Jump to content

Infected with ZeroAccess and maybe more


Recommended Posts

Below are my malwarebytes pro, dds, attach, and roguekiller logs

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.06.06

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

John Nicholas :: JOHNNICHOLAS [administrator]

Protection: Enabled

9/6/2012 7:12:12 AM

mbam-log-2012-09-06 (08-16-18).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 399135

Time elapsed: 1 hour(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\000000cb.@ (Rootkit.0Access) -> No action taken.

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\80000000.@ (Trojan.Small) -> No action taken.

(end)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by John Nicholas at 7:05:53 on 2012-09-06

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3037.1985 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\TightVNC\tvnserver.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE

C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe

C:\Program Files\TightVNC\tvnserver.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe

C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe

C:\Program Files\TightVNC\tvnserver.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [Google Update] "c:\users\john nicholas\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP KEYBOARDx] "c:\program files\hewlett-packard\hp desktop keyboard\HPKEYBOARDx.EXE"

mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

mRun: [bATINDICATOR] c:\program files\hewlett-packard\hp mainstream keyboard\BATINDICATOR.exe

mRun: [LaunchHPOSIAPP] c:\program files\hewlett-packard\hp mainstream keyboard\LaunchApp.exe

mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [<NO NAME>]

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 1 (0x1)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

LSP: mswsock.dll

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

TCP: Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer = 65.32.1.65,65.32.1.70

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-8-20 92216]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-27 655944]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]

R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-16 22344]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-22 279656]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]

S2 PEVSystemStart;PEVSystemStart;c:\32788r22fwjfw\pev.3XE [2011-6-26 256000]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 250056]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]

S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-1-22 132480]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 OxPPort;OxPPort;c:\windows\system32\drivers\OxPPort.sys [2011-1-22 82048]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-2 1343400]

.

=============== Created Last 30 ================

.

2012-09-06 11:05:22 54016 ----a-w- c:\windows\system32\drivers\ivani.sys

2012-08-08 14:45:22 -------- d-----w- c:\users\john nicholas\appdata\local\Deployment

2012-08-08 14:45:22 -------- d-----w- c:\users\john nicholas\appdata\local\Apps

.

==================== Find3M ====================

.

2012-08-14 18:50:34 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-14 18:50:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-12 02:44:03 2344448 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 7:06:30.23 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 4/15/2011 3:31:29 PM

System Uptime: 9/6/2012 6:00:17 AM (1 hours ago)

.

Motherboard: FOXCONN | | 2A8C

Processor: Pentium® Dual-Core CPU E5700 @ 3.00GHz | CPU 1 | 3003/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 139 GiB total, 85.787 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 1.252 GiB free.

E: is CDROM (UDF)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

ActiveCheck component for HP Active Support Library

Adobe Acrobat X Pro - English, Français, Deutsch

Adobe AIR

Adobe Flash Player 11 ActiveX

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Google Apps Migration For Microsoft Outlook® 2.3.12.34

Google Apps Sync™ for Microsoft Outlook® 3.1.94.203

Google Chrome

Google Cloud Connect for Microsoft Office

Google Update Helper

HP Auto

HP Connect Solutions

HP Customer Experience Enhancements

HP Desktop Keyboard

HP MAINSTREAM KEYBOARD

HP Odometer

HP Remote Solution

HP Setup

HP Support Assistant

HP Support Information

HP Vision Hardware Diagnostics

HPAsset component for HP Active Support Library

Intel® Graphics Media Accelerator Driver

InterVideo WinDVD 8

Java Auto Updater

Java 6 Update 25

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft_VC90_CRT_x86

Mozilla Thunderbird (3.1.10)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

PlayReady PC Runtime x86

Realtek High Definition Audio Driver

Recovery Manager

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition

Spotify

TightVNC 2.0.2

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Windows Live ID Sign-in Assistant

.

==== Event Viewer Messages From Past Week ========

.

9/6/2012 6:28:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.

9/6/2012 6:28:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error: An instance of the service is already running.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 2 time(s).

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:23:55 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

9/6/2012 6:18:27 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Application Experience service, but this action failed with the following error: An instance of the service is already running.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/6/2012 6:03:15 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

9/6/2012 6:03:15 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

9/6/2012 6:00:35 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

.

==== End Of File ===========================

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : John Nicholas [Admin rights]

Mode : Scan -- Date : 09/06/2012 06:52:04

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer (65.32.1.65,65.32.1.70) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer (65.32.1.65,65.32.1.70) -> FOUND

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC\Desktop.ini --> FOUND

[susp.ASLR|Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160318AS ATA Device +++++

--- User ---

[MBR] ea6acb3719542c5e4aa14d17adb2750b

[bSP] 29d88a6bd94bb9282499f9c0d775a976 : Windows Vista/7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 142007 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 291037184 | Size: 10518 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:



    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    [*]Select Command Prompt

    [*]In the command window type in notepad and press Enter.

    [*]The notepad opens. Under File menu select Open.

    [*]Select "Computer" and find your flash drive letter and close the notepad.

    [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

    [*]The tool will start to run.

    [*]When the tool opens click Yes to disclaimer.

    [*]Press Scan button.

    [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

    [*]Now press the Search button

    [*]When the search is complete, search.txt will also be written to your USB

    [*]Type exit and reboot the computer normally

    [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

Link to post
Share on other sites

I have included the contents of the two files below.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) (x86) Version: 08-09-2012

Ran by SYSTEM at 08-09-2012 16:41:54

Running from H:\

Windows 7 Professional (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)

HKLM\...\Run: [HP KEYBOARDx] "C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [710656 2010-02-11] (Hewlett-Packard)

HKLM\...\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)

HKLM\...\Run: [bATINDICATOR] C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe [2068992 2009-05-08] (Hewlett-Packard)

HKLM\...\Run: [LaunchHPOSIAPP] C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)

HKLM\...\Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave [815704 2010-07-08] (GlavSoft LLC.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [] [x]

HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)

HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253672 2011-01-07] (Sun Microsystems, Inc.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKU\John Nicholas\...\Run: [Google Update] "C:\Users\John Nicholas\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-08] (Google Inc.)

HKU\John Nicholas\...\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

Tcpip\..\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602}: [NameServer]65.32.1.65,65.32.1.70

==================== Services ================================

2 HP Health Check Service; "C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [126008 2010-09-17] (Hewlett-Packard Company)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 PEVSystemStart; "C:\32788R22FWJFW\pev.3XE" EXEC /i CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:15 "C:\32788R22FWJFW\KNetSvcs.vbs" [322 2012-09-03] ()

2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

2 tvnserver; "C:\Program Files\TightVNC\tvnserver.exe" -service [815704 2010-07-08] (GlavSoft LLC.)

==================== Drivers =================================

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)

3 OxPPort; C:\Windows\system32\DRIVERS\OxPPort.sys [82048 2008-07-31] (OEM)

==================== NetSvcs (Whitelisted) =================

============ One Month Created Files and Folders ==============

2012-09-08 12:38 - 2012-09-08 12:38 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-09-06 03:49 - 2009-06-10 13:39 - 00000824 ____A C:\Windows\System32\Drivers\etc\hosts.20120906-074911.backup

2012-09-06 03:47 - 2012-09-06 03:49 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy

2012-09-06 03:47 - 2012-09-06 03:48 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2012-09-06 03:45 - 2012-09-06 03:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\John Nicholas\Downloads\spybotsd162.exe

2012-09-06 03:44 - 2012-09-06 03:44 - 00897888 ____A C:\Users\John Nicholas\Downloads\spybot search amp destroy setup.exe

2012-09-06 03:03 - 2012-09-06 03:03 - 00607260 ____R (Swearware) C:\Users\John Nicholas\Downloads\dds.com

2012-09-06 02:46 - 2012-09-06 02:46 - 01378816 ____A C:\Users\John Nicholas\Downloads\RogueKiller.exe

2012-09-06 02:38 - 2012-09-06 02:42 - 04722680 ____A (Swearware) C:\Users\John Nicholas\Downloads\ComboFix.exe

2012-09-06 02:36 - 2012-09-06 02:36 - 00587640 ____A C:\Users\John Nicholas\Downloads\cbsidlm-tr1_6-Combofix-75221073.exe

2012-09-06 02:17 - 2012-09-06 02:24 - 00000000 ___SD C:\32788R22FWJFW

2012-09-06 02:17 - 2012-09-06 02:24 - 00000000 ____D C:\Qoobox

2012-09-06 02:17 - 2012-09-06 02:18 - 00000000 ____D C:\Windows\erdnt

============ 3 Months Modified Files ========================

2012-09-08 12:38 - 2012-09-08 12:38 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-09-08 12:38 - 2011-01-22 16:25 - 01520612 ____A C:\Windows\WindowsUpdate.log

2012-09-08 12:38 - 2009-07-13 20:39 - 00044819 ____A C:\Windows\setupact.log

2012-09-08 12:37 - 2009-07-13 20:34 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-08 12:37 - 2009-07-13 20:34 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-08 12:31 - 2009-07-25 04:54 - 00778660 ____A C:\Windows\System32\PerfStringBackup.INI

2012-09-08 12:27 - 2012-03-16 10:12 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-09-08 12:27 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-08 12:26 - 2009-07-13 20:53 - 00032594 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-09-06 14:57 - 2012-08-08 06:45 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2196710471-1452651213-449474573-1001UA.job

2012-09-06 14:50 - 2012-04-03 09:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-06 14:27 - 2012-03-16 10:12 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-09-06 06:57 - 2012-08-08 06:45 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2196710471-1452651213-449474573-1001Core.job

2012-09-06 04:19 - 2011-04-15 12:38 - 00063412 ____A C:\Windows\PFRO.log

2012-09-06 03:49 - 2009-07-13 18:04 - 00444231 ___RA C:\Windows\System32\Drivers\etc\hosts.20120906-075004.backup

2012-09-06 03:46 - 2012-09-06 03:45 - 16409960 ____A (Safer Networking Limited ) C:\Users\John Nicholas\Downloads\spybotsd162.exe

2012-09-06 03:44 - 2012-09-06 03:44 - 00897888 ____A C:\Users\John Nicholas\Downloads\spybot search amp destroy setup.exe

2012-09-06 03:03 - 2012-09-06 03:03 - 00607260 ____R (Swearware) C:\Users\John Nicholas\Downloads\dds.com

2012-09-06 02:46 - 2012-09-06 02:46 - 01378816 ____A C:\Users\John Nicholas\Downloads\RogueKiller.exe

2012-09-06 02:42 - 2012-09-06 02:38 - 04722680 ____A (Swearware) C:\Users\John Nicholas\Downloads\ComboFix.exe

2012-09-06 02:36 - 2012-09-06 02:36 - 00587640 ____A C:\Users\John Nicholas\Downloads\cbsidlm-tr1_6-Combofix-75221073.exe

2012-09-04 09:58 - 2012-08-08 06:46 - 00002497 ____A C:\Users\John Nicholas\Desktop\Google Chrome.lnk

2012-08-15 10:15 - 2011-07-15 10:15 - 00000338 ____A C:\Windows\Tasks\HPCeeScheduleForJOHNNICHOLAS$.job

2012-08-14 10:50 - 2012-04-03 09:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-08-14 10:50 - 2011-05-17 04:59 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-08-08 06:02 - 2012-08-08 06:02 - 00000996 ____A C:\Users\John Nicholas\Downloads\disable-balloon-tips.reg

2012-08-08 05:06 - 2012-01-31 09:21 - 00034816 __ASH C:\Users\John Nicholas\Thumbs.db

2012-07-27 07:18 - 2012-07-27 07:18 - 00001029 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-16 05:44 - 2011-04-15 11:57 - 00001945 ____A C:\Windows\epplauncher.mif

2012-07-12 10:16 - 2009-07-13 20:33 - 00412440 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 11:33 - 2011-05-02 07:50 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-03 09:46 - 2012-07-16 05:10 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-11 18:44 - 2012-07-11 11:33 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

ZeroAccess:

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L\00000004.@

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L\201d3dde

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\80000032.@

ZeroAccess:

C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}

C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\@

C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L

C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U

ZeroAccess:

C:\Windows\assembly\GAC\Desktop.ini

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-08 12:30:52

==================== Memory info ===========================

Percentage of memory in use: 16%

Total physical RAM: 4061.24 MB

Available physical RAM: 3398.12 MB

Total Pagefile: 4059.52 MB

Available Pagefile: 3401.29 MB

Total Virtual: 2047.88 MB

Available Virtual: 1954.3 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:138.68 GB) (Free:85.72 GB) NTFS

2 Drive e: (HP_RECOVERY) (Fixed) (Total:10.27 GB) (Free:1.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive f: (PRR #15327) (CDROM) (Total:0.29 GB) (Free:0 GB) UDF

4 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

5 Drive h: (ANGELITO) (Removable) (Total:1.9 GB) (Free:1.9 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 1952 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 138 GB 101 MB

Partition 3 Primary 10 GB 138 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y SYSTEM NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C OS NTFS Partition 138 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E HP_RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1952 MB 1024 B

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H ANGELITO FAT32 Removable 1952 MB Healthy

==================================================================================

Last Boot: 2012-09-05 20:17

==================== End Of Log =============================

Farbar Recovery Scan Tool (x86) Version: 08-09-2012

Ran by SYSTEM at 2012-09-08 16:43:26

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Link to post
Share on other sites

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

Link to post
Share on other sites

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 08-09-2012

Ran by SYSTEM at 2012-09-08 17:49:25 Run:1

Running from H:\

==============================================

C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18} moved successfully.

C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18} moved successfully.

C:\Windows\assembly\GAC\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Link to post
Share on other sites

Next............

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Link to post
Share on other sites

I just wanted to add that after the step involving running frst.exe with the fixlist.txt

everything has disappeared from the desktop and I am getting errors when windows starts up like

"C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."

Also at the bottom right, there is a little lock with a notification that says:

"Failed to connect to a windows service"

"Windows could not connect to the System Event Notification Service service. This problem prevents standard users from logging on to the system. As an administrative user, you can review the System Event Log for details about why the service didn't respond"

Link to post
Share on other sites

I wasn't trying to be a smart alec. I just want to make sure I'm doing the right thing.

I rescanned with FRST.exe and I also did the search for services.exe just in case you needed that again too.

Here's the info:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) (x86) Version: 08-09-2012

Ran by SYSTEM at 08-09-2012 18:59:52

Running from H:\

Windows 7 Professional (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)

HKLM\...\Run: [HP KEYBOARDx] "C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [710656 2010-02-11] (Hewlett-Packard)

HKLM\...\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)

HKLM\...\Run: [bATINDICATOR] C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe [2068992 2009-05-08] (Hewlett-Packard)

HKLM\...\Run: [LaunchHPOSIAPP] C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)

HKLM\...\Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave [815704 2010-07-08] (GlavSoft LLC.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [] [x]

HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)

HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253672 2011-01-07] (Sun Microsystems, Inc.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKU\John Nicholas\...\Run: [Google Update] "C:\Users\John Nicholas\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-08] (Google Inc.)

HKU\John Nicholas\...\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKLM\...\Runonce: [1AFCE5B9-5C1B-4C2C-AFB6-626681D81BD8] cmd.exe /C start /D "C:\Users\JOHNNI~1\AppData\Local\Temp" /B 1AFCE5B9-5C1B-4C2C-AFB6-626681D81BD8.exe -activeimages -postboot [x]

Tcpip\..\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602}: [NameServer]65.32.1.65,65.32.1.70

==================== Services ================================

2 HP Health Check Service; "C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [126008 2010-09-17] (Hewlett-Packard Company)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 PEVSystemStart; "C:\32788R22FWJFW\pev.3XE" EXEC /i CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:15 "C:\32788R22FWJFW\KNetSvcs.vbs" [322 2012-09-03] ()

2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

2 tvnserver; "C:\Program Files\TightVNC\tvnserver.exe" -service [815704 2010-07-08] (GlavSoft LLC.)

==================== Drivers =================================

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)

3 OxPPort; C:\Windows\system32\DRIVERS\OxPPort.sys [82048 2008-07-31] (OEM)

==================== NetSvcs (Whitelisted) =================

============ One Month Created Files and Folders ==============

2012-09-08 14:31 - 2012-09-08 14:18 - 02211928 ____A (Kaspersky Lab ZAO) C:\tdsskiller.exe

2012-09-08 12:38 - 2012-09-08 12:38 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-09-06 03:49 - 2009-06-10 13:39 - 00000824 ____A C:\Windows\System32\Drivers\etc\hosts.20120906-074911.backup

2012-09-06 03:47 - 2012-09-06 03:49 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy

2012-09-06 03:47 - 2012-09-06 03:48 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2012-09-06 03:45 - 2012-09-06 03:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\John Nicholas\Downloads\spybotsd162.exe

2012-09-06 03:44 - 2012-09-06 03:44 - 00897888 ____A C:\Users\John Nicholas\Downloads\spybot search amp destroy setup.exe

2012-09-06 03:03 - 2012-09-06 03:03 - 00607260 ____R (Swearware) C:\Users\John Nicholas\Downloads\dds.com

2012-09-06 02:46 - 2012-09-06 02:46 - 01378816 ____A C:\Users\John Nicholas\Downloads\RogueKiller.exe

2012-09-06 02:38 - 2012-09-06 02:42 - 04722680 ____A (Swearware) C:\Users\John Nicholas\Downloads\ComboFix.exe

2012-09-06 02:36 - 2012-09-06 02:36 - 00587640 ____A C:\Users\John Nicholas\Downloads\cbsidlm-tr1_6-Combofix-75221073.exe

2012-09-06 02:17 - 2012-09-06 02:24 - 00000000 ___SD C:\32788R22FWJFW

2012-09-06 02:17 - 2012-09-06 02:24 - 00000000 ____D C:\Qoobox

2012-09-06 02:17 - 2012-09-06 02:18 - 00000000 ____D C:\Windows\erdnt

============ 3 Months Modified Files ========================

2012-09-08 14:58 - 2011-01-22 16:25 - 01540924 ____A C:\Windows\WindowsUpdate.log

2012-09-08 14:57 - 2012-08-08 06:45 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2196710471-1452651213-449474573-1001UA.job

2012-09-08 14:50 - 2012-04-03 09:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-08 14:47 - 2009-07-13 20:34 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-08 14:47 - 2009-07-13 20:34 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-08 14:46 - 2009-07-25 04:54 - 00778660 ____A C:\Windows\System32\PerfStringBackup.INI

2012-09-08 14:40 - 2012-03-16 10:12 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-09-08 14:40 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-08 14:39 - 2009-07-13 20:53 - 00032594 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-09-08 14:39 - 2009-07-13 20:39 - 00045043 ____A C:\Windows\setupact.log

2012-09-08 14:18 - 2012-09-08 14:31 - 02211928 ____A (Kaspersky Lab ZAO) C:\tdsskiller.exe

2012-09-08 12:38 - 2012-09-08 12:38 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-09-06 14:27 - 2012-03-16 10:12 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-09-06 06:57 - 2012-08-08 06:45 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2196710471-1452651213-449474573-1001Core.job

2012-09-06 04:19 - 2011-04-15 12:38 - 00063412 ____A C:\Windows\PFRO.log

2012-09-06 03:49 - 2009-07-13 18:04 - 00444231 ___RA C:\Windows\System32\Drivers\etc\hosts.20120906-075004.backup

2012-09-06 03:46 - 2012-09-06 03:45 - 16409960 ____A (Safer Networking Limited ) C:\Users\John Nicholas\Downloads\spybotsd162.exe

2012-09-06 03:44 - 2012-09-06 03:44 - 00897888 ____A C:\Users\John Nicholas\Downloads\spybot search amp destroy setup.exe

2012-09-06 03:03 - 2012-09-06 03:03 - 00607260 ____R (Swearware) C:\Users\John Nicholas\Downloads\dds.com

2012-09-06 02:46 - 2012-09-06 02:46 - 01378816 ____A C:\Users\John Nicholas\Downloads\RogueKiller.exe

2012-09-06 02:42 - 2012-09-06 02:38 - 04722680 ____A (Swearware) C:\Users\John Nicholas\Downloads\ComboFix.exe

2012-09-06 02:36 - 2012-09-06 02:36 - 00587640 ____A C:\Users\John Nicholas\Downloads\cbsidlm-tr1_6-Combofix-75221073.exe

2012-09-04 09:58 - 2012-08-08 06:46 - 00002497 ____A C:\Users\John Nicholas\Desktop\Google Chrome.lnk

2012-08-15 10:15 - 2011-07-15 10:15 - 00000338 ____A C:\Windows\Tasks\HPCeeScheduleForJOHNNICHOLAS$.job

2012-08-14 10:50 - 2012-04-03 09:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-08-14 10:50 - 2011-05-17 04:59 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-08-08 06:02 - 2012-08-08 06:02 - 00000996 ____A C:\Users\John Nicholas\Downloads\disable-balloon-tips.reg

2012-08-08 05:06 - 2012-01-31 09:21 - 00034816 __ASH C:\Users\John Nicholas\Thumbs.db

2012-07-27 07:18 - 2012-07-27 07:18 - 00001029 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-16 05:44 - 2011-04-15 11:57 - 00001945 ____A C:\Windows\epplauncher.mif

2012-07-12 10:16 - 2009-07-13 20:33 - 00412440 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 11:33 - 2011-05-02 07:50 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-03 09:46 - 2012-07-16 05:10 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-11 18:44 - 2012-07-11 11:33 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-08 12:30:52

==================== Memory info ===========================

Percentage of memory in use: 16%

Total physical RAM: 4061.24 MB

Available physical RAM: 3394.14 MB

Total Pagefile: 4059.52 MB

Available Pagefile: 3402.78 MB

Total Virtual: 2047.88 MB

Available Virtual: 1959.2 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:138.68 GB) (Free:85.72 GB) NTFS

2 Drive e: (HP_RECOVERY) (Fixed) (Total:10.27 GB) (Free:1.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive f: (PRR #15327) (CDROM) (Total:0.29 GB) (Free:0 GB) UDF

4 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

5 Drive h: (ANGELITO) (Removable) (Total:1.9 GB) (Free:1.9 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 1952 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 138 GB 101 MB

Partition 3 Primary 10 GB 138 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y SYSTEM NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C OS NTFS Partition 138 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E HP_RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1952 MB 1024 B

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H ANGELITO FAT32 Removable 1952 MB Healthy

==================================================================================

Last Boot: 2012-09-05 20:17

==================== End Of Log =============================

Farbar Recovery Scan Tool (x86) Version: 08-09-2012

Ran by SYSTEM at 2012-09-08 19:00:47

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\FRST\Quarantine\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Link to post
Share on other sites

I assume that the restore corrected the problems.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Link to post
Share on other sites

The malwarebytes quick scan didn't find anything, but RogueKiller said it found ZeroAccess

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.08.09

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

John Nicholas :: JOHNNICHOLAS [administrator]

Protection: Enabled

9/8/2012 8:32:20 PM

mbam-log-2012-09-08 (20-32-20).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 287980

Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : John Nicholas [Admin rights]

Mode : Scan -- Date : 09/08/2012 21:02:15

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer (65.32.1.65,65.32.1.70) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer (65.32.1.65,65.32.1.70) -> FOUND

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

127.0.0.1 www.100sexlinks.com

127.0.0.1 100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160318AS ATA Device +++++

--- User ---

[MBR] ea6acb3719542c5e4aa14d17adb2750b

[bSP] 29d88a6bd94bb9282499f9c0d775a976 : Windows Vista/7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 142007 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 291037184 | Size: 10518 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk U3 Cruzer Micro USB Device +++++

--- User ---

[MBR] 564565fe7246fa41a0d61cb0cd5946f2

[bSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 2 | Size: 1952 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L --> FOUND

Now click Delete on the right hand column under Options

Reboot and run another scan with RogueKiller > post the new log, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.