
fbi virus removal...ran frst.exe, now what?



FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-05-2013 02

Ran by Administrator (administrator) on 20-05-2013 15:07:12

Running from E:\

Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\WINDOWS\system32\cmd.exe

(Farbar) e:\FRST.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe [x]

HKLM\...\Run: [soundMan] SOUNDMAN.EXE [x]

HKLM\...\Run: [AlcWzrd] ALCWZRD.EXE [x]

HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]

HKLM\...\Run: [ifxSecurePlatformIndication] C:\Program Files\Infineon\Security Platform Software\SpTNA.exe [114688 2004-03-22] (Infineon Technologies AG)

HKLM\...\Run: [PSDruntime] C:\Program Files\Infineon\Security Platform Software\PSDrt.EXE [87088 2004-03-22] (Infineon Technologies AG )

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)

HKLM\...\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16 [x]

HKLM\...\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [378224 2008-08-15] (Adobe Systems Incorporated)

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-27] (Microsoft Corporation)

HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2516296 2010-03-24] (CANON INC.)

HKLM\...\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1185112 2010-04-02] (CANON INC.)

HKLM\...\Run: [iJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [140640 2010-03-02] (CANON INC.)

HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM\...\Run: [] [x]

HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-18] (Adobe Systems Incorporated)

HKLM\...\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u [x]

HKLM\...\Run: [TimeServer] "C:\Documents and Settings\Administrator\Application Data\Infineon\WIN52.exe" [121344 2013-05-16] ()

HKLM Group Policy restriction on software: %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* <====== ATTENTION

HKLM\...\Winlogon: [system]

Winlogon\Notify\IfxWlxEN: IfxWlxEN.dll (Infineon Technologies AG)

Winlogon\Notify\igfxcui: igfxsrvc.dll (Intel Corporation)

Winlogon\Notify\PSDNtfy: C:\Program Files\Infineon\Security Platform Software\PSDNtfy.dll [X]

Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d\n. ATTENTION! ====> ZeroAccess

HKCU\...\Winlogon: [shell] explorer.exe,C:\Documents and Settings\Administrator\Application Data\skype.dat <==== ATTENTION

HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\RECYCLER\S-1-5-21-484763869-1801674531-839522115-500\$3375b6f7918d214150b9e70b9726ee1d\n. ATTENTION! ====> ZeroAccess

MountPoints2: ##UTILITY#3DSMAX7 (G) - G:\Setup.exe

MountPoints2: {23a126d0-2722-11e0-af70-001111658f7f} - "E:\WD SmartWare.exe" autoplay=true

MountPoints2: {73159106-7204-11e0-afd2-001111658f7f} - E:\MI.exe

MountPoints2: {86f479c2-4f93-11e1-b0d2-001111658f7f} - E:\setup.exe -a

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.yahoo.com/

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

SearchScopes: HKCU - {492A9EBC-0C19-46DC-A6DB-5DE605D5717D} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=550EAEAC-BFCE-4E68-9EF0-2AA9D4B50A52&apn_sauid=C49B9C2C-F012-49DC-9CFA-F08FCFF44668

BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (Microsoft Corporation)

BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

Toolbar: HKCU -Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

PDF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122327659031

PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab

PDF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab

PDF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab

PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL (Microsoft Corporation)

ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2210608 2006-10-27] (Microsoft Corporation)

Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Winsock: Catalog5 03 mswsock.dll [16896] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 01 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 02 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 03 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 04 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 05 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 06 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 07 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 08 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 09 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 10 mswsock.dll [16896] (Microsoft Corporation)

Winsock: Catalog9 11 mswsock.dll [16896] (Microsoft Corporation)

FireFox:

========

FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a88yyr5n.default

FF SearchEngine: Ask.com

FF Homepage: hxxp://www.yahoo.com/

FF Keyword.URL: hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=100000031&locale=en_US&apn_uid=550EAEAC-BFCE-4E68-9EF0-2AA9D4B50A52&apn_ptnrs=TV&apn_sauid=C49B9C2C-F012-49DC-9CFA-F08FCFF44668&apn_dtid=OSJ000YYUS&&q=

FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()

FF Plugin: @canon.com/EPPEX - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)

FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF Plugin: @java.com/DTPlugin,version=10.17.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a88yyr5n.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF Extension: Yahoo! Toolbar - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a88yyr5n.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF Extension: No Name - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a88yyr5n.default\Extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi

========================== Services (Whitelisted) =================

S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

S3 Adobe Version Cue CS4; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [284016 2008-08-15] (Adobe Systems Incorporated)

S2 IFXSpMgtSrv; C:\WINDOWS\system32\IFXSPMGT.exe [196608 2004-03-22] (Infineon Technologies AG)

S2 IFXTCS; C:\WINDOWS\system32\IFXTCS.exe [503808 2004-03-22] (Infineon Technologies AG)

S2 IHA_MessageCenter; C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon)

S2 mi-raysat_3dsmax2011_32; C:\Program Files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [86016 2010-03-10] ()

S2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [223088 2011-04-26] ()

S2 PersonalSecureDriveService; C:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE [107568 2004-03-22] (Infineon Technologies AG )

S2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [455632 2005-03-11] (RealVNC Ltd.)

S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]

S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)

S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13192 2010-07-15] ()

S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [8456 2010-07-15] ()

S3 HdAudAddService; C:\Windows\System32\drivers\HdAudio.sys [113664 2004-03-17] (Windows ® Server 2003 DDK provider)

R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)

S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [730653 2004-06-06] (Intel Corporation)

R3 IFXTPM; C:\Windows\System32\DRIVERS\IFXTPM.SYS [32640 2004-03-12] (Infineon Technologies AG)

R1 PersonalSecureDrive; C:\Windows\System32\drivers\psd.sys [34520 2004-03-22] (Infineon Technologies AG )

S3 pfc; C:\Windows\System32\drivers\pfc.sys [9856 2010-06-13] (Padus, Inc.)

R3 SMBios; C:\Windows\System32\DRIVERS\SMBios.sys [36484 2004-06-07] (Intel Corporation)

S3 yukonwxp; C:\Windows\System32\DRIVERS\yk51x86.sys [180480 2004-06-16] (Marvell)

S4 Abiosdsk; No ImagePath

S4 abp480n5; No ImagePath

S4 adpu160m; No ImagePath

S4 Aha154x; No ImagePath

S4 aic78u2; No ImagePath

S4 aic78xx; No ImagePath

S4 AliIde; No ImagePath

S4 amsint; No ImagePath

S4 asc; No ImagePath

S4 asc3350p; No ImagePath

S4 asc3550; No ImagePath

S4 Atdisk; No ImagePath

S4 cd20xrnt; No ImagePath

S1 Changer; No ImagePath

S4 CmdIde; No ImagePath

S4 Cpqarray; No ImagePath

U4 dac2w2k; No ImagePath

S4 dac960nt; No ImagePath

S4 dpti2o; No ImagePath

S4 hpn; No ImagePath

S1 i2omgmt; No ImagePath

S4 i2omp; No ImagePath

S4 ini910u; No ImagePath

S1 lbrtfdc; No ImagePath

S4 mraid35x; No ImagePath

S1 PCIDump; No ImagePath

S3 PDCOMP; No ImagePath

S3 PDFRAME; No ImagePath

S3 PDRELI; No ImagePath

S3 PDRFRAME; No ImagePath

S4 perc2; No ImagePath

S4 perc2hib; No ImagePath

S4 ql1080; No ImagePath

S4 Ql10wnt; No ImagePath

S4 ql12160; No ImagePath

S4 ql1240; No ImagePath

S4 ql1280; No ImagePath

S4 Simbad; No ImagePath

S4 Sparrow; No ImagePath

S4 symc810; No ImagePath

S4 symc8xx; No ImagePath

S4 sym_hi; No ImagePath

S4 sym_u3; No ImagePath

S4 TosIde; No ImagePath

S4 ultra; No ImagePath

S4 ViaIde; No ImagePath

S3 WDICA; No ImagePath

U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-20 15:06 - 2013-05-20 15:06 - 00000000 ____D C:\FRST

2013-05-16 01:55 - 2013-05-16 01:55 - 00000000 __SHD C:\Windows\CSC

2013-05-09 20:28 - 2013-05-09 20:28 - 00000000 ____D C:\Windows\System32\LogFiles

==================== One Month Modified Files and Folders ========

2013-05-20 15:06 - 2013-05-20 15:06 - 00000000 ____D C:\FRST

2013-05-20 15:05 - 2004-08-04 08:00 - 00013692 ____A C:\Windows\System32\wpa.dbl

2013-05-20 15:01 - 2011-11-11 23:22 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-20 15:01 - 2005-07-25 17:28 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-20 15:01 - 2005-07-25 13:11 - 00000049 ____A C:\Windows\wiaservc.log

2013-05-20 14:59 - 2005-07-25 17:28 - 00032458 ____A C:\Windows\SchedLgU.Txt

2013-05-20 14:59 - 2005-07-25 17:17 - 01253835 ____A C:\Windows\WindowsUpdate.log

2013-05-20 14:59 - 2005-07-25 13:11 - 00000214 ____A C:\Windows\wiadebug.log

2013-05-20 14:38 - 2005-07-25 13:06 - 00801911 ____A C:\Windows\setupapi.log

2013-05-20 14:38 - 2005-07-25 13:05 - 00170764 ____A C:\Windows\setupact.log

2013-05-16 01:55 - 2013-05-16 01:55 - 00000000 __SHD C:\Windows\CSC

2013-05-16 01:38 - 2012-06-23 18:48 - 00000250 ____A C:\Windows\Tasks\Scheduled Update for Ask Toolbar.job

2013-05-16 01:38 - 2008-12-10 16:44 - 00001324 ____A C:\Windows\System32\d3d9caps.dat

2013-05-16 01:27 - 2012-06-04 14:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-15 00:23 - 2011-11-11 23:22 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-14 23:37 - 2012-06-04 14:35 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-05-14 23:37 - 2011-05-14 17:58 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-05-09 20:28 - 2013-05-09 20:28 - 00000000 ____D C:\Windows\System32\LogFiles

ZeroAccess:

C:\RECYCLER\S-1-5-21-484763869-1801674531-839522115-500\$3375b6f7918d214150b9e70b9726ee1d

ZeroAccess:

C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d

ZeroAccess:

C:\Windows\assembly\GAC\Desktop.ini

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe

[2004-08-04 08:00] - [2008-04-13 20:12] - 1033728 ____A (Microsoft Corporation) 12896823FB95BFB3DC9B46BCAEDC9923

C:\Windows\System32\winlogon.exe

[2004-08-04 08:00] - [2008-04-13 20:12] - 0507904 ____A (Microsoft Corporation) ED0EF0A136DEC83DF69F04118870003E

C:\Windows\System32\svchost.exe

[2004-08-04 08:00] - [2008-04-13 20:12] - 0014336 ____A (Microsoft Corporation) 27C6D03BCDB8CFEB96B716F3D8BE3E18

C:\Windows\System32\services.exe

[2004-08-04 08:00] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\Windows\System32\User32.dll

[2004-08-04 08:00] - [2008-04-13 20:12] - 0578560 ____A (Microsoft Corporation) B26B135FF1B9F60C9388B4A7D16F600B

C:\Windows\System32\userinit.exe

[2004-08-04 08:00] - [2008-04-13 20:12] - 0026112 ____A (Microsoft Corporation) A93AEE1928A9D7CE3E16D24EC7380F89

C:\Windows\System32\Drivers\volsnap.sys

[2004-08-04 08:00] - [2008-04-13 14:41] - 0052352 ____A (Microsoft Corporation) 4C8FCB5CC53AAB716D810740FE59D025

==================== End Of Log ============================

search.txt:

Farbar Recovery Scan Tool (x86) Version: 22-05-2013 02

Ran by Administrator at 2013-05-20 15:09:43

Running from E:\

Boot Mode: Safe Mode (minimal)

================== Search: "services.exe" ===================

C:\WINDOWS\system32\services.exe

[2004-08-04 08:00] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\WINDOWS\system32\dllcache\services.exe

[2010-03-27 12:56] - [2009-02-06 07:11] - 0110592 ____C (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\WINDOWS\ServicePackFiles\i386\services.exe

[2008-09-29 15:12] - [2008-04-13 20:12] - 0108544 ____C (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185

C:\WINDOWS\$NtUninstallKB956572_0$\services.exe

[2010-03-27 13:09] - [2004-08-04 08:00] - 0108032 ____C (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\$NtUninstallKB956572$\services.exe

[2010-03-28 12:06] - [2008-04-13 20:12] - 0108544 ____C (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185

C:\WINDOWS\$NtServicePackUninstall$\services.exe

[2010-03-28 11:52] - [2009-02-06 13:14] - 0110592 ____C (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe

[2010-03-27 12:56] - [2009-02-06 07:06] - 0110592 ___AC (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6

C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe

[2010-03-27 12:56] - [2009-02-06 07:11] - 0110592 ___AC (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe

[2010-03-27 12:56] - [2009-02-06 06:22] - 0110592 ___AC (Microsoft Corporation) 4712531AB7A01B7EE059853CA17D39BD

=== End Of Search ===

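The FRST.txt above contains every indicator the later fix acts on: two CLSID InprocServer32 defaults (the fastprox and shell32 objects) redirected into C:\RECYCLER, an extra entry appended to the per-user Winlogon Shell value, Winsock Catalog5 entries whose LibraryPath no longer resolves, a Run entry loading an unnamed executable from Application Data, and a payload directory under the SYSTEM SID's recycler folder. The script below is an added example (not part of FRST, Malwarebytes, or the original post) that encodes those indicators as triage rules and runs them over a handful of lines copied from the posted log; the rule names, the profile-directory heuristic and the sample block are my own constructions, and FRST's "()" means only that the file carries no company string in its version resource, not that it is unsigned.

```python
"""Triage helper for FRST.txt logs: flags the persistence points ZeroAccess abuses.

Added example for this thread; not part of FRST or Malwarebytes tooling.
The rules encode the indicators visible in the posted log (CLSID InprocServer32
hijack, extra Winlogon Shell entry, broken Winsock LSP, payload under the
SYSTEM SID's RECYCLER folder, Run entry loading from a user profile). They are
heuristics for reading a log, not a definition of the malware.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (rule name, detail)

# Constructed sample: lines copied or adapted from the FRST.txt posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-18] (Adobe Systems Incorporated)
HKLM\...\Run: [TimeServer] "C:\Documents and Settings\Administrator\Application Data\Infineon\WIN52.exe" [121344 2013-05-16] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d\n. ATTENTION! ====> ZeroAccess
HKCU\...\Winlogon: [shell] explorer.exe,C:\Documents and Settings\Administrator\Application Data\skype.dat <==== ATTENTION
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\RECYCLER\S-1-5-21-484763869-1801674531-839522115-500\$3375b6f7918d214150b9e70b9726ee1d\n. ATTENTION! ====> ZeroAccess
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [16896] (Microsoft Corporation)
Winsock: Catalog9 01 mswsock.dll [16896] (Microsoft Corporation)
ZeroAccess:
C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d
"""

RE_RUN = re.compile(r'^HK\w+\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
RE_RUN_TAIL = re.compile(r'\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<company>[^)]*)\)\s*$')
RE_INPROC = re.compile(r'^HK\w+\\\.\.\.[0-9A-Fa-f-]*\\InprocServer32: \[Default-(?P<which>\w+)\] (?P<path>\S+)')
RE_SHELL = re.compile(r'^HK\w+\\\.\.\.\\Winlogon: \[shell\] (?P<value>.+?)(?: <==== ATTENTION)?$', re.I)
RE_WINSOCK = re.compile(r'^Winsock: Catalog(?P<cat>5|9) (?P<idx>\d+) (?P<rest>.*)$')
# Heuristic (my assumption): autostarts living in the user profile deserve a look.
PROFILE_DIRS = re.compile(r'\\(Application Data|Local Settings|AppData|Temp)\\', re.I)
# fastprox.dll and shell32.dll legitimately live under System32 (literal or %SystemRoot%).
SYSTEM_PREFIXES = ('c:\\windows\\system32\\', '%systemroot%\\system32\\')


def _run_path_and_company(rest: str) -> Optional[Tuple[str, str]]:
    """Split the text after [name] into (path, company); None for [x] entries."""
    tail = RE_RUN_TAIL.search(rest)
    if not tail:
        return None
    if rest.startswith('"') and rest.find('"', 1) > 0:
        path = rest[1:rest.index('"', 1)]
    else:
        path = rest[:tail.start()].split(' ')[0]
    return path, tail.group('company').strip()


def check_line(line: str) -> Optional[Finding]:
    """Apply the rules in priority order; the first matching rule wins."""
    m = RE_INPROC.match(line)
    if m:
        # ZeroAccess points the CLSID default at its own "n" file so the COM
        # loader pulls the payload into whichever process instantiates the object.
        path = m.group('path').rstrip('.')
        if not path.lower().startswith(SYSTEM_PREFIXES):
            return ('clsid_inproc_hijack', f"{m.group('which')} -> {path}")
        return None
    m = RE_SHELL.match(line)
    if m:
        # Shell must be exactly explorer.exe; anything after a comma is launched too.
        value = m.group('value').strip()
        if value.lower() != 'explorer.exe':
            return ('winlogon_shell_hijack', value)
        return None
    m = RE_WINSOCK.match(line)
    if m:
        # FRST already compares LibraryPath to the expected value; trust its flag.
        rest = m.group('rest')
        if 'File Not found' in rest or 'ATTENTION' in rest:
            return ('winsock_lsp_broken', f"Catalog{m.group('cat')} {m.group('idx')}: {rest}")
        return None
    m = RE_RUN.match(line)
    if m:
        parsed = _run_path_and_company(m.group('rest'))
        if parsed:
            path, company = parsed
            if PROFILE_DIRS.search(path) and not company:
                return ('run_from_profile_no_company', f"{m.group('name')}: {path}")
        return None
    # S-1-5-18 is the SYSTEM account; it never has a real recycle bin folder.
    if re.search(r'\\RECYCLER\\S-1-5-18\\', line, re.I):
        return ('recycler_system_sid', line)
    return None


def triage_frst(log_text: str) -> List[Finding]:
    """Run every non-empty log line through check_line and collect the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            hit = check_line(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == '__main__':
    for rule, detail in triage_frst(SAMPLE_LOG):
        print(f'{rule:30} {detail}')
```

Run against the constructed sample it reports six findings and stays quiet on the Adobe ARM entry, the Bonjour namespace provider and the healthy Catalog9 entries. Point it at a full FRST.txt (`triage_frst(open('FRST.txt', encoding='utf-8', errors='replace').read())`) to get the same short list out of a long log; the rules only narrow the reading, they do not replace a helper's judgement on the rest of the file.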

PERFECT!!! Successful reboot....here's the log file

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-05-2013 02

Ran by Administrator at 2013-05-20 16:54:51 Run:1

Running from E:\

Boot Mode: Safe Mode (minimal)

==============================================

HKLM => Group Policy Restriction on software restored successfully.

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon => Key deleted successfully.

HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\\Default => Value was restored successfully.

C:\RECYCLER\S-1-5-21-484763869-1801674531-839522115-500\$3375b6f7918d214150b9e70b9726ee1d => Moved successfully.

"C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d" directory move:

C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d\n => Moved successfully.

Could not move "C:\RECYCLER\S-1-5-18\$3375b6f7918d214150b9e70b9726ee1d" directory. => Scheduled to move on reboot.

Could not move C:\Windows\assembly\GAC\Desktop.ini. => Scheduled to move on reboot.

Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll

Winsock: Catalog5 entry 000000000003\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll


Great.....Please read this..............

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan also.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

-----------------------------------------

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed: use the More Reply Options button at the bottom right corner of this page, then Choose Files in the new window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
