
Infected: BCMiner, Rootkit.0.Access, lameshield



Hi, I'm posting this from my non-infected laptop. My desktop is rebooted to safe mode without networking or command prompt after Malwarebytes has failed to remove BCMiner, Rootkit.0 and lameshield earlier today.

I have unplugged all peripherals from the infected box (including my usb wifi adapter) and also I've disconnected all but my OS drive, as the other drives are full of music, video, install files, drivers etc and I'm not sure when to connect those drives again. Please let me know along the way if these drives need to be plugged in while scans run or if they need to be plugged back in only after the system is cleaned etc, I'm not sure what to do here.

I have a USB thumbdrive I hope to use to transfer files and logs back and forth between my non-infected laptop and the infected desktop in question.

I have attached the requested logs and greatly appreciate any help here, I'm freaking out :(

DDS.txt

Attach.txt


Welcome to the forum.......see what you can do >>>>>

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC


The options in my Advanced Boot Options are:

safe mode

safe mode with networking

safe mode with command prompt

enable boot logging

enable low-resolution video

last known good configuration (advanced)

directory services restore mode

debugging mode

disable automatic restart on system failure

disable driver signature enforcement

start windows normally


I wonder if they didn't use a 'real' copy of Win 7

Do you want to find out??

------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


I'm honestly afraid to run that at this point, I'm pretty convinced it's not retail now, it would explain a lot.

Is that it? Can we not proceed without this step?

If so, quick question, I basically plan to go buy win7 tomorrow after work and just format/reinstall - What should I do about my storage drives? I have two other hard drives inside my box that are currently disconnected, they are full of non-system files, can I just plug them back in after I reinstall win7? Is there some way to do a quarantined scan on them to make sure there are no infected files present, waiting to infect my fresh install?


I'm honestly afraid to run that at this point, I'm pretty convinced it's not retail now, it would explain a lot.

Is that it? Can we not proceed without this step?

I'm not saying that it's not "real", but if you wanted to find out we may be able to.

It may have been some custom installation, do you have a "repair partition"?

RogueKiller is a scanner that has nothing to do with telling us whether it's real or not, it's going to give me information on the infection.

Please run it, MrC


I'm just not sure if there are infected files on my non-system internal drives (I disconnected them right away when I shut down after realizing I was infected earlier today and haven't reconnected them since).

Here is my RogueKiller log from just the system drive:

RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode

User: Rob [Admin rights]

Mode: Scan -- Date: 08/06/2012 21:26:41

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 7 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Rob\AppData\Local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\n.) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75LSA0 ATA Device +++++

--- User ---

[MBR] dfae7f413a547f9b8b44d83a94fbfeb7

[BSP] 581ba3f537daad75d47438f4f5d214a3 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76190 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

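The RogueKiller report above lists the indicators a responder would otherwise pull out by hand: a ZeroAccess GUID folder holding an @ file and U and L subfolders under both C:\Windows\Installer and the user's AppData\Local, the planted desktop.ini files in the GAC folders, the UAC policy values forced to 0, and services.exe flagged with ASLR wiped off. The script below is an added example, not part of the original thread and not code from RogueKiller; it parses finding lines in that report format, groups them by family, extracts the GUID, and compares the UAC values against the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, PromptOnSecureDesktop=1). The sample lines are constructed after the report above, and the C:\Users\Rob profile path used by zeroaccess_locations is an assumed default for illustration.

```python
import re

# Constructed sample lines, modelled on the RogueKiller V7 report quoted above
# (section headers are omitted; only the bracketed finding lines are parsed).
SAMPLE_RK_LINES = [
    r"[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND",
    r"[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND",
    r"[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Rob\AppData\Local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\n.) -> FOUND",
    r"[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND",
    r"[ZeroAccess][FILE] @ : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND",
    r"[ZeroAccess][FOLDER] U : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND",
    r"[ZeroAccess][FOLDER] L : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND",
    r"[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND",
    r"[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX",
]

# Windows 7 defaults for the UAC policy values RogueKiller reports under [HJ] ...\System.
# EnableLUA=0 switches UAC off entirely, which is why the rootkit sets it.
UAC_DEFAULTS = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "PromptOnSecureDesktop": 1,
}

FINDING_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]"        # detection family: HJ, ZeroAccess, susp.ASLR ...
    r"(?:\[(?P<kind>[^\]]+)\])?"   # optional sub-kind: FILE, FOLDER, ASLR WIPED-OFF
    r"\s*(?P<name>.+?)\s*:\s*"     # item name: registry key or file name
    r"(?P<detail>.+?)\s*--?>\s*"   # value data or full path, then "->" or "-->"
    r"(?P<status>FOUND|CANNOT FIX)$"
)
GUID_RE = re.compile(r"\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.I)
REG_VALUE_RE = re.compile(r"^(?P<value>\w+) \((?P<data>-?\d+)\)$")


def parse_findings(lines):
    """Return one dict per finding line; lines that do not match the format are skipped."""
    findings = []
    for line in lines:
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def triage(lines):
    """Group findings by family, collect GUIDs and compare UAC values with the defaults."""
    report = {"zeroaccess": [], "guids": set(), "uac": {}, "aslr_stripped": [], "other": []}
    for f in parse_findings(lines):
        tag, detail = f["tag"], f["detail"]
        # every ZeroAccess path of this variant carries the same random GUID
        for guid in GUID_RE.findall(detail):
            report["guids"].add(guid.lower())
        if tag == "ZeroAccess":
            report["zeroaccess"].append(detail)
        elif tag == "susp.ASLR":
            report["aslr_stripped"].append(detail)
        else:
            rv = REG_VALUE_RE.match(detail)
            if rv and rv["value"] in UAC_DEFAULTS:
                # (observed, default) so the reader sees how far UAC was turned down
                report["uac"][rv["value"]] = (int(rv["data"]), UAC_DEFAULTS[rv["value"]])
            else:
                report["other"].append(detail)
    report["guids"] = sorted(report["guids"])
    report["verdict"] = "ZeroAccess" if report["zeroaccess"] else "no ZeroAccess markers"
    return report


def zeroaccess_locations(guid, user_profile=r"C:\Users\Rob"):
    """Expected on-disk layout for one ZeroAccess GUID, as seen in this thread: an @ file and
    U and L folders under both C:\\Windows\\Installer and the user's AppData\\Local.
    The profile path default is an assumption for illustration."""
    bases = [r"C:\Windows\Installer", user_profile + r"\AppData\Local"]
    return [base + "\\{" + guid + "}\\" + leaf for base in bases for leaf in ("@", "U", "L")]


if __name__ == "__main__":
    result = triage(SAMPLE_RK_LINES)
    print(result["verdict"], result["guids"])
    for path in zeroaccess_locations(result["guids"][0]):
        print("  expect:", path)
    for value, (seen, default) in result["uac"].items():
        print("  UAC %s = %d (default %d)" % (value, seen, default))
```

The point of the GUID extraction is that every path the rootkit drops for this variant shares one random GUID, so one confirmed hit gives you the full list of locations to verify and delete, which is exactly what the later instructions in this thread do by hand.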

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Excellent, here is my log from that scenario:

ComboFix 12-08-05.02 - Rob 08/06/2012 21:52:37.1.2 - x64 MINIMAL

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1490 [GMT -5:00]

Running from: c:\users\Rob\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Rob\AppData\Roaming\inst.exe

c:\users\Rob\AppData\Roaming\vso_ts_preview.xml

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@

c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L\00000004.@

c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L\201d3dde

c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U\00000004.@

c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U\80000000.@

c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U\80000064.@

.

Infected copy of c:\windows\system32\services.exe was found and disinfected

Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-07-07 to 2012-08-07 )))))))))))))))))))))))))))))))

.

.

2012-08-07 02:57 . 2012-08-07 02:57 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-08-07 02:57 . 2012-08-07 02:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-07 02:08 . 2012-08-07 02:14 -------- d-----w- c:\users\Rob\AppData\Roaming\ImgBurn

2012-08-07 01:59 . 2012-08-07 01:59 -------- d-----w- c:\program files (x86)\ImgBurn

2012-08-06 00:56 . 2012-08-06 05:34 -------- d-----w- c:\users\Rob\.explorer.cache

2012-08-06 00:56 . 2012-08-06 05:33 -------- d-----w- c:\users\Rob\.explorer.local

2012-08-05 06:47 . 2012-08-05 06:47 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-27 04:36 . 2011-12-07 17:32 216064 ----a-w- c:\windows\SysWow64\lagarith.dll

2012-07-27 04:36 . 2011-06-24 14:44 243200 ----a-w- c:\windows\SysWow64\xvidvfw.dll

2012-07-27 04:36 . 2011-06-24 14:28 650752 ----a-w- c:\windows\SysWow64\xvidcore.dll

2012-07-27 04:36 . 2012-06-09 17:21 178688 ----a-w- c:\windows\SysWow64\unrar.dll

2012-07-27 04:36 . 2011-12-21 17:14 151552 ----a-w- c:\windows\SysWow64\ac3acm.acm

2012-07-27 04:36 . 2012-07-20 18:00 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll

2012-07-27 04:36 . 2012-07-27 04:36 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack

2012-07-27 04:29 . 2012-05-26 17:36 204800 ----a-w- c:\windows\system32\unrar64.dll

2012-07-27 04:29 . 2012-07-27 04:29 -------- d-----w- c:\program files\MPC-HC

2012-07-22 10:14 . 2004-08-04 05:56 438272 ----a-w- C:\shimgvw.dll

2012-07-17 02:44 . 2012-07-17 02:45 -------- d-----w- C:\ODIN3_v1.85

2012-07-09 07:02 . 2012-07-09 07:02 -------- d-----w- c:\program files\SAMSUNG

2012-07-09 07:01 . 2012-07-09 07:01 -------- d-----w- c:\programdata\Samsung

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-05 06:52 . 2012-03-30 01:32 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-05 06:52 . 2011-12-06 06:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-03 18:46 . 2012-05-06 15:16 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-11 12:34 . 2012-05-11 12:34 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys

2012-05-11 12:34 . 2012-05-11 12:34 99384 ----a-w- c:\windows\system32\drivers\ssudbus.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2011-12-06 394616]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-10-26 74752]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-07-03 1085000]

.

c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

AltTabMouse.exe [2011-12-13 217819]

SABnzbd.lnk - c:\program files (x86)\SABnzbd\SABnzbd.exe [2011-12-3 349696]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Subsonic.lnk - c:\program files (x86)\Subsonic\subsonic-agent.exe [2011-12-6 206336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer4"=wdmaud.drv

.

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]

R2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-07-07 174184]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-12-11 82816]

R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2011-08-11 694376]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

.

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\ehkn62x6.default\

FF - prefs.js: browser.search.selectedEngine - Firefox Add-ons

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3045573708-3644854199-1101737973-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*°*"#]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-3045573708-3644854199-1101737973-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*°*"#\OpenWithList]

@Class="Shell"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-08-06 22:02:13 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-07 03:02

.

Pre-Run: 49,998,921,728 bytes free

Post-Run: 49,737,318,400 bytes free

.

- - End Of File - - 45C8159F89E1F22DE423AE6765FC89B2

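The ComboFix log above reports that an infected copy of services.exe was found and a clean one restored from winsxs, and the earlier RogueKiller report had flagged the same file as "ASLR WIPED-OFF", that is, with the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) cleared in the PE optional header. As an added example, not code from the thread, ComboFix or RogueKiller, the script below reads DllCharacteristics from a PE32 or PE32+ image and compares a live binary with a reference copy. The images it tests on are constructed minimal headers, not real system files; check_file is the entry point for comparing C:\Windows\System32\services.exe with the winsxs copy on a real machine.

```python
import hashlib
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP compatible


def dll_characteristics(pe_bytes):
    """Return the 16-bit DllCharacteristics field of a PE32 or PE32+ image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats
    (flags,) = struct.unpack_from("<H", pe_bytes, opt + 70)
    return flags


def has_aslr(pe_bytes):
    return bool(dll_characteristics(pe_bytes) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def compare_with_reference(live, reference):
    """Compare a live binary against a known-good copy (e.g. the one in winsxs)."""
    live_flags = dll_characteristics(live)
    ref_flags = dll_characteristics(reference)
    ref_aslr = bool(ref_flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    live_aslr = bool(live_flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "live_flags": live_flags,
        "reference_flags": ref_flags,
        # the RogueKiller condition: the reference opts in to ASLR, the live copy no longer does
        "aslr_stripped": ref_aslr and not live_aslr,
        # only meaningful when both files are the same build (see note below)
        "sha256_match": hashlib.sha256(live).digest() == hashlib.sha256(reference).digest(),
    }


def build_fake_pe(flags, magic=0x20B):
    """Constructed, non-runnable PE header used only to exercise the parser."""
    e_lfanew = 0x40
    img = bytearray(e_lfanew + 4 + 20 + 240)  # room for a full PE32+ optional header
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, magic)
    struct.pack_into("<H", img, opt + 70, flags)
    return bytes(img)


def check_file(live_path, reference_path):
    """Real-world entry point, e.g. C:\\Windows\\System32\\services.exe vs its winsxs copy."""
    with open(live_path, "rb") as f, open(reference_path, "rb") as g:
        return compare_with_reference(f.read(), g.read())


if __name__ == "__main__":
    clean = build_fake_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    patched = build_fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)  # DYNAMIC_BASE cleared
    print(compare_with_reference(patched, clean))
```

A cleared DYNAMIC_BASE bit on a Microsoft system binary is a strong hint, not proof, and the hash comparison only means something when both files are the same build (the restored copy in the log is 6.1.7600.16385, which need not match a patched system's current version). The authoritative check is the file's Authenticode or catalog signature, for example with Sysinternals sigcheck.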

MBAM log:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.06.11

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)

Internet Explorer 8.0.7601.17514

Rob :: CLAMPS [administrator]

8/6/2012 10:08:08 PM

mbam-log-2012-08-06 (22-08-08).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 209261

Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

New RogueKiller Log:

RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode

User: Rob [Admin rights]

Mode: Scan -- Date: 08/06/2012 22:12:21

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75LSA0 ATA Device +++++

--- User ---

[MBR] dfae7f413a547f9b8b44d83a94fbfeb7

[BSP] 581ba3f537daad75d47438f4f5d214a3 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76190 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt


Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

Now click Delete on the right hand column under Options

Reboot and rescan with RogueKiller and post the new log, MrC


Done, new RogueKiller log:

RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode

User: Rob [Admin rights]

Mode: Scan -- Date: 08/06/2012 22:31:04

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75LSA0 ATA Device +++++

--- User ---

[MBR] dfae7f413a547f9b8b44d83a94fbfeb7

[BSP] 581ba3f537daad75d47438f4f5d214a3 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76190 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

***If this is clean, please let me know how I should handle my currently unplugged internal SATA drives. Should I just shut down and plug them back in or are the files on them at risk since the drives were attached when the machine was infected?

Should I deep scan the drives in safe mode? If so, what program should I use?

What real time scan do you suggest I run? Even if it's not free, I'll buy it tonight if this is clean now.


***If this is clean, please let me know how I should handle my currently unplugged internal SATA drives. Should I just shut down and plug them back in or are the files on them at risk since the drives were attached when the machine was infected?

Should I deep scan the drives in safe mode? If so, what program should I use?

I think they should be OK, but I would scan them with Malwarebytes.

What real time scan do you suggest I run? Even if it's not free, I'll buy it tonight if this is clean now.

Take a look at my Preventive Maintenance below.

------------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.