FBI virus hit last night



On another computer running Win 7 we got hit with the FBI virus.

I ran frst64.exe and followed instructions. Please help.

 

Here are the results

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-06-2013
Ran by SYSTEM on 28-06-2013 12:15:42
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe [664600 2010-09-28] (PDF Complete Inc)
HKLM-x32\...\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-11] (Logitech Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [ApnTBMon] "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" [1495712 2013-06-07] (APN)
HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKU\Cynthia\...\Winlogon: [shell] explorer.exe,C:\Users\Cynthia\AppData\Roaming\skype.dat [69632 2011-11-16] () <==== ATTENTION
Startup: C:\ProgramData\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)

==================== Services (Whitelisted) =================

S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [169640 2013-06-07] (APN LLC.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-05-17] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-05-17] ()
S2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1119768 2010-09-28] (PDF Complete Inc)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247128 2013-04-26] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [137296 2013-04-26] (Microsoft Corporation)
S3 RemoteControl-USBLAN; C:\Windows\System32\DRIVERS\rcblan.sys [46616 2007-01-24] (Belcarra Technologies)
S1 tphwsykj; \??\C:\Windows\system32\drivers\tphwsykj.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-28 12:15 - 2013-06-28 12:15 - 00000000 ____D C:\FRST
2013-06-27 20:04 - 2013-06-27 20:04 - 00000000 ____D C:\Windows\TempD340B8E9-FB2D-50CA-6378-6F7305AC5AAD-Signatures
2013-06-27 19:55 - 2013-06-28 08:09 - 00000000 ____A C:\Users\Cynthia\AppData\Roaming\skype.ini
2013-06-22 16:46 - 2013-06-22 16:46 - 00000000 ____D C:\Windows\TempB549E74C-376C-60CE-3A7C-2A81AD9F9CCE-Signatures
2013-06-22 16:43 - 2013-06-08 06:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-22 16:43 - 2013-06-08 06:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-22 16:43 - 2013-06-08 06:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-22 16:43 - 2013-06-08 06:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-22 16:43 - 2013-06-08 06:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-22 16:43 - 2013-06-08 04:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-22 16:43 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-22 16:43 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-22 16:43 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-22 16:43 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-22 16:43 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-22 16:43 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-22 16:43 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-22 16:43 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-22 16:43 - 2013-05-16 16:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-22 16:43 - 2013-05-16 16:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-22 16:43 - 2013-05-16 16:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-22 16:43 - 2013-05-16 16:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-22 16:43 - 2013-05-16 16:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-22 16:43 - 2013-05-16 16:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-22 16:43 - 2013-05-16 16:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-22 16:43 - 2013-05-16 16:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-22 16:43 - 2013-05-16 16:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-22 16:43 - 2013-05-14 04:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-22 16:43 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-22 13:06 - 2013-06-22 13:06 - 11679672 ____A C:\Users\Cynthia\Downloads\mp3rocket(2).exe
2013-06-22 12:55 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-22 12:55 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-22 12:55 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-22 12:55 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-22 12:55 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-22 12:55 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-22 12:55 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-22 12:55 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-22 12:55 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-22 12:55 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-22 12:53 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-22 12:53 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-22 12:53 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-22 12:46 - 2013-06-22 12:46 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\Program Files\iTunes
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\Program Files\iPod
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-22 12:39 - 2013-06-28 08:32 - 00000448 ____A C:\Windows\setupact.log
2013-06-22 12:39 - 2013-06-22 12:39 - 00000000 ____A C:\Windows\setuperr.log
2013-06-09 14:29 - 2013-06-09 14:29 - 00000000 ____D C:\ProgramData\McAfeeSecurePC
2013-06-07 13:59 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-06-07 13:59 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-06-07 13:59 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

==================== One Month Modified Files and Folders =======

2013-06-28 12:15 - 2013-06-28 12:15 - 00000000 ____D C:\FRST
2013-06-28 08:32 - 2013-06-22 12:39 - 00000448 ____A C:\Windows\setupact.log
2013-06-28 08:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-28 08:09 - 2013-06-27 19:55 - 00000000 ____A C:\Users\Cynthia\AppData\Roaming\skype.ini
2013-06-28 08:07 - 2009-07-13 21:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-28 08:06 - 2012-11-03 21:19 - 00687849 ____A C:\Windows\WindowsUpdate.log
2013-06-28 08:04 - 2011-09-16 21:29 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-28 07:59 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-28 07:59 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-27 20:04 - 2013-06-27 20:04 - 00000000 ____D C:\Windows\TempD340B8E9-FB2D-50CA-6378-6F7305AC5AAD-Signatures
2013-06-27 20:04 - 2012-07-19 03:25 - 00002146 ____A C:\Windows\epplauncher.mif
2013-06-27 19:42 - 2012-07-25 18:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-27 19:32 - 2011-09-16 21:29 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-27 15:09 - 2009-07-24 11:22 - 00000000 ____D C:\Windows\Panther
2013-06-22 16:46 - 2013-06-22 16:46 - 00000000 ____D C:\Windows\TempB549E74C-376C-60CE-3A7C-2A81AD9F9CCE-Signatures
2013-06-22 16:46 - 2011-04-14 15:34 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-22 16:44 - 2011-04-14 16:09 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-22 16:43 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-22 14:14 - 2012-07-19 15:10 - 00000000 ____D C:\Users\Cynthia\Incomplete
2013-06-22 13:48 - 2010-11-09 01:04 - 00000000 ____D C:\ProgramData\PDFC
2013-06-22 13:42 - 2012-07-22 16:27 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-22 13:42 - 2012-07-22 16:27 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-22 13:06 - 2013-06-22 13:06 - 11679672 ____A C:\Users\Cynthia\Downloads\mp3rocket(2).exe
2013-06-22 13:00 - 2011-10-28 14:19 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-06-22 13:00 - 2011-04-23 15:39 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-06-22 12:58 - 2011-04-23 15:38 - 00000000 ____D C:\Users\Cynthia\AppData\Roaming\HP Support Assistant
2013-06-22 12:58 - 2011-04-17 14:55 - 00000000 ____D C:\Users\Cynthia\AppData\Roaming\HpUpdate
2013-06-22 12:52 - 2012-07-18 14:50 - 00000000 ____D C:\Users\Cynthia\AppData\Roaming\MP3Rocket
2013-06-22 12:46 - 2013-06-22 12:46 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\Program Files\iTunes
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\Program Files\iPod
2013-06-22 12:46 - 2013-06-22 12:46 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-22 12:39 - 2013-06-22 12:39 - 00000000 ____A C:\Windows\setuperr.log
2013-06-09 19:21 - 2012-05-13 03:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-06-09 19:21 - 2011-04-14 11:37 - 00000000 ____D C:\users\Cynthia
2013-06-09 16:18 - 2013-02-09 20:11 - 00000340 ____A C:\Windows\Tasks\HPCeeScheduleForCynthia.job
2013-06-09 14:37 - 2013-06-09 14:29 - 00000000 ____D C:\ProgramData\McAfeeSecurePC
2013-06-09 09:40 - 2013-03-07 16:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-08 06:08 - 2013-06-22 16:43 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 06:07 - 2013-06-22 16:43 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 06:06 - 2013-06-22 16:43 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 06:06 - 2013-06-22 16:43 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 06:06 - 2013-06-22 16:43 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 04:28 - 2013-06-22 16:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 03:42 - 2013-06-22 16:43 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 03:40 - 2013-06-22 16:43 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 03:40 - 2013-06-22 16:43 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 03:40 - 2013-06-22 16:43 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 03:40 - 2013-06-22 16:43 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 03:14 - 2012-08-25 23:16 - 00000000 ____D C:\Users\Cynthia\AppData\Local\CrashDumps
2013-06-08 03:13 - 2013-06-22 16:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-07 16:45 - 2011-05-16 17:46 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForCYNTHIA-HP$.job
2013-06-07 13:58 - 2012-07-19 03:25 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-06-07 13:58 - 2012-07-19 03:25 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2641964407-500067123-2422209157-1000\$4a82ca00c5689e198cd45a5212d5036d

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4a82ca00c5689e198cd45a5212d5036d

Files to move or delete:
====================
C:\Users\Cynthia\AppData\Roaming\skype.dat
C:\Users\Cynthia\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-29 22:40:28
Restore point made on: 2013-04-04 16:02:55
Restore point made on: 2013-04-12 15:03:48
Restore point made on: 2013-04-12 22:27:37
Restore point made on: 2013-04-20 16:19:26
Restore point made on: 2013-04-28 12:28:52
Restore point made on: 2013-04-28 22:15:02
Restore point made on: 2013-05-10 16:07:09
Restore point made on: 2013-05-19 11:57:01
Restore point made on: 2013-05-19 22:33:57
Restore point made on: 2013-06-07 13:52:21
Restore point made on: 2013-06-07 13:57:08
Restore point made on: 2013-06-07 13:59:56
Restore point made on: 2013-06-22 16:42:28
Restore point made on: 2013-06-22 16:42:57
Restore point made on: 2013-06-22 16:45:20
Restore point made on: 2013-06-22 16:45:29
Restore point made on: 2013-06-22 16:45:30
Restore point made on: 2013-06-22 16:45:31
Restore point made on: 2013-06-22 16:45:49
Restore point made on: 2013-06-22 16:46:04
Restore point made on: 2013-06-22 16:46:08
Restore point made on: 2013-06-27 20:04:01

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 3839.29 MB
Available physical RAM: 3038.7 MB
Total Pagefile: 3837.43 MB
Available Pagefile: 3006.55 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:685.25 GB) (Free:616.28 GB) NTFS (Disk=0 Partition=2)
Drive e: (HP_RECOVERY) (Fixed) (Total:13.28 GB) (Free:1.63 GB) NTFS (Disk=0 Partition=3) ==>[system with boot components (obtained from reading drive)]
Drive h: (TRAVELDRIVE) (Removable) (Total:1.91 GB) (Free:1.91 GB) FAT (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 8CEC28D5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=685 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=2 GB) - (Type=0E)


LastRegBack: 2013-06-22 15:05

==================== End Of Log ============================

 

Search txt:

 

Farbar Recovery Scan Tool (x64) Version: 27-06-2013
Ran by SYSTEM at 2013-06-28 12:17:59
Running from H:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

 


Hello buyajet and welcome to Malwarebytes!

Please do the following:

  • Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy.)
  • Right-click in the open notepad and select Paste.
  • Save it on the flashdrive as fixlist.txt

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [] [x]
HKU\Cynthia\...\Winlogon: [shell] explorer.exe,C:\Users\Cynthia\AppData\Roaming\skype.dat [69632 2011-11-16] () <==== ATTENTION
S1 tphwsykj; \??\C:\Windows\system32\drivers\tphwsykj.sys [x]
2013-06-27 19:55 - 2013-06-28 08:09 - 00000000 ____A C:\Users\Cynthia\AppData\Roaming\skype.ini
2013-06-28 08:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-28 08:04 - 2011-09-16 21:29 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-27 19:42 - 2012-07-25 18:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-27 19:32 - 2011-09-16 21:29 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\$Recycle.Bin\S-1-5-21-2641964407-500067123-2422209157-1000\$4a82ca00c5689e198cd45a5212d5036d
C:\$Recycle.Bin\S-1-5-18\$4a82ca00c5689e198cd45a5212d5036d
C:\Users\Cynthia\AppData\Roaming\skype.dat
C:\Users\Cynthia\AppData\Roaming\skype.ini
DeleteJunctionsIndirectory:
C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt); please post it in your next reply.

After that, are you able to boot into normal mode? Let me know when you can, as we have more malware to remove.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

 

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

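The triage DFB did by hand in the reply above (pulling the lines FRST marked ATTENTION, the [x] entries, the ZeroAccess paths and the "Files to move or delete" block into a fixlist) can be automated as a first pass over FRST.txt. The script below is an added example, not part of this thread and not FRST's own code; it runs over a constructed sample made of lines from the log posted above, collects the candidate lines for an analyst to review, and separately checks the Winlogon Shell value, which on a clean machine is exactly explorer.exe.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) output.
Added example for this thread; not FRST's code. It only gathers
candidates: the fixlist itself remains the analyst's decision."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST.txt posted above, trimmed
# to the few needed to exercise every rule below.
SAMPLE_FRST = r"""==================== Registry (Whitelisted) ==================

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: []  [x]
HKU\Cynthia\...\Winlogon: [shell] explorer.exe,C:\Users\Cynthia\AppData\Roaming\skype.dat [69632 2011-11-16] () <==== ATTENTION

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247128 2013-04-26] (Microsoft Corporation)
S1 tphwsykj; \??\C:\Windows\system32\drivers\tphwsykj.sys [x]

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4a82ca00c5689e198cd45a5212d5036d

Files to move or delete:
====================
C:\Users\Cynthia\AppData\Roaming\skype.dat
C:\Users\Cynthia\AppData\Roaming\skype.ini

==================== Bamital & volsnap Check =================

C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
"""

RULER_RE = re.compile(r"^=+(\s.*\s)?=+$")  # "==== Section ====" or a bare "===="
SHELL_RE = re.compile(r"Winlogon: \[shell\] (.+?)(?:\s+\[|$)", re.IGNORECASE)
JUNCTION_RE = re.compile(r"Use DeleteJunctionsIndirectory: (.+)$")
PATH_BLOCKS = {"ZeroAccess:", "Files to move or delete:"}  # headers followed by bare paths

@dataclass
class Triage:
    attention: list = field(default_factory=list)      # lines FRST itself flagged
    missing: list = field(default_factory=list)        # Run/driver entries whose file is gone ([x])
    paths: list = field(default_factory=list)          # paths under ZeroAccess / Files to move or delete
    junction_dirs: list = field(default_factory=list)  # directories FRST says need DeleteJunctionsIndirectory
    shell_extras: list = field(default_factory=list)   # anything besides explorer.exe in a Winlogon Shell value

def winlogon_shell_extras(line: str) -> list:
    """Extra commands in a Winlogon Shell value; a clean value is just explorer.exe."""
    m = SHELL_RE.search(line)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(",") if c.strip().lower() != "explorer.exe"]

def triage_frst(text: str) -> Triage:
    t = Triage()
    in_path_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                   # a blank line ends a path block
            in_path_block = False
            continue
        if RULER_RE.match(line):       # section rulers carry nothing to triage
            continue
        if line in PATH_BLOCKS:
            in_path_block = True
            continue
        if in_path_block:
            t.paths.append(line)
            continue
        if "ATTENTION" in line:
            t.attention.append(line)
        if line.endswith("[x]"):
            t.missing.append(line)
        jm = JUNCTION_RE.search(line)
        if jm:
            t.junction_dirs.append(jm.group(1).strip())
        t.shell_extras.extend(winlogon_shell_extras(line))
    return t

if __name__ == "__main__":
    for name, items in vars(triage_frst(SAMPLE_FRST)).items():
        print(f"{name}: {items}")
```

Run it against a full FRST.txt and review each bucket by hand; a missing file marked [x] is often a harmless leftover, so it is a candidate, not an automatic deletion.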

Glad to hear you can boot. Let's start getting rid of the rest of it:

----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

----------Step 3----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


----------Step 4----------------
Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------
In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
