Google desktop trojan


Hello,

As of today I get this pop-up every 5 minutes from my antivirus saying a threat is quarantined, located in Program Files/Google/Desktop/Install. I ran the anti-malware program but it still pops up from time to time.

Logs:

Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.45.2
Run by Laura at 19:00:56 on 2013-10-28
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.31.1043.18.4094.2642 [GMT 1:00]
.
AV: Ad-Aware Antivirus *Enabled/Updated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
SP: Ad-Aware Antivirus *Enabled/Updated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe
C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\ScanToPCActivationApp.exe
C:\Users\Laura\AppData\Local\DownBook\DownBook.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\HPNetworkCommunicator.exe
C:\Users\Laura\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\HPCustPartic.exe
C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\HPNetworkCommunicator.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [HP Deskjet 3070 B611 series (NET)] "C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN1AF470Z705MQ:NW" -scfn "HP Deskjet 3070 B611 series (NET)" -AutoStart 1
uRun: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
uRun: [DownBook] "C:\Users\Laura\AppData\Local\DownBook\DownBook.exe" 2666528fcd539f80a8ee459af19d6528 6
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [AdobeCEPServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" -launchedbylogin
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\Laura\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Laura\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Laura\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\INKTWA~1.LNK - C:\Windows\System32\RunDll32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:221
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{19ACFF79-0E44-4CA3-B78D-BFD164C0FDAB} : DHCPNameServer = 172.16.0.1
TCP: Interfaces\{341BAE2B-1DB7-4BA2-9401-529063183289} : DHCPNameServer = 172.16.0.1
TCP: Interfaces\{8A2CF876-7060-498C-9DFA-81FA24E69580} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{A2839964-73A1-4B78-A0D5-788E18A48FA8} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B662A51D-162D-4132-9A7F-DC577F24CDB5} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = about:blank
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [AdAwareTray] "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\3u4dtue7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
.
============= SERVICES / DRIVERS ===============
.
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;C:\Program Files\Lavasoft\Ad-Aware Antivirus\Firewall Engine\1.6.0.0\Drivers\bdfndisf6.sys [2013-7-17 93160]
R1 bdfwfpf;bdfwfpf;C:\Program Files\Lavasoft\Ad-Aware Antivirus\Firewall Engine\1.6.0.0\Drivers\bdfwfpf.sys [2013-7-17 102992]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-7-19 283200]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-3-29 241152]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-3-28 361984]
R2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe [2013-10-18 517344]
R3 AE1000;Linksys AE1000 Driver;C:\Windows\System32\drivers\ae1000w7.sys [2010-6-11 1101600]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-2-14 96768]
R3 gzflt;gzflt;C:\Program Files\Lavasoft\Ad-Aware Antivirus\Antimalware Engine\2.6.0.0\gzflt.sys [2013-7-17 138232]
R3 RTL8167;Realtek 8167 NT-stuurprogramma;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-7-25 162672]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies-service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-7-8 1255736]
.
=============== Created Last 30 ================
.
2013-10-28 16:30:45    --------    d-----w-    C:\Users\Laura\AppData\Local\CrashDumps
2013-10-28 16:17:16    --------    d-----w-    C:\Users\Laura\AppData\Roaming\Malwarebytes
2013-10-28 16:17:08    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-10-28 16:17:08    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-10-28 16:17:07    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-28 16:07:14    27256    ----a-w-    C:\Windows\System32\drivers\FixZeroAccess.sys
2013-10-28 15:41:45    --------    d-----w-    C:\Users\Laura\AppData\Local\Google
2013-10-28 15:36:54    --------    d-----w-    C:\Users\Laura\AppData\Local\DownBook
2013-10-28 15:36:37    --------    d-----w-    C:\Users\Laura\AppData\Roaming\Comical
2013-10-25 13:03:19    10280728    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9AC9359A-8BF4-4B63-B9BA-E6A431CA3799}\mpengine.dll
2013-10-25 12:56:10    --------    d-----w-    C:\Windows\SysWow64\wbem\Logs
2013-10-23 15:34:49    --------    d-----w-    C:\Users\Laura\AppData\Roaming\eCyber
2013-10-23 15:33:56    --------    d-----w-    C:\Users\Laura\AppData\Roaming\iSafe
2013-10-23 10:45:37    --------    d-----w-    C:\ProgramData\REVOLT
2013-10-23 09:07:15    --------    d-----w-    C:\Users\Laura\AppData\Roaming\LavasoftStatistics
2013-10-23 08:51:21    --------    d-----w-    C:\ProgramData\BitDefender
2013-10-23 08:44:51    2084072    ----a-w-    C:\Windows\System32\bdnc.dll
2013-10-23 08:44:49    96160    ----a-w-    C:\Windows\System32\bdpredir.dll
2013-10-23 08:44:49    209984    ----a-w-    C:\Windows\System32\BdFirewallSDK.dll
2013-10-23 08:44:49    195016    ----a-w-    C:\Windows\System32\httproxy.dll
2013-10-23 08:44:49    156936    ----a-w-    C:\Windows\System32\bdfwcore.dll
2013-10-23 08:44:49    155912    ----a-w-    C:\Windows\System32\bdpop3p.dll
2013-10-23 08:44:49    122928    ----a-w-    C:\Windows\System32\OEMbdpredir.dll
2013-10-23 08:44:49    1061776    ----a-w-    C:\Windows\System32\bdsmtpp.dll
2013-10-23 08:43:14    --------    d-----w-    C:\Program Files\Lavasoft
2013-10-23 08:42:02    --------    d-----w-    C:\Program Files\Common Files\Lavasoft
2013-10-22 12:24:23    --------    d-----w-    C:\ProgramData\Steam
2013-10-22 12:17:04    --------    d-----w-    C:\Users\Laura\AppData\Local\SearchProtect
2013-10-22 12:03:45    --------    d-----w-    C:\Users\Laura\AppData\Local\Programs
2013-10-21 10:55:07    212992    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
2013-10-18 16:41:56    --------    d-----w-    C:\Users\Laura\AppData\Roaming\.minecraft
2013-10-18 16:41:45    --------    d-----w-    C:\ProgramData\Oracle
2013-10-18 16:41:22    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-10 07:40:48    785624    ----a-w-    C:\Windows\System32\drivers\Wdf01000.sys
2013-10-10 07:39:58    76800    ----a-w-    C:\Windows\System32\drivers\hidclass.sys
2013-10-10 07:36:42    983488    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
2013-10-04 07:54:21    --------    d-----w-    C:\Users\Laura\AppData\Local\HEMA Fotoservice
.
==================== Find3M  ====================
.
2013-09-22 23:28:06    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49    2876928    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-09-22 22:54:51    3959296    ----a-w-    C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19    497152    ----a-w-    C:\Windows\System32\drivers\afd.sys
2013-09-08 02:30:37    1903552    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14    327168    ----a-w-    C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58    231424    ----a-w-    C:\Windows\SysWow64\mswsock.dll
2013-09-03 12:35:10    278800    ------w-    C:\Windows\System32\MpSigStub.exe
2013-08-29 02:17:48    5549504    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35    1732032    ----a-w-    C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28    243712    ----a-w-    C:\Windows\System32\wow64.dll
2013-08-29 02:16:14    859648    ----a-w-    C:\Windows\System32\tdh.dll
2013-08-29 02:13:28    878080    ----a-w-    C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45    3969472    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30    1292192    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16    619520    ----a-w-    C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17    640512    ----a-w-    C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06    3155968    ----a-w-    C:\Windows\System32\win32k.sys
2013-08-28 01:12:33    461312    ----a-w-    C:\Windows\System32\scavengeui.dll
2013-08-05 02:25:45    155584    ----a-w-    C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:14:57    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-08-02 02:13:34    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-08-02 01:50:42    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17    338432    ----a-w-    C:\Windows\System32\conhost.exe
2013-08-02 00:59:09    112640    ----a-w-    C:\Windows\System32\smss.exe
2013-08-02 00:43:05    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 19:01:17,85 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 2-7-2013 13:39:42
System Uptime: 28-10-2013 17:23:55 (2 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M4A78LT-M
Processor: AMD Phenom II X6 1055T Processor | AM3 | 2184/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 86,717 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 335,442 GiB free.
F: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP95: 22-10-2013 10:42:00 - Windows Update
RP96: 23-10-2013 10:41:29 - AA11
RP97: 23-10-2013 20:07:32 - Windows Update
RP98: 24-10-2013 21:00:05 - Windows Update
.
==== Installed Programs ======================
.
Ad-Aware Antivirus
AdAwareInstaller
AdAwareUpdater
Adobe Digital Editions 2.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.05) - Nederlands
AMD Accelerated Video Transcoding
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
AMD Wireless Display v3.0
AntimalwareEngine
AntispamEngine
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Comical 0.8
Command & Conquer™ Red Alert™ 3
DAEMON Tools Pro
De Sims 3™ Film Accessoires
De Sims™ 3 Ambities
De Sims™ 3 Beestenbende
De Sims™ 3 Bovennatuurlijk
De Sims™ 3 Buurtleven Accessoires
De Sims™ 3 Creëer een Wereld-tool - Beta
De Sims™ 3 Diesel Accessoires
De Sims™ 3 Exotisch Eiland
De Sims™ 3 Jaargetijden
De Sims™ 3 Katy Perry Pakt uit
De Sims™ 3 Levensweg
De Sims™ 3 Luxe Accessoires
De Sims™ 3 Na Middernacht
De Sims™ 3 Showtime
De Sims™ 3 Slaap- en badkamer Accessoires
De Sims™ 3 Studententijd
De Sims™ 3 Supersnelle Accessoires

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Thanks for the quick reply, the log:


RogueKiller V8.7.6 _x64_ [Oct 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

besturingssysteem : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Gestart vanuit : Normale modus
Gebruiker : Laura [Administrator rechten]
Modus : Scan -- Datum : 10/28/2013 19:31:54
| ARK || FAK || MBR |

¤¤¤ Kwaadaardige processen : 2 ¤¤¤
[sUSP PATH] DownBook.exe -- C:\Users\Laura\AppData\Local\DownBook\DownBook.exe [-] -> BEEINDIGD [TermProc]
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\   \...\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" < [x] -> Gestopt

¤¤¤ Register verwijzingen : 9 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : DownBook ("C:\Users\Laura\AppData\Local\DownBook\DownBook.exe" 2666528fcd539f80a8ee459af19d6528 6 [-][x]) -> gevonden
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Laura\AppData\Local\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\?��?��?��\?��?��?��\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" >) -> gevonden
[RUN][sUSP PATH] HKUS\S-1-5-21-2774953383-2056332083-4268117958-1000\[...]\Run : DownBook ("C:\Users\Laura\AppData\Local\DownBook\DownBook.exe" 2666528fcd539f80a8ee459af19d6528 6 [-][x]) -> gevonden
[RUN][ZeroAccess] HKUS\S-1-5-21-2774953383-2056332083-4268117958-1000\[...]\Run : Google Update ("C:\Users\Laura\AppData\Local\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\?��?��?��\?��?��?��\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" >) -> gevonden
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\   \...\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" < [x]) -> gevonden
[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\   \...\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" < [x]) -> gevonden
[sERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\   \...\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" < [x]) -> gevonden
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> gevonden
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> gevonden

¤¤¤ geplande taken : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ webbrowsers : 0 ¤¤¤

¤¤¤ Speciale Files / Folders: ¤¤¤
[ZeroAccess][bestand] Desktop.ini : C:\Windows\assembly\GAC_32\Desktop.ini [-] --> gevonden
[ZeroAccess][bestand] Desktop.ini : C:\Windows\assembly\GAC_64\Desktop.ini [-] --> gevonden
[ZeroAccess][knooppunt] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] nl-NL : C:\Program Files\Windows Defender\nl-NL >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][map] Install : C:\Users\Laura\AppData\Local\Google\Desktop\Install [-] --> gevonden

¤¤¤ Driver : [Niet geladen 0x0] ¤¤¤

¤¤¤ Externe Hives: ¤¤¤

¤¤¤ Infectie : ZeroAccess ¤¤¤

¤¤¤ HOSTS Bestand: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Controle: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD3200AAJB-00J3A0 ATA Device +++++
--- User ---
[MBR] 47f0feb7ebc14133b765ae9d0867166c
[bSP] 08c859fc173d4e69f04604c6a2e7c600 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 305143 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Gereed : << RKreport[0]_S_10282013_193154.txt >>
RKreport[0]_S_10282013_171537.txt
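
Added example (not part of this thread, and not RogueKiller's own code): a small Python triage script that parses detection lines like the ones in the report above, groups them by family, lists the registry persistence points, and picks out the Windows Defender binaries that the report shows as junctions ("knooppunt") into \systemroot\system32\config, the reason Defender on this machine could no longer be trusted. The sample lines are copied from the report above; the tag-to-kind table and the Finding fields are the script's own assumptions (the Dutch build's tags are knooppunt = junction, bestand = file, map = folder).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one line of each kind, copied from the RogueKiller report
# posted above (the odd Unicode folder names are part of the infection and are kept as posted).
SAMPLE_REPORT = r"""
¤¤¤ Kwaadaardige processen : 2 ¤¤¤
[sUSP PATH] DownBook.exe -- C:\Users\Laura\AppData\Local\DownBook\DownBook.exe [-] -> BEEINDIGD [TermProc]
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\   \...\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" < [x] -> Gestopt
¤¤¤ Register verwijzingen : 9 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : DownBook ("C:\Users\Laura\AppData\Local\DownBook\DownBook.exe" 2666528fcd539f80a8ee459af19d6528 6 [-][x]) -> gevonden
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\   \...\???ﯹ๛\{37e9d1a8-9a5e-30e3-29e2-2c0c850126f2}\GoogleUpdate.exe" < [x]) -> gevonden
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> gevonden
¤¤¤ Speciale Files / Folders: ¤¤¤
[ZeroAccess][bestand] Desktop.ini : C:\Windows\assembly\GAC_32\Desktop.ini [-] --> gevonden
[ZeroAccess][knooppunt] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][knooppunt] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> gevonden
[ZeroAccess][map] Install : C:\Users\Laura\AppData\Local\Google\Desktop\Install [-] --> gevonden
"""

# One detection line: leading [TAG] groups, a body, then "-> status" or "--> status".
LINE_RE = re.compile(r"^(?P<tags>(?:\[[^\]]*\])+)\s*(?P<body>.*?)\s*-{1,2}>\s*(?P<result>\S.*)$")
# First quoted path, else the first bare drive path up to " [", " >>" or end of line.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?)(?=\s+\[|\s+>>|\s*$)')
JUNCTION_RE = re.compile(r">>\s*(\S+)")

# Assumed mapping of RogueKiller tags (Dutch build; the forum lower-cased the first capital).
KIND_BY_TAG = {
    "run": "run-key", "service": "service", "knooppunt": "junction",
    "bestand": "file", "map": "folder", "hj desk": "desktop-hijack",
}


@dataclass
class Finding:
    section: str
    tags: list
    family: str
    kind: str
    path: Optional[str]
    junction_target: Optional[str]
    registry_key: Optional[str]
    result: str


def parse_report(text: str) -> list:
    """Turn report text into Finding records; section headers (¤¤¤ ... ¤¤¤) are tracked, not parsed."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("¤¤¤"):
            section = line.strip("¤ ").split(":")[0].strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = re.findall(r"\[([^\]]*)\]", m.group("tags"))
        lowered = [t.lower() for t in tags]
        body = m.group("body")
        family = "ZeroAccess" if "zeroaccess" in lowered else "unclassified"
        kind = next((KIND_BY_TAG[t] for t in lowered if t in KIND_BY_TAG), "other")
        pm = PATH_RE.search(body)
        path = (pm.group(1) or pm.group(2)) if pm else None
        jm = JUNCTION_RE.search(body)
        # Registry lines start with a hive and carry "key : name (value)".
        key = body.split(" : ", 1)[0] if body.startswith("HK") else None
        findings.append(Finding(section, tags, family, kind, path,
                                jm.group(1) if jm else None, key, m.group("result")))
    return findings


def by_family(findings: list) -> dict:
    grouped = {}
    for f in findings:
        grouped.setdefault(f.family, []).append(f)
    return grouped


def persistence_points(findings: list, family: str) -> list:
    """Registry autostart entries (Run keys, services) attributed to one family."""
    return [(f.registry_key, f.path) for f in findings
            if f.family == family and f.registry_key and f.kind in ("run-key", "service")]


def defender_junctions(findings: list) -> list:
    """Windows Defender binaries the report shows as reparse points instead of real files."""
    return sorted(f.path.rsplit("\\", 1)[-1] for f in findings
                  if f.kind == "junction" and f.path and "\\windows defender\\" in f.path.lower())


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for fam, items in by_family(found).items():
        print(f"{fam}: {len(items)} finding(s)")
        for key, path in persistence_points(found, fam):
            print(f"  persistence {key} -> {path}")
    print("Defender files replaced by junctions:", defender_junctions(found))
```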



Please read the following information first.


You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC

Hmm, seeing there is some personal information on this computer I think it's best to format my computer. I had my external hard drive on this computer as well but disconnected it when the pop-ups started showing; how do I make sure all my files on that drive are clean?

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
