System message - Write Fault Error


Best_Dad

Hello,

I think that my computer is infected with malware and need help!

A few days ago, I received a "System Message - Write Fault Error" message that popped up several times, with a message "A write command during the test has failed to complete. This may be due to media ... Invalid system memory address".

Also, all of the icons on my desktop have disappeared (except for a few) and I cannot access any program under "All Programs".

Please HELP!!!

Brandon


Welcome to the forum,

Running unhide should restore hidden files...etc.

http://www.bleepingc...opic405109.html

......please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Thank you for your help!!!

Ok here are the 2 logs.

DDS - Notepad

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6000.17037

Run by aeland at 1:28:50 on 2012-09-22

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1662.641 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\IDT\WDM\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\sttray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Camera Assistant Software for Gateway\traybar.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Spare Backup\SpareBackup.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\ProgramData\qGdhLMVjErKbog.exe

C:\ProgramData\nZtu8imNJI9Ve6.exe

C:\Program Files\BigFix\bigfix.exe

C:\Program Files\Walgreens PictureMover\Bin\PictureMover.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\msiexec.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bing.com/

uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1625

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1625

mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1625

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1625

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll

TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [NetZero_uoltray] c:\program files\netzero\exec.exe regrun

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [smileboxTray] "c:\users\aeland\appdata\roaming\smilebox\SmileboxTray.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [qGdhLMVjErKbog.exe] c:\programdata\qGdhLMVjErKbog.exe

uRun: [nZtu8imNJI9Ve6] c:\programdata\nZtu8imNJI9Ve6.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11f_ActiveX.exe -update activex

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [startCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent

mRun: [NapsterShell] c:\program files\napster\napster.exe /systray

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

StartupFolder: c:\users\aeland\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

StartupFolder: c:\users\aeland\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\walgre~1.lnk - c:\program files\walgreens picturemover\bin\PictureMover.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: netzero.com

Trusted Zone: netzero.net

TCP: DhcpNameServer = 192.168.0.1 205.171.2.25

TCP: Interfaces\{07A1C592-ED0C-4C50-8544-58D56CF33EDE} : DhcpNameServer = 192.168.0.1 205.171.2.25

TCP: Interfaces\{43158789-B7BD-4246-B6B6-69B7933C897E} : DhcpNameServer = 206.9.64.101 137.192.2.3

TCP: Interfaces\{AE2033E2-7401-42BF-A7A5-4503FE8A40AC} : DhcpNameServer = 192.168.0.1 205.171.2.65

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\aeland\appdata\roaming\mozilla\firefox\profiles\1avdda86.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll

.

============= SERVICES / DRIVERS ===============

.

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20080305.003\IDSvix86.sys [2008-3-9 261680]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2010-6-5 149352]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-4 40776]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-11-19 253952]

R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-2-3 1251720]

R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-5 136176]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-19 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-5 136176]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-28 113120]

S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

.

=============== Created Last 30 ================

.

2012-09-04 05:53:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-09-04 01:38:59 260096 ---ha-w- c:\programdata\nZtu8imNJI9Ve6.exe

2012-09-03 14:17:30 356352 ---ha-w- c:\programdata\qGdhLMVjErKbog.exe

2012-08-25 18:06:44 -------- d--h--w- c:\users\aeland\appdata\local\Macromedia

2012-08-25 18:06:02 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

==================== Find3M ====================

.

2012-08-25 18:06:02 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 1:29:10.50 ===============

...and Attach - Notepad

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 11/19/2007 8:44:31 AM

System Uptime: 9/22/2012 12:21:38 AM (1 hours ago)

.

Motherboard: GATEWAY | |

Processor: AMD Turion 64 X2 Mobile Technology TL-60 | Socket M2/S1G1 | 2000/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 222 GiB total, 153.523 GiB free.

D: is FIXED (NTFS) - 11 GiB total, 4.508 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP171: 1/1/2012 4:35:47 PM - Scheduled Checkpoint

RP172: 1/2/2012 5:43:14 PM - Scheduled Checkpoint

RP173: 1/5/2012 6:35:04 AM - Scheduled Checkpoint

RP174: 1/8/2012 12:27:51 AM - Scheduled Checkpoint

RP175: 3/23/2012 11:47:58 PM - Scheduled Checkpoint

RP176: 4/11/2012 7:45:46 PM - Installed Walgreens PictureMover.

RP177: 4/13/2012 10:55:05 AM - Installed HR Block 2011.

RP178: 4/13/2012 12:40:41 PM - Installed HR Block Minnesota 2011.

RP179: 5/13/2012 11:35:29 PM - Removed Walgreens PictureMover.

RP180: 5/28/2012 2:10:46 PM - Scheduled Checkpoint

RP181: 6/4/2012 7:45:42 PM - Scheduled Checkpoint

RP182: 6/17/2012 11:59:27 AM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers

RP183: 6/17/2012 12:00:10 PM - Device Driver Package Install: Apple Network adapters

RP184: 6/17/2012 12:02:52 PM - Installed iTunes

RP185: 6/17/2012 12:52:17 PM - Installed iTunes

RP186: 6/26/2012 1:08:32 AM - Scheduled Checkpoint

RP187: 7/5/2012 7:08:09 PM - Scheduled Checkpoint

RP188: 7/28/2012 3:00:34 AM - Windows Update

RP189: 7/29/2012 3:00:29 AM - Windows Update

RP190: 8/16/2012 3:00:25 AM - Windows Update

.

==== Installed Programs ======================

.

Activation Assistant for the 2007 Microsoft Office suites

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8

Agere Systems HDA Modem

AppCore

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Ask Toolbar

ATI Catalyst Install Manager

BigFix

Bonjour

Browser Address Error Redirector

Camera Assistant Software for Gateway

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center Localization Chinese Standard

Catalyst Control Center Localization Chinese Traditional

Catalyst Control Center Localization Czech

Catalyst Control Center Localization Danish

Catalyst Control Center Localization Dutch

Catalyst Control Center Localization Finnish

Catalyst Control Center Localization French

Catalyst Control Center Localization German

Catalyst Control Center Localization Greek

Catalyst Control Center Localization Hungarian

Catalyst Control Center Localization Italian

Catalyst Control Center Localization Japanese

Catalyst Control Center Localization Korean

Catalyst Control Center Localization Norwegian

Catalyst Control Center Localization Polish

Catalyst Control Center Localization Portuguese

Catalyst Control Center Localization Russian

Catalyst Control Center Localization Spanish

Catalyst Control Center Localization Swedish

Catalyst Control Center Localization Thai

Catalyst Control Center Localization Turkish

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

ccCommon

Clifford Phonics

Compatibility Pack for the 2007 Office system

Component Framework

Gateway Connect

Gateway Games

Gateway Recovery Center Installer

Google Desktop

Google Toolbar for Internet Explorer

Google Update Helper

H&R Block Deluxe + Efile + State 2011

H&R Block Minnesota 2011

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

IDT Audio

iTunes

Java SE Runtime Environment 6 Update 1

JumpStart Reading for First Graders

LabelPrint

LimeWire 5.5.8

LiveUpdate (Symantec Corporation)

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 3.5 SP1

Microsoft Money Essentials

Microsoft Money Shared Libraries

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox 14.0.1 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Napster

Napster Burn Engine

NetZero Internet

Norton AntiVirus

Norton AntiVirus Help

Norton Confidential Core

Norton Internet Security

Norton Internet Security (Symantec Corporation)

Norton Protection Center

Pdf995 (installed by TaxCut)

PdfEdit995 (installed by TaxCut)

Power2Go 5.0

QuickTime

Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista

Realtek USB 2.0 Card Reader

REALTEK USB Wireless LAN Driver

RotoWire Football Software 2012

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Skins

Smilebox

Spare Backup

SPBBC 32bit

Symantec Real Time Storage Protection Component

SymNet

Synaptics Pointing Device Driver

TaxCut Minnesota 2007

TaxCut Premium + State 2007

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Walgreens PictureMover

Windows Live Messenger

.

==== End Of File ===========================

Thank you!


Thank you. Just ran it.

Here is log:

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version

Started in : Normal mode

User : aeland [Admin rights]

Mode : Scan -- Date : 09/23/2012 13:39:16

¤¤¤ Bad processes : 4 ¤¤¤

[sUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[sUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : SmileboxTray ("C:\Users\aeland\AppData\Roaming\Smilebox\SmileboxTray.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : qGdhLMVjErKbog.exe (C:\ProgramData\qGdhLMVjErKbog.exe) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : nZtu8imNJI9Ve6 (C:\ProgramData\nZtu8imNJI9Ve6.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2049136128-3216804590-1937335049-1000[...]\Run : SmileboxTray ("C:\Users\aeland\AppData\Roaming\Smilebox\SmileboxTray.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2049136128-3216804590-1937335049-1000[...]\Run : qGdhLMVjErKbog.exe (C:\ProgramData\qGdhLMVjErKbog.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2049136128-3216804590-1937335049-1000[...]\Run : nZtu8imNJI9Ve6 (C:\ProgramData\nZtu8imNJI9Ve6.exe) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\n --> FOUND

[ZeroAccess][FILE] @ : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[13] : NtAlertResumeThread @ 0x8221D597 -> HOOKED (Unknown @ 0x860631A8)

SSDT[14] : NtAlertThread @ 0x8221D53F -> HOOKED (Unknown @ 0x86063008)

SSDT[18] : NtAllocateVirtualMemory @ 0x821D54AF -> HOOKED (Unknown @ 0x8605E178)

SSDT[21] : NtAlpcConnectPort @ 0x821BFFE3 -> HOOKED (Unknown @ 0x86059EE8)

SSDT[67] : NtCreateMutant @ 0x8229018A -> HOOKED (Unknown @ 0x86068418)

SSDT[78] : NtCreateThread @ 0x8221217B -> HOOKED (Unknown @ 0x85D534B0)

SSDT[116] : NtDebugActiveProcess @ 0x82176262 -> HOOKED (Unknown @ 0x86068F10)

SSDT[147] : NtFreeVirtualMemory @ 0x820BEC63 -> HOOKED (Unknown @ 0x8477F990)

SSDT[156] : NtImpersonateAnonymousToken @ 0x8224E117 -> HOOKED (Unknown @ 0x860684E8)

SSDT[158] : NtImpersonateThread @ 0x822226C5 -> HOOKED (Unknown @ 0x860630C8)

SSDT[177] : NtMapViewOfSection @ 0x821D0396 -> HOOKED (Unknown @ 0x8477F890)

SSDT[184] : NtOpenEvent @ 0x822874B1 -> HOOKED (Unknown @ 0x86068338)

SSDT[195] : NtOpenProcessToken @ 0x82240F8A -> HOOKED (Unknown @ 0x8606C4A8)

SSDT[197] : NtOpenSection @ 0x821DA71B -> HOOKED (Unknown @ 0x84540720)

SSDT[202] : NtOpenThreadToken @ 0x82241177 -> HOOKED (Unknown @ 0x86063710)

SSDT[281] : NtResumeThread @ 0x8221D3A0 -> HOOKED (Unknown @ 0x86057190)

SSDT[293] : NtSetContextThread @ 0x8221AEBB -> HOOKED (Unknown @ 0x86063650)

SSDT[309] : NtSetInformationProcess @ 0x82215EBB -> HOOKED (Unknown @ 0x8606C7E8)

SSDT[310] : NtSetInformationThread @ 0x8221861B -> HOOKED (Unknown @ 0x86063560)

SSDT[334] : NtSuspendProcess @ 0x8221D483 -> HOOKED (Unknown @ 0x86068FD0)

SSDT[335] : NtSuspendThread @ 0x8221D2B7 -> HOOKED (Unknown @ 0x8606CC08)

SSDT[338] : NtTerminateProcess @ 0x8221B2B3 -> HOOKED (Unknown @ 0x85F78330)

SSDT[339] : NtTerminateThread @ 0x8221B707 -> HOOKED (Unknown @ 0x8606CCE8)

SSDT[352] : NtUnmapViewOfSection @ 0x821E0D88 -> HOOKED (Unknown @ 0x8606C8D8)

SSDT[362] : NtWriteVirtualMemory @ 0x821D71AB -> HOOKED (Unknown @ 0x8605E0A8)

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\Users\Default\NTUSER.DAT

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS542525K9SA00 ATA Device +++++

--- User ---

[MBR] 8abc22a2edcef491a6c82225ff127a62

[bSP] 8adf42fc351c0e0c1111c9ffb04004c0 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 11476 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23503095 | Size: 226996 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Thanks again!!!


Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKCU\[...]\Run : qGdhLMVjErKbog.exe (C:\ProgramData\qGdhLMVjErKbog.exe) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : nZtu8imNJI9Ve6 (C:\ProgramData\nZtu8imNJI9Ve6.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2049136128-3216804590-1937335049-1000[...]\Run : qGdhLMVjErKbog.exe (C:\ProgramData\qGdhLMVjErKbog.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2049136128-3216804590-1937335049-1000[...]\Run : nZtu8imNJI9Ve6 (C:\ProgramData\nZtu8imNJI9Ve6.exe) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] n : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\n --> FOUND

[ZeroAccess][FILE] @ : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\L --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~

Last.......

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC
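The diagnosis above rests on two things visible in the posted logs: Run keys launching hidden, randomly named executables straight out of C:\ProgramData, and the {GUID}\n, @, U, L layout under AppData\Local that RogueKiller tagged as ZeroAccess. As an added example (not a tool from this thread or from the helper), the Python script below scores DDS and RogueKiller style lines for exactly those signs; the ProgramData-root and name-churn heuristics are my assumptions, and the sample lines are copied from the logs posted above.

```python
"""Triage DDS / RogueKiller log lines for the ZeroAccess signs seen in this thread.

Added example, not part of the thread. The heuristics (ProgramData root, case churn
in file names, the {GUID}\\n,@,U,L layout) are assumptions documented inline.
"""
import ntpath
import re

# Constructed sample: lines copied from the DDS and RogueKiller reports in the thread.
SAMPLE_LOG = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [qGdhLMVjErKbog.exe] c:\programdata\qGdhLMVjErKbog.exe
uRun: [nZtu8imNJI9Ve6] c:\programdata\nZtu8imNJI9Ve6.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
2012-09-04 05:53:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-09-04 01:38:59 260096 ---ha-w- c:\programdata\nZtu8imNJI9Ve6.exe
2012-09-03 14:17:30 356352 ---ha-w- c:\programdata\qGdhLMVjErKbog.exe
[ZeroAccess][FILE] n : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\n --> FOUND
[ZeroAccess][FILE] @ : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\aeland\AppData\Local\{93e95bb9-2ae6-a962-dfb4-72a39c95e249}\L --> FOUND
"""

# DDS autorun line: uRun/mRun/uRunOnce: [name] <command line>
RUN_RE = re.compile(r'^[um]Run(?:Once)?:\s*\[[^\]]*\]\s*(?P<rest>.+)$', re.I)
# First executable-looking token of a command line (handles "rundll32.exe foo.dll,Entry").
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|scr|cpl|bat|cmd|vbs|js))(?=\s|$)', re.I)
# DDS "Created Last 30" line: date time size attributes path; an 'h' in attributes = hidden.
CREATED_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attr>[a-z-]{8})\s+(?P<path>\S.*)$', re.I)
# {GUID} directory holding the n / @ / U / L entries RogueKiller reported in the thread.
GUID = r'\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}'
ZA_RE = re.compile(r'(?P<dir>[a-z]:\\(?:[^\\]+\\)*' + GUID + r')\\(?P<leaf>n|@|u|l)(?=\s|$)', re.I)


def norm(path):
    """Canonical form for cross-referencing paths: backslashes, lower case, no quotes."""
    return path.strip('"').replace('/', '\\').lower()


def autorun_target(line):
    """Return the executable a DDS uRun/mRun line launches, or None for other lines."""
    m = RUN_RE.match(line)
    if not m:
        return None
    rest = m.group('rest').strip()
    if rest.startswith('"'):                      # quoted path, arguments follow the quote
        rest = rest[1:].split('"', 1)[0]
    e = EXE_RE.match(rest)
    return e.group('path') if e else rest


def in_programdata_root(path):
    """Assumption: legitimate software lives in a vendor subfolder of ProgramData, not its root."""
    head, _tail = ntpath.split(norm(path))
    return head.rstrip('\\').endswith('\\programdata')


def case_churn(stem):
    """Fraction of adjacent characters that switch class (upper/lower/digit); generated names score high."""
    cls = ['u' if c.isupper() else 'l' if c.islower() else 'd' if c.isdigit() else 'o' for c in stem]
    switches = sum(1 for a, b in zip(cls, cls[1:]) if a != b)
    return switches / len(stem) if stem else 0.0


def looks_generated(path, min_len=10, threshold=0.45):
    """Assumed heuristic: long stem with heavy case/digit churn, e.g. qGdhLMVjErKbog or nZtu8imNJI9Ve6."""
    stem = ntpath.splitext(ntpath.basename(path.strip('"')))[0]
    return len(stem) >= min_len and case_churn(stem) >= threshold


def triage(log_text):
    """Cross-reference autoruns, hidden attributes and {GUID} n/@/U/L layouts across one log."""
    autoruns, hidden, guid_dirs = {}, set(), {}
    for line in log_text.splitlines():
        target = autorun_target(line)
        if target:
            reasons = []
            if in_programdata_root(target):
                reasons.append('executable directly in ProgramData root')
            if looks_generated(target):
                reasons.append('generated-looking file name')
            if reasons:
                autoruns[norm(target)] = reasons
        m = CREATED_RE.match(line)
        if m and 'h' in m.group('attr').lower():
            hidden.add(norm(m.group('path')))
        m = ZA_RE.search(line)
        if m:
            guid_dirs.setdefault(norm(m.group('dir')), set()).add(m.group('leaf').lower())
    return {
        'suspicious_autoruns': autoruns,                                  # path -> reasons
        'hidden_autoruns': sorted(p for p in autoruns if p in hidden),     # autorun + hidden attribute
        'zeroaccess_dirs': sorted(d for d, leaves in guid_dirs.items() if {'n', '@'} <= leaves),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The same functions run unchanged over a full DDS.txt or RKreport pasted into a file, so the script can be pointed at a log with `triage(open(path).read())`.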


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

