Smart HDD... I think

SMiller · November 6, 2012

I think I was hit with the Smart HDD Virus. I used Rkill, TDSSKiller, MBAM, Avira and Unhide to correct the problem... I think. I now have a problem with EVERY program that I try to open opening my FreeCell game. I have tried to open programs in both SAFE mode and NORMAL mode. Even several of the programs inside of my Control Panel open up FreeCell. I tried to run System Restore (in Normal mode) with CMD line, but it also opened up FreeCell. I utilized System Restore when given the option in SAFE mode, but that did nothing. I tried to find help on Google, but each article mentions using the File Types folder inside my Control Panel to change associations. This works for "file types" but not the programs themselves. I have had a little success with various programs on my Desktop by right-clicking and using "Run as..." but still even Malwarebytes defaults to opening FreeCell.

I am sure there is a simple fix, but I can't seem to find it.

Any help is greatly appreciated.

Thx.

TheDarkKnight · November 7, 2012

:welcome: I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.

Please download to the Desktop RogueKiller (by tigzy).

Please quit all programs.
Start RogueKiller.exe.
Wait until Prescan has finished.
Click on Scan.
Click on Report and copy/paste the contents of the report in your next reply.

=====

Next, please download Windows Repair (all in one) from here.

Install the program.
Please proceed to run it.
Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:
Once that is done please go to Step 3 and allow it to run the System File Check by clicking on the Do It button:
Go to Step 4 and under System Restore click on the Create button:
Next, go to the Start Repairs tab and click the Start button.
Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):
Click on the box next to the Restart System when Finished. Then click on Start.

=====

Finally, please download DDS by sUBs from one of the following links. Save it to your Desktop.
NOTE: Before scanning, make sure all other running programs are closed.
There shouldn't be any scheduled antivirus scans running while the scan is being performed.
Do not use your computer for anything else during the scan.[*]Double click on the DDS icon and allow it to run.
[*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.
[*]Notepad will open with the results.
[*]Follow the instructions that pop up for posting the results.

=====

In your reply please post the following:

RogueKiller log.
DDS.txt.

Does the issue remain?

SMiller · November 7, 2012

Dark Knight,

Thanks for responding. I have followed your instructions. I was able to open and run RogueKiller by right-clicking and using "Run as...". I was UNABLE to run Windows Repair as it continued to open FreeCell with both regular clicking and "Run as...". DDS ran with a left click. The same problem still remains. Here are the two logs you requested:

RogueKiller:

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Rob [Restricted rights]

Mode : Scan -- Date : 11/07/2012 13:02:36

¤¤¤ Bad processes : 27 ¤¤¤

[RESIDUE] smss.exe -- C: -> ERROR [0x5]

[RESIDUE] csrss.exe -- C: -> ERROR [0x5]

[RESIDUE] winlogon.exe -- C: -> ERROR [0x5]

[RESIDUE] services.exe -- C: -> ERROR [0x5]

[RESIDUE] lsass.exe -- C: -> ERROR [0x5]

[RESIDUE] svchost.exe -- C: -> ERROR [0x5]

[RESIDUE] spoolsv.exe -- C: -> ERROR [0x5]

[RESIDUE] svchost.exe -- C: -> ERROR [0x5]

¤¤¤ Registry Entries : 2 ¤¤¤

[sTARTUP][sUSP PATH] Seagate Product Registration.lnk @Rob : C:\Documents and Settings\Rob\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe -> FOUND

[HOSTS] HKLM\[...]\Parameters : DataBasePath (C:) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[1]_S_11072012_02d1302.txt >>

RKreport[1]_S_11072012_02d1302.txt

DDS Txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-07.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11/27/2007 7:08:52 PM

System Uptime: 11/7/2012 12:56:06 PM (1 hours ago)

.

Motherboard: Gateway | | Gateway M675

Processor: Intel® Pentium® 4 CPU 2.80GHz | uFCPGA2 | 2793/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 7.673 GiB free.

D: is CDROM (UDF)

E: is Removable

F: is Removable

L: is CDROM ()

U: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: 1394 Net Adapter

Device ID: V1394\NIC1394\1007548E0B806

Manufacturer: Microsoft

Name: 1394 Net Adapter #2

PNP Device ID: V1394\NIC1394\1007548E0B806

Service: NIC1394

.

==== System Restore Points ===================

.

RP9: 8/13/2012 3:51:45 PM - System Checkpoint

RP10: 8/14/2012 4:37:29 PM - Before Re-Install of MBAM... (previous version is corrupt - Krypytik virus?)

RP11: 8/17/2012 3:52:04 PM - Before Install of Video Joiners & GordianKnot...

RP12: 8/30/2012 1:17:18 AM - System Checkpoint

RP13: 9/5/2012 12:23:04 AM - System Checkpoint

RP14: 9/6/2012 3:39:38 PM - System Checkpoint

RP15: 9/7/2012 12:32:22 PM - Installed BlackBerry Desktop Software 7.1.

RP16: 9/7/2012 4:06:51 PM - Before MANUAL UNINSTALL of BB Desktop Software v4.3...

RP17: 9/21/2012 10:51:56 AM - System Checkpoint

RP18: 9/21/2012 5:18:08 PM - Before Install of iTunes v9.2.1

RP19: 9/21/2012 5:21:50 PM - Removed iTunes

RP20: 9/21/2012 9:39:25 PM - Installed iTunes

RP21: 9/21/2012 9:49:50 PM - Removed QuickTime

RP22: 9/21/2012 9:54:26 PM - Removed Apple Mobile Device Support

RP23: 9/21/2012 9:55:38 PM - Removed Apple Application Support

RP24: 9/21/2012 9:57:56 PM - Removed Bonjour

RP25: 9/21/2012 9:59:19 PM - Removed iTunes

RP26: 9/21/2012 10:14:10 PM - Installed iTunes

RP27: 9/21/2012 10:22:39 PM - Removed iTunes

RP28: 9/21/2012 10:37:25 PM - Installed iTunes

RP29: 9/24/2012 9:05:49 PM - System Checkpoint

RP30: 9/27/2012 8:29:47 PM - System Checkpoint

RP31: 9/28/2012 10:46:34 PM - System Checkpoint

RP32: 9/30/2012 8:18:56 PM - System Checkpoint

RP33: 10/3/2012 8:44:10 PM - System Checkpoint

RP34: 10/18/2012 3:09:42 PM - System Checkpoint

RP35: 10/20/2012 4:21:17 PM - System Checkpoint

RP36: 10/22/2012 12:15:55 PM - System Checkpoint

RP37: 10/28/2012 9:37:34 PM - Before AdvancedSystemCare Disk Cleanup...

RP38: 11/4/2012 8:45:33 PM - Restore Operation

.

==== Installed Programs ======================

.

7-Zip 9.20

Acrobat.com

Adobe Acrobat 7.0 Professional

Adobe AIR

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player 11 ActiveX

Adobe GoLive CS2

Adobe Help Center 1.0

Adobe Illustrator CS2

Adobe InDesign CS2

Adobe Media Player

Adobe Photoshop CS2

Adobe Photoshop CS5

Adobe Reader X (10.1.4)

Adobe Shockwave Player 11.6

Adobe Stock Photos 1.0

Adobe SVG Viewer 3.0

Adobe Version Cue CS2

Agere Systems AC'97 Modem

AoA Video Joiner

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI Display Driver

Auto Gordian Knot 2.55

Avira AntiVir Personal - Free Antivirus

AviSynth 2.5

BlackBerry Desktop Software 4.3

BlackBerry Desktop Software 7.1

BlackBerry Device Software Updater

BlackBerry v4.2.2 for the 8830 Series Wireless Device

Bonjour

C-Major Audio Driver and Applications

Canon MF Toolbox 4.9.1.1.mf01

Canon MF6500 Series

Compatibility Pack for the 2007 Office system

ConvertXtoDVD 4.0.9.322

Critical Update for Windows Media Player 11 (KB959772)

Desktop Notifier

DivX Converter

DivX Plus DirectShow Filters

DivX Setup

DivX Version Checker

Download Accelerator Plus (DAP)

DVD Shrink 3.2

DVDFab 7.0.6.7 (30/05/2010)

Encina DiscMaker

Far Cry

FormatFactory 2.96

Free AVI MPEG WMV MP4 FLV Video Joiner 3.7.0.1

Free Video Joiner

Hitman 2: Silent Assassin

Hitman Blood Money

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB932716-v2)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

IEEE 802.11g USB Wireless LAN Adapter

ImgBurn

Intel® PRO Network Connections Drivers

iTunes

Java Auto Updater

Java 6 Update 29

Logitech MouseWare 9.79.1

Magic ISO Maker v5.5 (build 0273)

MagicDisc 2.7.106

Malwarebytes Anti-Malware version 1.65.1.1000

Max Payne

Max Payne 2

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Halo

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

Microsoft National Language Support Downlevel APIs

Microsoft Office Standard Edition 2003

Microsoft Office XP Professional with FrontPage

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft_VC80_ATL_x86

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_CRT_x86

Microsoft_VC90_MFC_x86

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

MSXML 6.0 Parser (KB933579)

OGA Notifier 2.0.0048.0

OmniPage SE 2.0

PDF Settings CS5

PowerDVD

QuickTime

Roxio DLA

Roxio Express Labeler

Roxio Media Manager

Roxio RecordNow Audio

Roxio RecordNow Copy

Roxio RecordNow Data

Rushmore Casino

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2497640)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Sonic Update Manager

Splinter Cell Pandora Tomorrow

StreamTransport version: 1.0.2.1975

Suite Specific

swMSM

Tom Clancy's Splinter Cell

Ultimate Business Plan Starter

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

USB-IDE Bridge Driver

VC80CRTRedist - 8.0.50727.6195

VGA Dual-Mode Camera

VLC media player 1.1.9

VobSub v2.23 (Remove Only)

WebFldrs XP

Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 03/30/2004 2.0.0.0

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live OneCare safety scanner

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

XP Codec Pack

XviD MPEG4 Video Codec (remove only)

.

==== Event Viewer Messages From Past Week ========

.

11/6/2012 10:54:46 PM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

11/4/2012 8:56:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SCDEmu ssmdrv

11/4/2012 8:42:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu ssmdrv Tcpip WS2IFSL

11/4/2012 8:42:46 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

11/4/2012 8:42:46 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/4/2012 8:42:46 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

11/4/2012 8:42:46 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/4/2012 8:42:46 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/1/2012 3:32:23 PM, error: SideBySide [59] - Generate Activation Context failed for C:\windows\WindowsShell.manifest. Reference error message: Error Message is unavailable .

11/1/2012 3:29:09 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

10/31/2012 8:48:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

10/31/2012 5:16:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde

10/31/2012 5:16:01 PM, error: Service Control Manager [7022] - The Distributed Link Tracking Client service hung on starting.

10/31/2012 5:16:01 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: After starting, the service hung in a start-pending state.

10/31/2012 5:15:31 PM, error: Service Control Manager [7022] - The Server service hung on starting.

10/31/2012 1:51:42 PM, error: Service Control Manager [7024] - The Distributed Transaction Coordinator service terminated with service-specific error 3221229584 (0xC0001010).

10/31/2012 1:50:10 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

10/31/2012 1:50:10 PM, error: Service Control Manager [7000] - The USB-IDE Bridge service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

10/31/2012 1:11:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

.

==== End Of File ===========================

TheDarkKnight · November 7, 2012

Hello SMiller.

Ah. You have ZeroAccess, a rather nasty infection.

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download to your Desktop:

TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

Click Change parameters.
Make sure you check the box Loaded modules.
A window will popup and say Reboot is required. Please click Reboot now.
Then click Change parameters again. Check the box Detect TDLFS file system.
Click on the Start Scan button.
If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
Note:
A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "
TDSSKiller.[Version]_[Date]_[Time]_log.txt
" (for example, C:\
TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt
).

=====

In your reply please post the following:

ComboFix,txt.
TDSSKiller log.

SMiller · November 8, 2012

Dark Knight,

Thx for the quick response. Unfortunately, I was unable to run either ComboFix or TDSSKiller. ComboFix gave me an NSIS Error: "Error writing temp file." With TDSSKiller, I could get it to run using "Run as..." but this virus would not let me load the driver and reboot. Is it possible to run anything from a flash drive? This virus is a pain in the a##!

Awaiting further instructions.

TheDarkKnight · November 8, 2012

Hey SMiller,

OK.

Please re-run RogueKiller.
Click on the Delete button.
The report has been created on the Desktop. Please post it in your reply.

=====

After running RogueKiller, please run ComboFix and TDSSKiller.

=====

In your reply, please post the contents of the following logs:

RogueKiller log.
ComboFix.txt.
TDSSKiller log.

How is the computer running now?

SMiller · November 8, 2012

Dark Knight,

After running RogueKiller using "Run as...", I hit delte as instructed. The 2 listed Registry entries remained. All icons on my desktop disappeared so I restarted my computer to attempt to run CF and TDSSKiller. Neither one would run as I got the exact same error messages as I did yesterday for each of them.

Thx again for your quick responses.

Here is the RogueKiller log:

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Rob [Restricted rights]

Mode : Scan -- Date : 11/08/2012 11:35:45

¤¤¤ Bad processes : 27 ¤¤¤

[RESIDUE] smss.exe -- C: -> ERROR [0x5]

[RESIDUE] csrss.exe -- C: -> ERROR [0x5]

[RESIDUE] winlogon.exe -- C: -> ERROR [0x5]

[RESIDUE] services.exe -- C: -> ERROR [0x5]

[RESIDUE] lsass.exe -- C: -> ERROR [0x5]

[RESIDUE] svchost.exe -- C: -> ERROR [0x5]

[RESIDUE] spoolsv.exe -- C: -> ERROR [0x5]

[RESIDUE] svchost.exe -- C: -> ERROR [0x5]

¤¤¤ Registry Entries : 2 ¤¤¤

[sTARTUP][sUSP PATH] Seagate Product Registration.lnk @Rob : C:\Documents and Settings\Rob\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe -> FOUND

[HOSTS] HKLM\[...]\Parameters : DataBasePath (C:) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[2]_S_11082012_02d1135.txt >>

RKreport[1]_S_11072012_02d1302.txt ; RKreport[2]_S_11082012_02d1135.txt

TheDarkKnight · November 8, 2012

Hey SMiller,

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).

There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe

rkill.com

rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not run it yet.

=====

Now, please boot into Safe Mode by restarting and tapping F8 repeatedly to bring up the Advanced Boot Screen Menu.

Once in Safe Mode please run Rkill. Then try running ComboFix. If it succeeds, please post the contents of its log in your reply.

SMiller · November 9, 2012

Dark Knight,

I booted into Safe Mode as suggested. I was able to run rkill.scr. When I tried to run ComboFix, it opened FreeCell again so I changed it from .exe to .scr. *MAGIC* It ran, however, the warning came up about Avira still monitoring my system. I used to Windows Task Mgr to see if I could stop the associated process but didn't find it. I ran CF even though I was warned of potential problems. I figured it couldn't screw things up any more than they already were so...

Still have the same problem with everything opening up FreeCell. I noticed that when I right-click on an .exe, Windows shows the Recommended Program to use for opening is set to "FreeCell". Is there an easy Windows system fix we can use once we get this virus off?

FYI, had to chg my profile pic to Max Payne as this virus is a PAIN! I have a Batman one if you want it.

Here are the two logs:

Rkill Log:

Rkill 2.4.5 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/08/2012 08:07:43 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

Checking Windows Service Integrity:

* AFD (AFD) is not Running.

Startup Type set to: System

* DHCP Client (Dhcp) is not Running.

Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.

Startup Type set to: Manual

* COM+ Event System (EventSystem) is not Running.

Startup Type set to: Manual

* Network Connections (Netman) is not Running.

Startup Type set to: Manual

* AFD (AFD) is not Running.

Startup Type set to: System

* IPSEC driver (IPSec) is not Running.

Startup Type set to: System

* NetBios over Tcpip (NetBT) is not Running.

Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.

Startup Type set to: System

* BITS [Missing Service]

* wscsvc [Missing Service]

* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 11/08/2012 08:08:58 PM

Execution time: 0 hours(s), 1 minute(s), and 15 seconds(s)

CF Log:

ComboFix 12-11-06.03 - Rob 11/08/2012 20:28:31.18.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.673 [GMT -8:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.scr

Command switches used :: /S

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\TEMP

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

I:\Autorun.inf

I:\Setup.exe

.

((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))

.

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\64508186.sys

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\99718478.sys

2012-11-08 07:25 . 2012-11-08 07:25 177496 ----a-w- c:\windows\system32\drivers\31255700.sys

2012-11-08 07:23 . 2012-11-08 07:23 177496 ----a-w- c:\windows\system32\drivers\00155280.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\54066471.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\59382407.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\23847152.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\28443356.sys

2012-11-07 21:02 . 2012-11-07 21:02 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-02 22:52 . 2009-02-21 00:33 89680 ----a-w- c:\documents and settings\Rob\MSSSerif120.fon

2012-10-06 20:48 . 2012-04-03 20:23 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-06 20:48 . 2011-07-12 18:12 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 02:54 . 2012-08-15 05:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2008-11-18 210208]

"DownloadAccelerator"="c:\program files\STUFF\Download Accelerator Plus\DAP.EXE" [2012-08-15 2815488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

.

c:\documents and settings\Rob\Start Menu\Programs\Startup\

Seagate Product Registration.lnk - c:\documents and settings\Rob\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2012-1-13 1731736]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 16:50 19968 ------w- c:\windows\LOGI_MWX.EXE

.

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2010 8:09 PM 136360]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe --> c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [?]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 10:29 AM 118106]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/17/2010 3:47 PM 47360]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-08 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: &Clean Traces - c:\program files\STUFF\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 192.168.0.1

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-latdi - (no file)

HKLM-Run-ksoad - (no file)

HKLM-Run-hsospExEGF.exe - c:\documents and settings\All Users\Application Data\hsospExEGF.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-08 20:49

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(260)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2012-11-08 20:53:35

ComboFix-quarantined-files.txt 2012-11-09 04:53

ComboFix2.txt 2012-06-11 20:30

.

Pre-Run: 7,829,041,152 bytes free

Post-Run: 11,536,150,528 bytes free

.

- - End Of File - - 189211901B1A3B6756A537280AE0EE0D

TheDarkKnight · November 9, 2012

Hello SMiller,

Please follow these instructions to remove the remaining malicious entries:

Please close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the quotebox below into it:
Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

killall::
Folder::
C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@
C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U
C:\windows\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L
C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@
C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U
C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L
Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

=====

Then, please go to http://www.virustotal.com, click on Choose File, and upload the following file for analysis: You will only be able to have one file scanned at a time.

c:\windows\system32\drivers\64508186.sys

c:\windows\system32\drivers\31255700.sys

Then click Scan It!. Allow the file to be scanned, and then please copy/paste the results here for me to see.

Note: If a message appears saying the file has already been analysed, please resend the file.

=====

Finally, for your issue, please see if the fix from the below link fixes it:

http://www.thewindowsclub.com/file-association-fixer-for-windows-7-vista-released

=====

In your reply please provide the contents of the following logs:

ComboFix.txt.
Results from VirusTotal.

Do the issues remain?

SMiller · November 9, 2012

Dark Knight,

Thx AGAIN for all your quick responses. I followed your instructions and have the logs you requested. However, the problem with all .exe files STILL opening FreeCell remains. I did download the recommended File Fixer program, but it also opened FreeCell when I clicked on it. I tried to set a Restore Point, but that ALSO opend FreeCell. Help with this is much appreciated.

CFScript Log:

ComboFix 12-11-06.03 - Rob 11/08/2012 23:45:47.19.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.542 [GMT -8:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.scr

Command switches used :: /S

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))

.

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\64508186.sys

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\99718478.sys

2012-11-08 07:25 . 2012-11-08 07:25 177496 ----a-w- c:\windows\system32\drivers\31255700.sys

2012-11-08 07:23 . 2012-11-08 07:23 177496 ----a-w- c:\windows\system32\drivers\00155280.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\54066471.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\59382407.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\23847152.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\28443356.sys

2012-11-07 21:02 . 2012-11-07 21:02 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-02 22:52 . 2009-02-21 00:33 89680 ----a-w- c:\documents and settings\Rob\MSSSerif120.fon

2012-10-06 20:48 . 2012-04-03 20:23 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-06 20:48 . 2011-07-12 18:12 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 02:54 . 2012-08-15 05:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2008-11-18 210208]

"DownloadAccelerator"="c:\program files\STUFF\Download Accelerator Plus\DAP.EXE" [2012-08-15 2815488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

.

c:\documents and settings\Rob\Start Menu\Programs\Startup\

Seagate Product Registration.lnk - c:\documents and settings\Rob\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2012-1-13 1731736]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 16:50 19968 ------w- c:\windows\LOGI_MWX.EXE

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2010 8:09 PM 136360]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/17/2010 3:47 PM 47360]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe --> c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [?]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 10:29 AM 118106]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-09 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: &Clean Traces - c:\program files\STUFF\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 192.168.0.1

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-08 23:58

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(912)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1852)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-11-08 23:59:53

ComboFix-quarantined-files.txt 2012-11-09 07:59

ComboFix2.txt 2012-11-09 04:53

ComboFix3.txt 2012-06-11 20:30

.

Pre-Run: 11,409,387,520 bytes free

Post-Run: 11,403,341,824 bytes free

.

- - End Of File - - 63C8DA592529C8FC2985A4C472FEDD05

VirusTotal Log:

c:\windows\system32\drivers\64508186.sys

Analysis date: 2012-11-09 08:17:45 UTC ( 0 minutes ago )

Detection ratio: 0/44

c:\windows\system32\drivers\31255700.sys

Analysis date: 2012-11-09 08:16:20 UTC ( 0 minutes ago )

Detection ratio: 0/44

TheDarkKnight · November 9, 2012

Hey SMiller,

Please see this link and try the fix:

http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html

=====

Also, please re-run RogueKiller and post the contents of the new log in your reply.

SMiller · November 10, 2012

Hi, Dark Knight. I am not at home tonight but will be able to get back to my computer tomorrow. I tried your link suggestion but it looks like the link you recommended is for Windows 7 only. I am running Windows XP so another suggestion is greatly appreciated. I will post the RK log tomorrow. I don't seem to have a "file association" error so much as just a default to FreeCell whenever I click on ANY .exe. I did try just deleting FreeCell from the c:\windows\system32 folder (didn't work) but it may have to be uninstalled instead. I thought I would try that as a possible quick and easy fix thinking that the programs would default to their own .exe's if FreeCell wasn't available. When I utlize a file (an avi, for example) the proper program opens. But when I go to open the program first is when FreeCell opens instead. Thanks, again. We'll talk tomorrow.

TheDarkKnight · November 10, 2012

Hey SMiller,

Hopefully uninstalling FreeCell will fix the issue.

SMiller · November 11, 2012

Dark Knight,

I have the latest RK log. I was able to run it by changing the .exe to .scr. Looks like ZeroAccess is still present. Although RK opened a link to the tigzy-RK webpage on ZeroAccess, I have not followed the instructions yet.

Also, how do I uninstall FreeCell when I can't open "Add/Remove Programs" as it ALSO opens FreeCell? IF I am able to uninstall it, where can I go to get another copy to reinstall? Thx again for the help.

RK Log:

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Rob [Admin rights]

Mode : Scan -- Date : 11/10/2012 20:05:26

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 13 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : ISUSPM ("C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" -scheduler) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1644491937-562591055-725345543-1003[...]\Run : ISUSPM ("C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" -scheduler) -> FOUND

[sTARTUP][sUSP PATH] Seagate Product Registration.lnk @Rob : C:\Documents and Settings\Rob\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Documents and Settings\Rob\Local Settings\Application Data\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[25] : NtClose @ 0x8056F8D7 -> HOOKED (Unknown @ 0xF7C8B284)

SSDT[41] : NtCreateKey @ 0x80578AB4 -> HOOKED (Unknown @ 0xF7C8B23E)

SSDT[50] : NtCreateSection @ 0x8056DB66 -> HOOKED (Unknown @ 0xF7C8B28E)

SSDT[53] : NtCreateThread @ 0x80584D39 -> HOOKED (Unknown @ 0xF7C8B234)

SSDT[63] : NtDeleteKey @ 0x8059A5C9 -> HOOKED (Unknown @ 0xF7C8B243)

SSDT[65] : NtDeleteValueKey @ 0x805991E8 -> HOOKED (Unknown @ 0xF7C8B24D)

SSDT[68] : NtDuplicateObject @ 0x8057F18D -> HOOKED (Unknown @ 0xF7C8B27F)

SSDT[98] : NtLoadKey @ 0x805B8287 -> HOOKED (Unknown @ 0xF7C8B252)

SSDT[122] : NtOpenProcess @ 0x8057F93A -> HOOKED (Unknown @ 0xF7C8B220)

SSDT[128] : NtOpenThread @ 0x80596743 -> HOOKED (Unknown @ 0xF7C8B225)

SSDT[193] : NtReplaceKey @ 0x806571A8 -> HOOKED (Unknown @ 0xF7C8B25C)

SSDT[204] : NtRestoreKey @ 0x80656D3D -> HOOKED (Unknown @ 0xF7C8B257)

SSDT[213] : NtSetContextThread @ 0x80635EFB -> HOOKED (Unknown @ 0xF7C8B293)

SSDT[247] : NtSetValueKey @ 0x80580088 -> HOOKED (Unknown @ 0xF7C8B248)

SSDT[257] : NtTerminateProcess @ 0x8058E8B1 -> HOOKED (Unknown @ 0xF7C8B22F)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xF7C8B298)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xF7C8B29D)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEVE-00UYT0 +++++

--- User ---

[MBR] d78d6ae833efdcbc1642cb8365e128d3

[bSP] 09f3f30e050b0e78f4a273d6de7e96a6 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: WD Ext HDD 1021 USB Device +++++

--- User ---

[MBR] 6aff2b8f3ee9b4d7d8f72718b0599a79

[bSP] 3e4b2d5497fe55cd743d7f758a6de612 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive4: WDC WD16 00BB-00GUC0 USB Device +++++

--- User ---

[MBR] c981985ab4325682c14418f1e4da946f

[bSP] c27bff89ad152d5b85e14f435e81a8cd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152624 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_11102012_02d2005.txt >>

RKreport[1]_S_11102012_02d2005.txt

TheDarkKnight · November 11, 2012

Hey SMiller,

The issue probably won't go away until ZA is at least removed.

For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
[*]Select Command Prompt.
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select Computer, find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.

SMiller · November 11, 2012

DK,

Do you want me to choose "Delete" on RK first?

TheDarkKnight · November 11, 2012

Hey SMiller,

Not yet. FRST is better at detecting all the components of ZA. RK can be used later if FRST doesn't work out.

SMiller · November 11, 2012

DK,

OK. Good cuz I just closed it THEN thought to ask.

SMiller · November 11, 2012

DK,

Did not have the option to REPAIR so I booted into SAFE Mode with CMD. Typed "notepad" at the prompt. It opened. Did not have any option to go to COMPUTER to select flash drive so I just typed the J:\frst.exe. FYI, when I clicked on SCAN, an error window opened stating, "Windows - No Disk." I cxled out of it and the scan ran. Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2012 02

Ran by Rob at 10-11-2012 21:29:43

Running from J:\

Service Pack 3 (X86) OS Language: English(US)

Attention: Could not load system hive.

Error: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2012-11-10 21:29 - 2012-11-10 21:29 - 00000000 ____D C:\FRST

2012-11-10 21:05 - 2012-11-10 21:05 - 00005604 ____A C:\Windows\KB2712808.log

2012-11-10 21:04 - 2012-11-10 21:05 - 00006032 ____A C:\Windows\KB2731847-v2.log

2012-11-10 21:04 - 2012-11-10 21:05 - 00005848 ____A C:\Windows\KB2724197.log

2012-11-10 21:02 - 2012-11-10 21:05 - 00005352 ____A C:\Windows\KB2749655.log

2012-11-10 21:02 - 2012-11-10 21:05 - 00005348 ____A C:\Windows\KB2705219-v2.log

2012-11-10 21:02 - 2012-11-10 21:04 - 00005255 ____A C:\Windows\KB2661254-v2.log

2012-11-10 21:01 - 2012-11-10 21:01 - 00000000 ____D C:\Windows\LastGood

2012-11-10 20:05 - 2012-11-10 20:05 - 00004670 ____A C:\Documents and Settings\Rob\Desktop\RKreport[1]_S_11102012_02d2005.txt

2012-11-09 00:27 - 2012-11-09 00:27 - 00008224 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT

2012-11-09 00:21 - 2010-02-04 22:10 - 00000107 ____A C:\Documents and Settings\Rob\Desktop\Fix File Associations - Windows Club.URL

2012-11-09 00:21 - 2010-02-04 21:54 - 00921088 ____A (TheWindowsClub) C:\Documents and Settings\Rob\Desktop\File Association Fixer.exe

2012-11-08 23:59 - 2012-11-08 23:59 - 00009966 ____A C:\ComboFix.txt

2012-11-08 23:24 - 2012-11-09 00:18 - 00000530 ____A C:\Documents and Settings\Rob\Desktop\VirusTotal Analysis 1.txt

2012-11-08 23:19 - 2012-11-08 23:19 - 00000532 ____A C:\Documents and Settings\Rob\Desktop\CFScript.txt

2012-11-08 20:14 - 2012-11-08 20:14 - 00004078 ____A C:\Documents and Settings\Rob\Desktop\Rkill 11-8-12 20.07.43.txt

2012-11-08 15:59 - 2012-11-08 15:59 - 01754528 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Rob\Desktop\rkill.scr

2012-11-08 11:43 - 2012-11-08 11:43 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\99718478.sys

2012-11-08 11:43 - 2012-11-08 11:43 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\64508186.sys

2012-11-07 23:25 - 2012-11-07 23:25 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\31255700.sys

2012-11-07 23:23 - 2012-11-07 23:23 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\00155280.sys

2012-11-07 23:16 - 2012-11-07 23:16 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\59382407.sys

2012-11-07 23:16 - 2012-11-07 23:16 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\54066471.sys

2012-11-07 23:15 - 2012-11-07 23:15 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\28443356.sys

2012-11-07 23:15 - 2012-11-07 23:15 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\23847152.sys

2012-11-07 23:06 - 2012-10-31 21:49 - 02213976 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Rob\Desktop\TDSSKiller.exe

2012-11-07 20:25 - 2012-11-07 20:25 - 04997881 ____R (Swearware) C:\Documents and Settings\Rob\Desktop\ComboFix.scr

2012-11-07 16:33 - 2012-11-07 16:33 - 00000000 ____A C:\Documents and Settings\Rob\My Documents\Default.PLS

2012-11-07 13:02 - 2012-11-10 20:05 - 00000000 ____D C:\Documents and Settings\Rob\Desktop\RK_Quarantine

2012-11-07 12:49 - 2012-11-07 12:49 - 00688901 ____R (Swearware) C:\Documents and Settings\Rob\Desktop\DDS.com

2012-11-07 12:45 - 2012-11-07 12:45 - 05345318 ____A C:\Documents and Settings\Rob\Desktop\Windows Repair.exe

2012-11-07 12:42 - 2012-11-07 12:42 - 00662016 ____A C:\Documents and Settings\Rob\Desktop\RogueKiller.scr

2012-11-06 13:42 - 2012-11-06 13:42 - 00000140 ____A C:\Documents and Settings\Rob\My Documents\Shockwave Puzzle Web Address (chg for diff puzzles).txt

2012-11-04 21:03 - 2012-11-04 22:08 - 00000034 ____A C:\Documents and Settings\Rob\Application Data\mbam.context.scan

2012-11-04 18:52 - 2012-11-04 18:52 - 00006656 __ASH C:\Windows\System32\Thumbs.db

2012-10-31 07:48 - 2011-11-19 20:08 - 00684297 ____A C:\Documents and Settings\Rob\Desktop\unhide2.exe

2012-10-28 22:00 - 2012-10-28 21:59 - 00029184 ____A C:\Documents and Settings\Rob\My Documents\Player Rating Form (Coaches).xlsx

2012-10-13 15:23 - 2012-10-13 15:23 - 00000496 ____A C:\Documents and Settings\Rob\My Documents\Amazon Customer Svc Request for Micca Speck Media Player on 13Oct12.txt

2012-10-12 12:54 - 2012-10-12 12:54 - 00005332 ____A C:\Documents and Settings\Rob\My Documents\WD TV Live Streaming Media Player Install Notes.txt

==================== One Month Modified Files and Folders ========

2012-11-10 21:27 - 2007-11-27 19:17 - 00000062 __ASH C:\Documents and Settings\Rob\Local Settings\desktop.ini

2012-11-10 21:27 - 2004-08-04 02:00 - 00001374 ____A C:\Windows\System32\wpa.dbl

2012-11-10 21:20 - 2007-11-27 19:10 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

2012-11-10 21:14 - 2007-11-27 19:03 - 01174441 ____A C:\Windows\WindowsUpdate.log

2012-11-10 21:05 - 2012-11-10 21:05 - 00005604 ____A C:\Windows\KB2712808.log

2012-11-10 21:05 - 2012-11-10 21:04 - 00006032 ____A C:\Windows\KB2731847-v2.log

2012-11-10 21:05 - 2012-11-10 21:04 - 00005848 ____A C:\Windows\KB2724197.log

2012-11-10 21:05 - 2012-11-10 21:02 - 00005352 ____A C:\Windows\KB2749655.log

2012-11-10 21:05 - 2012-11-10 21:02 - 00005348 ____A C:\Windows\KB2705219-v2.log

2012-11-10 21:05 - 2007-11-27 19:05 - 00000000 ____D C:\Windows\$hf_mig$

2012-11-10 21:04 - 2012-11-10 21:02 - 00005255 ____A C:\Windows\KB2661254-v2.log

2012-11-10 21:02 - 2012-07-10 13:46 - 00009346 ____A C:\Windows\KB2691442.log

2012-11-10 21:02 - 2012-07-10 13:46 - 00009246 ____A C:\Windows\KB2655992.log

2012-11-10 21:02 - 2012-07-10 13:45 - 00009122 ____A C:\Windows\KB2719985.log

2012-11-10 21:01 - 2012-11-10 21:01 - 00000000 ____D C:\Windows\LastGood

2012-11-10 21:01 - 2012-05-10 14:59 - 00013565 ____A C:\Windows\KB2676562.log

2012-11-10 20:05 - 2012-11-10 20:05 - 00004670 ____A C:\Documents and Settings\Rob\Desktop\RKreport[1]_S_11102012_02d2005.txt

2012-11-10 20:05 - 2012-11-07 13:02 - 00000000 ____D C:\Documents and Settings\Rob\Desktop\RK_Quarantine

2012-11-10 19:59 - 2010-03-09 13:13 - 00000236 ____A C:\Windows\Tasks\OGALogon.job

2012-11-10 19:59 - 2007-11-27 19:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini

2012-11-10 19:59 - 2007-11-27 19:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-10 19:59 - 2007-11-27 10:54 - 00000157 ____A C:\Windows\wiadebug.log

2012-11-10 19:59 - 2007-11-27 10:54 - 00000050 ____A C:\Windows\wiaservc.log

2012-11-10 19:53 - 2007-11-27 19:17 - 00000278 ___SH C:\Documents and Settings\Rob\ntuser.ini

2012-11-10 19:53 - 2007-11-27 19:16 - 00032186 ____A C:\Windows\SchedLgU.Txt

2012-11-10 18:59 - 2010-05-10 19:44 - 00241664 ____A C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-11-09 01:15 - 2012-08-17 00:50 - 00000000 ____D C:\Documents and Settings\Rob\Desktop\ALL VIRUS BS

2012-11-09 00:27 - 2012-11-09 00:27 - 00008224 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT

2012-11-09 00:18 - 2012-11-08 23:24 - 00000530 ____A C:\Documents and Settings\Rob\Desktop\VirusTotal Analysis 1.txt

2012-11-08 23:59 - 2012-11-08 23:59 - 00009966 ____A C:\ComboFix.txt

2012-11-08 23:59 - 2012-06-11 12:15 - 00000000 ___AD C:\Qoobox

2012-11-08 23:58 - 2004-08-04 02:00 - 00000227 ____A C:\Windows\system.ini

2012-11-08 23:44 - 2007-11-27 10:51 - 00528920 ___AC C:\Windows\System32\PerfStringBackup.INI

2012-11-08 23:19 - 2012-11-08 23:19 - 00000532 ____A C:\Documents and Settings\Rob\Desktop\CFScript.txt

2012-11-08 20:14 - 2012-11-08 20:14 - 00004078 ____A C:\Documents and Settings\Rob\Desktop\Rkill 11-8-12 20.07.43.txt

2012-11-08 17:36 - 2010-04-16 20:29 - 00151517 ____A C:\Documents and Settings\Rob\Application Data\vso_ts_preview.xml

2012-11-08 17:36 - 2010-04-16 20:21 - 00000000 ____D C:\Documents and Settings\Rob\Application Data\Vso