Infected with zero access, please help


debg68
Hello, first, I want to thank you for this forum, and for Malwarebytes. I registered here a week ago when my desktop got infected with the FBI ransomware. Thanks to this forum, I was able to completely remove it.

 

I now am infected with ZeroAccess on my laptop, a Dell, running Windows Vista. Microsoft Security Essentials did quarantine it... I then deleted it. I then noticed an update needed via Windows Update for MSE... which consequently kept failing. Then Java kept trying to update, and not knowing I was still infected... I eventually authorized the update because it would not go away (in hindsight, this was dumb, I know). It has now spiraled out of control to the point that I do not know what to do. I can no longer use MSE or Malwarebytes (which I admit I did not purchase yet before the trial ended on the laptop), nor can I download anything for security or malware without ZeroAccess flagging it as a virus and aborting the download.

I'm posting this now from my desktop.

 

I've not yet tried to run DDS from the laptop, but will do so if instructed.  Thanks in advance!

 

Debbie

 

 

 

I downloaded FRST to a thumb drive and this is the report.

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-10-2013
Ran by SYSTEM on MINWINPC on 19-10-2013 19:41:06
Running from E:\
Windows Vista Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ECenter] - C:\Dell\E-Center\EULALauncher.exe [17920 2008-02-28] ( )
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [159744 2007-09-24] (Alps Electric Co., Ltd.)
HKLM\...\Run: [OEM02Mon.exe] - C:\Windows\OEM02Mon.exe [36864 2007-12-02] (Creative Technology Ltd.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [DELL Webcam Manager] - C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe [118784 2007-07-27] (Creative Technology Ltd.)
HKLM\...\Run: [broadcom Wireless Manager UI] - C:\Windows\system32\WLTRAY.exe [3444736 2008-05-18] (Dell Inc.)
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-09-18] (Google)
HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )
HKLM\...\Run: [PCMService] - C:\Program Files\Dell\MediaDirect\PCMService.exe [184320 2007-12-21] (CyberLink Corp.)
HKLM\...\Run: [sigmatelSysTrayApp] - C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2008-01-01] (IDT, Inc.)
HKLM\...\Run: [ReminderApp] - C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe [161864 2007-06-08] ()
HKLM\...\Run: [YouCam Mirage] - C:\Program Files\CyberLink\YouCam\YCMMirage.exe [136488 2010-09-13] (CyberLink)
HKLM\...\Run: [YouCam Tray] - C:\Program Files\CyberLink\YouCam\YouCamTray.exe [162912 2010-09-13] (CyberLink Corp.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [40368 2011-08-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [VERIZONDM] - "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
HKLM\...\Run: [Online Backup Auto Update] - C:\Program Files\Verizon\Online Backup & Sharing\Auto Update\OnlineBackup.UpdateSystemTray.exe [233472 2010-02-10] ()
HKLM\...\Run: [Vault Explorer Cache Watcher] - C:\Program Files\Verizon\Online Backup & Sharing\vewatch.exe [28672 2010-02-10] (DigiData Corp.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] ()
HKLM\...\Run: [] - [x]
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\Joe\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2008-08-04] (Google Inc.)
HKU\Joe\...\Run: [GarminExpressTrayApp] - C:\Program Files\Garmin\Express Tray\ExpressTray.exe [ 2013-07-22] (Garmin Ltd or its subsidiaries)
HKU\Joe\...\Run: [Google Update] - [x]
Startup: C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk
ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk ->  (No File)

========================== Services (Whitelisted) =================

S2 FilesystemWatcher; C:\Program Files\Verizon\Online Backup & Sharing\Filesystem Watcher\DigiData.FilesystemWatcher.Service.Watcher.exe [24576 2010-02-02] (DigiData Corp.)
S2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-22] (Garmin Ltd or its subsidiaries)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-09-18] (Google)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-06-20] ()
S2 OnlineBackupSchedulerService; C:\Program Files\Verizon\Online Backup & Sharing\Scheduler\OnlineBackup.SchedulerService.exe [20480 2010-02-10] ()
S2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S2 sprtsvc_verizondm; C:\Program Files\VERIZONDM\bin\sprtsvc.exe [206120 2011-12-01] (SupportSoft, Inc.)
S2 tgsrvc_verizondm; C:\Program Files\VERIZONDM\bin\tgsrvc.exe [185640 2011-12-01] (SupportSoft, Inc.)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2506752 2008-05-18] (Dell Inc.)
S2 XAudioService; %SystemRoot%\system32\DRIVERS\xaudio.exe [x]
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{b0877cff-eee8-09eb-0ccd-20591f094ef3}\   \...\???\{b0877cff-eee8-09eb-0ccd-20591f094ef3}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30976 2013-10-16] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2006-05-23] (Padus, Inc.)
S2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2007-08-12] (Samsung Electronics)
S3 U2SP; C:\Windows\System32\DRIVERS\u2s2kxp.sys [23296 2004-05-04] (Magic Control Technology Corp.)
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [x]
S2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SymIM; system32\DRIVERS\SymIM.sys [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-19 19:40 - 2013-10-19 19:40 - 00000000 ____D C:\FRST
2013-10-19 12:51 - 2013-10-19 12:51 - 00000000 ____D C:\Windows\Temp68B2ECE3-97BD-1AF9-DE40-622C64DF43EB-Signatures
2013-10-16 16:47 - 2013-10-16 16:47 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-16 16:46 - 2013-10-16 16:47 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-16 16:46 - 2013-04-04 10:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-10-16 16:39 - 2013-10-16 16:39 - 00030976 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-10-16 16:38 - 2013-10-16 16:39 - 00000000 ____D C:\ProgramData\HitmanPro
2013-10-12 17:25 - 2013-09-22 02:29 - 12336128 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-10-12 17:25 - 2013-09-22 02:22 - 09739264 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-10-12 17:25 - 2013-09-22 02:22 - 01800704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-10-12 17:25 - 2013-09-22 02:14 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-10-12 17:25 - 2013-09-22 02:13 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-10-12 17:25 - 2013-09-22 02:13 - 01104896 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-10-12 17:25 - 2013-09-22 02:12 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-10-12 17:25 - 2013-09-22 02:09 - 00065024 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-10-12 17:25 - 2013-09-22 02:08 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-10-12 17:25 - 2013-09-22 02:07 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-10-12 17:25 - 2013-09-22 02:06 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-10-12 17:25 - 2013-09-22 02:05 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-10-12 17:25 - 2013-09-22 02:03 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-10-12 17:25 - 2013-09-22 02:03 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-10-12 17:25 - 2013-09-22 02:03 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-10-12 17:25 - 2013-09-22 01:59 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-10-08 16:57 - 2013-10-08 16:57 - 00001728 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2013-10-08 16:57 - 2013-10-08 16:57 - 00000000 ____D C:\ProgramData\Apple Computer
2013-10-08 16:57 - 2013-10-08 16:57 - 00000000 ____D C:\Program Files\QuickTime
2013-10-08 13:18 - 2013-08-28 23:36 - 02050048 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-10-08 13:18 - 2013-08-26 18:47 - 01029120 _____ (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-10-08 13:18 - 2013-08-26 18:47 - 00219648 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-10-08 13:18 - 2013-08-26 18:47 - 00189952 _____ (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-10-08 13:18 - 2013-08-26 18:47 - 00160768 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-10-08 13:18 - 2013-08-26 17:52 - 01172480 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-10-08 13:18 - 2013-08-26 17:50 - 00486400 _____ (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-10-08 13:18 - 2013-08-26 17:32 - 00683008 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-10-08 13:18 - 2013-08-26 17:28 - 01069056 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-10-08 13:18 - 2013-08-26 17:28 - 00798208 _____ (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-10-08 13:18 - 2013-07-31 19:16 - 00638400 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-10-08 13:18 - 2013-07-31 18:49 - 00037376 _____ (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-10-08 13:18 - 2013-07-20 02:44 - 00102608 _____ (Microsoft Corporation) C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-10-08 13:18 - 2013-06-28 18:07 - 00226304 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbport.sys
2013-10-08 13:18 - 2013-06-28 18:07 - 00197632 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbhub.sys
2013-10-08 13:18 - 2013-06-28 18:07 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbccgp.sys
2013-10-08 13:18 - 2013-06-28 18:06 - 00006016 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbd.sys
2013-10-08 13:18 - 2013-06-26 15:01 - 00527064 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-10-08 13:18 - 2011-05-05 05:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbehci.sys
2013-10-08 13:18 - 2011-05-05 05:54 - 00023552 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbuhci.sys
2013-10-08 13:17 - 2013-07-15 20:35 - 00615936 _____ (Microsoft Corporation) C:\Windows\System32\themeui.dll
2013-10-08 13:17 - 2013-07-03 20:21 - 00532480 _____ (Microsoft Corporation) C:\Windows\System32\comctl32.dll
2013-10-08 13:17 - 2013-07-02 18:10 - 00025472 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidparse.sys
2013-10-08 13:17 - 2013-06-03 20:16 - 00034304 _____ (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-10-08 13:17 - 2013-06-03 17:49 - 00293376 _____ (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-10-08 11:46 - 2013-10-08 11:46 - 00002144 _____ C:\Users\Public\Desktop\Play Enigmatis - The Mists of Ravenwood Collector's Edition.lnk
2013-10-08 11:46 - 2013-10-08 11:46 - 00001274 _____ C:\Users\Public\Desktop\More Great Games.lnk
2013-10-08 11:42 - 2013-10-08 11:46 - 00000000 ____D C:\Program Files\Enigmatis - The Mists of Ravenwood Collector's Edition
2013-10-08 10:42 - 2013-10-08 10:42 - 00000000 ____D C:\ProgramData\Big Fish
2013-10-08 10:38 - 2013-10-08 19:19 - 00000000 ____D C:\BigFishCache
2013-10-08 10:38 - 2013-10-08 10:43 - 00000000 ____D C:\Users\Joe\AppData\Local\Big Fish

==================== One Month Modified Files and Folders =======

2013-10-19 19:40 - 2013-10-19 19:40 - 00000000 ____D C:\FRST
2013-10-19 15:33 - 2006-11-02 04:47 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-19 15:33 - 2006-11-02 04:47 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-19 15:32 - 2006-11-02 02:33 - 00768826 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-19 15:28 - 2006-11-02 04:47 - 00572584 _____ C:\Windows\System32\FNTCACHE.DAT
2013-10-19 13:16 - 2012-12-08 21:20 - 00002141 _____ C:\Windows\epplauncher.mif
2013-10-19 13:16 - 2008-08-04 04:06 - 01586429 _____ C:\Windows\WindowsUpdate.log
2013-10-19 13:09 - 2013-07-16 15:49 - 00005728 _____ C:\Windows\PFRO.log
2013-10-19 13:09 - 2008-02-03 15:07 - 00000000 ____D C:\Windows\Panther
2013-10-19 12:52 - 2012-04-13 16:38 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-10-19 12:52 - 2011-11-15 18:33 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-10-19 12:51 - 2013-10-19 12:51 - 00000000 ____D C:\Windows\Temp68B2ECE3-97BD-1AF9-DE40-622C64DF43EB-Signatures
2013-10-19 12:50 - 2009-07-25 07:23 - 00000435 _____ C:\Windows\System32\Drivers\etc\hosts.ics
2013-10-19 12:50 - 2008-08-04 09:26 - 00000000 ____D C:\Program Files\Google
2013-10-19 12:45 - 2008-10-03 10:59 - 00000000 ____D C:\Users\Joe\AppData\Local\Google
2013-10-16 18:17 - 2013-08-03 04:00 - 00001973 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-16 16:47 - 2013-10-16 16:47 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-16 16:47 - 2013-10-16 16:46 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-16 16:43 - 2010-06-02 22:12 - 00000000 ____D C:\Users\Joe\AppData\Local\CrashDumps
2013-10-16 16:39 - 2013-10-16 16:39 - 00030976 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-10-16 16:39 - 2013-10-16 16:38 - 00000000 ____D C:\ProgramData\HitmanPro
2013-10-15 16:00 - 2013-08-02 20:09 - 00002385 _____ C:\Windows\setupact.log
2013-10-14 10:48 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-10-14 10:08 - 2012-02-11 13:50 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-12 17:45 - 2011-04-14 10:18 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-12 17:38 - 2013-08-16 16:37 - 00000000 ____D C:\Windows\System32\MRT
2013-10-08 19:20 - 2011-12-03 20:53 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Artifex Mundi
2013-10-08 19:19 - 2013-10-08 10:38 - 00000000 ____D C:\BigFishCache
2013-10-08 16:57 - 2013-10-08 16:57 - 00001728 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2013-10-08 16:57 - 2013-10-08 16:57 - 00000000 ____D C:\ProgramData\Apple Computer
2013-10-08 16:57 - 2013-10-08 16:57 - 00000000 ____D C:\Program Files\QuickTime
2013-10-08 11:46 - 2013-10-08 11:46 - 00002144 _____ C:\Users\Public\Desktop\Play Enigmatis - The Mists of Ravenwood Collector's Edition.lnk
2013-10-08 11:46 - 2013-10-08 11:46 - 00001274 _____ C:\Users\Public\Desktop\More Great Games.lnk
2013-10-08 11:46 - 2013-10-08 11:42 - 00000000 ____D C:\Program Files\Enigmatis - The Mists of Ravenwood Collector's Edition
2013-10-08 10:43 - 2013-10-08 10:38 - 00000000 ____D C:\Users\Joe\AppData\Local\Big Fish
2013-10-08 10:43 - 2009-08-21 19:12 - 00000000 ____D C:\Program Files\bfgclient
2013-10-08 10:42 - 2013-10-08 10:42 - 00000000 ____D C:\ProgramData\Big Fish
2013-10-08 10:42 - 2011-02-10 05:15 - 00000000 ____D C:\ProgramData\Big Fish Games
2013-10-08 09:17 - 2008-10-03 10:58 - 00180592 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-25 22:19 - 2006-11-02 02:24 - 78106760 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-09-22 02:29 - 2013-10-12 17:25 - 12336128 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-22 02:22 - 2013-10-12 17:25 - 09739264 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-22 02:22 - 2013-10-12 17:25 - 01800704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-22 02:14 - 2013-10-12 17:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-09-22 02:13 - 2013-10-12 17:25 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-22 02:13 - 2013-10-12 17:25 - 01104896 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-22 02:12 - 2013-10-12 17:25 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-09-22 02:09 - 2013-10-12 17:25 - 00065024 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-22 02:08 - 2013-10-12 17:25 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-09-22 02:07 - 2013-10-12 17:25 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-22 02:06 - 2013-10-12 17:25 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-09-22 02:05 - 2013-10-12 17:25 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-22 02:03 - 2013-10-12 17:25 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-22 02:03 - 2013-10-12 17:25 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-22 02:03 - 2013-10-12 17:25 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-09-22 01:59 - 2013-10-12 17:25 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Users\Joe\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\Joe\AppData\Local\Temp\bfguni.exe
C:\Users\Joe\AppData\Local\Temp\HitmanPro.exe
C:\Users\Joe\AppData\Local\Temp\InstallFlashPlayer.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

19
Restore point made on: 2013-08-17 17:17:26
Restore point made on: 2013-08-17 18:49:00
Restore point made on: 2013-08-20 19:08:01
Restore point made on: 2013-08-23 14:25:28
Restore point made on: 2013-08-24 15:01:21
Restore point made on: 2013-08-28 15:02:27
Restore point made on: 2013-10-08 08:58:18
Restore point made on: 2013-10-09 20:00:12
Restore point made on: 2013-10-10 20:04:54
Restore point made on: 2013-10-11 09:26:44
Restore point made on: 2013-10-12 17:13:15
Restore point made on: 2013-10-14 11:25:17
Restore point made on: 2013-10-15 20:00:31
Restore point made on: 2013-10-16 10:29:32
Restore point made on: 2013-10-17 17:02:11
Restore point made on: 2013-10-18 20:00:21
Restore point made on: 2013-10-19 12:49:48
Restore point made on: 2013-10-19 12:54:04
Restore point made on: 2013-10-19 13:16:12

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 3061.31 MB
Available physical RAM: 2751.64 MB
Total Pagefile: 2961.95 MB
Available Pagefile: 2824.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.83 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:220.29 GB) (Free:68.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (STORE'N'GO) (Removable) (Total:0.47 GB) (Free:0.39 GB) FAT
Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.72 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 70000000)
Partition 1: (Not Active) - (Size=94 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=220 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=3 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 480 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=480 MB) - (Type=0E)

LastRegBack: 2013-10-19 13:52

==================== End Of Log ============================

 

Some info on the infection:

Please read the following information first.

 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Download the attached fixlist.txt to the same folder as FRST.

Run FRST, click Fix only once, and wait.

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

OK, copy the text below in bold into Notepad (make sure Word Wrap is unchecked - Format > Word Wrap)
Save it as fixlist.txt
Save it to the folder containing FRST and click on Fix.


HKCU\...\Run: [Google Update*] - [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{b0877cff-eee8-09eb-0ccd-20591f094ef3}\ \...\???\{b0877cff-eee8-09eb-0ccd-20591f094ef3}\GoogleUpdate.exe"
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Joe\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Users\Joe\AppData\Local\Temp\bfguni.exe
C:\Users\Joe\AppData\Local\Temp\HitmanPro.exe
C:\Users\Joe\AppData\Local\Temp\HitmanPro_x64.exe
C:\Users\Joe\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Joe\AppData\Local\Temp\Kickstarter.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client


MrC

fix log

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-10-2013
Ran by d at 2013-10-20 16:15:07 Run:1
Running from G:\
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x]
 U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{b0877cff-eee8-09eb-0ccd-20591f094ef3}\ \...\???\{b0877cff-eee8-09eb-0ccd-20591f094ef3}\GoogleUpdate.exe"
 C:\Windows\assembly\GAC\Desktop.ini
 C:\Users\Joe\AppData\Local\Google\Desktop\Install
 C:\Program Files\Google\Desktop\Install
 C:\Users\Joe\AppData\Local\Temp\bfguni.exe
 C:\Users\Joe\AppData\Local\Temp\HitmanPro.exe
 C:\Users\Joe\AppData\Local\Temp\HitmanPro_x64.exe
 C:\Users\Joe\AppData\Local\Temp\InstallFlashPlayer.exe
 C:\Users\Joe\AppData\Local\Temp\Kickstarter.exe
 DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
*etadpug => Service not found.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpClient.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpOAV.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MpSvc.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MSASCui.exe" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Failed to delete reparsepoint.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\Drivers" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\en-us" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\NisLog.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\NisSrv.exe" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\NisWFP.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\SqmApi.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Failed to delete reparsepoint.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

The system needs a manual reboot.

==== End of Fixlog ====

Sorry, trying again. I am now going to try to do it all from the laptop... I'm running from desktop to laptop with the thumb drive because I'm scared to connect it to the internet. I copied the bolded text into Notepad, saved it as fixlist.txt and have hit Fix. Please bear with me. I will try to download mbar also again. Last night when I tried to do it on my own, it kept flagging the download as a virus and wouldn't download. Will try again.

I think I did it wrong the first time. 2nd go and it still says fixing. Will give it time. Will reboot into safe mode/networking if need to. I'm ready to throw it out the window at this point.

Maybe it will reach you up in N Jersey. I'm in S Jersey LOL. I also have a yellow lab and he is mad at me for not giving him attention ;) Back to being serious... thanks Mr C

I decided to reboot into safe mode/networking and inserted my thumb drive with the fixlist and hit Fix. Should I expect that this will take a while? I also tried to download mbar, however it would not install... got to 99% then was flagged as a virus by this ZeroAccess.
