Jump to content

Trojan problems. Please help./ zero access

Recommended Posts

Thank you in advance!

I've run dds- here are the requested files:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7100.0 BrowserJavaVersion: 1.6.0_24

Run by HAL at 16:24:58 on 2013-05-01

Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.2022.1177 [GMT 1:00]


AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}

SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============



C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService


C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork




C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation



C:\Program Files\Windows Media Player\wmpnetwk.exe





C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe


C:\Program Files (x86)\Mozilla Firefox\firefox.exe





============== Pseudo HJT Report ===============


uStart Page = hxxp://start.facemoods.com/?a=ddrnw

mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

BHO: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: NameServer =

TCP: Interfaces\{EAAE593D-E90D-47DF-AB22-09E5E59C597F} : DHCPNameServer =

TCP: Interfaces\{F4D57651-691B-4F33-AACB-2023C6220E7F} : DHCPNameServer =

TCP: Interfaces\{F4D57651-691B-4F33-AACB-2023C6220E7F}\146627963616023547574696F637 : DHCPNameServer =

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Notify: igfxcui - igfxdev.dll


================= FIREFOX ===================


FF - ProfilePath - C:\Users\HAL\AppData\Roaming\Mozilla\Firefox\Profiles\cxbbragj.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: C:\ProgramData\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll


============= SERVICES / DRIVERS ===============


R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-5-20 52760]

S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\rtl8192cu.sys [2012-5-21 627744]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-4-16 1255736]


=============== Created Last 30 ================


2013-04-11 17:50:27 22752 ----a-w- C:\Windows\System32\PCloudBroom64.exe

2013-04-09 17:04:16 -------- d-----w- C:\Windows\FltMgr

2013-04-09 17:01:59 -------- d-----w- C:\Program Files (x86)\Panda Security

2013-04-09 16:42:43 -------- d-----w- C:\Users\HAL\AppData\Local\ElevatedDiagnostics

2013-04-02 13:06:15 -------- d-----w- C:\ProgramData\Backup


==================== Find3M ====================


2013-03-16 18:04:34 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-16 18:04:34 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe


============= FINISH: 16:25:18.16 ===============





DDS (Ver_2012-11-20.01)


Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 15/04/2011 23:53:47

System Uptime: 01/05/2013 16:06:44 (0 hours ago)


Motherboard: Intel Corporation | | DQ965GF

Processor: Intel® Core2 CPU 6320 @ 1.86GHz | LGA 775 | 1864/266mhz


==== Disk Partitions =========================


A: is Removable

C: is FIXED (NTFS) - 74 GiB total, 54.583 GiB free.

D: is FIXED (NTFS) - 70 GiB total, 15.262 GiB free.

E: is CDROM ()


==== Disabled Device Manager Items =============


Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Intel® 82566DM Gigabit Network Connection

Device ID: PCI\VEN_8086&DEV_104A&SUBSYS_00018086&REV_02\3&18D45AA6&0&C8

Manufacturer: Intel

Name: Intel® 82566DM Gigabit Network Connection

PNP Device ID: PCI\VEN_8086&DEV_104A&SUBSYS_00018086&REV_02\3&18D45AA6&0&C8

Service: e1express


Class GUID:

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_8086&DEV_2994&SUBSYS_4F438086&REV_02\3&18D45AA6&0&18


Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_8086&DEV_2994&SUBSYS_4F438086&REV_02\3&18D45AA6&0&18



==== System Restore Points ===================


RP86: 30/03/2013 16:27:52 - Scheduled Checkpoint

RP87: 11/04/2013 21:01:05 - Scheduled Checkpoint

RP88: 18/04/2013 21:02:26 - Scheduled Checkpoint

RP89: 26/04/2013 01:30:37 - Scheduled Checkpoint


==== Installed Programs ======================


Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.4

AviSynth 2.5


Cradle of Rome 2 PE

DivX Setup

Google Chrome

Google Update Helper

Governor of Poker 2 - Premium Edition

Intel® Graphics Media Accelerator Driver

Java Auto Updater

Java 6 Update 24

Mahjong The Endless Journey

Mahjongg Dimensions Deluxe

Malwarebytes Anti-Malware version

Melodyne 3.1

Microsoft Primary Interoperability Assemblies 2005

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox 20.0.1 (x86 en-US)

Mozilla Maintenance Service

Panda Cloud Cleaner

Panda Global Protection 2013

Peggle Nights Deluxe

Super Mahjong

VC80CRTRedist - 8.0.50727.4053

VLC media player 1.1.9

Web Games Player Plugin

WinRAR 4.00 (64-bit)

Zumas Revenge


==== Event Viewer Messages From Past Week ========


01/05/2013 16:09:44, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

01/05/2013 16:09:44, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

01/05/2013 16:06:52, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

01/05/2013 16:06:52, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

01/05/2013 16:06:52, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.


==== End Of File ===========================

Link to post
Share on other sites

Welcome to the forum, what seems to be the problem??


Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.



Make sure you're subscribed to this topic:
Click on the
Follow This Topic Button
(at the top right of this page), make sure that the
Receive notification
box is checked and that it is set to

Removing malware can be unpredictable
...things can go very wrong!
any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Well, I did have a problem on my mother's PC with the GAC.32 trojan. I would scan the computer, reboot to delete, scan again and find the virus still on the system. It seems to have vanished, however, upon scanning earlier this morning. I'm just running a full scan again now to see see if everything's still okay...

Link to post
Share on other sites

Please stop, as the system has a very serious infection.

Backdoor trojan warning:ZeroAccess / Sirefef

This system has some serious backdoor trojans. ZeroAccess / Sirefef

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Let me know what you decide.

If you wish to continue to attempt to remove the malware, DO what MrC had posted in reply post # 2.

Do NOT use this system for any online websurfing, or shopping or certainly, no banking.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.