Jump to content

My Trojan Dropped a BC Miner in my Rootkit Access!


Recommended Posts

I've been malwared. Must've been one of the many harmless websites I tend to visit when the wife and kids are out. The redirects and pop-ups have tapered off since I first experienced the virus 2 weeks ago. I just got back from vacation and booted up again for the first time since. Currently experiencing virtually no symptoms (other than URL's loading slower than usual), but I know there's an evil lurking in the shadows, waiting to do me in.

Oh wise and knowledgeable forum member(s), please bestow upon me your generosity and wisdom!

My mbam log here:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.11.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Owner :: SZOCSDESKTOP [administrator]

Protection: Enabled

11/08/2012 6:40:21 PM

mbam-log-2012-08-11 (21-05-25).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 486423

Time elapsed: 1 hour(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\000000cb.@ (Rootkit.0Access) -> No action taken.

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\80000032.@ (Rootkit.0Access) -> No action taken.

(end)

Link to post
Share on other sites

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

services.exe

[*]Now press the Search button

[*]When the search is complete, search.txt will also be written to your USB

[*]Type exit and reboot the computer normally

[*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

Link to post
Share on other sites

MrCharlie!

It's direction such as yours that keeps knuckleheads like myself out of repair shops and able to afford an extra trip to the grocery store for diapers and scotch. Thanks a bunch - in advance!

FRST.txt :

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 11-08-2012 22:24:42

Running from O:\fixes

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)

HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1612880 2010-01-27] (Logitech, Inc.)

HKLM-x32\...\Run: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k [244480 2009-08-12] (NewTech Infosystems, Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-02] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A [124416 2009-07-20] (IOI)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)

HKLM-x32\...\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [1828136 2007-08-08] (Nero AG)

HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [180224 2009-11-08] (PowerISO Computing, Inc.)

HKLM-x32\...\Run: [updatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0" [218408 2008-12-03] (CyberLink Corp.)

HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-01-21] (Microsoft Corporation)

HKLM-x32\...\Run: [AP Sharing Switch] C:\Program Files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe [840704 2008-10-24] ()

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-03-01] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKU\Owner\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-08-27] (Google Inc.)

HKU\Owner\...\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe" [202024 2007-08-03] (Nero AG)

HKU\Owner\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-11-20] (Hewlett-Packard Company)

HKU\Owner\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [717696 2010-01-16] (Microsoft Corporation)

HKU\Owner\...\Run: [FreeAC] C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe -autorun [1328976 2012-04-25] (Comfort Software Group)

HKU\Test\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-11-20] (Hewlett-Packard Company)

HKU\Test\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-08-27] (Google Inc.)

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

==================== Services (Whitelisted) ======

3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [68096 2010-01-05] ()

2 bgsvcgen; "C:\Windows\SysWOW64\bgsvcgen.exe" [139264 2010-05-23] (SOURCENEXT)

3 iPod Service; "C:\Program Files (x86)\iPod\bin\iPodService.exe" [934176 2011-03-01] (Apple Inc.)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [836904 2007-08-08] (Nero AG)

3 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [382248 2007-08-03] (Nero AG)

2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-04-17] ()

3 Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [x]

========================== Drivers (Whitelisted) =============

1 cdrbsdrv; C:\Windows\SysWow64\Drivers\cdrbsdrv.sys [38944 2010-05-23] (B.H.A Corporation)

3 L8042Kbd; C:\Windows\System32\Drivers\L8042Kbd.sys [30736 2009-11-10] (Logitech, Inc.)

3 L8042mou; C:\Windows\System32\Drivers\L8042mou.sys [89616 2009-11-10] (Logitech, Inc.)

3 LMouKE; C:\Windows\System32\Drivers\LMouKE.sys [112144 2009-11-10] (Logitech, Inc.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-02-15] (Duplex Secure Ltd.)

3 Geacpnot; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-19 14:43 - 2012-07-19 14:43 - 00002658 ____A C:\Users\Owner\Desktop\Midnight Mysteries The Edgar Allan Poe Conspiracy.lnk

2012-07-16 19:26 - 2012-07-16 19:26 - 00000000 ____D C:\Users\All Users\MumboJumbo

2012-07-16 19:26 - 2012-07-16 19:26 - 00000000 ____D C:\Program Files (x86)\Games

2012-07-15 18:25 - 2012-07-15 18:26 - 16559808 ____A (Mozilla) C:\Users\Owner\Desktop\Firefox Setup 13.0.1.exe

2012-07-14 08:38 - 2012-07-14 08:38 - 00000000 ____D C:\Users\All Users\DVD Shrink

2012-07-14 05:36 - 2012-07-14 05:36 - 00585980 ____A C:\Users\Owner\Desktop\Escher.zip

============ 3 Months Modified Files ========================

2012-08-11 18:16 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-11 18:16 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-11 18:14 - 2009-07-13 21:13 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-11 18:10 - 2009-11-10 21:38 - 01189098 ____A C:\Windows\WindowsUpdate.log

2012-08-11 18:01 - 2012-04-06 17:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-11 18:00 - 2011-06-16 13:18 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-08-11 14:39 - 2011-06-16 13:18 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-08-11 14:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-11 14:39 - 2009-07-13 20:51 - 00073424 ____A C:\Windows\setupact.log

2012-08-11 14:34 - 2009-08-27 12:54 - 00257076 ____A C:\Windows\PFRO.log

2012-08-03 02:01 - 2012-04-06 17:42 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-03 02:01 - 2011-07-21 13:30 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-25 19:59 - 2010-01-26 14:30 - 00000069 ____A C:\Windows\NeroDigital.ini

2012-07-21 09:04 - 2011-05-06 09:35 - 00259072 __ASH C:\Users\Owner\Documents\Thumbs.db

2012-07-19 14:43 - 2012-07-19 14:43 - 00002658 ____A C:\Users\Owner\Desktop\Midnight Mysteries The Edgar Allan Poe Conspiracy.lnk

2012-07-15 18:26 - 2012-07-15 18:25 - 16559808 ____A (Mozilla) C:\Users\Owner\Desktop\Firefox Setup 13.0.1.exe

2012-07-14 05:36 - 2012-07-14 05:36 - 00585980 ____A C:\Users\Owner\Desktop\Escher.zip

2012-07-11 23:20 - 2009-07-13 20:45 - 02391328 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 23:00 - 2010-01-05 20:27 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-03 09:46 - 2010-04-18 07:25 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-11 19:08 - 2012-07-11 23:03 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 21:43 - 2012-07-11 02:21 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:41 - 2012-07-11 02:21 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 22:06 - 2012-07-11 02:21 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 22:06 - 2012-07-11 02:21 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 22:02 - 2012-07-11 02:21 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-05 21:05 - 2012-07-11 02:21 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:05 - 2012-07-11 02:21 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 21:03 - 2012-07-11 02:21 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-02 14:19 - 2012-06-20 23:29 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-20 23:29 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-20 23:29 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-20 23:28 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-20 23:28 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-20 23:29 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-20 23:28 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-20 23:28 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-20 23:28 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 10:47 - 2012-06-02 09:45 - 234151936 ____A C:\Users\Owner\Documents\Produce.mpg

2012-06-01 21:50 - 2012-07-11 02:21 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:48 - 2012-07-11 02:21 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:48 - 2012-07-11 02:21 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:45 - 2012-07-11 02:21 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:44 - 2012-07-11 02:21 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:40 - 2012-07-11 02:21 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:40 - 2012-07-11 02:21 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:39 - 2012-07-11 02:21 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:34 - 2012-07-11 02:21 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-05-31 20:29 - 2012-05-31 20:29 - 01721240 ____A (Comfort Software Group ) C:\Users\Owner\Desktop\FreeAlarmClockSetup.exe

2012-05-29 18:29 - 2012-05-29 18:29 - 00100024 ____A C:\Users\Owner\Documents\steve.pds

2012-05-29 18:25 - 2012-05-29 17:22 - 3171752964 ____A C:\Users\Owner\Documents\Produce.avi

2012-05-14 20:01 - 2012-06-13 19:57 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-14 19:59 - 2012-06-13 19:57 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-14 19:03 - 2012-06-13 19:57 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-14 19:00 - 2012-06-13 19:57 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

ZeroAccess:

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\L

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\L\00000004.@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\L\1afb2d56

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\L\201d3dde

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\00000004.@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\00000008.@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\000000cb.@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\80000000.@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\80000032.@

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\80000064.@

ZeroAccess:

C:\Users\Owner\AppData\Local\{320906d0-ef4a-4e35-13da-74f22bc5fb45}

C:\Users\Owner\AppData\Local\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\@

C:\Users\Owner\AppData\Local\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\L

C:\Users\Owner\AppData\Local\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%

Total physical RAM: 8191.14 MB

Available physical RAM: 7308.02 MB

Total Pagefile: 8189.29 MB

Available Pagefile: 7305.78 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Gateway) (Fixed) (Total:916.41 GB) (Free:126.12 GB) NTFS

2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:5.43 GB) NTFS

5 Drive h: (JESUS) (Fixed) (Total:465.65 GB) (Free:48.26 GB) FAT32

6 Drive i: (KINGSLEY) (Fixed) (Total:1863.01 GB) (Free:0 GB) NTFS

12 Drive o: (TUFF N TINY) (Removable) (Total:14.42 GB) (Free:12.55 GB) FAT32

13 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

14 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 465 GB 1024 KB

Disk 2 Online 1863 GB 1024 KB

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 No Media 0 B 0 B

Disk 7 No Media 0 B 0 B

Disk 8 Online 14 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 15 GB 1024 KB

Partition 2 Primary 100 MB 15 GB

Partition 3 Primary 916 GB 15 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y SYSTEM RESE NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C Gateway NTFS Partition 916 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 465 GB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H JESUS FAT32 Partition 465 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1863 GB 31 KB

==================================================================================

Disk: 2

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 I KINGSLEY NTFS Partition 1863 GB Healthy

==================================================================================

Partitions of Disk 8:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 14 GB 4032 KB

==================================================================================

Disk: 8

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 12 O TUFF N TINY FAT32 Removable 14 GB Healthy

==================================================================================

Last Boot: 2012-08-06 20:49

======================= End Of Log ==========================

Link to post
Share on other sites

Search.txt:

Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 2012-08-11 22:26:33

Running from O:\fixes

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

Link to post
Share on other sites

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC Gone for tonight be back tomorrow am

Link to post
Share on other sites

fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012

Ran by SYSTEM at 2012-08-12 01:09:06 Run:1

Running from H:\fixes

==============================================

C:\Windows\Installer\{320906d0-ef4a-4e35-13da-74f22bc5fb45} moved successfully.

C:\Users\Owner\AppData\Local\{320906d0-ef4a-4e35-13da-74f22bc5fb45} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Link to post
Share on other sites

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

combofix.txt:

ComboFix 12-08-10.02 - Owner 12/08/2012 11:46:38.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.8191.6571 [GMT -4:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}

c:\program files (x86)\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

c:\program files (x86)\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul

c:\program files (x86)\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

c:\program files (x86)\TelevisionFanaticEI

c:\users\Owner\AppData\Local\{9D077FF9-CBBB-4489-A6FF-3263A1232611}

c:\users\Owner\AppData\Local\{9D077FF9-CBBB-4489-A6FF-3263A1232611}\chrome.manifest

c:\users\Owner\AppData\Local\{9D077FF9-CBBB-4489-A6FF-3263A1232611}\chrome\content\_cfg.js

c:\users\Owner\AppData\Local\{9D077FF9-CBBB-4489-A6FF-3263A1232611}\chrome\content\overlay.xul

c:\users\Owner\AppData\Local\{9D077FF9-CBBB-4489-A6FF-3263A1232611}\install.rdf

c:\users\Owner\AppData\Roaming\inst.exe

c:\users\Owner\AppData\Roaming\Microsoft\~DFK1d93c2bd.tmp

c:\users\Owner\AppData\Roaming\Microsoft\1eaadjc.dll

c:\users\Owner\AppData\Roaming\Microsoft\bass.dll

c:\users\Owner\AppData\Roaming\Microsoft\kfgresk.dll

c:\users\Owner\AppData\Roaming\Microsoft\mjcriu.dll

c:\users\Owner\AppData\Roaming\Microsoft\peaadje.dll

c:\users\Owner\AppData\Roaming\Microsoft\qwadjb.dll

c:\users\Owner\AppData\Roaming\Microsoft\rsaadjd.dll

c:\windows\SysWow64\ghspln2.log

c:\windows\SysWow64\Install.txt

c:\windows\SysWow64\szetyj67v.txt

.

.

((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))

.

.

2012-08-12 06:24 . 2012-08-12 06:24 -------- d-----w- C:\FRST

2012-07-17 03:26 . 2012-07-17 03:26 -------- d-----w- c:\programdata\MumboJumbo

2012-07-17 03:26 . 2012-07-17 03:26 -------- d-----w- c:\program files (x86)\Games

2012-07-14 16:38 . 2012-07-14 16:38 -------- d-----w- c:\programdata\DVD Shrink

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 10:01 . 2012-04-07 01:42 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-03 10:01 . 2011-07-21 21:30 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-12 07:00 . 2010-01-06 04:27 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-03 17:46 . 2010-04-18 15:25 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-12 03:08 . 2012-07-12 07:03 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-06-09 05:43 . 2012-07-11 10:21 14172672 ----a-w- c:\windows\system32\shell32.dll

2012-06-06 06:06 . 2012-07-11 10:21 2004480 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 06:06 . 2012-07-11 10:21 1881600 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 06:02 . 2012-07-11 10:21 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-06-06 05:05 . 2012-07-11 10:21 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-06 05:05 . 2012-07-11 10:21 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-06 05:03 . 2012-07-11 10:21 805376 ----a-w- c:\windows\SysWow64\cdosys.dll

2012-06-02 22:19 . 2012-06-21 07:28 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-21 07:29 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-21 07:29 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-21 07:29 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-21 07:28 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-21 07:29 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-21 07:28 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-21 07:28 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-21 07:28 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 05:50 . 2012-07-11 10:21 458704 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 05:48 . 2012-07-11 10:21 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 05:48 . 2012-07-11 10:21 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 05:45 . 2012-07-11 10:21 340992 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 05:44 . 2012-07-11 10:21 307200 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 04:40 . 2012-07-11 10:21 22016 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 04:40 . 2012-07-11 10:21 225280 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 04:39 . 2012-07-11 10:21 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll

2012-06-02 04:34 . 2012-07-11 10:21 96768 ----a-w- c:\windows\SysWow64\sspicli.dll

2012-05-31 04:04 . 2012-07-03 09:29 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{182460C8-E547-4FE3-9D56-AB6B70CFB242}\mpengine.dll

2012-05-15 04:01 . 2012-06-14 03:57 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:59 . 2012-06-14 03:57 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:03 . 2012-06-14 03:57 981504 ----a-w- c:\windows\SysWow64\wininet.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-27 39408]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-11-20 2363392]

"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2010-01-16 717696]

"FreeAC"="c:\program files (x86)\FreeAlarmClock\FreeAlarmClock.exe" [2012-04-25 1328976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-12 244480]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]

"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"NBKeyScan"="c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

"UpdatePDRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"AP Sharing Switch"="c:\program files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe" [2008-10-24 840704]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-02 421160]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-6 113664]

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux3"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-16 135664]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

R3 Geacpnot;Geacpnot; [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-16 135664]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-16 113120]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-02-18 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-01 1255736]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-16 834544]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-04 203264]

S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]

S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-04 7451648]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-04 268288]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2009-06-12 287960]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-01-06 82816]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-11-20 19:28 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 10:01]

.

2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-16 21:18]

.

2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-16 21:18]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1612880]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4822&r=173601106106p03c5v175k4811r287

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Save video on Savevid.com - c:\program files (x86)\Savevid\redirect.htm

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\at48jrlr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SharedTaskScheduler-{CC9EDAB9-8FE9-4400-8FB6-0D5E0BF82F99} - c:\windows\SysWOW64\olrabiei.dll

Toolbar-Locked - (no file)

AddRemove-Electric Jellyfish (ScreensPro) - c:\windows\system32\Electric Jellyfish (ScreensPro).scr

AddRemove-Form 1 (ScreensPro) - c:\windows\system32\Form 1 (ScreensPro).scr

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3816042391-2229068463-1246618367-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (S-1-5-21-3816042391-2229068463-1246618367-1000)

@Denied: (2) (LocalSystem)

"Progid"="Microsoft Internet Mail Message WLMail"

.

[HKEY_USERS\S-1-5-21-3816042391-2229068463-1246618367-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (S-1-5-21-3816042391-2229068463-1246618367-1000)

@Denied: (2) (LocalSystem)

"Progid"="Microsoft Internet Mail VCard WLMail"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\SysWOW64\bgsvcgen.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe

c:\program files (x86)\CyberLink\Shared files\RichVideo.exe

c:\program files (x86)\Common Files\Nero\Lib\NMIndexingService.exe

c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe

c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2012-08-12 12:31:59 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-12 16:31

.

Pre-Run: 185,279,418,368 bytes free

Post-Run: 190,242,877,440 bytes free

.

- - End Of File - - 608AE329615A89B83ADD25381344DBAC

Link to post
Share on other sites

updated quick scan mbam log;

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Owner :: SZOCSDESKTOP [administrator]

Protection: Enabled

12/08/2012 5:56:56 PM

mbam-log-2012-08-12 (17-56-56).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 247350

Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

updated FULL scan mbam log;

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.05

Windows 7 Service Pack 1 x64 FAT32

Internet Explorer 8.0.7601.17514

Owner :: SZOCSDESKTOP [administrator]

Protection: Enabled

12/08/2012 6:05:48 PM

mbam-log-2012-08-12 (19-01-05).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 476939

Time elapsed: 47 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\FRST\Quarantine\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

C:\FRST\Quarantine\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\000000cb.@ (Rootkit.0Access) -> No action taken.

C:\FRST\Quarantine\{320906d0-ef4a-4e35-13da-74f22bc5fb45}\U\80000032.@ (Rootkit.0Access) -> No action taken.

(end)

Link to post
Share on other sites

Those are OK > already in quarantine.

~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

MrCharlie,

It seems everything is clean now - nothing detected in MWB. Sending a big stern handshake and thanks your way. I'm on my way to your paypal site!

Could I trouble you to take a peak at my laptop's mbam log? - and would you recommend that I follow the same steps there?.......

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.06

Windows 7 Service Pack 1 x86 FAT32

Internet Explorer 9.0.8112.16421

qxlocates :: A10782 [administrator]

Protection: Enabled

8/12/2012 9:15:30 PM

mbam-log-2012-08-12 (22-05-20).txt

Scan type: Full scan (C:\|E:\|H:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 371089

Time elapsed: 30 minute(s), 54 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Windows\System32\diskexnt.dll (Trojan.Agent) -> No action taken.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 12

C:\Windows\System32\diskexnt.dll (Trojan.Agent) -> No action taken.

C:\Users\Administrator.A10782\AppData\Local\tafyvp.exe (Trojan.LameShield) -> No action taken.

C:\Users\qxlocates\AppData\Local\nvfarle.exe (Trojan.LameShield) -> No action taken.

C:\Users\qxlocates\AppData\Local\Temp\sgwe3t.exe (Trojan.Inject) -> No action taken.

C:\Users\qxlocates\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\839df2c-6e687be5 (Trojan.Inject) -> No action taken.

C:\Users\qxlocates\Downloads\installer_plants_vs_zombies.exe (PUP.BundleInstaller.BT) -> No action taken.

C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.

C:\Windows\Installer\{f935cc66-766e-6d60-1eaa-31aeda77fbc6}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.

C:\Windows\Installer\{f935cc66-766e-6d60-1eaa-31aeda77fbc6}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

C:\Windows\Installer\{f935cc66-766e-6d60-1eaa-31aeda77fbc6}\U\000000cb.@ (Rootkit.0Access) -> No action taken.

C:\Windows\Installer\{f935cc66-766e-6d60-1eaa-31aeda77fbc6}\U\80000000.@ (Rootkit.0Access) -> No action taken.

C:\Windows\Installer\{f935cc66-766e-6d60-1eaa-31aeda77fbc6}\U\80000032.@ (Rootkit.0Access) -> No action taken.

(end)

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.