0e5c-0c04-a762-9c807d42b6d8} moved successfully.

C:\Users\Bryan\AppData\Local\{0246b307-0e5c-0c04-a762-9c807d42b6d8} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Thanks again for all your help.


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I ran ComboFix and it went ok, but in the middle, it restarted the computer and Windows Firewall/Malwarebytes went back on. I hope this didn't affect the scan.

Here is the log

ComboFix.txt:

ComboFix 12-08-04.02 - Bryan 08/04/2012 2:54.1.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1183 [GMT -10:00]

Running from: c:\users\Bryan\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

ADS - system32: deleted 12 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Bryan\AppData\Local\assembly\tmp

c:\users\Bryan\AppData\Local\Windows Server

c:\users\Bryan\AppData\Local\Windows Server\flags.ini

c:\users\Bryan\AppData\Local\Windows Server\uses32.dat

c:\windows\pkunzip.pif

c:\windows\pkzip.pif

.

.

((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))

.

.

2012-08-04 13:06 . 2012-08-04 13:06 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2012-08-04 13:06 . 2012-08-04 13:06 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2012-08-04 13:06 . 2012-08-04 13:06 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2012-08-04 13:06 . 2012-08-04 13:06 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2012-08-04 13:06 . 2012-08-04 13:06 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2012-08-04 13:06 . 2012-08-04 13:06 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2012-08-04 13:06 . 2012-08-04 13:06 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2012-08-04 13:06 . 2012-08-04 13:06 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2012-08-04 13:06 . 2012-08-04 13:06 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2012-08-04 13:05 . 2012-08-04 13:05 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2012-08-04 13:05 . 2012-08-04 13:05 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2012-08-04 13:05 . 2012-08-04 13:05 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2012-08-04 13:05 . 2012-08-04 13:05 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2012-08-04 13:05 . 2012-08-04 13:05 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

2012-08-04 13:05 . 2012-08-04 13:05 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2012-08-04 13:05 . 2012-08-04 13:05 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2012-08-04 13:05 . 2012-08-04 13:05 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2012-08-04 09:34 . 2012-08-04 09:34 -------- d-----w- C:\FRST

2012-08-01 12:09 . 2012-07-06 08:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-08-01 11:07 . 2012-08-01 11:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-01 11:07 . 2012-07-03 23:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-01 10:38 . 2012-08-01 10:38 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-07-13 11:05 . 2012-07-13 11:05 -------- d-----w- C:\DriveKey

2012-07-13 09:54 . 2012-07-13 11:05 -------- d-----w- c:\program files\DiskCheckup

2012-07-11 13:07 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-10 17:51 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-10 17:51 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-10 17:51 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-10 17:51 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-10 17:51 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-10 17:51 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-07 06:37 . 2009-06-10 09:43 88576 ----a-w- c:\windows\system32\tlntsess.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-27 08:19 . 2012-04-16 04:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-27 08:19 . 2011-05-22 03:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-19 07:33 . 2010-01-16 22:34 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2012-07-06 08:06 . 2010-08-12 13:31 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-29 08:44 . 2012-07-31 09:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7653850B-8B63-4046-A72D-6A32247AC3F2}\mpengine.dll

2012-06-03 01:19 . 2012-06-19 01:25 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-03 01:12 . 2012-06-19 01:25 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 22:19 . 2012-06-19 01:26 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-19 01:26 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-19 01:26 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-19 01:26 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-19 01:26 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-19 01:26 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-19 01:26 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-05-31 22:25 . 2009-10-26 06:17 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-05-16 22:53 . 2009-10-03 05:27 499712 ----a-w- c:\windows\system32\msvcp71.dll

2012-05-16 22:53 . 2009-10-03 05:27 348160 ----a-w- c:\windows\system32\msvcr71.dll

2012-05-15 06:37 . 2012-06-14 05:17 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 06:32 . 2012-06-14 05:17 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-15 06:32 . 2012-06-14 05:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-15 06:31 . 2012-06-14 05:17 109056 ----a-w- c:\windows\system32\iesysprep.dll

2012-05-15 06:31 . 2012-06-14 05:17 71680 ----a-w- c:\windows\system32\iesetup.dll

2012-05-15 05:01 . 2012-06-14 05:17 385024 ----a-w- c:\windows\system32\html.iec

2012-05-15 03:26 . 2012-06-14 05:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-15 03:23 . 2012-06-14 05:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-07-21 05:20 . 2012-04-24 07:16 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zHideWin"="c:\program files\AceHide Free\AceHideFree.exe" [2002-05-16 94720]

"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1866864]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-09 3444736]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]

"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]

"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-03 1638400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-05-16 296056]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

c:\users\Bryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech Touch Mouse Server.lnk - c:\program files\Logitech Touch Mouse Server\iTouch-Server-Win.exe [2009-10-23 228352]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-10-2 50688]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^Users^Bryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\users\Bryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - PBFILTER

*Deregistered* - pbfilter

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 08:19]

.

2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219010701-923674729-2664050940-1000Core.job

- c:\users\Bryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-12 23:33]

.

2012-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219010701-923674729-2664050940-1000UA.job

- c:\users\Bryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-12 23:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

TCP: Interfaces\{19FA4404-0525-4A1B-9858-115FAFD7B53C}: NameServer = 156.154.70.22,156.154.71.22

FF - ProfilePath - c:\users\Bryan\AppData\Roaming\Mozilla\Firefox\Profiles\c9gju475.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://urlseek40.vmn.net/search.php?lg=en&type=dns&tbn=oovoo2_0dn&q=

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{A1FB2F9A-D35E-11DD-8935-E46A56D89593} - c:\program files\oovootb\oovoodx.dll

HKCU-Run-PlayNC Launcher - (no file)

MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe

AddRemove-504244733D18C8F63FF584AEB290E3904E791693 - c:\progra~1\DIFX\B4723E9A0713E5B1\dpinst.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

AddRemove-{CFA05440-A429-4A60-84C9-16919C12876F}_is1 - c:\program files\OGPlanet\CABAL Online\unins000.exe

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(900)

c:\program files\WinSCP\DragExt.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\system32\WLANExt.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\bcmwltry.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\IBM\SQLLIB\bin\db2syscs.exe

c:\program files\IBM\SQLLIB\bin\db2dasrrm.exe

c:\program files\IBM\SQLLIB\BIN\db2mgmtsvc.exe

c:\program files\IBM\SQLLIB\BIN\db2rcmd.exe

c:\program files\Kodak\AiO\center\KodakSvc.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\STacSV.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\WUDFHost.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Kodak\AiO\Center\EKDiscovery.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\FirewallControlPanel.exe

c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

.

**************************************************************************

.

Completion time: 2012-08-04 03:14:38 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-04 13:13

.

Pre-Run: 50,141,708,288 bytes free

Post-Run: 51,619,119,104 bytes free

.

- - End Of File - - CCF421EE11A655AC9F8F44A415E2F648

Thanks


I reconnected my laptop to the internet again to do the update then ran a quick scan, I'm also doing a full scan now if that's ok.

There was nothing to check/remove which I guess is a good thing, but we'll see if that's the case after the full scan.

quick scan report:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.04.10

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.19272

Bryan :: BRYAN-LAPTOP [administrator]

Protection: Disabled

8/4/2012 6:10:35 PM

mbam-log-2012-08-04 (18-10-35).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 197275

Time elapsed: 12 minute(s), 3 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I think that you may have fixed it all, but of course I can't be 100% sure that my computer is clean.

As far as I can tell, everything is running great. MBAM isn't blocking any more outgoing connections according to the logs, which is the only thing I noticed was wrong along with the full scan result of the rootkit.

Is there any way to know how I got this infection to possibly prevent this in the future?

Thanks so much for your help!


Is there any way to know how I got this infection to possibly prevent this in the future?

There are various methods used, one was a phony Adobe Flash Player Update.

Check my Preventive Maintenance to avoid being infected again.

------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


I ran OTL and uninstalled combofix and everything seems fine. I'm also doing the things you listed in your preventive maintenance post, and I hope to keep my computer clean and not need your help in the future.

Thanks again for all your help, I really appreciate it.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.